Showing posts from June, 2021

RDP, cmdkey, Canary (and thee)

Last month Florian Roth (cyb3rops) reacted to the news of Mimikatz dumping RDP credentials by asking how we could easily inject fake credentials into machines. Markus Neis pointed out that on Windows, cmdkey allows you to do this. This is pretty awesome. Mimikatz is used by attackers the world over, and having control of the data a Mimikatzer will see is a powerful tool to have. One route to looking for Mimikatz usage is injecting false credentials into lsass and watching for their usage in Active Directory, but tracking that credential usage will require some work on your domain controllers (or your SIEM). With the RDP service back on version 3 Canaries, we can use cmdkey to point attackers at our Canaries, and not have to worry about Active Directory integration. Let’s start by setting up a Canary as a Windows Server (called \\02-FINANCE-02). This will take all of 1 minut

Would you know if your phone was hacked?

Would you know if your phone was hacked? Even the most powerful people in the world (if you use wealth as a proxy for power) don’t. The problem is that, much like your networks, there is an almost unlimited number of ways for attackers to break into them, so this problem seems intractable at first blush. But (just like when they break into your networks) attackers who break into your phones are looking to achieve certain objectives, and you can use these objectives to reliably detect them. Today we released our new version of Canary, and with it, customers also get the shiny new WireGuard Canarytoken appearing on their consoles. What’s a WireGuard? WireGuard is the incredible VPN built by Jason Donenfeld. We love it. We use it. People smarter than us think you should too. What’s a WireGuard Canarytoken? Once a serious attacker gets onto your device, they have a certain set of objectives. Grab salacious data; grab access to other services; ensure repeat access or spread their compro