Detecting Lateral Movement in Entra ID: Cross Tenant Synchronization

-

 


Comments

Post a Comment

Popular posts from this blog

An inside look at NSA (Equation Group) TTPs from China’s lense

-
Image
Since I reside in a Five Eyes country (Australia) and have publicly presented four cases I led on China’s APT41 attacking organisations in ASEAN , particularly concerning China’s cyber and political strategies, I was curious to explore what China publishes about Five Eyes operations. This led me down a rabbit hole of research into TTPs that Chinese cybersecurity entities have attributed to the NSA – or, as they coin “APT-C-40”. These insights stem from extensive research I did on Weixin containing intelligence reports published by China’s Qihoo 360, Pangu Lab, and the National Computer Virus Emergency Response Center (CVERC). It is important to note that the authenticity and extent of these allegations remain unverified by independent sources. My goal in writing this blog is simply to aggregate and share what Chinese sources are publishing about NSA’s cyber operations (APT-C-40) to see if I could learn any new detection techniques or offensive techniques to research for fun.  As I ...
Read more

How to Reverse Engineer and Patch an iOS Application for Beginners: Part I

-
Image
So you want to reverse and patch an iOS application? I got you >_< If you’ve missed the blogs in the series, check them out below ^_^ Part 1: How to Reverse Engineer and Patch an iOS Application for Beginners Part 2: Guide to Reversing and Exploiting iOS binaries: ARM64 ROP Chains Part 3: Heap Overflows on iOS ARM64: Heap Spraying, Use-After-Free  This blog is focused on reversing an iOS application I built for the purpose of showing beginners how to reverse and patch an iOS app. No fancy tools are required (IDA O.o), it's just you, me & a debugger <3 The app is a simple, unencrypted Objective-C application that just takes in a password and the goal of this is to bypass the password mechanism and get the success code. This blog post will focus on reversing/debugging the application and will not cover aspects of static analysis. The reason I wanted to write this is because I realised this topic is confusing for a lot of people and I wanted to try and write a blog t...
Read more

Forensic Analysis of AnyDesk Logs

-
Image
Most threat actors during ransomware incidents utilise some type of remote access tools - one of them being AnyDesk. This is a free remote access tool that threat actors download onto hosts to access them easily and also for bidirectional file transfer.  There are two locations for where AnyDesk logs are stored on the Windows file system: %programdata%\AnyDesk\ad_svc.trace %appdata%\Anydesk\ad.trace The AnyDesk logs can be found under the appdata located within each users' directory where the tool has been installed. Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log: Remote IP where the actor connected from File transfer activity Locating the Remote IP Connecting to AnyDesk Inside the "ad.trace" log you can grep for the following term "External address" and this should reveal the following line pasted below. I have redacted the IP for privacy's sake: info 2021-02-04 23:25:10.500       lsvc   9988 ...
Read more