DORA and ICT Risk Management: how to self-assess your compliance

TL;DR โ€“ In this blogpost, we will give you an introduction to the key requirements associated with the Risk Management Framework introduced by DORA (Digital Operational Resilience Act);  More specifically, throughout this blogpost we will try to formulate an answer to following questions: What are the key requirements associated with the Risk Management Framework of DORA?What … Continue reading DORA and ICT Risk Management: how to self-assess your compliance

Kernel Karnage – Part 5 (I/O & Callbacks)

After showing interceptor's options, itโ€™s time to continue coding! On the menu are registry callbacks, doubly linked lists and a struggle with I/O in native C. 1. Interceptor 2.0 Until now, I relied on the Evil driver to patch kernel callbacks while I attempted to tackle $vendor2, however the Evil driver only implements patching for … Continue reading Kernel Karnage – Part 5 (I/O & Callbacks)

Cobalt Strike: Decrypting DNS Traffic – Part 5

Cobalt Strike beacons can communicate over DNS. We show how to decode and decrypt DNS traffic in this blog post. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting DNS Traffic – Part 5

The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see.

TL;DR โ€“ In this blogpost, we will give you an introduction to DORA, as well as how you can prepare yourself to be ready for it. More specifically, throughout this blogpost we will try to formulate an answer to following questions: What is DORA and what are the key requirements of DORA?What are the biggest challenges … Continue reading The digital operational resilience act (DORA): what you need to know about it, the requirements and challenges we see.

Kernel Karnage – Part 4 (Inter(ceptor)mezzo)

To make up for the long wait between parts 2 and 3, we're releasing another blog post this week. Part 4 is a bit smaller than the others, an intermezzo between parts 3 and 5 if you will, discussing interceptor. 1. RTFM & W(rite)TFM! The past few weeks I spent a lot of time getting … Continue reading Kernel Karnage – Part 4 (Inter(ceptor)mezzo)

Cobalt Strike: Decrypting Obfuscated Traffic – Part 4

Encrypted Cobalt Strike C2 traffic can be obfuscated with malleable C2 data transforms. We show how to deobfuscate such traffic. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. In part 2, we decrypted … Continue reading Cobalt Strike: Decrypting Obfuscated Traffic – Part 4

Kernel Karnage – Part 3 (Challenge Accepted)

While I was cruising along, taking in the views of the kernel landscape, I received a challenge โ€ฆ 1. Player 2 has entered the game The past weeks I mostly experimented with existing tooling and got acquainted with the basics of kernel driver development. I managed to get a quick win versus $vendor1 but that … Continue reading Kernel Karnage – Part 3 (Challenge Accepted)

Detecting DCSync and DCShadow Network Traffic

This blog post on detecting Mimikatz' DCSync and DCShadow network traffic, accompanies SANS webinar "Detecting DCSync and DCShadow Network Traffic". Intro Mimikatz provides two commands to interact with a Windows Domain Controller and extract or alter data from the Active Directory database. These two commands are dcsync and dcshadow. The dcsync command can be used, … Continue reading Detecting DCSync and DCShadow Network Traffic

Another spin to Gamification: how we used Gather.town to build a (great!) Cyber Security Game

CSI Game hosted on Gather.town platform Let's recap October. Cyber Security Awareness Month. For a cyber awareness enthusiast, it is hard to conceal the excitement that comes with a full month of initiatives in all shapes and sizes, built around a genuine and strong effort to help keep companies and their people โ€œsafe onlineโ€. At … Continue reading Another spin to Gamification: how we used Gather.town to build a (great!) Cyber Security Game

Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3

We decrypt Cobalt Strike traffic with cryptographic keys extracted from process memory. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. In part 1 of this series, we revealed private encryption keys found in rogue Cobalt Strike packages. And in part 2, we decrypted Cobalt Strike traffic starting with a private … Continue reading Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3