Active Directory Attack & Defense

The "Active Directory Kill Chain Attack & Defense" concept is a structured approach to understanding the sequence of events or stages involved in an Active Directory (AD) attack and the corresponding defensive measures to counteract or prevent such attacks. Microsoft developed the Active Directory service for Windows domain networks to manage users and resources in corporate settings.

You can also get the Incident Response Plan Template to prepare for Active Directory-based attacks.

Here is a breakdown of a typical Active Directory kill chain attack and its defense:

Reconnaissance:

Attack: An attacker gathers information about the target network, its structure, domain names, machine names, and user accounts.

Defense: Limit information exposure. Use network segmentation and monitor directory visibility (who can read what in AD).

Initial Compromise:

Attack: The attacker exploits vulnerabilities to gain initial access. This could be through phishing, weak passwords, or unpatched vulnerabilities.

Defense: Implement strong password policies, regular patching, employee awareness training, and multi-factor authentication.

Establish Foothold:

Attack: Once access is gained, the attacker establishes a foothold by creating backdoors, creating new accounts, or installing malware.

Defense: Use endpoint detection and response tools, regularly audit accounts and permissions, and monitor for unusual activity.

Escalation of Privilege:

Attack: The attacker attempts to gain higher-level privileges, often targeting administrator accounts or exploiting system vulnerabilities.

Defense: Apply the principle of least privilege, conduct regular privilege audits, and use privileged access management solutions.

Internal Reconnaissance:

Attack: With higher privileges, the attacker explores the network more deeply to identify high-value targets (such as domain controllers).

Defense: Network segmentation, network traffic monitoring, and intrusion detection systems.

Move Laterally:

Attack: The attacker moves through the network, accessing various systems and potentially spreading malware.

Defense: Implement strict access controls, monitor for lateral movement, and employ network security tools.

Maintain Presence:

Attack: Attackers establish ways to maintain their presence across the network, even if some of their access points are discovered and closed.

Defense: Continuous monitoring, regular network scans, and incident response plans.

Complete Mission:

Attack: The attacker achieves their objective, which could be data exfiltration, data encryption for ransom, or operational disruption.

Defense: Data loss prevention tools, regular backups, and a comprehensive incident response strategy.

Understanding and defending against each stage of the Active Directory kill chain requires a combination of technical controls, security policies, and ongoing user training. Continuous monitoring, rapid incident response, and regular reviews of security practices are essential to mitigating the risk of such attacks.

Here, we elaborate on the tactics, techniques, and procedures (TTPs) attackers leverage to compromise Active Directory, with guidance on mitigation, detection, and prevention. See also Active Directory Kill Chain Attack and Common Post-Exploitation Adversary Tradecraft Activity.

Learn How to Secure Active Directory Against Attacks

A thorough checklist is essential for securing Active Directory (AD) against threats. Here is a methodical approach:

Update and Patch Regularly: Ensure that all systems, especially those running Active Directory, are patched and up to date with the latest security updates on a regular basis.

Secure Domain Controllers: Domain Controllers (DCs) that are physically secured and whose roles are restricted to AD services are known as secure domain controllers. Avoid using DCs for any other purpose.

Establish Strong Password Policies: Passwords must be complex and changed regularly. To strengthen security, consider passphrases and multi-factor authentication (MFA).

Keep an Eye on User Accounts: Disable any accounts that are not being used or that hold excessive rights.

Limit Privileged Accounts: Reducing the number of users with administrative access is a critical security measure. Restrict user access to only what the job requires, following the principle of least privilege.

Monitor and Audit Logins and Activities: Implement measures to monitor and audit all logins and actions, especially those using privileged accounts. Watch for anything out of the ordinary that could indicate an attack is underway.

Secure Network Access to AD: Safeguard Active Directory by restricting access to servers on the network. Use firewalls and network segmentation so that only the users and systems that need it can reach domain controllers.

Use Organizational Units and Group Policies: Apply Group Policies for security settings and organize resources into Organizational Units (OUs) to ensure the network's security configuration is consistent.

Data Backup and Disaster Recovery: Back up Active Directory regularly and prepare for the worst. Review your backup and recovery processes regularly.

User Education: Train employees on how to recognize and avoid phishing and other social engineering threats. Raising awareness can substantially reduce the likelihood of successful attacks.

Regular Security Audits: Perform security audits of your Active Directory environment regularly and check for compliance with applicable security standards and best practices.

Consider Deploying Advanced Security Solutions: SIEM, IDS/IPS, and endpoint protection platforms.

Harden the Active Directory Configuration: Implement recommended security settings for Active Directory, such as requiring Lightweight Directory Access Protocol (LDAP) signing and mandating Server Message Block (SMB) signing wherever feasible.

Physical Access Control: Restrict physical access to servers and other network equipment to authorized personnel only.

Stay Up to Date on Emerging Threats: Keep yourself informed about emerging threats by reading up on new attack vectors and vulnerabilities that could affect AD, then adjust your security procedures accordingly.

To keep your Active Directory environment secure, review and update this checklist regularly to account for new threats and organizational changes.
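The following is an added example, not part of the original page, that turns four of the checklist items above (stale accounts, privileged group membership, privileged password age, LDAP and SMB signing) into a read-only PowerShell audit. It assumes the RSAT ActiveDirectory module, local Administrator rights on the domain controller it runs on for the registry checks, and the group names, 90-day and 365-day thresholds and CSV file names shown, all of which are illustrative choices rather than anything the page specifies.

```powershell
# Added example (not from the original page): a read-only audit of several items
# from the checklist above. Requires the RSAT ActiveDirectory module and, for the
# signing checks, local Administrator rights on the domain controller it runs on.
# Group names, thresholds and output paths are assumptions for illustration.
Import-Module ActiveDirectory

$InactiveDays     = 90                         # assumed staleness threshold
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Enabled accounts that have not logged on within the threshold ("keep an eye on user accounts").
$stale = @(Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName)

# 2. Who actually holds administrative rights, resolving nested groups ("limit privileged accounts").
$privileged = @(foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [PSCustomObject]@{ Group = $g; Member = $_.SamAccountName } }
})
$privilegedUsers = @($privileged.Member | Sort-Object -Unique)

# 3. Privileged accounts whose password is older than a year.
$oldAdminPasswords = @($privilegedUsers | ForEach-Object {
        Get-ADUser -Identity $_ -Properties PasswordLastSet
    } | Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-365) } |
    Select-Object SamAccountName, PasswordLastSet)

# 4. Signing requirements on this DC ("harden the Active Directory configuration").
#    LDAPServerIntegrity = 2 means "Require signing"; RequireSecuritySignature = 1 makes SMB signing mandatory.
$ldap = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
$smb  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name RequireSecuritySignature -ErrorAction SilentlyContinue

$staleKey = "Enabled users inactive > $InactiveDays days"
$summary = [ordered]@{
    $staleKey                                        = $stale.Count
    'Users in privileged groups (unique)'            = $privilegedUsers.Count
    'Privileged users with password > 365 days old'  = $oldAdminPasswords.Count
    'LDAP signing required on this DC'               = ($ldap.LDAPServerIntegrity -eq 2)
    'SMB signing required on this DC'                = ($smb.RequireSecuritySignature -eq 1)
}

[PSCustomObject]$summary | Format-List
$stale             | Export-Csv -NoTypeInformation -Path .\ad-audit-stale-users.csv
$privileged        | Export-Csv -NoTypeInformation -Path .\ad-audit-privileged.csv
$oldAdminPasswords | Export-Csv -NoTypeInformation -Path .\ad-audit-old-admin-passwords.csv
```

The summary is deliberately boolean or numeric so it can be diffed between runs; the CSV files carry the detail for the account clean-up the checklist asks for. Nothing here changes the directory.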

Discovery

SPN Scanning

Data Mining

User Hunting

LAPS

AppLocker

Active Directory Federation Services

Privilege Escalation

Abusing Active Directory Certificate Services

PetitPotam

Zerologon

Passwords in SYSVOL & Group Policy Preferences

MS14-068 Kerberos Vulnerability

DNSAdmins

Kerberos Delegation

Unconstrained Delegation

Constrained Delegation

Resource-Based Constrained Delegation

Insecure Group Policy Object Permission Rights

Insecure ACLs Permission Rights

Domain Trusts

DCShadow

RID

Microsoft SQL Server

Red Forest

Exchange

NTLM Relay & LLMNR/NBNS

Lateral Movement

Pass The Hash

System Center Configuration Manager (SCCM)

WSUS

Password Spraying

Automated Lateral Movement

Defense Evasion

In-Memory Evasion

Endpoint Detection and Response (EDR) Evasion

OPSEC

Microsoft ATA & ATP Evasion

PowerShell ScriptBlock Logging Bypass

PowerShell Anti-Malware Scan Interface (AMSI) Bypass

Loading .NET Assemblies Anti-Malware Scan Interface (AMSI) Bypass

AppLocker & Device Guard Bypass

Sysmon Evasion

HoneyTokens Evasion

Disabling Security Tools

Credential Dumping

NTDS.DIT Password Extraction

SAM (Security Account Manager)

Kerberoasting

Kerberos AS-REP Roasting

Windows Credential Manager/Vault

DCSync

LLMNR/NBT-NS Poisoning

Others

Persistence

Golden Ticket

SID History

Silver Ticket

DCShadow

AdminSDHolder

Group Policy Object

Skeleton Keys

SeEnableDelegationPrivilege

Security Support Provider

Directory Services Restore Mode

ACLs & Security Descriptors

Tools & Scripts

  • Certify – Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
  • PSPKIAudit – PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
  • PowerView – Situational Awareness PowerShell framework
  • BloodHound – Six Degrees of Domain Admin
  • Impacket – Impacket is a collection of Python classes for working with network protocols
  • aclpwn.py – Active Directory ACL exploitation with BloodHound
  • CrackMapExec – A swiss army knife for pentesting networks
  • ADACLScanner – A tool with a GUI or command line used to create reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory
  • zBang – zBang is a risk assessment tool that detects potential privileged account threats
  • SafetyKatz – SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader.
  • SharpDump – SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
  • PowerUpSQL – A PowerShell Toolkit for Attacking SQL Server
  • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • ADRecon – A tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • Mimikatz – Utility to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory, and also to perform pass-the-hash, pass-the-ticket or build Golden Tickets
  • Grouper – A PowerShell script for helping to find vulnerable settings in AD Group Policy.
  • Powermad – PowerShell MachineAccountQuota and DNS exploit tools
  • RACE – RACE is a PowerShell module for executing ACL attacks against Windows targets.
  • DomainPasswordSpray – DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
  • MailSniper – MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.)
  • LAPSToolkit – Tool to audit and attack LAPS environments.
  • CredDefense – Credential and Red Teaming Defense for Windows Environments
  • ldapdomaindump – Active Directory information dumper via LDAP
  • SpoolSample – PoC tool to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface
  • adconnectdump – Azure AD Connect password extraction
  • o365recon – Script to retrieve information via O365 with a valid cred
  • ROADtools – ROADtools is a framework to interact with Azure AD.
  • Stormspotter – Stormspotter creates an "attack graph" of the resources in an Azure subscription.
  • AADInternals – AADInternals is a PowerShell module for administering Azure AD and Office 365
  • MicroBurst: A PowerShell Toolkit for Attacking Azure – MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.

Ebooks

Cheat Sheets

Other Resources

Azure Active Directory

Defense & Detection

Tools & Scripts

  • Invoke-TrimarcADChecks – The Invoke-TrimarcADChecks.ps1 PowerShell script is designed to gather data from a single-domain AD forest to perform an Active Directory Security Assessment (ADSA).
  • Set-Tiers in AD – Project Title Active Directory Auto Deployment of Tiers in any environment
  • SAMRi10 – Hardening SAM Remote Access in Windows 10/Server 2016
  • Net Cease – Hardening Net Session Enumeration
  • PingCastle – A tool designed to quickly assess the Active Directory security level with a methodology based on risk assessment and a maturity framework
  • Aorato Skeleton Key Malware Remote DC Scanner – Remotely scans for the existence of the Skeleton Key Malware
  • Reset the krbtgt account password/keys – This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation
  • Reset The KrbTgt Account Password/Keys For RWDCs/RODCs
  • RiskySPN – RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name).
  • Deploy-Deception – A PowerShell module to deploy Active Directory decoy objects
  • SpoolerScanner – Check if MS-RPRN is remotely available with PowerShell/C#
  • dcept – A tool for deploying and detecting use of Active Directory honeytokens
  • LogonTracer – Investigate malicious Windows logons by visualizing and analyzing Windows event logs
  • DCSYNCMonitor – Monitors for DCSYNC and DCSHADOW attacks and creates custom Windows Events for these events
  • Sigma – Generic Signature Format for SIEM Systems
  • Sysmon – System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
  • SysmonSearch – Investigate suspicious activity by visualizing Sysmon's event log
  • ClrGuard – ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes.
  • Get-ClrReflection – Detects memory-only CLR (.NET) modules.
  • Get-InjectedThread – Get-InjectedThread looks at each running thread to determine if it is the result of memory injection.
  • SilkETW – SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection.
  • WatchAD – AD Security Intrusion Detection System
  • Sparrow – CISA's Cloud Forensics team created Sparrow.ps1 to help detect possibly compromised accounts and applications in the Azure/M365 environment.
  • DFIR-O365RC – The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations.
  • AzureADIncidentResponse – Tooling to assist in Azure AD incident response
  • ADTimeline – The ADTimeline script generates a timeline based on Active Directory replication metadata for objects considered of interest.

Sysmon Configuration

  • sysmon-modular – A Sysmon configuration repository for all people to customize
  • sysmon-dfir – Sources, configuration and how to detect evil things using Microsoft Sysmon.
  • sysmon-config – Sysmon configuration file template with default excessive-quality event tracing

Active Directory Security Checks (by Sean Metcalf – @Pyrotek3)

General Recommendations

  • Manage local Administrator passwords (LAPS).
  • Implement RDP Restricted Admin mode (as needed).
  • Remove unsupported OSs from the network.
  • Monitor scheduled tasks on sensitive systems (DCs, etc.).
  • Ensure that out-of-band (OOB) management passwords (DSRM) are changed regularly & securely stored.
  • Use SMB v2/v3+
  • Default domain Administrator & KRBTGT password should be changed every year & when an AD admin leaves.
  • Remove trusts that are no longer necessary & enable SID filtering as appropriate.
  • All domain authentication should be set (when possible) to: "Send NTLMv2 response only\refuse LM & NTLM."
  • Block internet access for DCs, servers, & all administration systems.
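As an added example (not from the original page or from the author of the checklist), the script below checks four of the general recommendations above on a live domain: KRBTGT password age, SID filtering on every trust, the NTLM authentication level, and whether SMBv1 is still enabled on the server side. It assumes the RSAT ActiveDirectory module, that it is run on a domain controller so the registry and SMB checks describe the DC, and a 365-day KRBTGT threshold taken from the yearly rotation recommendation.

```powershell
# Added example (not from the original page): read-only checks for four of the
# general recommendations above. Needs the RSAT ActiveDirectory module; the NTLM
# and SMB checks read the local machine, so run it on a domain controller to
# assess the DC itself. The 365-day krbtgt threshold is an assumption.
Import-Module ActiveDirectory

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Ok, $Detail) {
    $results.Add([PSCustomObject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}

# 1. KRBTGT password age. The KDC accepts both the current and the previous key, so a
#    rotation must be done twice (with replication in between) to invalidate old golden tickets.
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
Add-Result 'KRBTGT password rotated within 365 days' ($ageDays -le 365) "PasswordLastSet=$($krbtgt.PasswordLastSet) ($ageDays days)"

# 2. SID filtering on trusts. For forest trusts SIDFilteringForestAware=$true means SID history
#    from the other forest is honoured (filtering relaxed); for external trusts
#    SIDFilteringQuarantined=$false means the trust is not quarantined. Confirm with
#    "netdom trust <name> /domain:<domain> /quarantine" and "/enablesidhistory" if in doubt.
foreach ($t in Get-ADTrust -Filter *) {
    $filtered = if ($t.ForestTransitive) { -not $t.SIDFilteringForestAware } else { $t.SIDFilteringQuarantined }
    Add-Result "SID filtering on trust $($t.Name)" $filtered "Direction=$($t.Direction) ForestTransitive=$($t.ForestTransitive)"
}

# 3. LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM". When the value
#    is absent, Windows 7 / Server 2008 R2 and later default to 3 (send NTLMv2 only, accept all).
$lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = if ($null -ne $lsa) { [int]$lsa.LmCompatibilityLevel } else { 3 }
Add-Result 'LmCompatibilityLevel is 5 (refuse LM & NTLM)' ($level -eq 5) "Effective level $level"

# 4. SMBv1 disabled on the server side (Get-SmbServerConfiguration exists on Windows 8 / 2012 and later).
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Add-Result 'SMBv1 server disabled' (-not $smb1) "EnableSMB1Protocol=$smb1"

$results | Format-Table -AutoSize
```

Each row is a pass/fail with the evidence next to it, which is what you want when the same script runs on every DC and the output is compared. The LAPS, RDP Restricted Admin and internet-egress items are not checked here because they live on member systems and the network edge rather than in AD itself.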

Protect Admin Credentials

  • No "user" or computer accounts in admin groups.
  • Ensure all admin accounts are "sensitive & cannot be delegated".
  • Add admin accounts to the "Protected Users" group (requires Windows Server 2012 R2 Domain Controllers, 2012 R2 DFL for domain protection).
  • Disable all inactive admin accounts and remove them from privileged groups.

Protect AD Admin Credentials

  • Limit AD admin membership (DA, EA, Schema Admins, etc.) & only use custom delegation groups.
  • 'Tiered' administration mitigating credential theft impact.
  • Ensure admins only log on to approved admin workstations & servers.
  • Leverage time-based, temporary group membership for all admin accounts.

Protect Service Account Credentials

  • Limit to systems of the same security level.
  • Leverage "(Group) Managed Service Accounts" (or PW >20 characters) to mitigate credential theft (Kerberoast).
  • Implement FGPP (DFL >=2008) to increase PW requirements for SAs and administrators.
  • Logon restrictions – prevent interactive logon & limit logon capability to specific computers.
  • Disable inactive SAs & remove them from privileged groups.
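The script below is an added example, not from the original page or from the checklist's author, covering the admin-credential and service-account items above together. It enumerates the members of the admin groups (nested membership resolved), reports which ones lack the "sensitive and cannot be delegated" flag or Protected Users membership, and applies both fixes only when run with -Apply; it then lists Kerberoastable accounts (users with an SPN) whose password is older than a year or that sit directly in an admin group. The group list, the 365-day threshold and the -Apply switch are assumptions; it needs the RSAT ActiveDirectory module and a domain with the Protected Users group (2012 R2 DFL).

```powershell
# Added example (not from the original page): audits admin accounts for the
# "sensitive and cannot be delegated" flag and Protected Users membership, fixes
# both only with -Apply, and lists Kerberoastable service accounts with old
# passwords or direct admin group membership. Group list and threshold are assumptions.
param([switch]$Apply)
Import-Module ActiveDirectory

$AdminGroups               = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$MaxServicePasswordAgeDays = 365

$domainSid      = (Get-ADDomain).DomainSID.Value
$protectedUsers = @(Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty SamAccountName)

$admins = $AdminGroups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property SamAccountName -Unique |
    ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties AccountNotDelegated }

$adminReport = foreach ($a in $admins) {
    # The built-in Administrator (RID 500) is the break-glass account: Protected Users
    # blocks NTLM and long-lived tickets, so it is reported but never added automatically.
    $isBuiltin   = $a.SID.Value -eq "$domainSid-500"
    $inProtected = $protectedUsers -contains $a.SamAccountName

    if ($Apply) {
        if (-not $a.AccountNotDelegated)            { Set-ADAccountControl -Identity $a -AccountNotDelegated $true }
        if (-not $inProtected -and -not $isBuiltin) { Add-ADGroupMember -Identity 'Protected Users' -Members $a }
    }
    [PSCustomObject]@{
        Admin            = $a.SamAccountName
        NotDelegated     = $a.AccountNotDelegated
        InProtectedUsers = $inProtected
        BuiltinAdmin     = $isBuiltin
    }
}

# Kerberoastable accounts: every user object with an SPN. Get-ADUser returns user objects
# only, so machine accounts and gMSAs (which rotate their own 240-character passwords) are excluded.
$serviceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet, MemberOf |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 }
        [PSCustomObject]@{
            Account         = $_.SamAccountName
            PasswordAgeDays = $age
            # direct membership only; nested membership needs Get-ADGroupMember -Recursive per group
            DirectAdmin     = [bool]($_.MemberOf -match 'CN=(Domain|Enterprise|Schema) Admins,')
            SPNs            = ($_.ServicePrincipalName -join ' ')
        }
    }

$adminReport | Format-Table -AutoSize
$serviceAccounts |
    Where-Object { $_.PasswordAgeDays -gt $MaxServicePasswordAgeDays -or $_.PasswordAgeDays -lt 0 -or $_.DirectAdmin } |
    Format-Table -AutoSize
```

Run it once without -Apply and review the two tables before changing anything: adding an account to Protected Users disables NTLM, DES/RC4 Kerberos and delegation for it, which breaks services that still depend on those, so the service-account table is the list of accounts to move to a gMSA or a long password, not a list to add to Protected Users.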

Protect Resources

  • Segment the network to protect admin & critical systems.
  • Deploy IDS to monitor the internal corporate network.
  • Network device & OOB management on a separate network.

Protect Domain Controllers

  • Only run software & services that support AD.
  • Minimal groups (& users) with DC admin/logon rights.
  • Ensure patches are applied before running DCPromo (especially MS14-068 and other critical patches).
  • Validate scheduled tasks & scripts.

Protect Workstations (& Servers)

  • Patch quickly, especially privilege escalation vulnerabilities.
  • Deploy the security back-port patch (KB2871997).
  • Set the WDigest reg key to 0 (KB2871997/Windows 8.1/2012 R2+): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, value UseLogonCredential.
  • Deploy workstation whitelisting (Microsoft AppLocker) to block code execution in user folders – home dir & profile path.
  • Deploy workstation app sandboxing technology (EMET) to mitigate application memory exploits (0-days).

Logging

  • Enable enhanced auditing.
  • "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".
  • Enable PowerShell module logging ("*") & forward logs to a central log server (WEF or other method).
  • Enable CMD process logging & enhancement (KB3004375) and forward logs to a central log server.
  • SIEM or equivalent to centralize as much log data as possible.
  • User Behavioural Analysis system for enhanced knowledge of user activity (such as Microsoft ATA).
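The registry-level form of the WDigest, audit-policy and logging items above, as an added example that is not part of the original page or Sean Metcalf's list: it writes each setting to the local machine and prints a before/after table so the change is verifiable. Run elevated. In production these settings belong in Group Policy; the paths below are the registry locations the corresponding policy settings write to, and the auditpol call is there because 4688 is only recorded when the Process Creation subcategory is audited.

```powershell
# Added example (not from the original page): applies the WDigest, audit-policy,
# PowerShell logging and command-line logging items above to the local machine and
# prints a before/after table. Run elevated. These belong in a GPO in production;
# the registry locations are the ones the matching Group Policy settings write to.
#Requires -RunAsAdministrator

$settings = @(
    # LSASS must not keep the plaintext logon credential for WDigest (KB2871997, Windows 8.1/2012 R2+).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';               Name = 'UseLogonCredential';                    Value = 0 }
    # "Audit: Force audit policy subcategory settings ... to override audit policy category settings".
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                     Name = 'SCENoApplyLegacyAuditPolicy';           Value = 1 }
    # PowerShell module logging for all modules ("*", event 4103) and script block logging (event 4104).
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging';             Name = 'EnableModuleLogging';                   Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'; Name = '*';                                     Value = '*' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';        Name = 'EnableScriptBlockLogging';              Value = 1 }
    # Include the command line in process creation events (4688) (KB3004375, Windows 8.1/2012 R2+).
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';          Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
)

function Get-RegistryState([string]$Path, [string]$Name) {
    if (Test-Path $Path) { (Get-Item $Path).GetValue($Name) } else { $null }
}

$report = foreach ($s in $settings) {
    $before = Get-RegistryState $s.Path $s.Name
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    $type = if ($s.Value -is [int]) { 'DWord' } else { 'String' }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $type -Force | Out-Null
    [PSCustomObject]@{ Setting = "$($s.Path)\$($s.Name)"; Before = $before; After = Get-RegistryState $s.Path $s.Name }
}

# 4688 (and its command line) is only written when the Process Creation subcategory is audited.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

$report | Format-Table -AutoSize
```

A "Before" column of blanks means the machine had never been configured for that setting, which on a workstation fleet usually means the GPO is not linked where you thought it was. Forwarding (WEF or the SIEM collector) still has to be configured separately; this only makes sure the events exist to forward.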

Security Pro's Checks

  • Identify who has AD admin rights (domain/forest).
  • Identify who can log on to Domain Controllers (& who has admin rights to the virtual environment hosting virtual DCs).
  • Scan Active Directory Domains, OUs, AdminSDHolder, & GPOs for inappropriate custom permissions.
  • Ensure AD admins (aka Domain Admins) protect their credentials by not logging into untrusted systems (workstations).
  • Limit service account rights that are currently DA (or equivalent).

Important Security Updates

CVE-2020-1472 – Netlogon Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

CVE-2019-1040 – Windows NTLM Tampering Vulnerability
A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040

CVE-2019-0683 – Active Directory Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Active Directory Forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest, aka 'Active Directory Elevation of Privilege Vulnerability'.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683

CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

CVE-2018-8581 – Microsoft Exchange Server Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8518

CVE-2017-0143 – Windows SMB Remote Code Execution Vulnerability
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0143

CVE-2016-0128 – Windows SAM and LSAD Downgrade Vulnerability
The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0128

CVE-2014-6324 – Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068

CVE-2014-1812 – Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege
The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle the distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."
https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

Detection

Attack                         | Event ID
-------------------------------|------------------------------------------------------------------------------
Account and Group Enumeration  | 4798: A user's local group membership was enumerated
                               | 4799: A security-enabled local group membership was enumerated
AdminSDHolder                  | 4780: The ACL was set on accounts which are members of administrators groups
Kekeo                          | 4624: Account Logon
                               | 4672: Admin Logon
                               | 4768: Kerberos authentication ticket (TGT) requested
Silver Ticket                  | 4624: Account Logon
                               | 4634: Account Logoff
                               | 4672: Admin Logon
Golden Ticket                  | 4624: Account Logon
                               | 4672: Admin Logon
PowerShell                     | 4104: Script Block Logging
                               | 400: Engine Lifecycle
                               | 403: Engine Lifecycle
                               | 4103: Module Logging
                               | 600: Provider Lifecycle
DCShadow                       | 4742: A computer account was changed
                               | 5137: A directory service object was created
                               | 5141: A directory service object was deleted
                               | 4929: An Active Directory replica source naming context was removed
Skeleton Keys                  | 4673: A privileged service was called
                               | 4611: A trusted logon process has been registered with the Local Security Authority
                               | 4688: A new process has been created
                               | 4689: A process has exited
PYKEK MS14-068                 | 4672: Admin Logon
                               | 4624: Account Logon
                               | 4768: Kerberos authentication ticket (TGT) requested
Kerberoasting                  | 4769: A Kerberos service ticket was requested
S4U2Proxy                      | 4769: A Kerberos service ticket was requested
Lateral Movement               | 4688: A new process has been created
                               | 4689: A process has exited
                               | 4624: An account was successfully logged on
                               | 4625: An account failed to log on
DNSAdmin                       | 770: DNS Server plugin DLL has been loaded
                               | 541: The setting serverlevelplugindll on scope . has been set to
                               | 150: DNS Server could not load or initialize the plug-in DLL
DCSync                         | 4662: An operation was performed on an object
Password Spraying              | 4625: An account failed to log on
                               | 4771: Kerberos pre-authentication failed
                               | 4648: A logon was attempted using explicit credentials
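The event IDs above only become detections once the event fields are correlated. As an added example (not part of the original page), the script below implements three of the table's rows, Kerberoasting (4769), Password Spraying (4625) and DCSync (4662), over a constructed set of events shaped like Security-log EventData after XML parsing. The sample events, the thresholds (three distinct services, three distinct accounts) and the field names as PowerShell properties are assumptions for illustration; the replication-right GUIDs are the real DS-Replication-Get-Changes, -Get-Changes-All and -Get-Changes-In-Filtered-Set values that DCSync exercises.

```powershell
# Added example (not from the original page): three detections from the table above
# run over constructed sample events. Field names follow the Security log's EventData;
# thresholds and the sample data are assumptions. See the end for running on real logs.

# Extended rights requested by DCSync in event 4662.
$ReplicationRights = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
                     '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes-All
                     '89e95b76-444d-4c62-991a-0facbeda640c'    # DS-Replication-Get-Changes-In-Filtered-Set

# Constructed sample events (not real log data).
$events = @(
    @{ Id=4769; TargetUserName='alice@CORP.LOCAL'; ServiceName='sqlsvc';    TicketEncryptionType='0x17'; IpAddress='10.0.0.5' }
    @{ Id=4769; TargetUserName='alice@CORP.LOCAL'; ServiceName='websvc';    TicketEncryptionType='0x17'; IpAddress='10.0.0.5' }
    @{ Id=4769; TargetUserName='alice@CORP.LOCAL'; ServiceName='backupsvc'; TicketEncryptionType='0x17'; IpAddress='10.0.0.5' }
    @{ Id=4769; TargetUserName='bob@CORP.LOCAL';   ServiceName='WS01$';     TicketEncryptionType='0x12'; IpAddress='10.0.0.7' }
    @{ Id=4625; TargetUserName='carol'; IpAddress='10.0.0.9' }
    @{ Id=4625; TargetUserName='dave';  IpAddress='10.0.0.9' }
    @{ Id=4625; TargetUserName='erin';  IpAddress='10.0.0.9' }
    @{ Id=4625; TargetUserName='frank'; IpAddress='10.0.0.9' }
    @{ Id=4625; TargetUserName='bob';   IpAddress='10.0.0.7' }
    @{ Id=4662; SubjectUserName='DC01$'; Properties='{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' }
    @{ Id=4662; SubjectUserName='alice'; Properties='{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' }
) | ForEach-Object { [PSCustomObject]$_ }

function Find-Kerberoasting($Events, $MinServices = 3) {
    # Many RC4 (0x17) service tickets for distinct non-machine SPNs requested by one user is the
    # Kerberoasting pattern; AES tickets (0x11/0x12) are not crackable this way, and machine
    # accounts (ServiceName ending in $) have random 120-character passwords.
    $Events | Where-Object { $_.Id -eq 4769 -and $_.TicketEncryptionType -eq '0x17' -and
                             $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object TargetUserName |
        Where-Object { @($_.Group.ServiceName | Sort-Object -Unique).Count -ge $MinServices } |
        ForEach-Object { [PSCustomObject]@{ Detection='Kerberoasting'; Who=$_.Name; Detail=($_.Group.ServiceName -join ',') } }
}

function Find-PasswordSpray($Events, $MinAccounts = 3) {
    # One source address failing logons against many different accounts.
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object IpAddress |
        Where-Object { @($_.Group.TargetUserName | Sort-Object -Unique).Count -ge $MinAccounts } |
        ForEach-Object { [PSCustomObject]@{ Detection='PasswordSpray'; Who=$_.Name; Detail=($_.Group.TargetUserName -join ',') } }
}

function Find-DCSync($Events) {
    # Replication rights exercised by anything other than a domain controller account.
    $Events | Where-Object { $_.Id -eq 4662 -and $_.SubjectUserName -notlike '*$' } |
        Where-Object { $p = $_.Properties; @($ReplicationRights | Where-Object { $p -match $_ }).Count -gt 0 } |
        ForEach-Object { [PSCustomObject]@{ Detection='DCSync'; Who=$_.SubjectUserName; Detail=$_.Properties } }
}

@(Find-Kerberoasting $events) + @(Find-PasswordSpray $events) + @(Find-DCSync $events) | Format-Table -AutoSize

# On a real DC, replace $events with parsed Security log events, for example:
#   $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769,4625,4662} -MaxEvents 5000 | ForEach-Object {
#       $x = [xml]$_.ToXml(); $o = @{ Id = $_.Id }
#       foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
#       [PSCustomObject]$o }
```

With the sample data this reports alice (three RC4 tickets for three distinct service accounts), 10.0.0.9 (four distinct accounts failing) and alice again for DCSync, while bob's AES ticket for a machine SPN, the single failure from 10.0.0.7 and the legitimate replication by DC01$ are all left alone. The DCSync check is the one to tune first on a real domain: Azure AD Connect and some backup products legitimately hold replication rights, so their accounts go on an allow list rather than the machine-account exclusion used here.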

Resources

Source & Credits: @infosecn1nja