CQURE Hacks #74: Microsoft SQL Server Privilege Escalation

We’re diving into a classic but devastatingly effective exploit path. Many organizations leave their SQL Servers vulnerable through a combination of three simple misconfigurations: a database set to “trustworthy,” an owner with sysadmin rights (like SA), and a low-privilege user with db_owner permissions. By abusing these settings, an attacker can create a stored procedure that […]

CQURE Hacks #73: Using a Malicious LNK File to Take Over Infrastructure (LNK Relay)

The scenario is straightforward: a regular domain user has WRITE permissions on a shared folder. That’s enough to plant a malicious .lnk file pointing to an attacker-controlled SMB server. The moment another user browses that share in File Explorer, the system attempts authentication automatically – and the NETNTLMv2 response is captured. From there, the path […]

CQURE Hacks #72: KQL Threat Hunting – One Query, Three Hunts

In active-duty security, time is your most valuable asset. Most hunters struggle because they try to write a brand-new query for every single alert. This creates a messy library of code that is hard to manage. Kajetan, one of our frontline experts, shows you how to use one “Base Query” as a launchpad for three […]

CQURE Hacks #71: 5 KQL tricks to speed up threat hunting

In active-duty threat hunting, time is the only currency that matters. Most IT professionals struggle with queries bogged down by excessive calculations or filtering applied far too late in the pipeline, creating a bottleneck that can obscure critical indicators of compromise. Kajetan, one of our frontline practitioners, walks through five practical techniques that immediately improve […]

CQURE Hacks #70: NTLM Relay Attacks in Practice: Exploiting Missing SMB Signing

In this episode, we start by verifying vulnerable configurations on SRV01 (10.10.10.20) and Windows 11 (10.10.10.40). Server and client SMB signing enforcement is false. Nmap confirms “enabled but not required,” and NetExec scans the network to list relay targets (/tmp/relay.txt). Responder (NetBIOS/LLMNR poisoner, SMB/HTTP disabled) listens on eth0. Impacket-ntlmrelayx (-i interactive, --target-file relay.txt) relays intercepted […]

CQURE Hacks #69: SMB Signing – Why It Won’t Save Your Data from a Passive Traffic Sniffer

The Experiment Setup
Our test environment was configured for maximum network security, with both the server (SRV01) and the client (WIN11-01) explicitly set to support and require SMB signing.
The Critical Finding
Despite having SMB signing enforced on both endpoints, our packet capture yielded a critical, visible finding: the entire contents of the file, “SMB […]

CQURE Hacks #68: NTLM Relay Attacks Explained and Why It’s Time to Phase Out NTLM

We begin on the Domain Controller, where the Group Policy setting “Network security: Restrict NTLM: NTLM authentication in this domain” is initially set to Disabled. This allows NTLM-based authentication to proceed – opening the door for potential relay attacks. On the attacker machine (running Kali Linux), the Responder and Impacket’s ntlmrelayx tools are launched. Once […]

CQURE Hacks #67: ARP Spoofing + SMB Sniffing: Stealing Files from the Network

Setting up the Attack
We start with three machines: On Kali, we enable packet forwarding and run the arpspoof tool to trick both the client and the domain controller into believing that Kali is the other host. This successfully poisons the ARP cache, redirecting their communication through our machine.
Sniffing ICMP Traffic
With ARP spoofing […]

CQURE HACKS #66: Hiding and Modifying Windows Services with Service Control

Understanding Hidden Services
Let’s learn how to hide and uncover a service. This is a very important technique for post-incident investigation, as manipulating a service’s security descriptor can be a powerful method for persistence. There’s no direct mechanism to hide a service in Windows, but we can manipulate the Security Descriptor Definition Language (SDDL). We […]

CQURE HACKS #65: NTLM reflection SMB flaw – CVE-2025-33073: From zero to Domain Admin

The threat is real – legitimate users can engineer malicious programs that deceive target systems into establishing authentication with a fake SMB server. This exploitation method delivers maximum system authority to attackers, granting them comprehensive dominance over the infiltrated machine. So, let’s see what granting this access looks like in practice. Before attempting exploitation, two […]
