Posts

Showing posts from October, 2021

Hunting for Citrix Netscaler API Abuse: Reconnaissance, SSO and Session Manipulation

I worked a case recently where unauthenticated threat actors were able to access and perform reconnaissance and session manipulation in Citrix via API requests. These threat actors proceeded to abuse single sign-on (SSO) for access. As such, I wrote this blog post to highlight some of the things to be aware of when hunting through Citrix logs that can hopefully help some security analysts when they're performing their threat hunts / investigations. Please note, how and whether this works depends on your client's Citrix configuration and settings. The reason why this is interesting to someone in a blue team is because an unauthenticated attacker could potentially (depending on the Citrix configuration) do the following:
Enumerate resources available to a user, i.e. what hosts they have access to and what method
Force sessions to last longer without signing the attacker out
Detect what methods of authentication are utilised (5 documented) and if SSO is enabled
Abuse SSO for access to r

Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more - PART II

In my previous blog post, I detailed an attack matrix for Microsoft 365 (M365), documenting the various attacks and actions on objectives that can be taken by threat actors. My original matrix did not touch on some other hybrid attacks that can happen on Azure AD which are relevant to the Microsoft Cloud environment. As such, I have modified and updated the attack matrix below to show all the various attacks collated into one matrix. For those of you who are not familiar with M365 or Azure AD (AAD), the reason I built this matrix is because the Mitre O365 matrix did not include a comprehensive list of all the various attack vectors. To be a good responder / defender, it’s important to understand the different types of attacks that your organisation or client may be plagued with. Attacks on Azure AD and M365 are not limited to simple business email compromise cases (BECs) but are now actively being exploited by nation-state APT groups. The reason that these actors choose the cloud as