#dfir #knowledgedrop

Interesting observation:

Hard-coded RAM relocations (i.e. not ASLR) are actually way less common in modern-day (64-bit) programs than you think. Most jumps etc. are relative and not hard-coded, e.g. in the .reloc table.

I ran some velo tests and only one program on my standard Windows 10 installation with browsers had hard coded relocations: velociraptor itself.

#RAM #memory #relocation #velociraptor

PS: before someone complains: yes, 32-bit programs have Base of Data relocations, but that's for backwards compatibility, if I'm correctly informed.
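If you want to repeat the observation yourself, the relevant bits live in the PE headers: DllCharacteristics tells you whether the image opted into ASLR (DYNAMIC_BASE, plus HIGH_ENTROPY_VA for 64-bit), the COFF Characteristics flag RELOCS_STRIPPED means the image cannot be rebased at all, and a non-empty base relocation directory is the .reloc table the post mentions. The parser below is an added example (not Velociraptor's or the post author's code) that reads those fields from a PE32 or PE32+ header; the PE fixtures it builds for itself are constructed header-only stubs, not loadable programs.

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be loaded at a random base (ASLR)
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Read the headers of a PE image and report its relocation/ASLR properties."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:                    # 64-bit layout: 8-byte ImageBase at +24
        fmt = "PE32+"
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:                      # 32-bit layout: BaseOfData at +24, ImageBase at +28
        fmt = "PE32"
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both layouts
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _, reloc_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "format": fmt,
        "machine": machine,
        "image_base": image_base,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        "reloc_table_bytes": reloc_size,           # >0: absolute addresses the loader patches on rebase
        "aslr_opted_out": relocs_stripped or not dynamic_base,
    }


def build_test_pe(dynamic_base: bool, reloc_size: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal header-only PE (a test fixture, not a loadable executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> headers at 0x40
    opt_size = 240 if pe32plus else 224                         # 112/96 bytes + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, 0x140000000)
        ndirs_off, dirs_off = 108, 112
    else:
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, 0x400000)
        ndirs_off, dirs_off = 92, 96
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x3000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


def inspect_file(path: str) -> dict:
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return inspect_pe(fh.read())


if __name__ == "__main__":
    for label, fixture in [("aslr, no relocs", build_test_pe(True, 0)),
                           ("fixed base, has .reloc", build_test_pe(False, 64)),
                           ("32-bit with .reloc", build_test_pe(True, 12, pe32plus=False))]:
        print(label, inspect_pe(fixture))
```

Point `inspect_file` at a collected binary to get the same dictionary; `aslr_opted_out` is the quick answer to "does this thing expect a hard-coded base", and `reloc_table_bytes` shows how much absolute addressing the linker left in.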

Recently having some #Sharepoint #cve202553770 cases.

Hint for analysts: also check for Visual Basic and C#, not just PowerShell.

#DFIR #incidentresponse #knowledgedrop

Apparently, Microsoft broke the API a bit when retiring some of its parts

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/action-required-msonline-and-azuread-powershell-retirement---2025-info-and-resou/4364991

The Microsoft Extractor Suite broke.

➡️ Workaround:

You can get up to 50.000 events via the Azure Web Portal. So filter for a username or a small timeframe.

⚠️ Note: you cannot download everything via the Web Portal, after 50.000 events, it'll just stop.

#DFIR #Azure #Cloud #knowledgedrop
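A small helper for working around that cap, added here as an example (it is neither from the post nor from the Extractor Suite): it treats any export that returns exactly 50,000 rows as possibly truncated and keeps halving the time window until every chunk comes back below the cap, which is the "small timeframe" advice done mechanically. The portal export is simulated with a constructed event list so the script runs offline; swap in the real export function for production use.

```python
from datetime import datetime, timedelta, timezone

PORTAL_EXPORT_CAP = 50_000   # the portal stops after this many events (50.000 in the post)


def make_portal(events, cap=PORTAL_EXPORT_CAP):
    """Simulated portal export: events in [start, end), silently cut off at `cap`."""
    ordered = sorted(events, key=lambda e: e["time"])

    def export(start, end):
        return [e for e in ordered if start <= e["time"] < end][:cap]
    return export


def collect_complete(export, start, end, cap=PORTAL_EXPORT_CAP,
                     min_window=timedelta(minutes=1)):
    """Fetch [start, end) completely by bisecting any window that hits the export cap."""
    chunk = export(start, end)
    if len(chunk) < cap:
        return chunk                     # strictly below the cap: this window was not truncated
    if end - start <= min_window:
        raise RuntimeError(f"{start}..{end} still hits the cap; filter by user instead")
    mid = start + (end - start) / 2
    return (collect_complete(export, start, mid, cap, min_window)
            + collect_complete(export, mid, end, cap, min_window))


def make_sample_events(n, start, span):
    """Constructed sample: n sign-in events spread evenly over `span`."""
    step = span / n
    return [{"time": start + i * step, "user": f"user{i % 7}@example.invalid"}
            for i in range(n)]


if __name__ == "__main__":
    day = timedelta(days=1)
    t0 = datetime(2025, 8, 1, tzinfo=timezone.utc)
    events = make_sample_events(120_000, t0, day)
    portal = make_portal(events)
    print("single export:", len(portal(t0, t0 + day)), "rows (truncated)")
    print("bisected:     ", len(collect_complete(portal, t0, t0 + day)), "rows")
```

The check is `len(chunk) < cap`, not `== cap`: a window that returns exactly 50,000 rows is indistinguishable from a truncated one, so it gets split too. If a one-minute window still overflows the cap, time-slicing alone will not help and you need the username filter the post mentions.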

Action required: MSOnline and AzureAD PowerShell retirement - 2025 info and resources | Microsoft Community Hub

Retirement of MSOnline PowerShell begins in April 2025. Learn about the timeline and required actions.


Interesting defense against attacks:

Move your SSH authorized_keys to a different location and set the permissions to 0444. Then an attacker needs root rights to place an SSH backdoor.

https://isc.sans.edu/diary/31986

#DFIR #knowledgedrop #hardening
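Two things decide whether this hardening actually holds: the file (and its parent directory) must be owned by root, because the owner of a 0444 file can simply chmod it back, and sshd_config must point at the new location via AuthorizedKeysFile. The script below is an added example (not from the ISC diary or the post) that reads that directive the way OpenSSH does (first occurrence wins; Match blocks are not handled, which is an assumption), expands the %u/%h tokens, and audits the resulting file. The path /etc/ssh/authorized_keys/%u is an assumed layout, not one the post prescribes.

```python
import os
import re
import stat
import tempfile

OPENSSH_DEFAULT = [".ssh/authorized_keys", ".ssh/authorized_keys2"]   # sshd's built-in default


def parse_authorized_keys_file(sshd_config: str) -> list[str]:
    """Return the AuthorizedKeysFile tokens in effect (OpenSSH keeps the first occurrence)."""
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "authorizedkeysfile":
            return value.split()
    return list(OPENSSH_DEFAULT)


def expand_token(token: str, user: str, home: str) -> str:
    """Expand %u, %h and %% as sshd does; relative paths are relative to the home directory."""
    path = re.sub(r"%(.)", lambda m: {"%": "%", "u": user, "h": home}.get(m.group(1), m.group(0)), token)
    return path if os.path.isabs(path) else os.path.join(home, path)


def audit_authorized_keys(path: str, expected_uid: int = 0) -> list[str]:
    """Findings for a relocated authorized_keys file: mode, owner, and parent directory."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o444:
        findings.append(f"{path}: mode {mode:04o}, expected 0444")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid} (owner can chmod it back)")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if stat.S_IMODE(pst.st_mode) & 0o022:
        findings.append(f"{parent}: group/world writable, file can be replaced")
    if pst.st_uid != expected_uid:
        findings.append(f"{parent}: owner uid {pst.st_uid}, expected {expected_uid} (owner can replace the file)")
    return findings


def make_fixture(mode: int) -> tuple[str, int]:
    """Constructed test fixture: an empty key file with the given mode in a private temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "alice")
    open(path, "w").close()
    os.chmod(path, mode)
    return path, os.stat(path).st_uid


SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config; the directory layout is an assumption
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
PasswordAuthentication no
"""

if __name__ == "__main__":
    for token in parse_authorized_keys_file(SAMPLE_SSHD_CONFIG):
        target = expand_token(token, "alice", "/home/alice")
        print("keys for alice read from:", target)
        if os.path.exists(target):
            print("\n".join(audit_authorized_keys(target) or ["OK"]))
```

Run it against the real sshd_config and each user's expanded path after the move; an empty findings list means the file is root-owned, read-only, and sits in a root-owned directory nobody else can write to.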

#DFIR #threatintel #Knowledgedrop

Attackers are still actively exploiting firewall "../" vulnerabilities. Be aware and patch your firewalls!
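Patching is the fix; until then, the attempts are easy to spot in the appliance's access logs as long as you decode before matching, because "../" rarely arrives literally. The detector below is an added example (not from the post or any vendor): it percent-decodes repeatedly to catch double encoding, folds backslashes, and only flags a ".." that is an actual path component, so a file named "release..notes.html" does not trip it. The log lines are constructed samples in common log format.

```python
import re
from urllib.parse import unquote

# common log format: ip ident user [time] "METHOD path HTTP/x" status size
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/')
# ".." bounded by slashes (or string edges), i.e. a real parent-directory component
DOTDOT_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and fold backslashes to forward slashes."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    return DOTDOT_RE.search(normalize_path(raw_path)) is not None


def find_traversal_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (source ip, raw request path) for every request that walks up the tree."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample log: one normal request, three encoded traversal variants, one lookalike.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Aug/2025:10:00:02 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [10/Aug/2025:10:00:03 +0000] "GET /img/%252e%252e/%252e%252e/config HTTP/1.1" 403 0
203.0.113.8 - - [10/Aug/2025:10:00:04 +0000] "GET /api?file=..%5c..%5cwin.ini HTTP/1.1" 400 0
203.0.113.9 - - [10/Aug/2025:10:00:05 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The decode loop is bounded on purpose; unbounded decoding is itself a cheap denial-of-service vector. Overlong or invalid UTF-8 encodings are not normalized here, so treat this as a first filter rather than a complete canonicalizer.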

Most organizations do not have multi-factor authentication (MFA) enabled for their Azure service principals.

Why?

You need a special license for every single application you want to enable MFA for.

#cloud #azure #knowledgedrop #pentesting

Watch out with your Azure Automation Account / Runbooks.

  • they often include hard-coded credentials
  • their output is not protected, so attackers can see your results
  • they can use shared resources (i.e. credentials or certificates)
  • Hybrid Worker and Azure Arc allow access to your on-premise infrastructure

Dangerous stuff if not managed correctly!

#cloud #azure #knowledgedrop #dfir #pentesting #privilegeescalation
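The first bullet is the one you can check mechanically: export the runbook sources and scan them for secrets that should have come from an Automation credential asset or Key Vault instead. The scanner below is an added example (not from the post or from Microsoft); its patterns are a starting set, and the two runbooks it scans are constructed samples, one that correctly references a credential asset via Get-AutomationPSCredential (a real Azure Automation cmdlet) and one that embeds everything inline.

```python
import re

# Things that belong in credential/certificate assets or Key Vault, not in runbook source.
PATTERNS = {
    "plaintext_password": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|clientsecret|apikey)\s*=\s*['\"][^'\"]{6,}['\"]"),
    "securestring_from_literal": re.compile(
        r"(?i)ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText"),
    "storage_or_bus_key": re.compile(r"(?i)(AccountKey|SharedAccessKey)=[A-Za-z0-9+/=]{20,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def scan_runbook(name: str, source: str) -> list[tuple[str, int, str]]:
    """Return (runbook, line number, finding kind) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, kind))
    return findings


def scan_all(runbooks: dict[str, str]) -> list[tuple[str, int, str]]:
    return [f for name, src in runbooks.items() for f in scan_runbook(name, src)]


# Constructed sample runbooks (PowerShell); the asset and account names are made up.
SAMPLE_RUNBOOKS = {
    "Rotate-Backups.ps1": """\
$cred = Get-AutomationPSCredential -Name 'BackupSvc'   # credential asset: fine
Write-Output "rotating backups as $($cred.UserName)"
""",
    "Sync-Legacy.ps1": """\
$password = 'Winter2024!'
$secure = ConvertTo-SecureString 'Winter2024!' -AsPlainText -Force
$conn = "DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=ZmFrZWtleWZha2VrZXlmYWtla2V5ZmFrZWtleQ=="
""",
}

if __name__ == "__main__":
    for runbook, lineno, kind in scan_all(SAMPLE_RUNBOOKS):
        print(f"{runbook}:{lineno}: {kind}")
```

Remember the second bullet when you run this: the job output and the runbook source are both readable by anyone with Reader-level access to the Automation Account, so a secret that ever appeared in either should be rotated, not just removed from the script.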

How to reconstruct OneDrive?

OneDriveExplorer (by @Beercow) can reconstruct OneDrive from <UserCid>.dat or SQLite databases etc.

Check it out:
https://github.com/Beercow/OneDriveExplorer

#DFIR #artifact #azure #onedrive #knowledgedrop

GitHub - Beercow/OneDriveExplorer: OneDriveExplorer is a command line and GUI based application for reconstructing the folder structure of OneDrive from the <UserCid>.dat and <UserCid>.dat.previous file.



Today a pentester asked me if attackers really use brute force.

Yes, they do, especially in cloud environments. That's why multi-factor authentication (MFA) is so important there.

#knowledgedrop #purpleteam #cloud
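Brute force in sign-in logs shows up as two shapes: many failures against one account (classic guessing) and one source hitting many accounts once each (spraying), and the second is missed if you only count per user. The detector below is an added example (not from the post) that keeps a sliding window of failures per user and per source IP, and then lists accounts that signed in successfully from an alerted source afterwards, which is exactly the case MFA would have stopped. The events are constructed samples; the field names are an assumption, not a particular log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {("user", name) | ("ip", addr): time of first alert} using a sliding window of failures."""
    alerts = {}
    recent = defaultdict(deque)                         # key -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["success"]:
            continue
        for key in (("user", ev["user"]), ("ip", ev["ip"])):
            q = recent[key]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = ev["time"]
    return alerts


def successes_after_alert(events, alerts):
    """(user, ip) pairs that logged in successfully from an alerted source after the alert fired."""
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = ("ip", ev["ip"])
        if ev["success"] and key in alerts and ev["time"] >= alerts[key]:
            hits.append((ev["user"], ev["ip"]))
    return hits


def make_sample_events(base=datetime(2025, 8, 10, 8, 0, tzinfo=timezone.utc)):
    """Constructed sample: one brute force, one password spray, one ordinary user."""
    ev = lambda s, user, ip, ok: {"time": base + timedelta(seconds=s), "user": user, "ip": ip, "success": ok}
    events = [ev(10 * i, "alice", "198.51.100.10", False) for i in range(12)]     # 12 failures, 10 s apart
    events.append(ev(130, "alice", "198.51.100.10", True))                         # then the attacker gets in
    events += [ev(300 + 20 * j, f"user{j:02d}", "198.51.100.20", False) for j in range(15)]   # spray
    events += [ev(1000, "bob", "203.0.113.50", False), ev(1010, "bob", "203.0.113.50", False),
               ev(1020, "bob", "203.0.113.50", True)]                               # typo, typo, success
    return events


if __name__ == "__main__":
    sample = make_sample_events()
    found = detect_bruteforce(sample)
    for key, when in found.items():
        print("alert", key, "at", when.time())
    for user, ip in successes_after_alert(sample, found):
        print("successful sign-in after alert:", user, "from", ip)
```

Tune `threshold` and `window` to the tenant's normal failure rate; the per-IP key is what catches the spray in the sample, where no single account ever fails more than once.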