Posts

Showing posts from April, 2022

Track Common Adversary Tasks Performed Using PsExec

To know more about it, you can go through my detailed document by clicking here

PsExec

PsExec is a free Microsoft Sysinternals tool that executes processes on remote systems with full interactivity, without manually installing any client software on the target. That convenience makes it popular with both IT administrators and attackers: its versatility and simple command-line interface have made it a standard choice among Windows administrators for remote command execution, and for exactly the same reasons it is a favourite lateral-movement tool for intruders.

Prerequisites

PsExec is a Windows-only tool that works between Windows computers: a Windows host is required to connect to the target Windows host.
The administrative share (ADMIN$) must be reachable on the target system, and the credential used must be a local administrator there.
Network connectivity must exist between the host running PsExec and the target you want to manage; in practice this means SMB (TCP port 445) must be open between them.

How does PsExec work?

Its workflow is as follows: firstly, it extracts an embedded Windows service called Psexe
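The workflow above leaves a consistent trace on the target: PsExec copies its service binary through ADMIN$ (which maps to %SystemRoot%) and registers it with the Service Control Manager, which records Event ID 7045. The following PowerShell hunt is an added example written for this page, not code from the original post or from Sysinternals. It assumes the default service name PSEXESVC (PsExec's -r switch renames it, so a service binary dropped directly into the Windows directory is flagged too); the regexes and the time window are this example's assumptions and should be tuned locally.

```powershell
# Added example, not code from the original post: hunt the local System log for the
# trace PsExec leaves on a target. Whatever command was run, PsExec copies its service
# binary into the target's ADMIN$ share (i.e. %SystemRoot%) and registers it with the
# Service Control Manager, which logs Event ID 7045 ("A service was installed").
# The default service name is PSEXESVC; PsExec's -r switch renames it, so any service
# whose binary sits directly in the Windows directory is flagged as well.
# Names, regexes and the time window are this example's assumptions; tune them locally.

function Get-EventDataMap {
    # Flatten the event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-PsExecServiceInstalls {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d    = Get-EventDataMap $e
        $name = $d['ServiceName']
        $path = $d['ImagePath']

        # Indicator 1: the well-known service / binary name.
        $isPsExec = ($name -match '^PSEXESVC') -or ($path -match 'PSEXESVC\.exe')
        # Indicator 2: binary dropped straight into %SystemRoot% (where ADMIN$ lands),
        # not into a subdirectory such as System32 where legitimate services live.
        $inWinDir = $path -match '^"?(?:%SystemRoot%|[A-Za-z]:\\Windows)\\[^\\]+\.exe"?\s*$'

        if ($isPsExec -or $inWinDir) {
            $why = if ($isPsExec) { 'PSEXESVC name or binary' } else { 'service binary directly in Windows directory' }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Service   = $name
                ImagePath = $path
                StartType = $d['StartType']
                Account   = $d['AccountName']
                Indicator = $why
            }
        }
    }
}

# Usage: reading the System log needs no special rights. To confirm the ADMIN$ write,
# correlate with Security Event ID 5145 (detailed file share auditing must be enabled).
Find-PsExecServiceInstalls -Days 30 | Format-Table -AutoSize
```

A hit with the default name is close to conclusive; a hit on the second indicator alone needs a look at the binary, since some installers also drop services into the Windows directory.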

Track Common Adversary Tasks Performed Using Mimikatz

To know more about it, you can go through my detailed document by clicking here

Mimikatz

Mimikatz is a credential dumper that extracts plaintext passwords, NTLM hashes, and other authentication material (including Kerberos tickets) from Windows memory, and lets the user view and save those credentials. It was created by Benjamin Delpy to demonstrate to Microsoft that its authentication protocols were vulnerable to attack, and it is still actively maintained and updated with the latest attack techniques. Attackers use Mimikatz to steal credentials and escalate privileges; the stock binary is widely detected and quarantined by antivirus and endpoint protection software, so attackers commonly recompile, obfuscate, or load it purely in memory to get around that. Penetration testers and researchers use it for the same reason, to measure how exposed a network's credentials are.

Common Features of Mimikatz

Mimikatz can demonstrate the following techniques:

Pass-the-Hash: attackers use this technique to steal the NTLM hash of an account and authenticate with the hash directly, without ever knowing the plaintext password, which enables them to hack a syst

Track Common Adversary Tasks Performed Using Cobalt Strike

To know more about it, you can go through my detailed document by clicking here

Cobalt Strike

Cobalt Strike, first released in 2012, is commercial adversary simulation software whose cracked or stolen copies are used by many threat groups, and its intrusion payloads have been observed by many network defenders. It is widely used as a post-exploitation tool and is typically delivered as a second stage by commodity loaders such as IcedID, ZLoader, Qbot, Bazar, and Hancitor. Threat actors favour it because it is easy to use and readily available.

How does Cobalt Strike Work?

As stated above, Cobalt Strike is popular among threat actors because it is stealthy and customizable. Its implant, Beacon, runs on the compromised host and checks in with the attacker's team server at a configurable interval (over HTTP/S, DNS, or SMB named pipes) to fetch tasks and return results. Beacon can execute PowerShell scripts, log keystrokes, take screenshots, spawn other payloads, and more.

Special Features of Cobalt Strike

Cobalt Strike also provides the following featu
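Beacon's SMB channel and its post-exploitation jobs (keylogger, screenshot and similar modules) communicate over named pipes, and with default settings those pipes have recognisable names. The PowerShell below is an added example for this page, not the post's own code and not part of Cobalt Strike; it hunts Sysmon Event ID 17 (PipeCreated) and 18 (PipeConnected) for the default patterns \msagent_<hex> (SMB Beacon link), \postex_<hex> (post-exploitation jobs) and \MSSE-<n>-server (Artifact Kit default). All three names are changeable through a Malleable C2 profile, so an empty result proves nothing; the patterns and the time window are this example's assumptions.

```powershell
# Added example, not code from the original post: hunt Sysmon pipe events for the
# named pipes a Cobalt Strike Beacon uses with default settings. Operators change
# these through a Malleable C2 profile, so treat the list as a starting point.

function Get-EventDataMap {
    # Flatten the event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-BeaconPipes {
    param([int]$Hours = 24)
    # Assumption: default pipe names as documented for Beacon / Artifact Kit.
    $patterns = @(
        '^\\msagent_[0-9a-f]+$',   # SMB Beacon peer-to-peer link
        '^\\postex_[0-9a-f]+$',    # post-exploitation job (keylogger, screenshot, ...)
        '^\\MSSE-\d+-server$'      # Artifact Kit default
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17, 18; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d    = Get-EventDataMap $e
        $pipe = $d['PipeName']
        $hit  = $patterns | Where-Object { $pipe -match $_ } | Select-Object -First 1
        if ($hit) {
            $kind = if ($e.Id -eq 17) { 'PipeCreated' } else { 'PipeConnected' }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Event   = $kind
                Pipe    = $pipe
                Image   = $d['Image']      # the process hosting Beacon or its spawned job
                Pid     = $d['ProcessId']
                Pattern = $hit
            }
        }
    }
}

# Usage: the Sysmon configuration must log pipe events (Sysmon schema: PipeEvent rules).
Find-BeaconPipes -Hours 72 | Format-Table -AutoSize
```

A \postex_ pipe created by a process that has no business spawning post-exploitation jobs (for example a user's Office process) is a strong lead; pair the Image field with the same host's process-creation events to find the parent that was injected into.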

Understanding Attacks Linked to Fancy Bear APT-28

To know more about it, you can go through my detailed document by clicking here

Cyber Attacks associated with APT-28

APT-28, or Fancy Bear, is a Russian cyber threat group widely known for hacking the Democratic National Committee in an effort to influence the 2016 US presidential election. Some of its other victims are the German parliament, the Norwegian parliament, a French TV station, the White House, and NATO. It was designated an Advanced Persistent Threat (APT28) by FireEye.

Malware Tools of Fancy Bear

Fancy Bear generally uses software such as ADVSTORESHELL, CHOPSTICK, JHUHUGIT, and XTunnel, along with a wide variety of implants such as Foozer, WinIDS, X-Agent, and Sofacy (note that X-Agent is another name for CHOPSTICK, and Sofacy is also used as a name for the group itself).

Vulnerabilities Exploited by APT-28

To compromise its targets, it relies on zero-day exploits, spear phishing, malware, and similar techniques.

Protection against APT-28

The following techniques may be of great help in defending against APT-28 as well as similar threats: Identifying the di

Understanding North Korean State-Sponsored Cyber Espionage Group APT37

To know more about it, you can go through my detailed document by clicking here

APT37

APT37 is a North Korean state-sponsored cyber threat group; it mainly targets South Korean public and private sectors, with further operations against Japan, Vietnam, and the Middle East. It has targeted many industries, including chemicals, electronics, manufacturing, aerospace, and healthcare.

Cyber Attacks associated with APT37

APT37 has targeted various South Korean sectors with the ROKRAT Trojan and has targeted journalists with the multi-platform Chinotto malware, while focusing on the more sophisticated organizations in the countries it attacks.

Malware Tools used by APT37

APT37 (also tracked as ScarCruft) is equipped with a wide variety of malicious tools, including NavRAT, CORALDECK, Karae, DOGCALL, ROKRAT, SOUNDWAVE, ZUMKONG, and MILKDROP, which are capable of doing serious damage to any system or organization.

Vulnerabilities Exploited by APT37

It exploits vulnerabilities in Hangul Word Processor (HWP) and Adobe Flash

Understanding Attacks Linked to Gothic Panda, Pirpi, UPS Team, Buckeye APT3

To know more about it, you can go through my detailed document by clicking here

APT3

APT3, also known as Gothic Panda, Pirpi, UPS Team, and Buckeye, is a Chinese threat group first observed in 2010 that is responsible for various espionage campaigns, including Operation Clandestine Wolf (2015), Clandestine Fox (2014), and Double Tap (2014), mainly targeting South Korea, Hong Kong, and the USA.

Cyber Attacks Associated with APT3

This threat group has targeted sectors such as aerospace, defense, transportation, construction engineering, and high tech. US-based targets include Moody's Analytics, Siemens AG, and Trimble Inc.; it has also targeted organizations in Hong Kong and the Winter Olympics in Pyeongchang, South Korea.

Malware Tools used by APT3

APT3 uses a wide variety of malicious tools and techniques, ranging from spear phishing and zero-day exploits to custom-built malware and other sophisticated hacking tools linked wit

Understanding Attacks Linked to Cozy Bear APT29

To know more about it, you can go through my detailed document by clicking here

Cyber Attacks Associated with APT29

Cozy Bear is widely believed to be a highly advanced Russian hacking group and is tracked as the Advanced Persistent Threat APT29. Western governments have published detailed lists of the malware discovered in its campaigns, yet it remains active and continues to deploy new malware. Its victims include Japanese firms, various IT and cloud service providers, and Denmark's national bank, some of whom did not learn of the breach for months.

Malware Tools of Cozy Bear

APT29 generally uses malware tailored to the victim's IT environment and regularly upgrades its components. Cozy Bear builds and distributes components loosely based on Fancy Bear's (APT28) toolkit, along with CHOPSTICK and CORESHELL, both of which are primarily associated with APT28.

Critical Vulnerabilities Exploited by APT29 to Gain Access

Some of the exploited vulnerabilities are: CVE-2018-1337