This is bi-weekly dispatch is brought to you by the team at Black Harbor. Every other week we share three things. One offensive technique, one defensive technique and some random snippet of something that piqued our interest. It may be a motivational quote, some piece of news or a slice of a product review.

Offense – Persistence using Task Scheduler without a Scheduled Task

While not an entirely new concept this is one to bring back to the front of the brain. Scheduled task is a a very, very common persistence tactic. However the blue team counter is usually simply looking for scheduled tasks. What if the scheduled task did not exist? By overwriting the WptsExtensions.dll with your own file with “evil intent” task scheduler will execute that code without creating a task.

Defense – A Tale of the Windows Login

Steve Syfuhs walks through what happens during a Windows login. Windows uses credential providers to accept credential types and transform them into data to make a call to LSA. LSA loops through each authenticate package until it finds one that accepts the credential it has. This led me down the rabbit hole of looking into various steps of Authentication that affect logon which helped me better understand the complexity that goes into a Windows login.

Snippet – Cyber Threat Intel FAQ

Cyber Threat Intel (CIT) is a grey area. For most it seems paths to enter are through Government and Department of Defense Channels. College courses or certifications are few and far between. So how do you get into a CTI role? Katie Nickels wrote a fantastic article on just that.

If you find value in this newsletter please consider sharing it to your friends and colleagues. Signup at https://newsletter.blackharbor.io/

View our past dispatches at https://blackharbor.io/category/dispatch/