Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan

In this video, Kent Ickler and Jordan Drysdale discuss Attack Tactics 9: Shadow Credentials for Primaries, focusing on a specific technique used in penetration testing services at Black Hills Information Security.

The post Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan appeared first on Black Hills Information Security, Inc.

One Active Directory Account Can Be Your Best Early Warning

Here we go again, discussing Active Directory, hacking, and detection engineering. tl;dr: One AD account can provide you with three detections that if implemented properly will catch common adversarial activities […]

The Top Ten List of Why You Got Hacked This Year (2023/2024)

by Jordan Drysdale and Kent Ickler tl;dr: BHIS does a lot of penetration testing in both traditional and continuous penetration testing (CPT) formats. This top ten style list was derived […]

Enable Auditing of Changes to msDS-KeyCredentialLink

Changes to the msDS-KeyCredentialLink attribute are not audited/logged with standard audit configurations. This required serious investigation, and a partner firm in infosec provided us the answer: TrustedSec. So, credit where […]

How to Install and Perform Wi-Fi Attacks with Wifiphisher

tl;dr: Install Wifiphisher on Kali and run a basic attack. This crappy little copy/paste-able operation resulted in a functional Wifiphisher virtual environment on Kali (as of January 22, 2024). Two […]

The Simplest and Last Internet-Only ACL You’ll Ever Need

tl;dr: Implement this ACL using whatever network gear, cloud ACL config, or uncomplicated firewall you use to protect your networks. Our IoT devices are on 10.99.99.0/24 for this example. Also, […]

Impacket Defense Basics With an Azure Lab

Jordan Drysdale // Overview The following description of some of Impacket’s tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the code. […]

Impacket Offense Basics With an Azure Lab

Jordan Drysdale // Overview The following description of some of Impacket’s tools and techniques is a tribute to the authors, SecureAuthCorp, and the open-source effort to maintain and extend the […]

The Azure Sandbox – Purple Edition

Jordan Drysdale // Azure has replaced AWS in my personal development pipeline. This may sound crazy but hear me out. Microsoft has solidified its offerings, done nothing but improve its […]

Webcast: The Quest for the Kill Chain Killer Continues

Jordan and Kent have heard from a lot of people that the past Black Hills Information Security (BHIS) webcasts: “Group Policies That Kill Kill Chains” and “Active Directory Best Practices […]

A Sysmon Event ID Breakdown – Updated to Include 29!!

Jordan Drysdale // UPDATES! October 30, 2023: There’s been an additional update for Sysmon! Event ID 29! Another Event ID (EID) was added to the Sysmon service. This event ID followed […]

Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike!

Jordan Drysdale // tl;dr Sentinel is easy! Especially when using Azure Sentinel To-Go. So, let’s do some threat research by deploying Sentinel To-Go and executing a Cobalt Strike beacon. Link: […]

Azure Security Basics: Log Analytics, Security Center, and Sentinel

Jordan Drysdale // TL;DR The problem with a pentester’s perspective on defense, hunting, and security: lab demographics versus scale. If it costs $15 bucks per month per server for me […]

How To: Applied Purple Teaming Lab Build on Azure with Terraform (Windows DC, Member, and HELK!)

Jordan Drysdale & Kent Ickler // tl;dr Ubuntu base OS, install AZCLI, unpack terraform, gather auth tokens, run script, enjoy new domain. https://github.com/DefensiveOrigins/APT-Lab-Terraform For those of you who have been […]

Webcast: Atomic Purple Team Framework and Life Cycle

Jordan Drysdale & Kent Ickler // Jordan and Kent are back again to continue strengthening organizations’ information security human capital (That’s all you folks!). Organization Leadership and Security Practitioners can […]

How To Deploy Windows Optics: Commands, Downloads, Instructions, and Screenshots

Jordan Drysdale & Kent Ickler // TL;DR Look for links, download them. Look for GPOs, import them. Look for screenshots for guidance. Sysmon + Windows Audit Policies + Event Collectors […]
