0xRob - InfoSec

Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 2 – Setting up Custom Queries and a Example Host Investigation Notebook

23rd March 2023 Uncategorised 0xrob 0

Welcome to part 2 of the threat hunting with jupyter notebook series, If you followed part 1 you should be setup and able to query MDE in a jupyter notebook using msticpy. Now lets do the exciting part, lets build some custom queries and use them to investigate a host for suspicious activity and put […]

Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 1 – Setting up Msticpy with MDE

11th January 2023 Uncategorised 0xrob 0

I plan on making this a 2 part blog series which will go through the following topics The Why When it comes to Threat Hunting how many times have you seen an analyst with a giant onenote or confluence page filled with queries that everyone just periodically runs or even adhoc and analyses the output, […]

Stopping Blue Teams From Obtaining Payloads Via Browser Based Virtualisation Detection and HTML Smuggling

8th August 2021 Uncategorised 0xrob 0

Introduction Red Teams and malicious actors will likely have faced the challenge of not only getting a user to click on a phishing link to deliver a payload but also ensuring that this stays undetected by blue teams. They will likely need to bypass proxy filetype based detections combined with utilising social engineering the user […]

Building a Custom Shellcode Loader with Syswhispers to Utilise Direct Syscalls

14th March 2021 Uncategorised 0xrob 0

This post is heavily similar to my previous post located here around designing a custom shellcode loader which will pull shellcode from a server and execute it into a process. This POC currently bypasses Windows Defender when used with Sliver C2 framework (and likely others) along with 2 tested but unnamed EDR products. The main […]

Building a Custom shellcode stager with process injection to Bypass Windows Defender

6th July 2020 Uncategorised 0xrob 0

This post is going to use the SLIVER C2 framework to configure a stager and bypass a current updated windows defender, using shellcode injection. Note that this is not the best OPPSEC as i’m just going to be running an arbitrary executable on disk, for a more realistic attack scenario e.g using a malicious document […]

Using Covenant and Excel 4.0 Macros to Bypass Windows Defender

26th June 2020 Uncategorised 0xrob 0

This methodology is a simple but effective way to bypass current windows defender using excel 4.0 macros. (and possibly some EDRs 😉 ) I’ve deliberately avoided obfuscation as much as possible in this macro to make it simple to follow but still bypass windows defender (most of the malicious activity occurs in a JS file […]

Using a Password Filter to Create a Banned Password List without Azure AD on Windows

21st October 2019 Uncategorised 0xrob 0

For SMEs or whatever the use case it may not be applicable to rely on azure AD for your banned password implementation to conform with the new NCSC baselines and NIST recommendations of a banned password list. Well good news there’s an password filter .dll implementation that does exactly what you are looking for which […]

Using a database of 100 million+ breached passwords to secure a Linux server/Endpoint for an SME

1st August 2019 Uncategorised 0xrob 0

With the NCSCs newly recommended best practices involving having a banned password list and Microsoft recommending and even implementing their own ability to do so for any users subscribed to azure Active directory this shows how important a banned password list can be to an organisation. See more about Microsoft new recommendations here and their […]

Creating a Malware Analysis Lab for Dynamic Analysis

1st July 2019 Uncategorised 0xrob 0

Any Cyber Analyst or InfoSec Researcher understands the importance of gathering proactive and actionable threat intelligence to protect critical customer assets from attacks. To do this To do this we need to collect and store IOCs and TTPs easily and effectively giving us the ability to create rules to detect these methodologies being used in […]