Certified Azure Red Team Professional (CARTP) review

Introduction

Certified Azure Red Team Professional (CARTP) is Altered Security’s offering for aspiring red teamers in the Azure environment. With no need for prior subject knowledge, it offers an overview of the tactics, techniques and procedures used within the Microsoft cloud. In this review I’ll share, based on my experience, the pros and cons of the certification, along with some tips and tricks discovered during the course.

Course

The topics covered are many, from Azure Active Directory to the most common Azure resources used in enterprise environments, and every topic is covered in a stand-alone video, with some having a learning objective at the end (twenty-six in total, but a few are instructor only).

$449 ($359 during Black Friday sales) is an attractive price, both for individuals and for companies interested in skilling their employees. It includes life-time access to the course material (slides, videos, walk-throughs, etc.) plus one month of lab access and one exam attempt.

I had some technical issues during the lab (especially with the users’ simulation scripts, e.g. illicit consent grant), but the support, both on Discord and via e-mail, quickly solved every problem; even considering the time zone difference (it’s based in India), they sometimes answered outside working hours. Also, in case of scheduled maintenance they extended the lab duration.

I would appreciate a greater focus on the mitigations to put in place to prevent a vulnerability, the queries to detect a specific pattern, or the built-in security solutions (since, from my experience, there are a lot) that the cloud provider makes available to protect its workloads, in order to convey a more holistic approach.

As a working student, 30 days of lab access feels a bit tight to complete all the learning objectives and the additional CTF, especially if you need to repeat some lessons or you lose time on some topics, maybe due to technical problems. However, subject to a non-cheap price increase, it is possible to extend the duration of the lab up to three months.

CARTP is perhaps the most recognized and popular certification in the Azure red team panorama, although Altered Security is not as recognized as other providers in the market, e.g. Offensive Security.

Exam

The exam consists of a 24-hour non-proctored hands-on assessment (plus an extra hour to make up for the time lost setting up the environment) whose goal is to compromise all resources (including users and applications) and obtain the final flag. In addition, you’re provided with a blank virtual machine (where you can upload any tool of choice) to access the environment. If you’ve followed each lesson and completed each learning objective, you should have no problem owning all the resources. After that you have 48 hours to submit the final report and, if you pass, you’ll receive the digital certificate via e-mail within one working week. ...

November 25, 2024 · 4 min · Me

DIY Rubber Ducky clone with a DigiSpark ATTiny85, 2K24 revamp

DigiSpark ATTiny85 is a compact AVR-based micro-controller, available for a few bucks on Amazon, which can be programmed to simulate an input device, such as a keyboard, making it an interesting alternative to Hak5’s Rubber Ducky. Unfortunately, the board’s vendor discontinued support a few years ago and the official site hosting the configuration package is still offline, making manual installation the only way to set up the board. Over the years some projects, such as Spence Konde’s ATTinyCore, tried to fill the void, but installation of additional libraries is still required. ...

April 13, 2024 · 3 min · Me

Click me to the moon: counterfeit invoice archive contains JavaScript dropper and leads to host compromise

Introduction

During my daily blue-team operations I stumbled across a lightning-fast infection chain, which all started with a suspicious attachment received via e-mail from a compromised supplier address. Since the installed security solution blocked only the first-stage payload, I took charge of the alerts and decided to deep dive and analyze the sample.

Analysis

The initial access vector is a .zip archive, downloaded from the web, containing the following files: ...

October 26, 2023 · 3 min · Me

The dark side of Vimeo: video meta-data contains PowerShell script and leads to host compromise

Introduction

During my daily blue-team operations I stumbled across a series of similar infection chains, which all started with an infected thumb drive. Since the installed security solution detected the threat with a generic signature but didn’t block it, I took charge of the alerts and decided to deep dive and analyze the sample.

Analysis

The initial access vector is an infected USB stick, used to transfer files to a copy shop, containing the following files: ...

October 10, 2023 · 3 min · Me