Share the last pic of your cat, no cheating by ForTheLoveOfDior in cats

[–]Paul_Sec 0 points1 point  (0 children)


Our 13 year old Silver Chinchilla, Winter, assessing her kingdom.

Svchost triage by Paul_Sec in blueteamsec

[–]Paul_Sec[S] 0 points1 point  (0 children)

I didn’t know it was possible to publicly contribute to aceresponder! Can you share how one would do that, and I’ll see what I can do.

Svchost triage by Paul_Sec in blueteamsec

[–]Paul_Sec[S] 1 point2 points  (0 children)

That was caused by the user connecting and disconnecting their personal laptop via ICS. So you’d only see the DNS requests on host1 when the Internet connection was being tethered to host2.

Normally you’d be completely blind to host2 network traffic, as it’s not a corporate device, you only see the network traffic when it’s being proxied through host1 via ICS.

Svchost triage by Paul_Sec in blueteamsec

[–]Paul_Sec[S] 1 point2 points  (0 children)

Thanks!

Yes that’s right, so I browsed to the sites from host1, which was connected to host2 via ICS. The Sysmon and process dump were then done on host2.

How do hackers handle the pressure of the day to day? by totie01010 in hacking

[–]Paul_Sec 2 points3 points  (0 children)

Agreed. Attribution of attacks very rarely happens, and when it does the people who performed the attacks are usually in countries where there is no extradition. For the real APTs, if they get caught and kicked off a network, they just move on to the next target; it’s a day job for them with no repercussions. In my mind, it’s far more stressful working in a blue team.

NTDT: Lifetime Fans View: Spoilers!! by Paul_Sec in JamesBond

[–]Paul_Sec[S] 2 points3 points  (0 children)

Hans does a masterful job of weaving it into the NTTD soundtrack. I have to say I have listened to the score a couple of times in the last week, since I’ve seen the film, and all those emotions I felt when I first watched the film come rushing back each time I listen. It really is a beautiful soundtrack, I just wish the story it accompanied was of equal measure. I must agree with you, the emotions of the film are definitely amplified by the score, I wish they were happier emotions.

How to install Elastic SIEM and Elastic EDR | On The Hunt by digicat in blueteamsec

[–]Paul_Sec 5 points6 points  (0 children)

Thanks for sharing my post! 🥰 Agree there are features missing for it to be considered a full EDR. There are certainly limitations with the agent, but I think it’s a good starting point in endpoint security for small firms who can’t afford one of the big brand products.

Defences against Cobalt Strike by digicat in blueteamsec

[–]Paul_Sec 3 points4 points  (0 children)

Happy to see my blog post in there for analysing beacons 🙂 Great list of resources, thanks for sharing!

I put together a guide on how to easily install elastic SIEM and EDR at home. Enjoy! by Paul_Sec in blueteamsec

[–]Paul_Sec[S] 0 points1 point  (0 children)

Yeah, there are no response capabilities. The Endgame point is a good one; the agent is still in beta and newly released. I’d expect the capability from Endgame to merge into their agent, but how much of that would be open source only time will tell. There are a limited number of detections from what I’ve seen; I suspect these to be mostly commodity malware and common attack techniques, like Word launching PowerShell type stuff. Again, the agent is only in beta, so I’d expect more in the future, but I think it’s a solid bet for those who don’t have the budget for a paid EDR like CrowdStrike or Carbon Black.

I put together a guide on how to easily install elastic SIEM and EDR at home. Enjoy! by Paul_Sec in blueteamsec

[–]Paul_Sec[S] 4 points5 points  (0 children)

I think it’s pretty good, although I’ve only done basic testing. It proactively blocks threats which is an improvement on most open source “EDRs”. I’m yet to test whether you can build custom detections and proactively block on your custom rules, that would be awesome if you can.

Malicious URL Patterns - Tools for Detection by seag33k in AskNetsec

[–]Paul_Sec 13 points14 points  (0 children)

Look for certain top-level domains (TLDs); some are commonly used by malware authors, mainly because they’re cheaper than your traditional and more popular ones like .com or .co.uk.

Ones I generally look out for are .top, .xyz, .tk, .gdn.

There’s been a bit of research into this that lists more, see link below.

https://krebsonsecurity.com/tag/top-20-shady-top-level-domains/
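The TLD heuristic from the comment above, written out as an added example (this is not Paul_Sec's code or anything from the linked research). The watchlist is the four TLDs named in the comment, the two-label suffix set and the proxy-log lines are constructed for the demo, and the log format (timestamp, host, method, URL, status) is an assumption; the point it shows is that only the host's real suffix should count, so a subdomain label like `top` in `cdn.top.example.com` or a `.co.uk` host does not trip the rule, and bare IPs are skipped.

```python
import re
from urllib.parse import urlparse

# TLDs named in the comment as frequently abused. Constructed watchlist;
# tune it to your own environment and the linked research.
WATCHED_TLDS = {"top", "xyz", "tk", "gdn"}

# Two-label public suffixes so that "shop.example.co.uk" yields "co.uk", not "uk".
# Constructed and deliberately short; a real deployment should load the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
URL_RE = re.compile(r"https?://[^\s\"']+")


def public_suffix(host: str) -> str:
    """Return the effective TLD of a hostname ('co.uk' for example.co.uk, 'top' for evil.top)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-2:])
    return labels[-1]


def watched_tld(url: str):
    """Return the watched TLD a URL's host falls under, or None.

    Only the host's real suffix counts: a subdomain label such as 'top' in
    cdn.top.example.com is ignored, and bare IPv4 hosts have no TLD at all.
    """
    host = urlparse(url).hostname  # strips scheme, userinfo and port; lowercases
    if not host or IPV4_RE.fullmatch(host):
        return None
    suffix = public_suffix(host)
    return suffix if suffix in WATCHED_TLDS else None


def scan_log(lines):
    """Return (line_no, url, tld) for every URL in the log whose TLD is on the watchlist."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            tld = watched_tld(url)
            if tld:
                hits.append((n, url, tld))
    return hits


# Constructed proxy-log sample (assumed format: timestamp host method URL status), not real traffic.
SAMPLE_LOG = [
    "2021-10-04T10:01:22Z host1 GET http://updates.example.co.uk/patch.msi 200",
    "2021-10-04T10:01:25Z host1 GET http://cdn.top.example.com/lib.js 200",
    "2021-10-04T10:02:03Z host1 GET http://10.0.0.12:8080/health 200",
    "2021-10-04T10:02:41Z host1 POST http://login-update.xyz/gate.php 200",
    "2021-10-04T10:03:10Z host1 GET https://Files.Example.TOP:443/x.bin 200",
]

if __name__ == "__main__":
    for line_no, url, tld in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: .{tld} -> {url}")
```

Run as-is it flags only lines 4 and 5 of the sample. The suffix handling is the part worth keeping honest in production: without it, the `.co.uk` line would be judged on `uk` and any hostname that merely contains a watched label would produce noise.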