Dear PenTest Readers,
In 2021 we celebrated our 10th anniversary. Once again, we would like to express how grateful we are for your company on our journey. Such a very special occasion requires an exclusive edition, doesn’t it? :)
That’s why we asked our most trusted contributors to provide top-notch articles in their areas of expertise, and believe us - the results are just marvelous! We would like to say a loud “THANK YOU” to each and every one of them for taking part in this initiative and making it happen.
The issue starts with an article by Chrissa Constantine, who talks about Ransomware-as-a-Service, with a case study of XingLocker. This ransomware may be one of the first to use APIs to perform reconnaissance and to leverage them to spread to other devices. A truly fascinating read that must not be missed.
Next, Eva Prokofiev provides great insight into the realm of cryptocurrencies and related security concerns. Crypto Fraud Investigation scenarios illustrate what kind of metadata can be linked to threat actors and fraudsters. As we haven’t presented materials on this topic before, we’re extremely happy to have it featured now.
Paul Mellen, who is also our reviewer of many years, brought in a wonderful, thorough write-up on RFID long range credential capture. Every offensive security professional should get familiar with this sophisticated technique.
Filipi Pires, our regular contributor and course instructor, definitely keeps up with his own high-set standards. This time, he discusses a Keylogger Malware investigation with PowerShell. Those of you who don’t know Filipi’s articles just yet should definitely change that as soon as possible.
Are you interested in OSINT & Cyber Threat Intelligence? Don’t fret (bad pun intended), as we have great treats for you too!
Aaron Roberts wrote an excellent article on utilizing OSINT to target organizations with the most useful tools - Spiderfoot and Maltego. A lot of practical knowledge awaits, combined with great writing!
EPCyber talks about the importance of Threat Intelligence for future cybersecurity programmes. The article provides both a theoretical background on TI and valuable practical examples of using TI resources, such as domain investigation or using Shodan for your IoT reconnaissance.
Moving further, Alexandros Pappas comprehensively explains what the best Threat Hunting practices are, such as asset management or Long Tail analysis. The author underlines the importance of focusing on the application level. Don’t miss this read and enhance your skills in hunting for malicious activities.
Interested in IoT? Looking for some fresh tools? Pablo Gonzalez Perez and Fran Ramirez have you covered! They present their new tool named “on-the-fly”, dedicated to IoT and ICS pentesting. A great opportunity to discover a new addition to your lab.
Bruce Williams discusses the best approach to defending a start-up. This is particularly important these days, as new start-ups are emerging on the market in great numbers. We all know that they need efficient protection, but this aspect is very often not a priority. Bruce’s article is a step towards changing this.
Last but not least, Harpreet Singh takes a closer look at Active Directory attacks. With a top 10 of AD pentesting methods, the author shows how partial or complete control of it can be gained. A very valuable set of scenarios for every ethical hacker.
As usual, we would like to thank every reviewer and proofreader involved in the creation of this special edition.
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
Ransomware-as-a-Service: Enterprise-level Hunting Operations
by Chrissa Constantine
In July 2021, XingLocker emerged as a personalized version of Mount Locker, a Mount Locker ransomware variant that uses enterprise Windows Active Directory API to worm the infected network. XingLocker may be one of the first instances of using APIs to perform reconnaissance and to leverage them to spread to other devices. The newer lightweight version of this malware is often combined with AdFind to perform network reconnaissance. Cobalt Strike is also used to spread the malware laterally once installed.
The Era of Crypto and Fraud Investigations
by Eva Prokofiev
Although cryptocurrency is intended to be secure, it leaves a lot of information and metadata that may be linked, requiring threat actors and fraudsters to be more cautious in their illegal actions and activities, and allowing investigators to connect the dots in an attempt to uncover useful and valuable information. Users who do not understand how to store, use and maintain cryptocurrency may be misled into disclosing their private key rather than a public address in order to obtain "free" cryptocurrency. Fraudsters believe that by using Bitcoins, they can regain control of their digital footprint.
Hidden Benefits of Social Distancing, Shut That Door!
by Paul Mellen
There are many attack surfaces with RFID-based access control systems. This article focuses on “long range RFID credential capture”. This technique leverages a long-range RFID reader, the fact that no crypto is used, cards just transmit the “unique” identifier, and the formatting of the “unique” identifier is most likely “protected” (a note of sarcasm) by security through obscurity.
Keylogger Malware by RAT Remcos using PowerShell
by Filipi Pires
The purpose of this document is to investigate a file that was received to perform some investigation. The idea is to find some IOCs from the same and understand the impact behind them. This report was based on one of the pillars of Threat Hunting using IOCs (Indicators of Compromise). Usually, IOCs are identified as virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. We performed some research, and analysis was carried out regarding the appropriate behaviors. With the final product, the front responsible for the product will have an instrument capable of guiding a process of mitigation and/or correction, as well as optimized improvement, based on the criticality of risks.
ICS and IoT Environments Pentesting with “on-the-fly” Tool
by Pablo Gonzalez Perez and Fran Ramirez
The 'on-the-fly' tool intends to give the pentester an 'all-in-one' tool by deploying different functionalities applicable across the three domains of work: IoT, ICS & IT. The presented work introduces a new framework that provides enough functionalities to discover, evaluate, and audit technologies from the three mentioned domains.
Using OSINT to Target Organisations
by Aaron Roberts
It won't be a surprise that most methods of getting into a company usually require some level of human interaction, something that we introverted nerds in cyber are not very comfortable with. However, you may not need to craft the perfect phishing email or plot the old "engineer with a clipboard" routine, when you can passively obtain information on the people that work for a company and what goodies they may have already leaked to the world.
Threat Intelligence of Future Cybersecurity Programs
by EPCyber
Organizations in the service and delivery sectors are especially concerned about new and unknown cybersecurity threats because they affect their reputation, revenue, and business integrity. As a result, CISOs and security teams are increasing awareness and consuming threat data on a variety of levels in order to understand the "next move" a threat actor would take against them and how to protect themselves. Knowing what you're up against is, after all, half the battle.
Threat Hunting Best Practices
by Alexandros Pappas
In terms of identification, like finding the bad guys, this normally happens across multiple levels, and we want to be able to connect those levels together and gain more visibility across our environments. It is true that a lot of detection is heavily invested in edge firewalls (e.g. Next Generation) and network, on host perimeter like IDSs/IPSs, but the big deal and the real focus should be on the application level. Focusing on the application level, the richness of logs showing everything that is happening on the system, the processes that are running, what type of network communications are happening, can provide us with a clear view and can direct our hunting actions. Application level is the place we can see the most value during a threat hunting activity.
Defending a Start-up
by Bruce Williams
I have worked with technology startups and found myself in their risk management discussions as an analyst. One title was Corporate Development Manager, which allowed me to ask all sorts of strange questions. One time I was not involved in this role and the company database was hacked, losing client details including emails etc. This hurt both my pride and the company in which I had investments. When there was such an attack, the company suffered a loss of reputation and closed within six months, mainly from management differences, but this loss of IP was a trigger and a sore point with the venture capitalists. Why invest in a leaky boat?
Top 10 Active Directory Attacks [FULL ARTICLE AVAILABLE IN THE FREE PREVIEW VERSION]
by Harpreet Singh
In this article, we will be discussing a few cases of attacking Active Directory and see how we can gain partial or complete control of it. We will start with the technology and the features it has, followed by a bit of the architecture in general terms. Next, we will be discussing the attack scenarios and the attack tree covering various AD attack methods and the mitigation strategies.