This past year was a bit less hectic, and I managed to take things a bit easier. I still participated in some interesting training courses and joined some conferences along the way, so I’ll share a bit on the more interesting ones below.

I’d like to spend at least a little more time writing on this blog this upcoming year and start adding smaller entries on experiments I run or tools that I am trying out. Let’s see how that goes. 🤞

Conferences

X33fcon

Unfortunately I only got to join this Poland-based conference remotely online. I didn’t let that spoil my fun though, and I managed to view a lot of excellent talks (although it did mean missing the certified hacker pirate ship 🏴‍☠️).

Topics ranged from M365 phishing campaigns and EDR internals to funny but valuable mishaps during Red Team Operations. Some of my favorite talks were:

  • “A Smooth Sea Never Made a Skilled Phisherman” - A talk by the developer of EVILGINX about EVILGINX. The presentation is available on YouTube.
  • “Analyzing and Executing ADCS Attack Paths with BloodHound” - A talk by some of the SpecterOps guys on the tradecraft they developed against Microsoft’s PKI suite. See also their excellent whitepaper on the topic.

PowerShell Conference EU

Recently I have been trying to get more hands-on experience with PowerShell so that I can use it as my default scripting/programming engine whenever new ideas or tasks come up. This conference has some very interesting PowerShell-related talks that also touch on security topics, which makes some of them naturally interesting to me.

It took place around the same time as x33fcon, but I managed to watch enough recordings of this conference to warrant an entry in this year’s overview. Some interesting presentations were about MS Graph API attacks (and the new MicrosoftGraphActivityLogs telemetry source to detect them), as well as a lightning talk about userland API hooking in PowerShell.

Some other talks I got a lot out of:

  • “Introducing Maester your Microsoft 365 test automation framework” - An overview of Maester by Fabian Bader.
  • “AMSI and Constrained Language mode” - This talk provided a great overview of AMSI and discussed some changes in its behavior on Windows 11.

DE&THCon

I cannot say enough good things about this conference, its community-driven mission and the long list of interesting talks that were hosted again this year. So far I have been joining remotely, but perhaps this coming year will be my debut attending in person 🤞.

One workshop that is worth going over, and which was published online, is “Kusto Graph Semantics Explained” by Fabian Bader.

Training

XINTRA

The “Attacking and Defending Azure & M365” course is structured along MITRE ATT&CK’s high-level tactics, starting from recon and working up to persistence techniques. One thing that adds a lot of value to this course is that it not only focuses on the attack surface of M365 environments and specific attacker tradecraft, but also supplements each chapter with a Defender’s guide to recommended logging, alerting and incident response actions (something I often find lacking in other such resources).

The course also does not assume full knowledge of all things Microsoft, EntraID or Azure, and provides a lot of background information on this technology stack as well as the available log sources (e.g., EntraID Audit logs, Azure ARM logs, Graph API logs and the Unified Audit Log).

The authors clearly have a lot of practical experience with forensics and incident response in Microsoft Cloud environments, and that experience shapes the course throughout. If you have the training budget at your disposal I can definitely recommend the course. However, since a lot of the course is built around open-source research by other people and organizations (like those below), you can definitely do some studying by yourself to get a head start.

Sektor7 - Windows Persistence

This course was one of the best things I managed to finish this year. It touches on many classic Windows persistence techniques, ranging from well-known Auto Start Extensibility Points (ASEPs) and Scheduled Tasks to DLL Hijacking/Proxying.

The course itself hasn’t been updated in a while, but most of these basic techniques have not fundamentally changed. Working through it also gave me a great way to get more familiar with the Windows APIs, DLLs, COM, WMI and the many other Windows internals that are discussed along the way.
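Since the two ASEP families named above (Run/RunOnce registry keys and Scheduled Tasks) are also the first places a defender looks when triaging a box, here is a small PowerShell inventory script I put together as an added example. It is not part of the Sektor7 course material or the original post. It assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks module, lists every Run/RunOnce value and every scheduled task Exec action, and flags entries whose executable sits in a user-writable location (temp, profile and public folders), which is where persistence dropped by an unprivileged account usually ends up. The list of "suspicious" roots is my own assumption and should be tuned per environment.

```powershell
# Added example (not from the original post or the Sektor7 course):
# defender-side inventory of two classic ASEP families, Run/RunOnce keys and
# Scheduled Tasks, flagging entries whose binary lives in a user-writable path.
# Assumptions: Windows PowerShell 5.1+, ScheduledTasks module available.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations an unprivileged user can normally write to (assumed list, tune per environment).
$suspiciousRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:SystemDrive\Users"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    # Expand %VARS% and drop surrounding quotes so the prefix match works on the real path.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim('"')
    foreach ($root in $suspiciousRoots) {
        if ($expanded -like "$root*") { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1) Registry Run/RunOnce ASEPs: one row per value name.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider metadata properties PowerShell attaches to every registry item.
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $findings.Add([pscustomobject]@{
            Source       = 'Registry'
            Location     = $key
            Name         = $prop.Name
            Command      = [string]$prop.Value
            UserWritable = Test-UserWritablePath ([string]$prop.Value)
        })
    }
}

# 2) Scheduled tasks: one row per Exec action (COM handler actions have no Execute and are skipped).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $findings.Add([pscustomobject]@{
            Source       = 'ScheduledTask'
            Location     = $task.TaskPath
            Name         = $task.TaskName
            Command      = $cmd
            UserWritable = Test-UserWritablePath $action.Execute
        })
    }
}

# Flagged entries first; the full output is worth saving as a baseline to diff against later.
$findings | Sort-Object -Property UserWritable -Descending | Format-Table -AutoSize
```

A flagged row is not proof of anything (plenty of legitimate updaters live under AppData), but diffing this output against a known-good baseline from the same host is a cheap way to spot the Run-key and task-based persistence the course walks through.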