Offensive Cybersecurity Operations

Fortalice Solutions

Discover the significance of comprehensive application security assessments in identifying and addressing software vulnerabilities. Learn about the different types, including manual code reviews, automated vulnerability scanning, penetration testing, and security architecture reviews. Fortalice blog offers valuable insights to help you choose the right assessment for your organization.

Fortalice Solutions

API security protects an API’s confidentiality, integrity, and availability. Securing your API is essential as it helps protect your application and your data from malicious attacks, such as data theft, malicious code injection, and denial of service attacks. Prioritizing API security today will protect your business and customers from the devastating consequences of cyberattacks tomorrow.

Fortalice Solutions

Increasingly, cyber actors are employing LOTL attack, which blend (and obscure) their nefarious activities with legitimate tools and infrastructure already found (and regularly used) in your environment to mask their presence while greatly minimizing their chances of detection and attribution. Typically, the introduction of a third-part application generates an alert to the host from an endpoint detection and response (EXR) product. Unfortunately, LOTL enables the actor to skirt detection more easily and effectively.

Kallen Curtis

To exploit Active Directory (AD) whether to get domain admin or reach target systems, Kallen Curtis highlights five common attack paths and how to prevent them.

Fortalice Solutions

Fortalice Solutions released a white paper, The Privacy Pitfalls and Security Dangers of Internet Trackers, which details the privacy concerns surrounding an organization’s use of internet trackers. For the last 10 months, Fortalice has completed more than 40 investigations related to third-party tracking technologies in the healthcare field. To that end, our team has provided the following update based on our experience.

Kallen Curtis

Threat intelligence is an important tool in developing a mature security infrastructure. Discover the importance of threat intelligence and how it can help you stay ahead of cybersecurity threats. We explore the different types of threat intelligence, the benefits of implementing it, and how to use it effectively. Stay informed and keep your organization safe with the latest threat intelligence insights.

Matthew Creel

Discussion of environments susceptible to lateral movement through resource-based constrained delegation (RBCD) attacks, prompting me to take a deeper dive into the topic

Matthew Creel

Last month Fortalice open-sourced BOFHound, an offline BloodHound ingestor for raw ldapsearch results. Along with BOFHound, we released a companion tool for it, pyldapsearch, and submitted a pull request to TrustedSec's CS-Situational-Awareness-BOF modifying the ldapsearch BOF to include the nTSecurityDescriptor attribute. Adam Brown wrote a post accompanying the release, which covered much of the tool's background, including blue team strategies for detecting BloodHound useful and the red team's reversion to more manual LDAP querying techniques. This blog will serve as a follow-up to that post, covering some usage strategies for ldapsearch + BOFHound and going into the updates that were recently pushed to BOFHound in version 0.1.0.

Adam Brown

BloodHound has helped offensive and defensive teams since then conduct efficient and thorough auditing of Active Directory environments. For a while, reviewing Active Directory environments without BloodHound became almost unimaginable, and certainly unattractive. As the tool has evolved and grown, it has become a staple of the offensive tester's toolkit while simultaneously becoming an increasingly desired detection point for defensive teams. Several detection strategies have surfaced over the past 7 years. This post will cover a few helpful detection strategies. Some you may know of, and others, maybe not. Then we'll wrap by introducing two new tools which aim to give red teams a chance at avoiding detection when necessary.

Matthew Creel

Back in when I was getting started as a junior pentester, I vividly remember reading @byt3bl33d3r's 2017 post: Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). I still recommend checking this out if you haven't already - it will cover the basics of NTLM relaying and background on some of the confusing pieces ([Net]NTLMv1/2 anyone?) that there's no need for me to repeat here. There's also a plethora of other great NTLM relay blogs and resources that I'll try to link to throughout this post, while I attempt to touch on the ever growing library of NTLM relay uses after 2021 introduced several new relay vectors.

Matthew Creel

ADCS has been a treasure trove for recent offensive operations while organizations are still catching up to the research released by Will Schroeder and Lee Christensen back in June. Amazingly, enough escalation vectors were dropped that 5 months later I still haven't found time to test and explore every one of them (suppose that means I'm still catching up too). Luckily, an ESC4 scenario prompted some digging into abusing ACL permissions to create vulnerable template states.

Matthew Creel

Active Directory Certificates and PKINIT are hot topics these days and our operators at Fortalice have been doing their best to stay on top of the new research and tools. My previous blog touched on PyWhisker and referenced one of its resources available on https://thehacker.recipes. While reading through the documentation there, a note near the bottom caught my eye, which stated: User objects can't edit their own msDS-KeyCredentialLink attribute while computer objects can.

Matthew Creel

On a recent red team engagement, our team was tasked with focusing on Active Directory Certificate Services (ADCS) exploitation. The objective was to identify certificate template misconfigurations and potentially achieve privilege escalation by abusing them. The concepts and attacks used were based around the work and whitepaper by Will Shroeder (@harmj0y) and Lee Christensen (@tifkin_).

Adam Brown

Domain fronting is a generic technique based on HTTPS that allows an actor to hide the true destination of a communication from network equipment in the path. While domain fronting has been used in offensive engagements for several years now, the number of frontable cloud services continues to dwindle. Today, Fortalice is publicly adding another service to that list: Azure Front Door.

Fortalice Solutions

Fortalice Director of Offensive Cybersecurity Operations (OCO) Matt Shirley talks the red team's perspective on addressing cyber threats on behalf of our clients.