Carbon Black On Prem EDR – Auto Install on VMware Workstation using Hashicorp Vagrant

Carbon Black On Prem EDR is a comprehensive endpoint security solution designed to detect, respond to, and prevent a wide range of cyber threats. EDR solutions focus on monitoring and analyzing endpoint activities to identify and mitigate potential security incidents.

This HashiCorp Vagrant script automatically sets up a supported CentOS release, then downloads and installs Carbon Black On Prem EDR, all within about 5 minutes. (Word.)

This script is also a demonstration of how to automate an installation with HashiCorp tooling. I'll build on it and use Terraform to deploy onto Azure.

This is also a good base script for installing onto Linux in your lab environments. Vagrant and Terraform have terrible documentation, so it's good to have a working example. You can use Ansible for configuration management, but that's for another day.

Note: The Carbon Black EDR RPM file and license are not included in the Git repo; you need to request them via your SE.

Demo Vagrant Install

Increase the YouTube playback quality to see the text.

If you are like me, you love spending hours installing operating systems. So I decided to build my labs using automation: it takes a lot of effort upfront, but it saves a lot of effort down the track and opens up a lot of possibilities in the future.

So this is a journey and takes a lot of effort; if anyone else wants to participate, I have some grand plans we can build together.

Automation Options


There are a lot of ways to skin this cat, but I am restricting myself to HashiCorp Vagrant and Terraform, and possibly converting to OpenTofu to support open source.

Vagrant and Terraform are 'same same but different': Vagrant is aimed at local labs and Terraform at public clouds (AWS, Azure, GCP). It is possible to use Vagrant for public cloud as well, but with limited functionality compared to Terraform, which has 'provisioners' that support cloud-native features. I'll convert this script to Terraform later.

Here is a Vagrant script to auto install Carbon Black On Prem EDR onto VMware Workstation.

You will need to install the VMware Workstation Vagrant Utility and the VMware Workstation plugin, both free, from – Installation – VMware Provider | Vagrant | HashiCorp Developer

The following Vagrant script is a good base for 1) copying a file from the local machine to the VM and 2) executing shell commands within the VM.

Setup Instructions

  1. Create a folder for the VM
  2. Put the Carbon Black RPM file in the same directory as the Vagrantfile
  3. Put cbinit.ini in the same directory – download it from https://github.com/rstar13as/EDR_Install/blob/main/cbinit.ini
  4. Create the Vagrantfile from https://github.com/rstar13as/EDR_Install/blob/main/Vagrantfile
  5. Run vagrant init
  6. Run vagrant up
  7. Run vagrant destroy
  8. Log in to Carbon Black EDR – https://192.168.193.141:443

App Control Auto Install

https://github.com/rstar13as/AppControl_install
# Carbon Black App Control Install
# Example Microsoft Vagrantfile - https://github.com/microsoft/azure_arc/blob/main/azure_arc_servers_jumpstart/local/vagrant/windows/Vagrantfile
# Carbon Black App Control pre-requisites script - https://github.com/rstar13as/AppControl_install/blob/main/AppControl_Preres.ps1
# Supported server operating systems:
#   Operating System        | Architecture | Service Pack | Additional Notes/Requirements
#   Windows Server 2012 R2  | x64          | Use Latest   | If virtual, HVM only
#   Windows Server 2016     | x64          | Use Latest   | If virtual, HVM only
#   Windows Server 2019     | x64          | Use Latest   | If virtual, HVM only
#   Windows Server 2022     | x64          | Use Latest   | If virtual, HVM only
# Vagrant - Windows Server boxes - https://app.vagrantup.com/StefanScherer

Vagrant.configure("2") do |config|
  config.vm.box = "StefanScherer/windows_2022" # This image bluescreens on first boot, but I don't care.
  config.vm.provider "vmware_desktop" do |v|
    v.gui = true
  end

  # https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/services/cb-ac-announcements/GUID-63037C41-25EA-4BD1-A53A-EABAA2F87711.html
  # 8.10.0 Server Download Link
  # IMPORTANT: Before using the download link, make sure you have logged into the Carbon Black User Exchange (UEX).
  # Files put inside C:\Users\vagrant\Documents
  config.vm.provision "file", source: "Servers_CB App Control Server_8.10.0.485.zip", destination: "Servers_CB App Control Server_8.10.0.485.zip"

  config.vm.provision "shell", inline: <<-SHELL, privileged: true
    # Set Execution Policy, enable TLS 1.2, and install Chocolatey
    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
    choco feature enable -n allowGlobalConfirmation
    choco install vscode -y

    # Invoke-WebRequest -Uri https://raw.githubusercontent.com/rstar13as/AppControl_install/main/AppControl_Preres.ps1 -OutFile .\AppControl_Preres.ps1; .\AppControl_Preres.ps1

    #Open "Windows PowerShell ISE" as Administrator
    Set-ExecutionPolicy Bypass -Scope Process

    #Disable Windows Defender 
    Set-MpPreference -DisableRealtimeMonitoring $true
    #Uninstall Windows Defender
    Remove-WindowsFeature Windows-Defender

    #Install IIS
    Install-WindowsFeature -name Web-Server -IncludeManagementTools

    #Enable IIS options
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerRole
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServer
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-CommonHttpFeatures
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpErrors
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpRedirect
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ApplicationDevelopment
    Enable-WindowsOptionalFeature -Online -FeatureName NetFx4Extended-ASPNET45
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-NetFxExtensibility45
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HealthAndDiagnostics
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpLogging
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-LoggingLibraries
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-RequestMonitor
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-HttpTracing
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-Security
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-RequestFiltering
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-WebServerManagementTools
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ManagementConsole

    # OER: https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/8.10/cb-ac-oer.pdf
    # You must disable Basic Authentication and Windows Authentication so that the App Control Server handles authentication:
    Disable-WindowsOptionalFeature -Online -FeatureName IIS-BasicAuthentication
    Disable-WindowsOptionalFeature -Online -FeatureName IIS-WindowsAuthentication

    Enable-WindowsOptionalFeature -Online -FeatureName IIS-StaticContent
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-DefaultDocument
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ISAPIExtensions
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ISAPIFilter
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ASPNET45
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-CGI
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ManagementScriptingTools


    # Install SQL Server Express 2019.

    function Install-SQLServerExpress2019 {
        Write-Host "Downloading SQL Server Express 2019..."
        $Path = $env:TEMP
        $Installer = "SQL2019-SSEI-Expr.exe"
        $URL = "https://go.microsoft.com/fwlink/?linkid=866658"
        Invoke-WebRequest $URL -OutFile $Path\$Installer

        Write-Host "Installing SQL Server Express..."
        Start-Process -FilePath $Path\$Installer -Args "/ACTION=INSTALL /IACCEPTSQLSERVERLICENSETERMS /QUIET" -Verb RunAs -Wait
        Remove-Item $Path\$Installer
    }

    Install-SQLServerExpress2019


    # https://docs.vmware.com/en/VMware-Carbon-Black-App-Control/services/cb-ac-announcements/GUID-63037C41-25EA-4BD1-A53A-EABAA2F87711.html
    # 8.10.0 Server Download Link
    # IMPORTANT: Before using the download link, make sure you have logged into the Carbon Black User Exchange (UEX).
    # I just copied the link from the corresponding download link, I am not sure if this link expires, so you may need to update this link as required, or download it to local first.
    # Invoke-WebRequest -Uri "" -OutFile .\8.10.0.485.zip
  
    # Expand-Archive -Path "C:\Users\vagrant\Documents\Servers_CB App Control Server_8.10.0.485.zip" -DestinationPath "C:\Users\vagrant\Documents"
    # "C:\Users\vagrant\Documents\ParityServerSetup.exe"
    # This doesn't work yet
  
    SHELL
end

HowTo: Install macOS Sonoma 14 with Xcode and iPhone Simulator inside Windows using VMware Workstation

Here is a step-by-step guide to creating a macOS Sonoma (Intel) virtual machine on VMware Workstation so that you can run Xcode with the iPhone Simulator. It's nice to have macOS virtualised for development and testing.

If you want to test or use macOS on ARM, different methods are needed; the approach below does not work for it.

If you have an Apple laptop, the EULA allows you to virtualise one copy of the OS.

MacOS Intel on VMware Workstation

  • Create an empty disk image: hdiutil create -o /tmp/Sonoma -size 16384m -volname Sonoma -layout SPUD -fs HFS+J
  • Mount the created disk image: hdiutil attach /tmp/Sonoma.dmg -noverify -mountpoint /Volumes/Sonoma
  • Create the install media: sudo /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/createinstallmedia --volume /Volumes/Sonoma
  • Unmount the disk image: hdiutil eject -force /Volumes/Install\ macOS\ Sonoma
  • Create the CDR file: hdiutil convert /tmp/Sonoma.dmg -format UDTO -o ~/Desktop/Sonoma
  • Convert (rename) the CDR to ISO: mv -v ~/Desktop/Sonoma.cdr ~/Desktop/Sonoma.iso
  • Clean up: rm -fv /tmp/Sonoma.dmg

  • Download and install the VMware macOS unlocker from – https://github.com/DrDonk/unlocker/releases
  • Create a VM with LSI and NVMe, and enable "Virtualize Intel VT-x or AMD-V/RVI"
  • Install VMware Tools from the Unlocker Darwin ISO.
  • Enable VMware Tools under Privacy

macOS ARM on UTM

Reference

Rambo: Making Virtual Machines on Any Provider

In the fast-paced world of software development, the ability to quickly provision and configure virtual machines (VMs) is invaluable. Whether for local testing or cloud deployment, having a tool that simplifies this process can greatly enhance productivity. This is where Rambo comes in.

What is Rambo?

Rambo is a provisioning and configuring framework developed by Terminal Labs. It allows for the creation of VMs on any provider in a simple, predictable, and highly reproducible way. By leveraging Vagrant and its various plugins for different providers, Rambo enables users to spin up new local instances and nearly identical cloud instances with ease.

Key Features

  • Provider Agnosticism: Rambo is designed to be provider-agnostic, meaning it is not tied to specific cloud or virtualization platforms. This flexibility allows for seamless VM creation across different environments.
  • Compatibility with Provisioners: Rambo is compatible with various provisioners, with SaltStack being supported out of the box. This makes it easy to integrate Rambo into existing infrastructure setups.
  • Quick Start: The framework offers a quick start guide and basic usage examples for creating VMs on different providers, including VirtualBox, LXC, DigitalOcean, and AWS EC2.

Why Use Rambo?

Rambo is particularly useful for expediting project setup and ensuring consistency between development and production environments. By automating the provisioning of VMs, it helps streamline development, identify bugs, and facilitate smoother production releases.

Getting Started with Rambo

To get started with Rambo, you can refer to the official documentation available at Rambo Documentation. The documentation provides detailed instructions, code examples, and commands for installing, customizing, and using Rambo to create VMs on various providers.

Code Examples

Here are some basic code examples to demonstrate the simplicity of using Rambo:

Creating a virtual machine on VirtualBox:

vagrant up

Creating a virtual machine on DigitalOcean:

vagrant --target=digitalocean up

These commands show how easy it is to create VMs on different providers using Rambo and Vagrant.

In conclusion, Rambo is a powerful tool for streamlining VM provisioning and configuration. Its flexibility, compatibility, and ease of use make it a valuable asset for developers and system administrators alike.

If you’re looking to enhance your workflow by simplifying VM management, give Rambo a try and experience the efficiency it brings to your development process.

Install Carbon Black Cloud Sensor via API and Python

Introducing a Quick Script to Download and Install Carbon Black Cloud Sensor via API and Python

Are you looking for a streamlined way to download and install the Carbon Black Cloud Sensor? Look no further: here is a quick and efficient script.

This script is designed to automate the process of acquiring and installing the Carbon Black Cloud Sensor, making it easier and faster for you to get up and running with this essential security tool.

The script is tailored to simplify the download and installation process by leveraging the Carbon Black Cloud API. By using this script, you can seamlessly obtain the necessary sensor kit and configuration links, and then proceed to download and install the sensor with just a few simple steps.

The script also provides the flexibility to download the sensor to a specific location using urllib or wget, and to install the sensor within the same script using subprocess. To use the script, you will need to manually identify the required sensor and update the variables with your API details.

The script references the official Carbon Black Cloud documentation, providing links to the sensor kit and configuration, as well as the sensor versions, to ensure that you have access to the most relevant and up-to-date information.

Key Features:

  • Automates the download and installation of the Carbon Black Cloud Sensor via API.
  • Provides flexibility to download the sensor to a specific location and install it within the same script.
  • References the official Carbon Black Cloud documentation for accurate and current information.

To get started with the script, visit the GitHub repository at rstar13as/cbc_sensor_request and follow the instructions provided.

We believe that this script will be a valuable addition to your toolkit, enabling you to expedite the deployment of the Carbon Black Cloud Sensor within your environment. For more details and to access the script, please visit the GitHub repository.

If you have any feedback or questions, we would love to hear from you. Thank you for considering this resource from Detectx.com.au.

Happy securing!

Note: The provided script is not affiliated with or endorsed by Carbon Black Cloud.

Please ensure that you have the necessary permissions and comply with the terms of use when utilizing the Carbon Black Cloud API and related resources. 

Visit the GitHub repository for more information; it also emphasizes the importance of complying with the terms of use when using the Carbon Black Cloud API.

##   Written by Roshan Ratnayake @detectx.com.au
##
##   Purpose:
##
##    Automatically download the Carbon Black Cloud Sensor and install the sensor.
##
##   Usage:
##
##     You will need to manually identify the required Sensor and update the variables with your API details below.
##
##   Reference:
##     - Get Sensor Kit and Configuration Links - https://developer.carbonblack.com/reference/carbon-black-cloud/workload-protection/latest/sensor-lifecycle-management/#get-sensor-kit-and-configuration-links
##     - Check Sensor versions here - https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/index.html
##     - Use the URL for your environment:
##       EAP01: https://defense-eap01.conferdeploy.net
##       Prod 01: https://dashboard.confer.net
##       Prod 02: https://defense.conferdeploy.net
##       Prod 05: https://defense-prod05.conferdeploy.net
##       Prod 06: https://defense-eu.conferdeploy.net
##       Prod NRT: https://defense-prodnrt.conferdeploy.net
##       Prod Syd: https://defense-prodsyd.conferdeploy.net
##       Prod UK: https://ew2.carbonblackcloud.vmware.com
##       AWS GovCloud (US): https://gprd1usgw1.carbonblack-us-gov.vmware.com
##     - Postman - https://www.postman.com/vmware-carbon-black/workspace/vmware-carbon-black/request/28313458-9ac920b7-ee83-4125-965d-b45baf6480b5?ctx=documentation
##
##   Improvements:
##
##     - Download the file to a specific location using urllib or wget
##     - Install the sensor within the same script using subprocess, e.g.
##            import os
##            os.system('terraform plan')
##     - Run the Carbon Black installer
##         https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Perform-an-Unattended-Installation-of/ta-p/65874
##         Replace 'your_msi_file.msi' with the actual MSI file name
##         msi_file = 'your_msi_file.msi'
##         Replace '/qn' with the actual silent installation switch
##         silent_switch = '/qn'
##         Run the MSI executable with the silent installation switch
##         subprocess.call(['msiexec', '/i', msi_file, silent_switch])
##         msiexec.exe /q /i <Sensor Installer Path> /L*v msi.log COMPANY_CODE="XYZABC" CLI_USERS=<UserGroupSid> POLICY_NAME="<NAME Virtual Policy>" CONFIGFILE="C:\Path\To\config-blob.ini"
##     - Automatically detect the operating system and download the correct sensor using the platform library:
##        import platform
##        platform.system(), platform.architecture()
##     - Set the expiry automatically to now + 30 mins
##
##     Version Control
##
##     28.12.2023 - Basic version




import json
import webbrowser

import requests


def download_sensor(url, org_id, x_auth_token, device_type, architecture, sensor_type, version, expires_at):
    """Ask Carbon Black Cloud for time-limited download links for one sensor kit.

    Returns (sensor_url, sensor_config_url). Raises RuntimeError on any non-200
    response, so the caller never tries to unpack an error string as a tuple.
    """
    headers = {
        'x-auth-token': x_auth_token,
    }

    data = {
        "sensor_types": [
            {
                "device_type": device_type,
                "architecture": architecture,
                "type": sensor_type,
                "version": version
            }
        ],
        "expires_at": expires_at
    }

    # The API expects the JSON body as a multipart form part named 'sensor_url_request'.
    files = {
        'sensor_url_request': (None, json.dumps(data), 'application/json'),
    }

    endpoint = f'{url}/lcm/v1/orgs/{org_id}/sensor/_download'

    response = requests.post(endpoint, headers=headers, files=files, timeout=30)

    if response.status_code != 200:
        # Use .text: an error body is not guaranteed to be JSON.
        raise RuntimeError(f"Error: {response.status_code} - {response.text}")

    sensor_info = response.json()['sensor_infos'][0]
    return sensor_info['sensor_url'], sensor_info['sensor_config_url']


# Example usage:
if __name__ == "__main__":
    url = 'https://defense-prodsyd.conferdeploy.net'
    org_id = ''
    x_auth_token = ''  # This is tricky: it is your API Secret Key and API ID joined with a '/', in that order, i.e. <API Secret Key>/<API ID>
    device_type = 'WINDOWS'
    architecture = '64'
    sensor_type = 'WINDOWS'
    version = '4.0.0.1292'
    expires_at = '2024-06-05T23:39:52Z'

    sensor_url, sensor_config_url = download_sensor(url, org_id, x_auth_token, device_type, architecture, sensor_type, version, expires_at)

    print("Sensor URL:", sensor_url)
    print("Sensor Config URL:", sensor_config_url)

    webbrowser.open(sensor_url)
    webbrowser.open(sensor_config_url)

Here is the script
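The "Improvements" listed in the script header, worked through as an added example (mine, not code from the original script or the rstar13as/cbc_sensor_request repository): an automatic now + 30 min expiry, OS detection with the platform library, the same request body, a urllib download to a chosen path, and the unattended msiexec line from the header turned into a subprocess argument list. The macOS sensor type "MAC", the download paths and the policy name "Standard" are assumptions; only download_to() and install_sensor() touch the network or the OS, everything else is pure and runs anywhere.

```python
import platform
import shutil
import subprocess
import urllib.request
from datetime import datetime, timedelta, timezone
from pathlib import Path


def expires_at_in(minutes=30, now=None):
    """'expires_at' value <minutes> from now, in the Zulu ISO-8601 form the
    script above hard-codes ('2024-06-05T23:39:52Z')."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")


def detect_sensor_target(system=None, machine=None):
    """Map the local OS to (device_type, architecture, type) for the request body.
    The Windows values are the ones the script above uses; the macOS mapping is
    an assumption. Linux is deliberately not mapped: its 'type' is the
    distribution (RHEL, UBUNTU, ...), which platform.system() does not reveal."""
    system = system or platform.system()
    machine = (machine or platform.machine()).lower()
    arch = "64" if machine in ("amd64", "x86_64", "arm64", "aarch64") else "32"
    if system == "Windows":
        return "WINDOWS", arch, "WINDOWS"
    if system == "Darwin":
        return "MAC", arch, "MAC"  # assumed value; confirm against the API reference
    raise NotImplementedError(f"no sensor type mapping for {system}")


def build_sensor_request(device_type, architecture, sensor_type, version, expires_at):
    """Same body shape as download_sensor() above (it is sent as the
    'sensor_url_request' multipart part)."""
    return {
        "sensor_types": [{
            "device_type": device_type,
            "architecture": architecture,
            "type": sensor_type,
            "version": version,
        }],
        "expires_at": expires_at,
    }


def download_to(url, dest_dir, filename):
    """Stream a pre-signed sensor/config URL to dest_dir/filename with urllib.
    Returns the path written."""
    dest = Path(dest_dir) / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    with urllib.request.urlopen(url, timeout=60) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def build_msiexec_command(msi_path, config_path, company_code, policy_name,
                          log_path="msi.log", cli_users=None):
    """Argument list for the unattended install line quoted in the header
    (msiexec.exe /q /i <msi> /L*v msi.log COMPANY_CODE=... POLICY_NAME=...
    CONFIGFILE=...). A list, not a string, so paths with spaces need no quoting."""
    cmd = ["msiexec.exe", "/q", "/i", str(msi_path), "/L*v", str(log_path),
           f"COMPANY_CODE={company_code}", f"POLICY_NAME={policy_name}",
           f"CONFIGFILE={config_path}"]
    if cli_users:  # optional: SID of the group allowed to use the sensor CLI
        cmd.append(f"CLI_USERS={cli_users}")
    return cmd


def install_sensor(cmd):
    """Run the installer (Windows only); returns msiexec's exit code, 0 on success."""
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    # Demo with a fixed target so it prints the same on any OS.
    device_type, arch, sensor_type = detect_sensor_target("Windows", "AMD64")
    print(build_sensor_request(device_type, arch, sensor_type, "4.0.0.1292",
                               expires_at_in(30)))
    # With real links from download_sensor() (network and Windows required):
    #   msi = download_to(sensor_url, r"C:\Temp\cbc", "CBCSensor.msi")
    #   cfg = download_to(sensor_config_url, r"C:\Temp\cbc", "config-blob.ini")
    #   install_sensor(build_msiexec_command(msi, cfg, "XYZABC", "Standard"))
```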

Reference

Transfer MSDN to another email address

Transferring subscriptions is a self-service customer process, and I have provided the steps below for you; however, please be aware that, per the offer policy, this offer is limited to one per subscriber. This means you would not be able to have two Visual Studio Enterprise – MPN subscriptions per subscriber.

These are the steps for transferring a subscription:
https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer

These are the steps to move resources from one subscription to another:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-resource-group-and-subscription#use-the-portal

In addition, if you are transferring your subscription to a different tenant, here are some important considerations.

- Co-admins, Service Admin and RBAC permissions will be removed during the transfer procedure; however, you can manually add them back after the transfer has completed.

- Any services or deployments that are tied to, or dependent upon, the specific Azure Active Directory (AAD) tenant will be interrupted during a cross-tenant transfer, and you would need to manually re-configure them. We have some detailed documentation that will help you identify your AAD dependencies: https://learn.microsoft.com/en-us/azure/active-directory/

- Azure AD Domain Services – Cannot be transferred or migrated, as this is a feature tied to a specific AAD tenant.

- Azure Key Vaults – Could be impacted by a SOT if the tenant ID for these resources is not updated. For more information, go to
https://learn.microsoft.com/en-us/azure/key-vault/general/move-subscription

- SQL-related users and databases – Could be impacted, especially if you are using AAD-related authentication. For more information, go to
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell

- App Services – Could be impacted, as these are configured with AAD authentication.
https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/billing-subscription-transfer

https://learn.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription#understand-the-impact-of-transferring-a-subscription

Enhancing Cybersecurity Defenses: The Mathematical Imperative of Application Allowlisting

IMPORTANT: I have rewritten this blog based on the original LinkedIn post by Timothy R – https://www.linkedin.com/in/timrohrbaugh/ , https://www.linkedin.com/posts/timrohrbaugh_cybersecurity-allowlisting-applicationwhitelisting-activity-7132859242478219264-plO1/ . I am not claiming authorship, and I have approval from Timothy for this blog.

In the ever-evolving landscape of cybersecurity, the role of Allowlisting, specifically application whitelisting for computing devices, has transformed from being a mere option to an absolute necessity. Operating without this critical defense mechanism not only exposes vulnerabilities but also poses substantial threats to both human and financial resources. To emphasize the urgency of this matter, let’s explore the mathematical perspective of Allowlisting and its impact on the endpoint surface area—a crucial consideration in the battle against malware.

At the core of this mathematical analysis is the concept of the attack surface (S), representing the myriad potential entry points for malware into a system. This surface is influenced by several variables, each playing a distinct role in shaping the overall security posture:

  • E: The number of types of executable files a system can process.
  • A: The number of application files currently permitted to run.
  • D: The daily influx of new executable files, originating from updates or other sources.
  • T: The time elapsed since the last system rebuild.

The formula encapsulating this concept is defined as follows:

S = (E × A) + (D × T)

Breaking down this formula:

  • S: Represents the expanding attack surface over time.
  • E × A: Signifies the baseline attack surface derived from the system’s capabilities.
  • D × T: Illustrates the growth of the attack surface due to the daily addition of new files.

Consider the scenario of a standard Windows 11 x64 Pro desktop, starting with nearly 60,000 potential entry points on the C drive alone. Routine updates contribute around 25,000 new files monthly, averaging about 833 daily. This calculation doesn’t even account for files from less secure sources such as email attachments, drive-by downloads, or shared drives.

Without the implementation of Allowlisting, every one of these files could potentially execute, placing the burden on Endpoint Detection and Response (EDR) systems—a strategy that has proven inadequate over the past decade, as evidenced by the surge in ransomware attacks.

Allowlisting, which involves predefining each file that can run based on factors such as Publisher’s signing Cert, HASH, or location, offers a strategic solution. By significantly narrowing down the number of executable files (A) and controlling the growth of the attack surface (S), this proactive approach not only slows the expansion of potential threats but also ensures that only vetted files can execute.

In essence, for those serious about safeguarding their enterprises from the ever-present threat of malware, Allowlisting is not merely beneficial—it’s imperative in today’s dynamic cybersecurity landscape. Embracing this approach empowers organizations to take a proactive stance against evolving cyber threats, ultimately fortifying their defenses and securing the longevity of their digital infrastructure.
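To make the three allow criteria (publisher signing cert, hash, location) and the formula S = (E × A) + (D × T) concrete, here is an added example that is mine, not Timothy's or the post's: a minimal allowlist decision over a constructed file inventory, with S evaluated before and after allowlisting. The inventory, hashes, publisher names and the assumed rate of 10 newly vetted files a day are all constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str
    publisher: Optional[str]  # subject of the signing certificate, None if unsigned


@dataclass
class AllowlistPolicy:
    """The three criteria the post names: publisher signing cert, hash, location."""
    trusted_publishers: set = field(default_factory=set)
    approved_hashes: set = field(default_factory=set)
    trusted_dirs: tuple = ()

    def reason(self, exe):
        """The rule that permits exe, or None if it must not run. Hash is checked
        first, then publisher, then location, so every decision is explainable."""
        if exe.sha256.lower() in self.approved_hashes:
            return "hash"
        if exe.publisher and exe.publisher in self.trusted_publishers:
            return "publisher"
        if any(exe.path.lower().startswith(d.lower()) for d in self.trusted_dirs):
            return "location"
        return None

    def evaluate(self, inventory):
        """Return ({path: reason} allowed, [path] blocked) for an inventory."""
        allowed, blocked = {}, []
        for exe in inventory:
            why = self.reason(exe)
            if why:
                allowed[exe.path] = why
            else:
                blocked.append(exe.path)
        return allowed, blocked


def attack_surface(E, A, D, T):
    """S = (E x A) + (D x T), as defined in the post."""
    return E * A + D * T


def fake_sha256(label):
    """Deterministic stand-in for a real file hash (constructed sample data)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed inventory: a signed OS binary, a signed third-party tool in a trusted
# directory, an unsigned in-house tool approved by hash, and an unsigned download.
INVENTORY = [
    Executable(r"C:\Windows\System32\notepad.exe", fake_sha256("notepad"), "Microsoft Windows"),
    Executable(r"C:\Program Files\Vendor\tool.exe", fake_sha256("tool"), "Vendor Inc"),
    Executable(r"C:\Tools\inhouse.exe", fake_sha256("inhouse"), None),
    Executable(r"C:\Users\bob\Downloads\invoice.exe", fake_sha256("invoice"), None),
]

POLICY = AllowlistPolicy(
    trusted_publishers={"Microsoft Windows"},
    approved_hashes={fake_sha256("inhouse")},
    trusted_dirs=("C:\\Program Files\\",),
)


def surface_comparison(inventory, policy, E, D, T, vetted_per_day):
    """S without allowlisting (every file counts toward A, all D new files per day
    count) versus with it (only allowed files count, and only vetted additions grow S)."""
    allowed, _ = policy.evaluate(inventory)
    without = attack_surface(E, len(inventory), D, T)
    with_allowlist = attack_surface(E, len(allowed), vetted_per_day, T)
    return without, with_allowlist


if __name__ == "__main__":
    allowed, blocked = POLICY.evaluate(INVENTORY)
    for path, why in allowed.items():
        print(f"ALLOW ({why:9}) {path}")
    for path in blocked:
        print(f"BLOCK            {path}")
    # The post's desktop: ~60,000 files, ~833 new ones a day, after 30 days (E = 1).
    print("S after 30 days:", attack_surface(1, 60_000, 833, 30))
```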

Reference

Fipped

Flipper zero

  • https://www.redteamtools.com/rfid-electronic-access-control
  • https://shop.redteamalliance.com/collections/2021-classes/products/1-day-defcon-special-event-flipping-out-about-pacs-applied-modern-hacking-tools-and-techniques
  • https://flipc.org/

LoRa – Long Range Protocols

  • Meshtastic
  • https://www.youtube.com/watch?v=vxF1N9asjts
  • https://www.youtube.com/watch?v=7NxgD22amCQ
  • https://www.allaboutcircuits.com/news/asset-tracker-test-proves-efficacy-zeta-new-lpwa-network/
  • https://www.szanysecu.com/en/h-pr–0_526_3.html?complexStaticUrl=true

Car Hacking Village

  • https://github.com/nonamecoder/FlipperZeroHondaFirmware
  • https://medium.com/@naoumine/vehicle-hacking-with-icsim-part-1-f4bd632cac9e
  • https://www.carhackingvillage.com/talks
  • https://forum.flipperzero.one/t/car-key-emulation/1094
  • https://forum.flipperzero.one/t/car-key-emulation/1094/7
  • https://www.reddit.com/r/flipperzero/comments/u922ur/car_key_cloning/
  • https://gigazine.net/gsc_news/en/20221227-flipper-zero-car-key/
  • https://www.youtube.com/watch?v=1RipwqJG50c

Microsoft Windows Defender Bypass (Research)

GMER

  • http://www.gmer.net/

Fancy Defender evasion? RegLoadKey, RegUnloadKey or NtLoadKey, NtUnloadKey

1. Export CurrentControlSet to a file
2. Edit path in a file
3. Import a file as new ControlSet
4. Change “Select” values to new one
5. Reboot

https://www.linkedin.com/posts/grzegorztworek_fancy-defender-evasion-yet-another-method-ugcPost-7090917993022443520-YXY9?utm_source=share&utm_medium=member_desktop

CrowdStrike Bypass

  • https://www.horangi.com/blog/bypassing-crowdstrike-falcon
  • https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/
  • https://www.bleepingcomputer.com/news/security/alleged-source-code-of-cobalt-strike-toolkit-shared-online/
  • https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf
  • https://twitter.com/NinjaParanoid
  • https://bruteratel.com/tabs/features/

Red Team Tools

  • Sliver – https://github.com/BishopFox/sliver
  • Mythic – https://github.com/its-a-feature/Mythic
  • Covenant – https://github.com/cobbr/Covenant

Reference

  • http://www.detectx.com.au/bypass-av-edr-remoting/
  • http://www.detectx.com.au/bypassing-av/
  • https://securitytrails.com/blog/red-team-tools
  • https://cybersecuritynews.com/red-team-tools/
  • https://github.com/A-poc/RedTeam-Tools
  • https://www.pluralsight.com/paths/red-team-tools
  • https://bishopfox.com/blog/9-red-team-tools
  • https://www.techtarget.com/searchsecurity/tip/5-open-source-offensive-security-tools-for-red-teaming

National CyberWatch Center

CLARK is the largest platform that provides FREE cybersecurity curriculum. It is home to high-value, high-impact cyber curriculum created by top educators and reviewed for relevance and quality. Whether you’re looking to teach something new tomorrow, align with curriculum guidelines and standards, or refine your current course, CLARK has free resources ready for you to use!

https://clark.center/details/cobrien/0e116db4-cf8d-409b-adf8-9744f62ebc27