By Troy Wojewoda During a recent Breach Assessment engagement, BHIS discovered a highly stealthy and persistent intrusion technique utilized by a threat actor to maintain Command-and-Control (C2) within the clientβs [β¦]
The post The Curious Case of theΒ Comburglar appeared first on Black Hills Information Security, Inc..
One tool that I can't live without when performing a penetration test in an Active Directory environment is called NetExec. Being able to efficiently authenticate against multiple systems in the network is crucial, and NetExec is an incredibly powerful tool that helps automate a lot of this activity.
The post Getting Started with NetExec: Streamlining Network Discovery and Access appeared first on Black Hills Information Security, Inc..
In my journey to explore how I can use artificial intelligence to assist in penetration testing, I experimented with a security-focused chat bot created by Jason Haddix called Arcanum Cyber Security Bot (available on https://chatgpt.com/gpts). Jason engineered this bot to leverage up-to-date technical information related to application security and penetration testing.
The post Augmenting Penetration Testing Methodology with Artificial Intelligence β Part 3: Arcanum Cyber Security Bot appeared first on Black Hills Information Security, Inc..
Espanso is a powerful cross-platform and open-source text replacement (or text expander) tool. At a simple level: it replaces what you type with something else.
The post Espanso: Text Replacement, the Easy Way appeared first on Black Hills Information Security, Inc..
A common use case for LLMs is rapid software development. One of the first ways I used AI in my penetration testing methodology was for payload generation.
The post Augmenting Penetration Testing Methodology with Artificial Intelligence β Part 2: Copilot appeared first on Black Hills Information Security, Inc..
Engaging with the C-suite is not just about addressing security concerns or defending budget requests. It's about establishing and maintaining an ongoing discussion that aims to align security objectives with the interests of the business.Β Β
The post Communicating Security to the C-Suite: A Strategic ApproachΒ appeared first on Black Hills Information Security, Inc..
In the most recent revision of the OWASP Top 10, Broken Access Controls leapt from fifth to first.1 OWASP describes an access control as something that βenforces policy such that [β¦]
The post Finding Access Control Vulnerabilities with Autorize appeared first on Black Hills Information Security, Inc..
Risk is real. To better understand cybersecurity risk, letβs compare cyber risks to risks in the natural world from hurricanes. We can learn lessons from hurricanes and unnamed storms in [β¦]
The post Cyber Risk Lessons We Can Learn From Hurricane Preparedness appeared first on Black Hills Information Security, Inc..
In this video, experts delve into the intricacies of desktop application penetration testing methodologies.
The post Intro to Desktop Application Testing Methodology appeared first on Black Hills Information Security, Inc..
Patterson Cake // In PART 1 of βWrangling the M365 UAL,β we talked about the value of the Unified Audit Log (UAL), some of the challenges associated with acquisition, parsing, [β¦]
The post Wrangling the M365 UAL with SOF-ELK on EC2 (Part 2 of 3) appeared first on Black Hills Information Security, Inc..
Patterson Cake // When it comes to M365 audit and investigation, the βUnified Audit Logβ (UAL) is your friend. It can be surly, obstinate, and wholly inadequate, but your friend [β¦]
The post Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3) appeared first on Black Hills Information Security, Inc..
moth // Recently, BHIS penetration tester Dale Hobbs was on an Internal Network Penetration Test and came across an RPC-based arbitrary command execution vulnerability in his vulnerability scan results.Β I [β¦]
The post Exploit Development β A Sincere Form of Flattery appeared first on Black Hills Information Security, Inc..
Michael Allen // Every year around the holidays I end up having a conversation with at least one friend or family member about the importance of choosing unique passwords for [β¦]
The post The Paper Password Manager appeared first on Black Hills Information Security, Inc..
Craig Vincent// This all started with a conversation I was having with a few other BHIS testers. At the time, I was testing a web application that used WebSockets. The [β¦]
The post Command and Control with WebSockets WSC2 appeared first on Black Hills Information Security, Inc..
BB King // BB King looks at testing modern web apps in that βenterprise environmentβ so many of us inhabit. Taking the perspective of the Lonely Application Security Person in [β¦]
The post WEBCAST: Web App Assessments for Non-Majors appeared first on Black Hills Information Security, Inc..
Jordan Drysdale// tl;dr Vulnerability management is a part of doing business and operating on the public internet these days. Include training as part of this Critical Control. Users should be [β¦]
The post Small and Medium Business Security Strategies: Part 4 appeared first on Black Hills Information Security, Inc..
Brian Fehrman// Microsoft Lync servers have been a staple of my external engagements for the past six months or so. I have found a Lync server on all of those [β¦]
The post PSA: Itβs 10PM, Do You Know Where Your Lync Servers Are? appeared first on Black Hills Information Security, Inc..
Jordan Drysdale// HERE IT IS! Finally! For the vsagent from SANS SEC504 (only the finest InfoSec course the world has ever seen!): this is a Q&D deployment guide for the [β¦]
The post 504 VSAgent Usage Instructions appeared first on Black Hills Information Security, Inc..
BB King//* The state of Ohio recently validated a webapp pentest finding that sometimes goes overlooked. It relates to the details of administrative functions, how they can be abused, and [β¦]
The post When Infosec and Weed Collide: Handling Administrative Actions Safely appeared first on Black Hills Information Security, Inc..
Carrie Roberts*Β // (Updated, 2/11/2019) Trying to figure out the password for a password protected MS Office document? This free solution might do the trick. It attempts to guess the password [β¦]
The post How to Crack Passwords for Password Protected MS Office Documents appeared first on Black Hills Information Security, Inc..
Login