Hello Reader,
Tonight we continued to expand our usage of Claude 3.7 in Cursor to see if we can use the Cursor rules files to get our model to behave better. Check out the video below:
Hello Reader,
Tonight Evan Anderson and I went back into the world of AI code development with Claude 3.7. This time we decided to see if we could make it fix its prior error and add async downloads. It didn't end well, but it reinforced to us that in the next stream we need to implement .cursorrules! You can watch below:
Hello Reader,
Today we are continuing our exploration of Claude 3.7 and Cursor to add support for AWS role testing for CloudTrail location and access to our CloudTrail discovery tool! It did actually work and we only found one thing that it broke! Watch it below.
Hello Reader,
Today Evan Anderson and I got together and tested out the new Claude 3.7 Sonnet model with Cursor to build an application that finds AWS logs and then transfers them, with some bells and whistles added on. I think you'll be impressed if you see what this new version can do! You can watch it below:
Hello Reader,
It's Sunday! This week's challenge is all about the Windows Search index! While we have parsers that support its contents, it's unclear to me when the database is updated/cleared when a file is deleted. Let's see what you all can do!
On a Windows 11 or Windows 10 system:
1. Make sure Windows Search is enabled
2. Create files with unique phrases such as "This is the smoking gun"
3. Make sure the files are indexed and present in the Windows Search database
4. Delete the document and determine what the trigger method is and the timing for the contents to be deleted from the search database
Bonus: Determine if the deleted records are recoverable
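One way to work steps 1 through 4 repeatably, as an added example that is not part of the original challenge or any reader's answer: plant a file carrying a unique phrase, poll the live index until the phrase shows up, delete the file, then poll until the hit disappears and record both latencies. It assumes Windows 10/11 with Windows Search enabled, pywin32 installed, and that it is run as the interactive user whose index scope covers the target directory; the query goes through the Search.CollatorDSO OLE DB provider over ADO. The poll loop takes injectable check/clock/sleep callables so its logic can be exercised without a Windows host.

```python
"""Added example (not from the original challenge or any reader's answer):
time how long a deleted file's content survives in the Windows Search index.
Assumes Windows 10/11, Windows Search enabled, pywin32, run as the interactive
user whose index scope covers `directory`."""
import time
import uuid
from pathlib import Path

PROVIDER = "Provider=Search.CollatorDSO;Extended Properties='Application=Windows';"


def build_query(phrase: str) -> str:
    """Windows Search SQL for an exact-phrase full-text match on indexed content.
    The inner double quotes make CONTAINS match the phrase rather than the
    individual words; single quotes are doubled to keep the SQL literal intact."""
    safe = phrase.replace('"', "").replace("'", "''")
    return ("SELECT System.ItemPathDisplay, System.DateModified FROM SYSTEMINDEX "
            f"WHERE CONTAINS('\"{safe}\"')")


def index_hits(phrase: str) -> list:
    """Paths currently indexed with `phrase` in their content (Windows only)."""
    import win32com.client  # imported here so the pure helpers run anywhere
    conn = win32com.client.Dispatch("ADODB.Connection")
    conn.Open(PROVIDER)
    try:
        rs, _ = conn.Execute(build_query(phrase))  # Execute returns (Recordset, affected)
        hits = []
        while not rs.EOF:
            hits.append(str(rs.Fields.Item("System.ItemPathDisplay").Value))
            rs.MoveNext()
        return hits
    finally:
        conn.Close()


def wait_for(check, want, timeout, interval=1.0, clock=time.monotonic, sleep=time.sleep):
    """Poll check() until it returns `want`. Returns seconds elapsed, or None if
    `timeout` seconds pass first. clock/sleep are injectable for testing."""
    start = clock()
    while True:
        if check() == want:
            return clock() - start
        if clock() - start >= timeout:
            return None
        sleep(interval)


def run_experiment(directory, timeout=900):
    """Create the marker file, wait for it to appear in the index, delete it, then
    wait for it to disappear. Both latencies are in seconds (None = timed out)."""
    tag = uuid.uuid4().hex
    phrase = f"This is the smoking gun {tag}"        # unique, so stale hits cannot confuse us
    path = Path(directory) / f"sfu-{tag[:8]}.txt"
    path.write_text(phrase + "\n", encoding="utf-8")

    def present():
        return any(p.lower() == str(path).lower() for p in index_hits(phrase))

    indexed = wait_for(present, True, timeout)
    path.unlink()                                     # the deletion we are timing
    deleted_at = time.time()                          # epoch, for correlating with other artifacts
    removed = wait_for(present, False, timeout) if indexed is not None else None
    return {"path": str(path), "phrase": phrase, "deleted_at": deleted_at,
            "indexed_after_s": indexed, "removed_after_s": removed}


if __name__ == "__main__":
    import sys
    print(run_experiment(sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Documents"))
```

Run it once per trigger you want to test (delete from Explorer, from the command line, with the Search service restarted in between) and compare `removed_after_s` across runs; `deleted_at` lets you line the deletion up against the USN journal for the same file. For the bonus, copy the index database out of %ProgramData%\Microsoft\Search\Data\Applications\Windows after the hit has vanished and check whether the phrase is still carveable from it.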
Hello Reader,
This week the real question is, can anyone stop Ilya Kobzar's winning streak? Here he is again with another winning answer and some very thorough research all about what happens when credentials are taken via IMDS on AWS.
AWS IAM roles are often targeted by threat actors after they get access to a running virtual machine. While AWS IMDSv2 may prevent some attacks, the functionality is still there and is being actively exploited to get credentials and act as a service or role. In this challenge I want you to try the following and document what logs are left that could be used to detect or determine these actions occurred.
1. Retrieve a temporary AWS access key credential from IMDSv1
2. Retrieve a temporary AWS access key credential from IMDSv2
3. Use the temporary access key within an AWS VM
4. Use the temporary access key from outside of AWS
From all four scenarios determine what logs are created.
Bonus: Try and document other scenarios of theft and use and additional sources of evidence.
The winning answer:
https://www.ilyakobzar.com/p/ec2-iam-role-sts-credentials-compromise
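As an added example that is not code from the challenge or from the winning answer, the block below covers both halves of the exercise. The first part fetches instance-profile credentials the two ways scenarios 1 and 2 name (it has to run on an EC2 instance). The second part is the detection side for scenarios 3 and 4: it triages CloudTrail records by how the credentials were delivered, using the `userIdentity.sessionContext.ec2RoleDelivery` field ("1.0" for IMDSv1, "2.0" for IMDSv2), and by where they were used from. The VPC range, instance IP set and the three CloudTrail records are constructed for the example.

```python
"""Added example, not code from the original challenge or the winning answer.
Part 1: pull instance-profile credentials over IMDSv1 and IMDSv2 (run on EC2).
Part 2: triage constructed CloudTrail records for use of those credentials."""
import ipaddress
import json
import re
import urllib.request

IMDS = "http://169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


def _imds(path, headers=None, method="GET"):
    req = urllib.request.Request(IMDS + path, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_v1_credentials():
    """Scenario 1: one unauthenticated GET lists the role, a second returns the keys."""
    role = _imds(CRED_PATH).strip().splitlines()[0]
    return json.loads(_imds(CRED_PATH + role))


def imds_v2_credentials(ttl_seconds=21600):
    """Scenario 2: PUT for a session token, then GET with the token header.
    Anything already running on the box can do this; IMDSv2 mainly blocks
    SSRF-style reach-through that cannot send a PUT with a custom header."""
    token = _imds("/latest/api/token", method="PUT",
                  headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    auth = {"X-aws-ec2-metadata-token": token}
    role = _imds(CRED_PATH, headers=auth).strip().splitlines()[0]
    return json.loads(_imds(CRED_PATH + role, headers=auth))


# --- detection side ---------------------------------------------------------
INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8,17}$")


def _in_vpc(src, vpc_cidrs):
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # "AWS Internal", hostnames, empty strings
        return False
    return any(ip in ipaddress.ip_network(c) for c in vpc_cidrs)


def classify_event(event, vpc_cidrs, instance_ips):
    """Describe one CloudTrail record made with EC2 instance-profile credentials,
    or return None if it was not. The role-session name (last ARN segment) is the
    instance ID for instance-profile credentials; ec2RoleDelivery records which
    IMDS version handed them out."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    if not INSTANCE_ID.match(session):
        return None             # assumed by a person or service, not by the instance
    delivery = {"1.0": "imdsv1", "2.0": "imdsv2"}.get(
        ident.get("sessionContext", {}).get("ec2RoleDelivery"), "unknown")
    src = event.get("sourceIPAddress", "")
    if src == "AWS Internal" or src.endswith(".amazonaws.com"):
        origin = "aws-service"  # a service acting on the role's behalf
    elif src in instance_ips:
        origin = "instance"     # scenario 3: used from the box itself
    elif _in_vpc(src, vpc_cidrs):
        origin = "vpc"          # another host in the VPC, e.g. via a VPC endpoint
    else:
        origin = "foreign"      # scenario 4 candidate; confirm against AWS ip-ranges.json
    return {"delivery": delivery, "origin": origin, "session": session,
            "source_ip": src, "event": event.get("eventName")}


def triage(events, vpc_cidrs, instance_ips):
    """Instance-profile credential use across a batch of CloudTrail records."""
    return [r for r in (classify_event(e, vpc_cidrs, instance_ips) for e in events) if r]


# Constructed records (RFC 5737 addresses), not real CloudTrail output.
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def4567890",
                      "sessionContext": {"ec2RoleDelivery": "2.0",
                                         "sessionIssuer": {"type": "Role"}}}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def4567890",
                      "sessionContext": {"ec2RoleDelivery": "1.0",
                                         "sessionIssuer": {"type": "Role"}}}},
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, ["10.0.0.0/16"], {"10.0.1.25"}):
        print(row)
```

Two caveats when reading the `origin` label. An instance that reaches a public AWS endpoint through an internet gateway shows its own public or NAT address, so `instance_ips` has to include those as well as the private address, and "foreign" only means the address is not one you expected: check it against AWS's published ip-ranges.json before calling it use from outside AWS. GuardDuty covers the same split with its `UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS` and `.OutsideAWS` finding types, which is a useful cross-check for scenarios 3 and 4.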
Hello Reader,
Today I decided to do a live demonstration of how the AWS CloudTrail Downloader v2 from our FOR509 class works! So I fired it up and showed off all the new features, like AWS profile support and, most importantly, resume functionality! I hope you like it!
Hello Reader,
It's always great when new people start blogging, and Evan Anderson has started a new blog! His blog Offensive Context is all about offensive security techniques and applied learnings. Evan and I have known each other for a long time and have done National CCDC red teaming together for over 15 years. So if you are looking to learn more about how threat actors actually work, Evan's blog is a great place to learn!
https://www.offensivecontext.com/abusing-dns-part-1-how-does-dns-do-what-it-do/
Copyright © HecfBlog