7MS #502: Building a Pentest Lab in Azure

This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more. In today's episode we talk more about eating the security dog food (following the best practices we preach!). Specifically, we focus on keeping that bloated email inbox a little more lean and mean. There are lots of tools/services to help with this, but we had a blast playing with MailStore (not a sponsor but we'd like them to be:-).

14 Loka 202228min

SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit SafePass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount! Today we talk about configuring your Active Directory with MFA protection thanks to AuthLite. In the tangent department, we give you a short, non-spoilery review of the film Smile.

7 Loka 202235min

Today we're excited to kick off a new series all about blue team bliss - in other words, we're talking about pentest stories where the blue team controls kicked our butt a little bit! Topics include: The ms-ds-machineaccount-quota value is not an "all or nothing" option! Check out Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain. We installed LAPS on Twitch last week and it went pretty well! We'll do it again in an upcoming livestream. Defensive security tools that can interrupt the SharpHound collection! EDRs are pretty awesome at catching bad stuff - and going into full "shields up" mode when they're irritated!

30 Syys 202258min

Today we revisit a series we haven't touched in a long time all about eating the security dog food. TLDL about this series is I often find myself preaching security best practices, but don't always follow them as a consultancy. So today we talk about: How the internal 7MS infosec policy development is coming along Why I'm no longer going to be "product agnostic" going forward Some first impressions of a new tool I'm trying called ITGlue (not a sponsor) How to start building a critical asset list - and how it shouldn't overlook things like domain names and LetsEncrypt certs Also, don't forget we are doing weekly livestreams on security topics!

23 Syys 202247min

Hey friends! Today we're giving you a first impressions episode all about Airlock Digital, an application allowlisting solution. They were kind enough to let us play with it in our lab with the intention of exploring its bells and whistles, so we're excited to report back our findings in podcast form. TLDL: we really like this solution! It is easy to deploy (see this YouTube video for a quick walkthrough). Once I had it going in the lab, I tried administering it without reading any of the documentation, and figured out most of the workflows with ease. I just ran into a couple questions that the Airlock folks were great about answering quickly. I want to better understand the "Microsoft way" to do application allowlisting - using their standard offering or something like AaronLocker. But several colleagues have told me they had "OMG moments" where a C-level staff member suddenly needed to run something like ringcentral.exe and they weren't able to because of app blocklisting. It then becomes difficult to quickly allow that .exe to run without pushing GPO updates or having someone log in as local admin or something like that. But Airlock has a cool, killer feature to address this need...take a listen to today's program to learn more!

16 Syys 202236min

In today's episode we share some tips we've picked up in the last few weeks of pentesting, with hopes it will save you from at least a few rounds of smashing your face into the keyboard. Tips include: If you find yourself with "owns" rights to a bajillion hosts in BloodHound, this query will give you a nice list of those systems, one system per line: cat export-from-bloodhound.json | jq '.nodes[].label' | tr -d '"' Then you can scan with nmap to find the "live" hosts: nmap -sn -iL targets.txt For resource based constrained delegation attacks, check out this episode of pwnage for some step-by-step instructions. If you have RBCD admin access to victim systems, don't forget that CrackMapExec support Kerberos! So you can do stuff like: cme smb VICTIM-SYSTEM -k --sam or cme smb VICTIM-SYSTEM -k -M wdigest -M ACTION=enable Take the time to search SMB shares with something like PowerHuntShares. If you have write access in places, drop an SCF file to capture/pass hashes! Looking to privilege escalate while RDP'd into a system? You owe it to yourself to check out KrbRelayUp! Ever find yourself with cracked hashcat passwords that look something like '$HEX[xxxx]'? Check this tweet from mpgn for a great cracking tip!

9 Syys 202250min

Today we're so excited to welcome Amanda Berlin, Lead Incident Detection Engineer at Blumira, back to the show (did you miss Amanda's first appearance on the show?  Check it out here)!  You might already be familiar with Amanda's awesome Defensive Security Handbook or her work with the Mental Health Hackers organization.  Today we virtually sat down to tackle a variety of topics and questions, including: What if HAFNIUM2 comes out today and only affects 2 specific versions of Exchange?  Does Blumira buy every software/hardware thingy out there and have an evil scientist lab where they test out all these different exploits, and then create detections for them? Can an old, out-of-touch security guy like me still find a place at the Vegas hacker conferences (even though I hate lines, heat, crowds and partying)?  Spoiler alert: yes. Are security vendors more likely to share their software/hardware security services with a defensive security group like Blumira, rather than pentesters like 7MinSec? Does Amanda think there's a gender bias in the security industry? Besides being aware of it happening, what can we do to cut down the bullying/secure-splaining/d-baggery/etc. in the industry?

2 Syys 20221h 5min

Today's episode covers three remediation-focused topics that kind of grind my gears and/or get me frustrated with myself. I'm curious for your thoughts on these, so reach out via Slack or Twitter and maybe we'll do a future live stream on this topic. How do you get clients to actually care when we explain the threats on their network that are a literal 10/10 on the CVSS scale? Password policies - they're not just as easy as "Have a password of X length with Y complexity." Fixing the various broadcast traffic and protocol issues that give us easy wins with Responder and mitm6 - it's more nuanced than just "Disable LLMNR/NETBIOS/MDNS and shut off IPv6." This article discusses these challenges in more detail.

27 Elo 202240min