Illusive Labs Blog

Technical cybersecurity perspectives focusing on deceptions, threat trends, incident response, advanced attacks and new technologies

MailSniper – You Can Teach an Old Dog New Tricks: Pwn O365-based Organizations by Leveraging PRT-based SSO

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.

This blog post will describe how we upgraded the notorious penetration testing tool. The upgrade allows red teamers to use a stealthier attack approach on O365 users without the need for admin credentials or knowing the victim’s password.

When Everyone’s Dog Is Named Fluffy

How the new Security Questions feature in Windows 10 can be used as a backdoor to establish domain-wide persistence.

Externalizing deception: The creation and use of deceptive Open Source Intelligence

Open Source Intelligence (OSINT) is widely used by attackers every day. Information they find through publicly available sources can be valuable, both in learning about how to go after their target, and in actually executing a compromise.

Deconstructing a Modern Bank Heist: the [not] Carbanak source code leak

An analysis of reconnaissance and lateral movement in the recent [not] Carbanak source code leak.

A rare learning opportunity

Earlier this month news spread of a source code leak that was initially identified as Carbanak, the infamous trojan that has been used to steal hundreds of millions of dollars from various banks.

Why and How to Extract Network Connection Timestamps for DFIR Investigations

For as long as I have been doing forensics, or more specifically, live response, there has been a lot of value in reviewing a Windows system’s network connections during an investigation; in fact, this is recognized as standard practice. There are many reasons to do so, however, this work is essentially done to find an anomaly, something suspicious.

Improving Cyber Investigation Outcomes through Better Visualization of Historic Process Execution Events

Incident response investigation usually involves the collection and analysis of a vast amount of evidence, including analysis of processes being executed. Looking at their timing and their ancestors provides researchers with an initial understanding of what happened on the machine being investigated.

Windows Console Command History: Valuable Evidence for Live Response Investigation

Note: This blog is an updated version of a piece originally published in the March 2017 edition of eForensics Magazine.

As a security researcher and part-time Incident Response (IR) analyst, I know that fine details are of paramount importance. The role requires ongoing research to understand an attacker’s actions on compromised machines. A typical research process requires examining hundreds, or even thousands, of artifacts to find the needle in the haystack.

Phishing the Phishers: Using Attackers’ Own Tools to Combat APT-style attacks

As a deceptions researcher, part of my job is to design deceptions against attackers by manipulating or reverse-engineering the common toolkits attackers use. Deceptions are pieces of false information that are planted across the organization and appear as real, relevant information to the attacker. For example, browser deceptions — pieces of information specifically planted in browser history, saved forms, etc. — can be created to lure malicious hackers and insiders to deceptive web servers. In this article, we will show how phishing can be used to catch attackers and how phishing kits can be used for defensive purposes.

A Deception Researcher’s Take-Aways from the 2017 Black Hat Arsenal

Most people in cybersecurity are familiar with the Black Hat conference. But whether you know about Black Hat Arsenal depends on how involved you are in the bits and bytes of information security. Some regard Arsenal as one of the best features of the conference. According to the web site, Arsenal allows “independent researchers and the open source community [to] showcase their latest open-source tools and products” in a relaxed, demo-style setting.