Category: Defense

The Dangers of Client Probing on Palo Alto Firewalls

While performing a routine internal penetration test, I began the assessment by running Responder in analyze mode just to get an idea of what was being sent over broadcast. Much to my surprise, I found that shortly after running it, a hash was captured by Responder’s SMB listener. This hash belonged to an account named…


Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs

CrackMapExec is a popular tool that is used by attackers to move laterally throughout an environment. I use it personally on my penetration tests, as I’ve found that it does a really good job at moving from system to system without detection.  My goal with this blog post is to give defenders some techniques on…


Securing a default installation of MacOS

  This was originally written as the basis for a GIAC Gold paper.  Ultimately, it was not unique enough to warrant a research paper, but will provide an overview of the security features of MacOS.   As of mid 2016, MacOS captures nearly 10% of the global market for desktop PC software.  While Apple computers…


Removing Backdoors – Powershell Empire Edition

                  I’m a big fan of Powershell Empire for penetration testing.   If you haven’t heard of it, it is a post-exploitation framework which uses powershell agents to run post-exploitation scripts on a target system.  This blog post is meant to address a small subset of the…