Monthly summary of interesting articles, reports and tools for tech experts, covering both offensive and defensive topics.
🔴 Red Team
📝 FileFix – A ClickFix Alternative
The article discusses FileFix, a social engineering technique that uses HTML <input type="file"> elements to open the File Explorer dialog and execute OS commands. It tricks users into executing a malicious command that has been placed on the clipboard when they are prompted to open a file dialog. A proof-of-concept shows how JavaScript can block file selection and ensure the payload executes when Enter is pressed. A variant may bypass SmartScreen protections. The author advises monitoring child processes such as cmd.exe, powershell.exe, or mshta.exe spawned during file uploads to detect misuse of FileFix.
📌 Source: https://mrd0x.com/filefix-clickfix-alternative/
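The detection advice above (watch for shells spawned by a browser while a file dialog is in use) as an added example; this is not code from the mrd0x article. It runs over a constructed list of process-creation records whose field names are modelled on Sysmon Event ID 1, and it assumes the browser process is the direct parent of the interpreter because the file dialog is hosted in-process; the browser and interpreter lists are illustrative.

```python
"""Flag shells spawned by a browser process, the FileFix detection the
article recommends. Added example, not code from the mrd0x article.
Input is a constructed list of process-creation records with field names
modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine)."""

# Browsers that host the <input type="file"> dialog in-process. Assumption:
# this list is illustrative; extend it for the browsers in your fleet.
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Interpreters the article singles out as suspicious children of a browser.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Constructed sample events; the command lines are benign placeholders.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-07-01 10:00:01",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2025-07-01 10:00:05",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe about:blank"},
    {"UtcTime": "2025-07-01 10:01:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"UtcTime": "2025-07-01 10:02:00",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser_spawned_shell(event: dict) -> bool:
    """True when a browser process is the direct parent of a shell/interpreter."""
    return (basename(event["ParentImage"]) in BROWSER_PARENTS
            and basename(event["Image"]) in SUSPICIOUS_CHILDREN)


def find_candidates(events: list) -> list:
    """Return the matching events, oldest first, for analyst review.
    The "during a file upload" context from the article is not visible in a
    bare process event; correlate with browser/upload telemetry if you have it."""
    return sorted((e for e in events if is_browser_spawned_shell(e)),
                  key=lambda e: e["UtcTime"])


if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_EVENTS):
        print(f'{hit["UtcTime"]} {basename(hit["ParentImage"])} -> {hit["CommandLine"]}')
```

Of the four constructed events only the two with a browser parent and an interpreter child are returned; the explorer.exe-spawned PowerShell and the browser-spawned notepad.exe are not, which is the scope of the rule the article proposes.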
📝 Unmasking the Infrastructure of a Spearphishing Campaign
The article describes a spearphishing campaign that uses obfuscated Visual Basic Script (VBS) files named "sostener.vbs". The three-stage malware chain deploys Remote Access Trojans (RATs) such as Remcos and AsyncRAT and uses dynamic DNS services such as "duckdns.org" for command-and-control. The campaign is linked to the Colombian threat actor APT-C-36. The article outlines the stages of malware deployment, the hosting services and specific domains involved, and concludes with indicators of compromise (IOCs) for threat detection and mitigation.
📌 Source: https://censys.com/blog/unmasking-the-infrastructure-of-a-spearphishing-campaign
📝 Dragging Secrets Out of Chrome: NTLM Hash Leaks via File URLs
The article addresses a vulnerability in Chromium-based browsers that leaks NTLM hashes via file URLs. It demonstrates how a social engineering attack can abuse the drag-and-drop feature to capture NTLM hashes by deceiving users. The author explains the setup of a malicious webpage and the use of tools such as Responder to capture the hashes, outlines the conditions required for a successful attack, and provides a demonstration through an online tool and a GitHub repository.
📌 Source: https://trustedsec.com/blog/dragging-secrets-out-of-chrome-ntlm-hash-leaks-via-file-urls
🔵 Blue Team
📝 Detection Pitfalls You Might Be Sleeping On
The article discusses five flaws in detection engineering that let attackers bypass seemingly robust rules. It shows how minor variations, such as alternative flag prefixes (-EncodedCommand, /e, etc.), can evade string-based detections, and how command chaining and redirection (|, &) can fragment logs and bypass correlation rules. It also covers edge cases such as double spaces and obfuscation techniques that undermine pattern-based detections. Additionally, it warns that unaudited CMD commands may not generate logs, creating blind spots. The author suggests using resilient, behavior-oriented patterns, such as regex and event correlation, to build robust detection rules.
📌 Source: https://detect.fyi/detection-pitfalls-you-might-be-sleeping-on-52b5a3d9a0c8
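The flag-prefix, double-space and command-chaining pitfalls above, side by side with a more resilient pattern, as an added example; this is not code from the detect.fyi article. The command lines are constructed, the base64 argument decodes to the harmless "Get-Date" so the decoder can be checked end to end, and the prefix-abbreviation handling relies on PowerShell accepting any unambiguous prefix of a parameter name.

```python
"""Brittle vs. resilient matching of PowerShell encoded-command flags.
Added example, not code from the detect.fyi article. The command lines
below are constructed; the base64 payload decodes to the harmless
"Get-Date" so the decoder can be checked end to end."""
import base64
import re

PAYLOAD = base64.b64encode("Get-Date".encode("utf-16le")).decode("ascii")

SAMPLES = [
    f"powershell.exe -EncodedCommand {PAYLOAD}",          # canonical form
    f"powershell.exe  /e  {PAYLOAD}",                     # slash prefix, double spaces
    f"cmd.exe /c echo hi & powershell -enc {PAYLOAD}",    # chained behind cmd
    "powershell.exe -NoProfile -Command Get-Date",         # no encoded command
]


def brittle_match(cmdline: str) -> bool:
    """Literal substring rule: exactly the kind the article shows being evaded."""
    return "-EncodedCommand" in cmdline


# PowerShell accepts any unambiguous prefix of a parameter name, so -e, -en,
# -enc, ... -EncodedCommand all work, with '-' or '/' as the prefix character.
_ALTS = "|".join(re.escape("encodedcommand"[:i]) for i in range(14, 0, -1))
ENC_FLAG = re.compile(rf"(?:^| )[-/](?:{_ALTS})(?= |$)", re.IGNORECASE)
CHAIN_SPLIT = re.compile(r"\s*(?:\|\||&&|\||&)\s*")


def normalize(cmdline: str) -> str:
    """Collapse runs of spaces/tabs so spacing tricks do not defeat the match."""
    return " ".join(cmdline.split())


def split_chain(cmdline: str) -> list:
    """Break a chained/redirected command line into its segments, since the
    interesting interpreter call may sit behind a cmd.exe wrapper."""
    return [s for s in CHAIN_SPLIT.split(cmdline) if s]


def decode_encoded_command(segment: str):
    """Return the decoded script for one segment, None if no flag is present,
    or '<undecodable>' when the flag is there but the argument is not valid
    base64/UTF-16LE (still worth alerting on)."""
    m = ENC_FLAG.search(segment)
    if not m:
        return None
    token = segment[m.end():].strip().split(" ", 1)[0].strip("\"'")
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def scan(cmdline: str) -> list:
    """Decoded scripts found anywhere in a normalised, de-chained command line."""
    found = []
    for segment in split_chain(normalize(cmdline)):
        decoded = decode_encoded_command(segment)
        if decoded is not None:
            found.append(decoded)
    return found


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"brittle={brittle_match(s)!s:5} resilient={scan(s)}  {s}")
```

The literal rule fires only on the first sample; the normalised, prefix-aware pattern also catches the slash-prefixed double-spaced form and the call hidden behind a cmd.exe chain, and it stays quiet on the plain -Command invocation. Decoding the argument rather than just flagging it is what turns the alert into something an analyst can triage.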
📝 The Cyber Deception Maturity Model: Where Does Your Organization Stand?
This article presents a Cyber Deception Maturity Model that empowers organizations to evaluate and enhance their deception capabilities across five maturity levels. It details advancements in personnel, processes, technology, and strategies, showcasing the evolution from basic honeypots to advanced techniques for detecting and understanding adversaries. The guidance for transitioning between levels emphasizes the necessity of strategic planning and continuous improvement, establishing deception as a strategic advantage in security.
📌 Source: https://deceptiq.com/blog/cyber-deception-maturity-model
📝 Why is no one talking about maintenance in detection engineering?
The article emphasizes the critical importance of maintenance in detection engineering, despite its perceived lack of glamour compared to new development. It discusses challenges like false positives and deprecated tuning, categorizing maintenance into corrective, adaptive, perfective, and preventive types with relevant examples. The author argues for maintenance as a proactive process and calls for more industry dialogue to improve detection resilience and reduce alert fatigue.
Never trust, always check