Posts

An inside look at NSA (Equation Group) TTPs from China's lens

Since I reside in a Five Eyes country (Australia) and have publicly presented four cases I led on China's APT41 attacking organisations in ASEAN, particularly concerning China's cyber and political strategies, I was curious to explore what China publishes about Five Eyes operations. This led me down a rabbit hole of research into TTPs that Chinese cybersecurity entities have attributed to the NSA – or, as they term it, "APT-C-40". These insights stem from extensive research I did on Weixin, which hosts intelligence reports published by China's Qihoo 360, Pangu Lab, and the National Computer Virus Emergency Response Center (CVERC). It is important to note that the authenticity and extent of these allegations remain unverified by independent sources. My goal in writing this blog is simply to aggregate and share what Chinese sources are publishing about NSA's cyber operations (APT-C-40) to see if I could learn any new detection techniques or offensive techniques to research for fun. As I ...

Understanding Tokens in Entra ID: A Comprehensive Guide

Full blog post link: https://www.xintra.org/blog/tokens-in-entra-id-guide

Detecting Lateral Movement in Entra ID: Cross Tenant Synchronization

Full blog post link: https://www.xintra.org/blog/lateral-movement-entraid-cross-tenant-synchronization

Azure Command Line Forensics - Host Based Artifacts

On most of the on-premises to cloud lateral movement compromises I've worked relating to Azure, threat actors typically leverage a number of different command-line focused tools. They use these tools to enumerate the victim's Azure environment, backdoor Active Directory, establish persistence and move laterally. These are generally one or a combination of the following (this is not a comprehensive list, just examples): AADInternals, Azure CLI and the AzureAD PowerShell module. Threat actors run these tools on servers and hosts of interest, e.g. AD FS servers and AD CS servers, to abuse pass-through authentication or identity federation. The Azure CLI has also been leveraged by attackers to perform various enumeration and reconnaissance style attacks. If you want more detailed information around how to detect and perform attacks against Azure and Microsoft 365, check out my "Attacking and Defending Azure / M365" course. High-Level Methodology First to perform t...

Detecting Fake Events in Azure Sign-in Logs

Threat actors can create and populate fake entries in the Azure sign-in logs that look like legitimate events. The parameters they can spoof in the logs include (but are not limited to) the timestamp of when the events are generated, the user account, IP addresses and the network location type. During forensic investigations, analysts may not be aware that some of the logs are not "legitimate" and start recording indicators of compromise that are not necessarily "real". Further, this raises the question of "trust" regarding log sources, highlighting that during forensic investigations it is always best practice to utilise multiple sources rather than solely relying on one. This technique has previously been written about by @DrAzureAD in his blog post here and was also covered by Secureworks Counter Threat Unit here. As per @DrAzureAD's blog, this attack can be conducted TWO ways, the second method being harder to detect than the first: Method 1: An attacker gains local admin / domain ad...