Category: Tools

Bypassing WAFs Using Oversized Requests

Source: Black Hills Information Security, Inc.

Author: BHIS

URL: https://www.blackhillsinfosec.com/bypassing-wafs-using-oversized-requests/

ONE SENTENCE SUMMARY:

Exploiting WAF limitations with oversized request bypass techniques highlights the need for careful security configuration and testing.

MAIN POINTS:

  1. Oversized requests can bypass many web application firewalls, exploiting size limits on request processing.
  2. WAF configuration determines exploitability; some allow bypass by default due to flexible design goals.
  3. Examples given include testing WAFs like Cloudflare, Barracuda, ModSecurity, AWS, Azure, Google, Sucuri, and Fortinet.
  4. Cloudflare’s free tier can be bypassed with requests above 8KB, while higher tiers have larger limits.
  5. Barracuda’s WAF is secure by default, lacking size-based vulnerabilities without manual configuration.
  6. ModSecurity requires settings adjustments from default to secure, as it starts in detection-only mode.
  7. AWS limits WAF inspection to the first 8KB by default for certain services, with options to increase.
  8. Azure’s Application Gateway has a secure “fail closed” design, unlike Azure Front Door, which defaults insecurely.
  9. Google Cloud Armor and Sucuri default to vulnerable configurations, allowing large requests by default limits.
  10. Balancing WAF performance, usability, and security is crucial, with appropriate rule adjustments necessary.

TAKEAWAYS:

  1. Oversized requests exploit WAF limits, necessitating tailored configurations for secure operation.
  2. Cloudflare, AWS, and ModSecurity often need manual rule adjustments to close security gaps.
  3. Azure’s Application Gateway is inherently secure against oversized request bypasses due to its “fail closed” design.
  4. Real-world application behavior should inform WAF configurations to effectively handle scale and security needs.
  5. Testing WAFs for both rule coverage and handling of resource limits is essential for robust protection.

RealBlindingEDR Tool That Permanently Turns Off AV/EDR Using Kernel Callbacks

Source: Cyber Security News

Author: Guru Baran

URL: https://cybersecuritynews.com/realblindingedr-tool/

ONE SENTENCE SUMMARY:

RealBlindingEDR is an open-source tool used to disable antivirus and endpoint detection software by manipulating kernel callbacks.

MAIN POINTS:

  1. RealBlindingEDR blinds, disables, or terminates AV/EDR by clearing kernel callbacks.
  2. Released on GitHub in 2023, it uses signed drivers for memory operations.
  3. It exploits vulnerable drivers to gain kernel-level access without detection.
  4. The tool targets six major kernel callback types to bypass security.
  5. Ransomware groups like Crypto24 have used it in recent attacks.
  6. Compatible with Windows 7 to 11 and various servers, ensuring wide applicability.
  7. Demonstrated against 360 Security Guard, Tencent, Kaspersky, Windows Defender, and more.
  8. Blinding mode prevents monitoring of behaviors like malware drops.
  9. Requires a signed driver and admin rights for deployment.
  10. Organizations are advised to monitor vulnerable driver loads and kernel anomalies.

TAKEAWAYS:

  1. RealBlindingEDR poses significant risks despite being designed for research purposes.
  2. Microsoft and vendors recommend driver signature enforcement to mitigate threats.
  3. Security teams must review endpoint logs for unusual sys file access.
  4. Advanced EDR with behavioral analytics can help detect anomalies.
  5. Awareness and monitoring are crucial to counteract this evolving threat.

peter-hackertarget/llm-tools-nmap

Source: GitHub

Author: unknown

URL: https://github.com/peter-hackertarget/llm-tools-nmap

ONE SENTENCE SUMMARY:

The plugin integrates Nmap network scanning into Simon Willison’s LLM, enabling network discovery and security tasks through function calling.

MAIN POINTS:

  1. Provides Nmap capabilities for network discovery and security scanning via LLM function calls.
  2. Enables network discovery, port scanning, service, OS detection, and more.
  3. Supports Python 3.7+ and requires working LLM and Nmap installations.
  4. Functions include get_local_network_info, nmap_scan, quick scans, and script scanning.
  5. Use commands like llm --functions llm-tools-nmap.py for network queries and scans.
  6. Experiments include scanning local networks, detecting services, and quick port scans.
  7. Nmap features like OS detection may need administrative privileges.
  8. Compliance with legal and security policies is essential for network scanning.
  9. The tool is open source and requires permission for scanning target networks.
  10. The plugin is experimental and potential risks in tool access should be considered.

TAKEAWAYS:

  1. The plugin expands LLM capabilities with powerful Nmap scanning functions.
  2. Installation and preparation require specific commands for different OS environments.
  3. Practical for quick, detailed network assessments and discovering network vulnerabilities.
  4. Compliance with laws and policies is crucial when using network scanning tools.
  5. Ensure you have explicit permission before conducting any scans.

LSASS Dump via comsvcs.dll: Defender Detection Guide

Source: Securityinbits

Author: Ayush Anand

URL: https://www.securityinbits.com/detection-engineering/lsass-dump-comsvcs-rundll32/

ONE SENTENCE SUMMARY:

The query filters device process events for suspicious rundll32.exe activity involving specific command line patterns indicating potential threats.

MAIN POINTS:

  1. Filters DeviceProcessEvents for suspicious rundll32.exe activity.
  2. Targets FolderPath ending with “\rundll32.exe”.
  3. Includes processes with OriginalFileName “RUNDLL32.EXE”.
  4. Searches for ProcessCommandLine containing “rundll32”.
  5. Detects command line patterns: “#+”, “#-“, “#0”.
  6. Includes command patterns “#655” and “#656”.
  7. Aims to identify potential security threats.
  8. Uses specific command line criteria for filtering.
  9. Focuses on unusual rundll32.exe execution.
  10. Enhances threat detection in device processes.

TAKEAWAYS:

  1. Rundll32.exe processes with unusual commands may indicate a threat.
  2. Specific command line patterns are crucial for detection.
  3. Filtering by executable name helps narrow down suspicious activity.
  4. Command lines with specific patterns signal potential malicious behavior.
  5. It’s essential for detecting and mitigating security threats.

CQURE Hacks #68: NTLM Relay Attacks Explained and Why It’s Time to Phase Out NTLM

Source: CQURE Academy

Author: Daniel

URL: https://cqureacademy.com/blog/ntlm-relay-attacks-and-why-to-phase-out/

ONE SENTENCE SUMMARY:

Disabling NTLM authentication prevents relay attacks by forcing the use of Kerberos, enhancing security across Active Directory environments.

MAIN POINTS:

  1. Initially, NTLM authentication setting is disabled on the Domain Controller, allowing relay attacks.
  2. Attacker uses Responder and ntlmrelayx tools on Kali Linux to perform NTLM relay.
  3. Successful relay allows attacker access with credentials as CQURE\Administrator for further actions.
  4. Switching Group Policy to “Deny All” disables NTLM, blocking relay attacks.
  5. Kerberos authentication replaces NTLM, removing vulnerability to relay attacks.
  6. Demonstration highlights reduced NTLM attack surface when disabled.
  7. Phasing out NTLM requires identifying systems dependent on it.
  8. CQURE NTLM Phase-out Guide aids Active Directory NTLM replacement.
  9. New Advanced Windows Security Course 2026 registration is open.
  10. CQURE Hacks video demonstrates NTLM relay attack and mitigation steps.

TAKEAWAYS:

  1. Disabling NTLM eliminates relay attack vulnerability.
  2. Kerberos provides a more secure authentication method.
  3. Identify and audit NTLM-dependent systems before disabling.
  4. Proper planning is essential for a smooth NTLM phase-out.
  5. Educational resources and courses can aid in transitioning to secure methods.

New AmCache EvilHunter Tool For Detecting Malicious Activities in Windows Systems

Source: Cyber Security News

Author: Guru Baran

URL: https://cybersecuritynews.com/amcache-evilhunter-tool/

ONE SENTENCE SUMMARY:

AmCache-EvilHunter enhances incident response by parsing AmCache data, automating threat detection, and accelerating DFIR workflows.

MAIN POINTS:

  1. AmCache aids in identifying benign and malicious software on Windows systems.
  2. It is resistant to tampering, preserving data even after malware auto-deletion.
  3. Stores SHA-1 hashes for querying threat intelligence feeds like VirusTotal.
  4. Kaspersky’s tool automates parsing of Amcache.hve registry for indicators of compromise.
  5. Developed in Python, it extracts metadata from specific registry keys.
  6. Offers advanced filtering with features like the –find-suspicious flag.
  7. Performs automated threat lookups, enhancing response efficiency.
  8. Supports keyword searches for deleted or transient tools.
  9. Modular architecture allows for custom integrations and platform support.
  10. Available on GitHub for Windows and Linux, reducing manual DFIR effort.

TAKEAWAYS:

  1. Automatically preserves evidence against self-erasing malware.
  2. Integrates threat intelligence feeds for rapid IOC generation.
  3. Simplifies detection and containment processes in incident response.
  4. Provides advanced filtering to reduce analytical noise.
  5. Modular setup facilitates further customization and platform integration.

Dissecting Shellcode Execution in Memory

Source: itamarhall.github.io

Author: unknown

URL: https://itamarhall.github.io/Tracepoint/blog/writeups/dissecting-process-hollowing-rogue-lsass-with-injected-shellcode/

ONE SENTENCE SUMMARY:

This forensic investigation examines process hollowing in Windows memory, revealing malicious activities involving lsass.exe and Metasploit-like shellcode.

MAIN POINTS:

  1. Analysis focuses on identifying process hollowing using Volatility 3.
  2. Multiple tools used: MemProcFS, YARA, Eric Zimermman tools, PEstudio.
  3. Memory image reveals dual lsass.exe processes, indicating malicious activity.
  4. Suspicious processes involve rogue lsass.exe and related cmd.exe executions.
  5. Handle investigations highlight unusual file and network interactions.
  6. Memory injections detected using ldrmodules, malfind, ProcSentinel.
  7. In-memory module linked to Metasploit-style API hashing, reflecting injection.
  8. Disk artifacts like Prefetch, Amcache, PCA confirm file execution.
  9. Timeline correlates defense impairments with malicious execution activities.
  10. Metasploit YARA matches suggest network-capable shellcode operation.

TAKEAWAYS:

  1. Process hollowing detected via memory analysis shows disguised malicious processes.
  2. Volatility 3 and complementary tools enrich memory forensics investigation.
  3. Dual lsass.exe presence reveals process manipulation and shellcode execution.
  4. Timeline analysis correlates defensive changes with malicious actions.
  5. Comprehensive analysis ties network activity to injected shellcode behavior.

Build secure network architectures for generative AI applications using AWS services

Source: AWS Security Blog

Author: Joydipto Banerjee

URL: https://aws.amazon.com/blogs/security/build-secure-network-architectures-for-generative-ai-applications-using-aws-services/

ONE SENTENCE SUMMARY:

This post guides securing generative AI on AWS, addressing threats with comprehensive strategies including network, application, and edge defenses.

MAIN POINTS:

  1. Generative AI presents new opportunities and threats requiring robust security measures.
  2. Complex architectures increase vulnerabilities to classic and emerging external threats.
  3. AWS services enable secure network architectures for generative AI applications.
  4. Network DDoS (layer 4) and web request floods (layer 7) are common attack methods.
  5. Application-specific exploits can lead to unauthorized access and data breaches.
  6. OWASP Top 10 helps identify common security risks in AI applications.
  7. Amazon Bedrock facilitates secure, private networking for AI applications.
  8. AWS WAF shields applications from malicious bot threats and automated abuse.
  9. AWS Shield defends against DDoS attacks, maintaining application reliability and performance.
  10. Continuous monitoring is crucial for detecting malicious activity and securing AI models.

TAKEAWAYS:

  1. Generative AI security involves multi-layered defenses to mitigate various threats.
  2. AWS offers tools like Shield, WAF, and GuardDuty for comprehensive protection.
  3. Private networking and AWS PrivateLink enhance data security by avoiding public internet.
  4. Defense-in-depth strategies are vital for resilient AI application infrastructures.
  5. Staying informed of OWASP guidelines and CVEs is key to maintaining AI security.

Unlock new possibilities: AWS Organizations service control policy now supports full IAM language

Source: AWS Security Blog

Author: Swara Gandhi

URL: https://aws.amazon.com/blogs/security/unlock-new-possibilities-aws-organizations-service-control-policy-now-supports-full-iam-language/

ONE SENTENCE SUMMARY:

AWS Organizations now supports full IAM policy language for Service Control Policies, enhancing permission management with new elements and flexibility.

MAIN POINTS:

  1. AWS Organizations now offers full IAM policy language support for SCPs.
  2. New features include conditions, resource ARNs, and wildcards in SCPs.
  3. Enhanced permission management simplifies policy designs and reduces operational overhead.
  4. NotResource element allows broad deny-by-default policies with scoped exceptions.
  5. Updated SCPs improve clarity and simplicity compared to previous implementations.
  6. Wildcard support expands to beginning/middle of Action or NotAction strings.
  7. Allow statements can now use conditions for more precise access control.
  8. Explicit Deny statements are recommended to ensure security best practices.
  9. IAM Access Analyzer validates SCPs for security and compliance before deployment.
  10. Enhanced SCP capabilities align with IAM policies for better access control.

TAKEAWAYS:

  1. Full IAM policy language in SCPs improves precision and policy expressiveness.
  2. NotResource elements simplify deny-by-default policy structures.
  3. Support for conditions in Allow statements enhances targeted access control.
  4. Wildcards in Action/NotAction elements offer greater flexibility.
  5. IAM Access Analyzer aids in secure and compliant policy deployment.

Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1)

Source: Black Hills Information Security, Inc.

Author: BHIS

URL: https://www.blackhillsinfosec.com/wrangling-windows-event-logs-with-hayabusa-sof-elk-part-1/

ONE SENTENCE SUMMARY:

Hayabusa and SOF-ELK streamline Windows Event Log analysis by reducing entries and enhancing search efficiency for investigations.

MAIN POINTS:

  1. Event logs are crucial yet overwhelming in Windows security investigations.
  2. Hayabusa helps filter event logs by reducing entries significantly.
  3. Hayabusa outputs timelines in CSV or JSON with rule-based severity.
  4. SOF-ELK ingests and parses Hayabusa outputs for efficient analysis.
  5. SOF-ELK offers a user-friendly web UI for searching and filtering logs.
  6. Windows, Mac, and Linux platforms support the Hayabusa tool.
  7. Hayabusa can achieve a 75% reduction in event log entries.
  8. Focus on high-severity rule hits for prioritized analysis.
  9. Utilize SOF-ELK’s virtual machine and secure copy (scp) for output transfer.
  10. Adjust data views and filters in SOF-ELK to refine investigations.

TAKEAWAYS:

  1. Use Hayabusa for substantial log entry reduction during investigations.
  2. SOF-ELK facilitates detailed search and analysis of log data.
  3. Utilize high-severity filtering to streamline investigation focus.
  4. Familiarize with SOF-ELK’s web UI for seamless data review.
  5. Enhance investigation efficiency by combining tools effectively.

Navigating Amazon GuardDuty protection plans and Extended Threat Detection

Source: AWS Security Blog

Author: Nisha Amthul

URL: https://aws.amazon.com/blogs/security/navigating-amazon-guardduty-protection-plans-and-extended-threat-detection/

ONE SENTENCE SUMMARY:

Organizations leverage Amazon GuardDuty’s AI-driven threat detection services to enhance security across AWS environments with various protection plans.

MAIN POINTS:

  1. Amazon GuardDuty uses AI and ML for continuous AWS environment threat detection.
  2. Protection plans extend GuardDuty’s capabilities to specific AWS services like S3 and EKS.
  3. S3 Protection detects data exfiltration and unauthorized bucket changes.
  4. EKS Protection analyzes Kubernetes audit logs for malicious activities.
  5. Runtime Monitoring identifies threats at the operating system level on EC2 and container workloads.
  6. Malware Protection scans EBS volumes and S3 objects for known threats.
  7. RDS Protection analyzes login activities for potential unauthorized database access.
  8. Lambda Protection monitors network activities to detect serverless function threats.
  9. Enabling relevant protection plans offers cost-effective, comprehensive monitoring.
  10. Extended Threat Detection leverages AI to correlate security signals and highlight active threats.

TAKEAWAYS:

  1. Align protection plans with workload types for optimal threat detection.
  2. Use Extended Threat Detection for enhanced security insights.
  3. Protection plans are flexible, enabling customized security strategies.
  4. GuardDuty maps findings to MITRE ATT&CK® for context.
  5. Each plan includes a 30-day trial to evaluate security needs.

WizOS Is Here: Transforming Container Security from the Image Up

Source: Wiz Blog | RSS feed

Author: unknown

URL: https://www.wiz.io/blog/wizos-transforming-container-security-from-the-image-up

ONE SENTENCE SUMMARY:

WizOS launches public preview, offering secure, minimal container images to reduce vulnerabilities and streamline container image management.

MAIN POINTS:

  1. WizOS offers minimal, secure container images with near-zero CVEs for public preview.
  2. Public repositories often pose security risks and increase vulnerability noise.
  3. Secured images eliminate vulnerabilities via trusted, verifiable sources.
  4. WizOS facilitates adoption through visibility, risk prioritization, and developer-friendly image swaps.
  5. A new approach secures containers across the lifecycle, starting from the base image.
  6. WizOS images reduce vulnerabilities, saving time for security and development teams.
  7. The platform provides complete visibility into the container landscape for risk prioritization.
  8. Mika AI offers guidance on the most impactful image swap opportunities.
  9. Built-in compatibility ensures seamless adoption within development workflows.
  10. The expansion of WizOS includes a growing image catalog and enhanced security features.

TAKEAWAYS:

  1. WizOS minimizes container vulnerabilities with secure, source-built images.
  2. Provides full visibility and prioritization for effective image management.
  3. Enhances developer workflows with streamlined, proactive security.
  4. Mika AI aids in prioritizing and planning image migrations.
  5. Ongoing expansion and improvements will strengthen the platform further.

LudusHound: Open-source tool brings BloodHound data to life

Source: Help Net Security

Author: Mirko Zorz

URL: https://www.helpnetsecurity.com/2025/08/20/ludushound-open-source-tool-bloodhound-data/

ONE SENTENCE SUMMARY:

LudusHound integrates BloodHound data with Ludus to create safe, realistic AD testing environments for red and blue team use.

MAIN POINTS:

  1. LudusHound uses BloodHound data to set up Ludus Range for safe testing.
  2. Creates a copy of an Active Directory environment for testing.
  3. Red teams can map attack paths and test exploits in a lab.
  4. Blue teams can practice defense and improve AD security strategies.
  5. Requirements include Ludus, network access to BloodHound CE, and Go.
  6. Integrates Ludus framework and BloodHound for realistic test environments.
  7. Provides an accurate lab for testing planned attacks.
  8. Future plans may include SCCM and ADCS integration.
  9. LudusHound is free and available on GitHub.
  10. Offers a practical and contained environment to test network vulnerabilities.

TAKEAWAYS:

  1. Enhances both offensive and defensive cybersecurity practice.
  2. Facilitates risk-free testing of network misconfigurations.
  3. Encourages collaborative tool integration for comprehensive security testing.
  4. Supports continuous improvement with plans for future feature expansion.
  5. Accessible as a free, open-source tool on GitHub.

MorDavid/vCenterHound: Collect infrastructure and permissions data from vCenter and export it as a BloodHound‑compatible graph using Custom Nodes/Edges

Source: GitHub

Author: unknown

URL: https://github.com/MorDavid/vCenterHound

ONE SENTENCE SUMMARY:

vCenterHound collects and exports vCenter infrastructure and permission data as a BloodHound-compatible graph using custom nodes and edges.

MAIN POINTS:

  1. Supports connections to multiple vCenters for data collection.
  2. Collects data on infrastructure entities and permissions.
  3. Exports data as a JSON graph compatible with BloodHound.
  4. Custom nodes and edges provide detailed visualization.
  5. Model.json file defines styles for custom nodes.
  6. Requires Python 3.8 or higher to run.
  7. Dependencies include pyvmomi and requests libraries.
  8. CLI options allow custom configurations and verbose logging.
  9. Comprehensive model schema details various vCenter components.
  10. Aimed at security researchers integrating AI in penetration testing.

TAKEAWAYS:

  1. Facilitates investigation of infrastructure and permission paths.
  2. Customizable output supports specific research needs.
  3. Designed to enhance pen-testing workflows with AI integration.
  4. Offers modular and scalable data collection from existing vCenters.
  5. Provides a detailed graph schema for advanced analysis.

Applying CIS Benchmarks to Harden Windows 11 VDI Systems

Source: Blog Feed – Center for Internet Security

Author: unknown

URL: https://www.cisecurity.org/insights/blog/applying-cis-benchmarks-harden-windows-11-vdi-systems

ONE SENTENCE SUMMARY:

The CIS IT team effectively applied CIS Benchmarks to secure a Virtual Desktop Infrastructure environment running Windows 11 systems.

MAIN POINTS:

  1. Successfully implemented CIS Benchmarks in a VDI environment.
  2. Focused on securing Windows 11 systems.
  3. Addressed specific security needs for virtual desktops.
  4. Improved overall security posture of the VDI.
  5. Utilized CIS Benchmarks as a guide for configuration.
  6. Enhanced compliance with industry best practices.
  7. Streamlined the integration process for IT teams.
  8. Minimized security vulnerabilities and risks.
  9. Ensured a consistent security framework.
  10. Facilitated better protection against potential threats.

TAKEAWAYS:

  1. CIS Benchmarks are effective tools for enhancing VDI security.
  2. Windows 11-specific guidelines were crucial in this implementation.
  3. Maintaining compliance improves security outcomes.
  4. Consistent frameworks help manage and mitigate risks.
  5. Industry best practices support secure virtual environments.

Anthropic targets DevSecOps with Claude Code update as AI rivals gear up

Source: Anthropic targets DevSecOps with Claude Code update as AI rivals gear up | CSO Online

Author: unknown

URL: https://www.infoworld.com/article/4035583/anthropic-targets-devsecops-with-claude-code-update-as-ai-rivals-gear-up.html

ONE SENTENCE SUMMARY:

Claude enhances enterprise DevSecOps by automating secure code reviews, accelerating development, and embedding early-stage security practices.

MAIN POINTS:

  1. Claude enhances intelligent, high-confidence code findings.
  2. GenAI-driven development increases code velocity and complexity.
  3. Claude must prove resilience at scale in DevSecOps.
  4. It automates one of the most time-consuming aspects: manual security reviews.
  5. Enables developers to use natural language prompts for reviews.
  6. Streamlines early-stage security without burdening human experts.
  7. Accelerates shift-left security practices.
  8. Embeds security earlier in the Software Development Life Cycle (SDLC).
  9. Relevant across sprawling codebases and bespoke threat models.
  10. Useful for varying compliance mandates.

TAKEAWAYS:

  1. Claude automates secure code review, enhancing DevSecOps workflows.
  2. Natural language prompts simplify initiating security reviews.
  3. Embeds security earlier, accelerating development processes.
  4. Effective across complex codebases and compliance needs.
  5. Enables intelligent findings and resilience in enterprise settings.

Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource

Source: Black Hills Information Security, Inc.

Author: BHIS

URL: https://www.blackhillsinfosec.com/offensive-tooling-cheatsheets/

ONE SENTENCE SUMMARY:

The Infosec Survival Guide evolved from printed books to flexible digital formats, offering curated cheatsheets for cybersecurity professionals.

MAIN POINTS:

  1. Infosec Survival Guide is an ongoing experimental resource for cybersecurity professionals.
  2. Initial editions focused on explaining services; later editions provided direct reader value.
  3. The “Green Book” offered foundational knowledge and resources for infosec professionals.
  4. Collaboration with community volunteers was key to creating useful cheatsheets.
  5. The “Offensive Tooling Cheatsheet Edition” shifted towards a digital format for flexibility.
  6. Content creation initially emphasized articles but adapted to cheatsheet challenges.
  7. Internal Security Analysts reviewed each cheatsheet for technical accuracy.
  8. The digital format allows for continuous updates as technology evolves.
  9. The guide includes blog posts and printer-friendly PDFs of cheatsheets.
  10. Instant free access to Infosec Survival Guide issues and related content online.

TAKEAWAYS:

  1. Digital formats provide flexibility for continuous updates.
  2. Collaboration enhances content accuracy and quality.
  3. Cheatsheets fulfill evolving infosec professional needs.
  4. Community involvement is crucial for resource development.
  5. Free access to comprehensive infosec resources supports learning.

PivotTables For InfoSec Dummies

Source: TrustedSec

Author: Philip DuBois

URL: https://trustedsec.com/blog/pivottables-for-infosec-dummies

ONE SENTENCE SUMMARY:

Excel pivot tables provide advanced data analysis capabilities beyond basic sorting and searching of IP addresses and ports.

MAIN POINTS:

  1. Many users input IP addresses and ports into Excel for simple tasks.
  2. Pivot tables allow for deeper exploration of complex data sets.
  3. They enable efficient organization and summarization of large data.
  4. Through pivot tables, users can uncover trends and patterns.
  5. Advanced filter options refine data analysis techniques.
  6. They offer dynamic adjustments without altering the original data.
  7. Visual tools like charts help present data insights effectively.
  8. Drag-and-drop interface simplifies creating custom data views.
  9. They support diverse data types beyond addresses and ports.
  10. Mastery of pivot tables boosts Excel proficiency significantly.

TAKEAWAYS:

  1. Use pivot tables for advanced data analysis beyond basic Excel functions.
  2. Leverage dynamic adjustments and visual tools to enhance insights.
  3. Develop proficiency in pivot tables to improve data handling skills.
  4. Explore trend and pattern recognition with advanced filtering options.
  5. Pivot tables cater to various data types, broadening analysis scope.

BloodHound 8.0 debuts with major upgrades in attack path management

Source: Help Net Security

Author: Help Net Security

URL: https://www.helpnetsecurity.com/2025/08/05/bloodhound-8-0-open-source-attack-path-management-platform/

ONE SENTENCE SUMMARY:

BloodHound 8.0 enhances attack path management with OpenGraph integration, expanding capabilities and usability across diverse systems.

MAIN POINTS:

  1. BloodHound 8.0 introduces OpenGraph, enhancing identity attack path management.
  2. Users can ingest data from systems like GitHub, Snowflake, and Microsoft SQL Server.
  3. Innovations have focused on Microsoft Active Directory and Entra ID.
  4. OpenGraph boosts research, collaboration, and attack path management.
  5. Version 8.0 includes expandability and usability improvements.
  6. New support for Microsoft Privileged Identity Management (PIM) roles.
  7. Integrates ServiceNow for ticketing and vulnerability management.
  8. Duo integration strengthens access with two-factor authentication.
  9. Privilege Zones feature extends least privilege enforcement.
  10. BloodHound 8.0 is freely available on GitHub.

TAKEAWAYS:

  1. BloodHound 8.0 offers major advancements with the new OpenGraph feature.
  2. Expanded data ingestion capabilities enhance threat modeling.
  3. Supports enhanced visibility into privileged roles and access control.
  4. New integrations streamline ticketing and authentication processes.
  5. Available for free, it remains a key tool in cybersecurity management.

Conditional Access policies on Azure DevOps – Azure DevOps Services

Source: Microsoft Learn: Build skills that open doors in your career

Author: chcomley

URL: https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/conditional-access-policies?view=azure-devops

ONE SENTENCE SUMMARY:

Microsoft Entra ID enables tenant admins to control user access to resources through Conditional Access policies with specific conditions.

MAIN POINTS:

  1. Tenant admins use Conditional Access to control access to Microsoft resources.
  2. Access is based on conditions like group membership, location, and device.
  3. Policies can require multifactor authentication or block access.
  4. Policies are set in the Azure portal through “Microsoft Entra Conditional Access.”
  5. Azure DevOps requires specific Conditional Access settings.
  6. Entra ID checks all Conditional Access policies during web sign-ins.
  7. PATs must meet sign-in policies on REST API calls.
  8. Azure DevOps supports IP fencing policies for IPv4 and IPv6.
  9. ARM Conditional Access policies no longer cover Azure DevOps sign-ins.
  10. ARM access is still required for billing and service connection roles.

TAKEAWAYS:

  1. Admins have granular control over resource access using Conditional Access.
  2. Azure DevOps requires a new specific Conditional Access policy.
  3. Multifactor authentication is enforceable for web flows.
  4. IP fencing policies enhance security for non-interactive flows.
  5. ARM policies must be adjusted for roles needing continued access.

WhyUseExample.md

Source: GitHub

Author: Cyberlorians

URL: https://github.com/Cyberlorians/M-21-31/blob/main/WhyUseExample.md

ONE SENTENCE SUMMARY:

The PowerApp and Workbook transform event logging by operationalizing the M-21-31 model, enhancing security, compliance, and threat detection.

MAIN POINTS:

  1. Agencies often lack validation on event logging completeness in their existing logs.
  2. The workbook applies M-21-31 guidance to validate telemetry coverage with concrete queries.
  3. Security teams can verify log collection and ensure logs’ utility for compliance and response.
  4. Integration with Microsoft Defender, Entra, and Windows streamlines according to M-21-31.
  5. Supports collaboration across diverse teams for a unified security and compliance view.
  6. Enables real-time logging validation using live KQL queries in Microsoft environments.
  7. Multi-workload coverage includes Microsoft Defender, Entra ID, and more.
  8. Identity use case: Tracks and validates account creation activities in Entra ID.
  9. Enhances detection of operational risks, shadow accounts, and policy compliance.
  10. Delivers a zero trust-aligned tool, aiding both technical and policy discussions.

TAKEAWAYS:

  1. Validates logging maturity beyond assumptions with live data queries.
  2. Bridges security and compliance, aligning evidence with policy.
  3. Facilitates proactive threat hunting and operational awareness.
  4. Enhances multi-tenant context awareness and service principal targeting.
  5. Acts as a control panel for organizations using Microsoft security tools.

CISA Launches The Eviction Strategies Tool

Source: Packet Storm Security – News

Author: unknown

URL: https://www.cisa.gov/resources-tools/resources/eviction-strategies-tool

ONE SENTENCE SUMMARY:

CISA’s Eviction Strategies Tool, featuring Playbook-NG and COUN7ER, aids cyber defenders in crafting customized incident response plans.

MAIN POINTS:

  1. Playbook-NG and COUN7ER support incident response by providing systematic eviction plans.
  2. The tool accelerates creation of response plans and offers tailored eviction strategies.
  3. Users can export their inputs, but cannot alter the tool.
  4. Playbook-NG uses MITRE ATT&CK® for matching incident findings with countermeasures.
  5. COUN7ER database offers a collection of post-compromise countermeasures mapped to TTPs.
  6. COUN7ER entries include intended outcomes, preparation, risks, guidance, and references.
  7. CISA updates COUN7ER based on threat intelligence and incident observations.
  8. Playbook-NG allows export in multiple formats like JSON and Microsoft Word.
  9. Disclaimer emphasizes COUN7ER is informational, with users assuming all risks.
  10. CISA encourages feedback through an anonymous survey.

TAKEAWAYS:

  1. Tools are open source under the MIT License to encourage development.
  2. COUN7ER aligns countermeasures with various security frameworks.
  3. Playbook-NG provides incident templates for quick customization.
  4. The tool helps in crisis response and tabletop exercise planning.
  5. Feedback via an anonymous survey is welcomed by CISA.

jeanlucdupont/EXEfromCER: PoC that downloads an executable from a public SSL certificate

Source: GitHub

Author: jeanlucdupont

URL: https://github.com/jeanlucdupont/EXEfromCER

ONE SENTENCE SUMMARY:

The text describes navigation and session management actions for a user interface related to search and account activities.

MAIN POINTS:

  1. Options for searching code, repositories, users, issues, and pull requests are available.
  2. Users can save searches to filter results more quickly.
  3. Sign-up and sign-in functionalities are provided for users.
  4. There are alerts related to signing in or out in different tabs or windows.
  5. Reloading the session is necessary after signing in or out in another tab.
  6. Switching accounts in another tab requires refreshing the session.
  7. Actions cannot be performed if not currently possible.
  8. Visual elements assist in navigating menus and user sessions.
  9. Errors occur when actions are attempted but not permitted.
  10. Interface supports multiple user account management.

TAKEAWAYS:

  1. Interface facilitates efficient search and navigation through various user actions.
  2. Session management ensures user activity continuity across tabs.
  3. Saved searches optimize user experience by speeding up filtering.
  4. Alerts maintain user awareness of session status changes.
  5. Restrictions prevent unauthorized or impossible actions in the system.

DNS Packet Inspection for Network Threat Hunters

Source: Active Countermeasures

Author: Faan Rossouw

URL: https://www.activecountermeasures.com/dns-packet-inspection-for-network-threat-hunters/

ONE SENTENCE SUMMARY:

DNS packet inspection is crucial for network threat hunters to effectively identify and mitigate command and control threats.

MAIN POINTS:

  1. Command and Control (C2) often uses DNS for covert communication.
  2. DNS packet inspection helps detect unusual patterns.
  3. Long, garbled DNS queries can indicate malicious activity.
  4. Network threat hunters focus on identifying C2 channels.
  5. Active Countermeasures provides insights into DNS analytics.
  6. DNS data can reveal hidden C2 servers.
  7. Understanding common DNS behaviors assists in threat detection.
  8. Tools are available to aid in DNS packet analysis.
  9. Analyzing DNS traffic enhances security measures.
  10. DNS inspection is a key part of cybersecurity strategies.

TAKEAWAYS:

  1. DNS packet analysis is vital for identifying hidden threats.
  2. Recognizing C2 patterns aids in early threat detection.
  3. Effective tools improve DNS traffic scrutiny.
  4. Familiarity with DNS behavior is crucial for cybersecurity.
  5. Proactive DNS inspection strengthens network defenses.

Autoswagger: Open-source tool to expose hidden API authorization flaws

Source: Help Net Security

Author: Help Net Security

URL: https://www.helpnetsecurity.com/2025/07/24/autoswagger-open-source-tool-expose-hidden-api-authorization-flaws/

ONE SENTENCE SUMMARY:

Autoswagger is a free tool that scans APIs for broken authorization vulnerabilities by analyzing OpenAPI documentation and endpoint responses.

MAIN POINTS:

  1. Autoswagger scans APIs for broken authorization vulnerabilities.
  2. It detects API schemas in various formats across organization domains.
  3. Scans for OpenAPI and Swagger documentation pages to find valid schemas.
  4. Automatically generates endpoints list for testing based on API specifications.
  5. Tests endpoints for authorization flaws by sending valid requests.
  6. Flags endpoints with unexpected valid responses instead of HTTP errors.
  7. Highlights endpoints with missing or ineffective authentication.
  8. Can simulate bypassing validation checks with a –brute flag.
  9. Analyzes responses for exposed sensitive data like PII or credentials.
  10. Available for free on GitHub to enhance API security practices.

TAKEAWAYS:

  1. Autoswagger helps identify broken authorization in API endpoints effortlessly.
  2. Publicly exposing API documentation increases risk; avoid unless necessary.
  3. Regular API scanning is critical after each development iteration.
  4. Simulating bypass checks can uncover deeper security flaws.
  5. Tool emphasizes importance of not exposing APIs unnecessarily.