Hunting RDP Client Information with Velociraptor

This post was inspired by the amazing research done by thedigitaldetective found on RDP Forensics Part 2: Fingerprinting Attacks with Timezone, OS Type, and Monitor Display Resolution. As a follow-up on my previous post about Hunting Keyboard locales with Velociraptor I decided to make another Velociraptor based on @thedigitaldective’s article about digging deeper into adversary attribution and fingerprinting by looking at more RDP-specific artifacts. What to understand from his research is that when a client system is using the Remote Desktop Protocol it leaves several artifacts on the destination system that can help identify what operating system the client is coming from, what the timezone offset is and what the requested resolution for the RDP session is. This post is focused on the first two pieces of evidence. ...

January 4, 2026 · 4 min

Hunting Keyboard locales with Velociraptor

This post was inspired by the amazing research done by thedigitaldetective found on RDP Forensics Part 1: Fingerprinting Attacks with Keyboard Layout Data. I have always thought that adversarial attribution is interesting, and trying to get a glimpse of who's actually behind the keyboard excites me. As the adversaries are just humans - and humans make mistakes - sometimes it's possible to find some of the OPSEC issues they leave behind, e.g. them accidentally authenticating over SSH without specifying their username, resulting in the SSH client automatically using the local account name of the attacker’s machine. ...

January 1, 2026 · 4 min

Cloud Forensics Just Got Easier with Session IDs

Most attackers don’t walk into your tenant and announce themselves. They quietly blend into normal logins and API calls, making life annoying for incident responders. Until now, tracing what happened during a single session across Microsoft 365 was slow, messy, and filled with guesswork. If you have ever worked an AiTM phishing case, you know the pain. The attacker steals a token, skips MFA, and suddenly starts pulling emails and good luck figuring out which login that activity actually came from. ...

July 25, 2025 · 4 min

FileFix: CTRL+L, Paste, Boom.

The research is still ongoing :-) I have been studying mr.d0x's blog posts, and recently stumbled upon his new article about ClickFix and FileFix. For those of you that do not know what ClickFix is about, it is a sneaky social engineering trick. Attackers set up fake sites like fake updates or CAPTCHA pages that copy a malicious command to your clipboard. You are then told to hit Win+R, paste, and run it. Just like that, you install the malware yourself. ...

July 8, 2025 · 3 min

🕵️‍♂️ Image Acquisition with Caine

When shit hits the fan. So I was recently on a Digital Forensics assignment for a customer, where I had to collect evidence from the suspect's laptop. I had to brush the dust off my DFIR skills, as these types of assignments are too common for us. For this case I quickly looked at what we had in our Go-Bag, and I noticed that we were met with two hardware write blockers from WiebeTech. Cool, we got everything we need to capture our image, didn’t we? ...

October 28, 2023 · 3 min

👨‍💻 The Realities of being an IT-Consultant

Introduction. I have gotten a few inquiries regarding how it is to work as a consultant, and what makes this profession so exciting. My name is Christian Henriksen, and I work as a Cybersecurity Consultant at Trifork Security in Denmark. My primary job areas are quite broad compared to other consultants, but I primarily work in Managed Detection & Response (MDR), Offensive Security and also participate as Incident Response Lead for our Incident Response team. ...

March 16, 2023 · 6 min

WAFW00F - Web Application Firewall Fingerprinting

In this blog post, I will take a look at a cool tool that I have been working with the last couple of weeks, called WAFW00F. WAFW00F is a tool for fingerprinting if a webserver has a Web Application Firewall. ...

July 23, 2022 · 4 min

Pursuing a Career in Cyberspace

In this blog post, I will try to enlighten some of the questions that a new candidate in this industry might stumble upon. I will build my points on my own experience being fairly new, therefore this might not apply to you. However, I’m sure that you can relate to at least some of the upcoming points. This post is inspired by a talk that @David Thejl-Clayton gave on an internal FDCA webinar. ...

April 29, 2022 · 11 min

FDCA - Foreningen for Danske Cyber Alumner

What is FDCA, how do you become a member, and what does a cyber association actually do? I will try to describe that in the following blog post. This post is in Danish, and will eventually be posted in English. What is Cyberværnepligten (the cyber conscription programme)? Cyberværnepligten is a political initiative intended to produce ~30+ new digital security talents a year, whose purpose is to be ambassadors for good IT security in the Danish kingdom. ...

April 18, 2022 · 4 min