Jai Minton

@CyberRaiju

Followers
7,009
Following
1,199
Media
256
Statuses
1,038

An Australian researcher who does cyber things | Defender @HuntressLabs | Former Principal @CrowdStrike | | Posts = own views.

Joined April 2018
Pinned Tweet
@CyberRaiju
Jai Minton
3 days
Just released 🎉: Wasabi Wallet users are being targeted by a fake Wasabi Wallet MSI installer. Upon installing and running the trojanised client, it drops a Java Archive that acts as a malware downloader. Let's reverse engineer this. Enjoy!
1
9
38
@CyberRaiju
Jai Minton
4 years
Red Team Tip: 'explorer.exe /root' can be run from the command line - similar to 'cmd.exe /c', only it breaks the process tree and makes its parent a new instance of explorer.
For blue team: keep an eye on multiple instances of explorer.
explorer.exe /root,"D:\CyberRaiju.exe"
13
570
2K
@CyberRaiju
Jai Minton
2 years
When it comes to DFIR, Reverse Engineering, and performing security analysis in general, there's a number of useful, hidden gems out there. Here's some sites which you may, or may not know about, including some of the best in the industry👇
26
384
1K
@CyberRaiju
Jai Minton
4 years
Some essential process execution/cmd lines to monitor for initial access/persist.
powershell cmd rundll32 control wscript javaw csc regsvr32 reg certutil bitsadmin schtasks wmic eqnedt32 msiexec cmstp mshta hh curl installutil regsvcs/regasm at msbuild sc cscript msxsl runonce
9
324
1K
@CyberRaiju
Jai Minton
2 years
Regarding CVE-2021-44228 AKA Log4Shell. A quick and dirty way to find jar files that have a JndiLookup.class in PowerShell (change drive).
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
1/3
15
277
827
@CyberRaiju
Jai Minton
5 years
I've been compiling a Windows #cheatsheet of common commands and areas of interest for #DFIR including common tool-sets (more information to come). This can be found below, any comments or feedback is always welcome.
35
364
806
@CyberRaiju
Jai Minton
5 years
No SIEM? Sick of manually sifting through Windows event logs? Just want to know who has logged in remotely? Let's use some PowerShell to assist with that.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='10'} | FL TimeCreated,Message
You're welcome. 🛡️
13
180
754
@CyberRaiju
Jai Minton
2 years
Forensics Tip: If you have live access to a system and want to know what's been plugged into it, or what it has been connected to throughout its life, run the following:
pnputil /enum-devices
pnputil /enum-interfaces
You'll get a wealth of knowledge.
12
162
752
@CyberRaiju
Jai Minton
6 months
It took me almost 3 years, but I finally restructured the Practical Malware Analysis section of my site. This is now broken up into more digestible sections, and I've also revamped the MITRE ATT&CK tests to come with appropriate categories and tagging.
5
173
585
@CyberRaiju
Jai Minton
4 years
Some binaries which have known UAC bypass techniques.
wusa WSReset winsat tzsync TpmInit taskhost SystemPropertiesAdvanced sysprep svchost slui setupsqm sdclt schtasks rstrui recdisc pkgmgr osk oobe msconfig mmc migwiz mcx2prov iscsicli inetmgr GWXUXWorker fodhelper EventVwr
2
184
583
@CyberRaiju
Jai Minton
5 years
My Powershell 1-liner to show the unique hash of every executable running.
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A
9
163
528
@CyberRaiju
Jai Minton
5 years
Looking for that Emotet dropper? Not sure what file triggered it? Take a look at this reg key to find documents the user has 'trusted' and whether they ran macros.
\Software\Microsoft\Office\[version]\Word\Security\Trusted Documents\TrustRecords
FF FF FF 7F = Macro Enabled
7
217
520
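An added example (not one of the author's tweets) that decodes the TrustRecords values from the post above, so the trusted documents, the time trust was granted and the macro flag come out as a table. It assumes the commonly documented value layout (first 8 bytes a FILETIME, last 4 bytes the 0x7FFFFFFF macro flag the tweet mentions); the function name and the Root/Apps parameters are this example's own.

```powershell
# Added example, not the author's code: decode Office TrustRecords values to list which
# documents a user trusted, when, and whether macros ("Enable Content") were enabled.
# Value name = the document path; value data = a binary blob. Assumed layout (commonly
# documented, not stated in the tweet): bytes 0-7 are a FILETIME of when trust was
# granted; the last 4 bytes are 0x7FFFFFFF (FF FF FF 7F on disk) when macros were enabled.

function Get-TrustRecords {
    param(
        # 'HKCU:' on a live host; 'Registry::HKEY_USERS\<SID>' after loading an
        # offline NTUSER.DAT with reg load.
        [string]$Root = 'HKCU:',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Apps) {
        $pattern = Join-Path $Root "Software\Microsoft\Office\*\$app\Security\Trusted Documents\TrustRecords"
        foreach ($key in Get-Item -Path $pattern -ErrorAction SilentlyContinue) {
            $version = $key.PSPath.Split('\')[-5]      # the "16.0" style version segment
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if ($data -isnot [byte[]] -or $data.Length -lt 12) { continue }
                $flag = [BitConverter]::ToUInt32($data, $data.Length - 4)
                $trusted = $null
                try { $trusted = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0)) } catch { }
                [pscustomobject]@{
                    App           = $app
                    Version       = $version
                    Document      = [uri]::UnescapeDataString($name)
                    TrustedUtc    = $trusted
                    MacrosEnabled = ($flag -eq 0x7FFFFFFF)
                    RawFlag       = ('{0:X8}' -f $flag)
                }
            }
        }
    }
}

# Most recently trusted documents first; MacrosEnabled = True is the dropper case.
Get-TrustRecords | Sort-Object TrustedUtc -Descending | Format-Table -AutoSize
```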
@CyberRaiju
Jai Minton
4 years
Some Lateral Movement Methods:
-Pass the Hash/Relay ((Net-)NTLM)
-Pass the Ticket (Silver/Golden)
-RDP (Legit creds)
-Remote Services (VNC/SSH)
-(D)COM (Remote sched tasks, Services, WMI)
-Remote Service Vuln (EB)
-Admin Shares (PSExec)
-Webshell (Chopper)
-WinRM (PS Remoting)
6
159
504
@CyberRaiju
Jai Minton
4 years
Quick 1-liner to get the location and file hash of Service DLLs. These should only be known Microsoft DLLs as svchost is OS Reserved.
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | foreach {filehash $_.ServiceDll}
4
110
386
@CyberRaiju
Jai Minton
4 years
MITRE ATT&CK Mind Maps! I've mapped the latest MITRE ATT&CK techniques, sub-techniques and IDs to a mind map and made it available. Freemind (no colour) and XMind formats + PNG download. Colours mapped to @olafhartong 's "The ATT&CK Rainbow of Tactics"
4
134
379
@CyberRaiju
Jai Minton
4 years
Forensics Tip: NTFS by default doesn't track the last time a file was accessed. If you want to keep a record of this, you'll need a reg key as 0. The below will help.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f
2
85
297
@CyberRaiju
Jai Minton
4 years
Reminder: Kerberos tickets aren't invalidated when you reset a user's password or disable their account. If there are active sessions these can persist beyond the reset unless they're purged from the system or expire. Extra Reading:
1
104
289
@CyberRaiju
Jai Minton
4 years
Some RDP keys to keep an eye on:
Enable RDP/Multiple User Sessions:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
- fDenyTSConnections
- fSingleSessionPerUser
Change of Port Number:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- PortNumber
2
96
283
@CyberRaiju
Jai Minton
4 years
Remote Procedure Calls (RPC) are extremely common for lateral movement. If you're looking into hardening and have no need for it, this can be disabled. Stops psexec, etc.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1
3
85
265
@CyberRaiju
Jai Minton
4 years
Some easy ways of finding running processes which import network functions. May find an injected process this way.
Windows Socket API: e.g. TCP/IP
》tasklist /m WSock32.dll
》tasklist /m Ws2_32.dll
Windows Internet API: e.g. HTTP, FTP, NTP.
》tasklist /m Wininet.dll
1
92
262
@CyberRaiju
Jai Minton
4 years
7-Zip is by far one of the most ubiquitous free Windows archivers. It also has some nice registry artifacts which may assist in locating evidence of exfil. Such keys include:
CopyHistory
FolderHistory
PathHistory
ArcHistory
reg query HKU\{SID}\Software\7-Zip\ /s /f History
2
62
261
@CyberRaiju
Jai Minton
4 years
Want to know whether a user opened a word document? Try querying the "pick up where you left off" registry keys. Just load in the hives and use some PowerShell, or check your own with HKCU not HKU\*
gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"
3
75
245
@CyberRaiju
Jai Minton
5 years
A PowerShell 1-liner using Windows Jump Lists to find files opened. Very rough so mileage will vary.
$Files=$(cat C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations\*.*Destinations-ms);$Files.Split("``")|Select-String "Storage" | findstr -v "1SPSU"|findstr -v "?"
4
68
225
@CyberRaiju
Jai Minton
4 years
Let's use MITRE ATT&CK™ as a learning tool. I threw together MITRE ATT&CK Wheel of Fortune. This is a spreadsheet which uses NO macros and helps select an ATT&CK method to learn, and track your progress. #MentoringMonday This can be downloaded below:
1
87
222
@CyberRaiju
Jai Minton
4 years
For all your non-tech savvy friends, please just block PowerShell outbound via the Firewall, it'll prevent a lot of issues...
netsh advfirewall firewall add rule name="PSPrevent" dir=out action=block program="%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"
9
48
217
@CyberRaiju
Jai Minton
5 years
My Powershell 1-liner to show the hash of some DLLs loaded by processes (1/2).
$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea ig|? FileName -NotLike "C:\Windows\SYSTEM32\*"){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A
4
69
215
@CyberRaiju
Jai Minton
4 years
For those using Sysmon or MITRE in their analysis, I'm going to point you in the direction of @nader_shalabi and the excellent tools he's created for working with these. This includes Sysmon View and ATT&CK™ View as shown below.
0
83
207
@CyberRaiju
Jai Minton
10 months
Over a couple of months I spent time learning about game hacking concepts and putting these into practice to complete the challenges of Pwn Adventure 3: Pwnie Island (). The write-up is now available, enjoy:
1
37
202
@CyberRaiju
Jai Minton
4 years
Knowing what is normal will help you to find abnormal. Example: All of the below processes require assembly or a specified DLL (take note of extensions) when invoking:
regsvcs regasm rundll32 regsvr32
Yet this doesn't happen if they're just being used to inject or hollow into.
3
76
197
@CyberRaiju
Jai Minton
4 years
10th Chapter (Kernel Debugging) of Practical Malware Analysis (No Starch Press) complete. Just about hit the half way mark of this write-up. Write-ups take significantly longer than just reading content, but if it helps someone learn, then it's worth it.
3
59
183
@CyberRaiju
Jai Minton
1 year
My analysis on a recent Remcos RAT sample is now available. This is wrapped in 4 layers of reflectively loaded code. I step through unraveling this to get the final Remcos RAT payload and showcase how it all establishes persistence on the system. Enjoy!
3
66
181
@CyberRaiju
Jai Minton
4 years
Practical GPO Mitigations: I've created persistence under a user's context using a startup link, logon script, and run key, yet after a restart none of these work. This is because as a defender I've also got a policy set up to automatically remove these on startup if they exist.
4
44
177
@CyberRaiju
Jai Minton
3 years
China Chopper: Let's take a look at a .NET variant of the webshell, the associated client, how it (and other webshells) can be defeated through .NET Trust Levels hardening, and how it looks from both ends in my lab environment. Not new, but someone may find it interesting. 1/9
2
72
176
@CyberRaiju
Jai Minton
4 years
Let's look at the default behavior of Cobalt Strike. The scripted web delivery is at URI '/a'. It spawns to rundll32 (which should have a cmd line associated). We can often get the C2 and UA using only CyberChef. Samples: - -
1
66
175
@CyberRaiju
Jai Minton
4 years
A few years dated, but I know how you all love lists so here's 411 Windows Security Event IDs complete with their summary and security messages, direct from Microsoft.
3
51
174
@CyberRaiju
Jai Minton
5 years
If you want to create a shadow copy in Windows 7 via cmd (There's no vssadmin create function) you can by using the below with System privileges. This is what happens when a System Restore Point is created.
%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
2
66
169
@CyberRaiju
Jai Minton
4 years
When using the prtsc key on Windows, taskhost/taskhostw will attempt to get read access to a non-existent file:
➡️%windir%\System32\SnapShot
By creating a null byte file and auditing access, we can log any time a user has taken a screenshot via this key. Only works for this key.
4
59
167
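An added example (not the author's code) that wires up the SnapShot trick from the post above end to end: create the null-byte file, put an audit entry on it, turn on File System auditing, then pull the Security events that name the file. Function names are this example's own; both 4656 (handle requested) and 4663 (access exercised) are checked because which one fires depends on the audit policy and how the file is opened.

```powershell
# Added example, not the author's code: audit reads of %windir%\System32\SnapShot, the
# file the tweet says taskhost/taskhostw touches when PrtSc is pressed.
# Run elevated: changing a SACL needs SeSecurityPrivilege, and auditpol needs admin.

$SnapShotPath = Join-Path $env:windir 'System32\SnapShot'

function Enable-SnapShotAudit {
    if (-not (Test-Path -LiteralPath $SnapShotPath)) {
        New-Item -ItemType File -Path $SnapShotPath | Out-Null      # the null-byte file
    }
    # Audit successful Read access by Everyone on this one file (SACL, not DACL).
    $acl  = Get-Acl -LiteralPath $SnapShotPath -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Read', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $SnapShotPath -AclObject $acl
    # A SACL never produces events unless the File System subcategory is audited.
    & auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
}

function Get-ScreenshotEvents {
    param([int]$Days = 7)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read fields by name from the event XML rather than by Properties index.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -ne $SnapShotPath) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['ProcessName']          # expect taskhostw.exe / taskhost.exe
        }
    }
}

Enable-SnapShotAudit
Get-ScreenshotEvents -Days 1 | Format-Table -AutoSize
```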
@CyberRaiju
Jai Minton
4 years
Technology detection methods/frameworks/formats:
Suricata Snort JA3 Sigma Yara Netflow
Static IOC:
- Hash
- Domain
- IP
- User Agent
Process Behavior:
- Parent > Child Relationship
- LOLBAS usage
- Suspended Process
User Behavior:
- Unusual file reads
- Website browsing
- USBs
3
45
165
@CyberRaiju
Jai Minton
4 years
Just a reminder, Event ID 24 from: Microsoft-Windows-TerminalServices-LocalSessionManager\Operational For an RDP disconnect will still give you the source IP which made the initial connection. So even covering tracks you may be able to nab them on the way out.
4
37
160
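An added example (not the author's code) that ties together two of the RDP posts above: the Security 4624 one-liner filtered to logon type 10, and the reminder that LocalSessionManager Event ID 24 still carries the source address on disconnect. Fields are pulled by name from the event XML and both logs are merged into one timeline; the function name, parameters and the 30-day window are this example's own.

```powershell
# Added example, not the author's code: one timeline of remote interactive (RDP) evidence
# from Security 4624 (LogonType 10) and TerminalServices-LocalSessionManager 21/24/25.
# Run elevated on the host; Get-WinEvent -Path <file.evtx> works the same way on exported logs.

function Get-RdpLogonEvidence {
    param([int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $results = New-Object System.Collections.Generic.List[object]

    # Security 4624: keep only LogonType 10 (RemoteInteractive). Reading the XML by field
    # name avoids depending on the positional Properties[] order.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $sec) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -ne '10') { continue }
        $results.Add([pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = 'Security/4624'
            Action  = 'Logon'
            User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Address = $d['IpAddress']
            Session = $d['TargetLogonId']
        })
    }

    # LocalSessionManager: 21 = session logon, 24 = disconnect, 25 = reconnect.
    # Event 24 still names the source address, so it survives a cleared Security log.
    $lsm = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 24, 25
        StartTime = $since
    } -ErrorAction SilentlyContinue
    $actions = @{ 21 = 'Logon'; 24 = 'Disconnect'; 25 = 'Reconnect' }
    foreach ($e in $lsm) {
        $x = [xml]$e.ToXml()
        $u = $x.Event.UserData.EventXML
        $results.Add([pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = "LSM/$($e.Id)"
            Action  = $actions[$e.Id]
            User    = $u.User
            Address = $u.Address
            Session = $u.SessionID
        })
    }
    $results | Sort-Object Time
}

# Usage: full timeline, then the source addresses seen most often.
$evidence = Get-RdpLogonEvidence -Days 30
$evidence | Format-Table Time, Source, Action, User, Address -AutoSize
$evidence | Where-Object { $_.Address -and $_.Address -notin 'LOCAL', '-' } |
    Group-Object Address | Sort-Object Count -Descending | Select-Object Count, Name
```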
@CyberRaiju
Jai Minton
6 months
🔥 Free MITRE ATT&CK mind maps!🧠 These are based off of the latest Enterprise v14 matrix which was released a couple of weeks ago. All are freely available on my Github, with lower quality versions available on my site. Enjoy!
2
59
158
@CyberRaiju
Jai Minton
3 years
Chapter 18 (Packers and Unpacking) of PMA complete. This covers off on automated / manual methods of unpacking, the Unpacking Stub, repairing the Import Table, the Tail Jump, and how you can find the Original Entry Point (OEP) of malware which use packers
1
47
156
@CyberRaiju
Jai Minton
4 years
Malware such as Ursnif/Gozi may run invisible Internet Explorer COM Objects to try and make C2 traffic look like web browsing. We should all be using a different browser now, so go and disable it. Samples:
6
63
145
@CyberRaiju
Jai Minton
4 years
Found a service running as SYSTEM from the public folder. This by default grants permissions to everyone. Makes it trivial to use for privesc and persistence. May want to check, will show MS FW rules also.
reg query HKLM\SYSTEM\CurrentControlSet\services /s /f "C:\Users\Public"
2
43
145
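An added example (not the author's code) that turns two of the service checks above into one audit: the ServiceDll one-liner (svchost-hosted DLLs should be Microsoft-signed) and the post about a service running from C:\Users\Public. The function name and the list of user-writable folders are this example's own.

```powershell
# Added example, not the author's code: audit services from the registry and flag
# (a) ServiceDll values that are not Microsoft-signed or are missing on disk, and
# (b) ImagePath binaries living under user-writable folders. Run elevated.

function Get-SuspiciousServices {
    param(
        # Folders a service binary has no business living in (this example's list).
        [string[]]$UserWritable = @("$env:SystemDrive\Users", "$env:windir\Temp")
    )
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        $dll   = (Get-ItemProperty -LiteralPath "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = $props.ServiceDll }    # a few services keep it on the root key
        $image    = $props.ImagePath
        $dllPath  = $null
        $findings = @()

        if ($image) {
            # Strip quotes/arguments and expand %SystemRoot% etc. before the folder check.
            $raw = [Environment]::ExpandEnvironmentVariables($image)
            $exe = $raw
            if ($raw -match '^"([^"]+)"') { $exe = $Matches[1] } elseif ($raw -match '^(\S+\.(exe|sys))') { $exe = $Matches[1] }
            foreach ($dir in $UserWritable) {
                if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $findings += "ImagePath under $dir"
                }
            }
        }
        if ($dll) {
            $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
            if (Test-Path -LiteralPath $dllPath) {
                # Catalog-signed Windows DLLs report Valid here on Windows 8 and later.
                $sig = Get-AuthenticodeSignature -LiteralPath $dllPath
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                    $findings += "ServiceDll not Microsoft-signed ($($sig.Status))"
                }
            } else {
                $findings += 'ServiceDll missing on disk'
                $dllPath = $null
            }
        }
        if ($findings.Count -eq 0) { continue }
        $hash = if ($dllPath) { (Get-FileHash -LiteralPath $dllPath).Hash } else { $null }
        [pscustomobject]@{
            Service    = $svc.PSChildName
            Start      = $props.Start
            ImagePath  = $image
            ServiceDll = $dll
            DllSha256  = $hash
            Findings   = ($findings -join '; ')
        }
    }
}

Get-SuspiciousServices | Format-Table -AutoSize -Wrap
```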
@CyberRaiju
Jai Minton
2 years
USB Rubber Duckys and HID emulators allow pentesters or other determined actors to emulate keystrokes and run malicious commands. This can be prevented by blocking their associated Vendor and Product IDs from being installed. The default ducky firmware uses the Atmel corp ID.
7
42
146
@CyberRaiju
Jai Minton
5 years
Created a copy of the MsMpEng.exe (Windows Defender Antimalware Service), renamed it to 'Invoke-Mimikatz', and Windows Defender is now a "Trojan". Defender doesn't like seeing Invoke-Mimikatz in a command line. Even the signed Defender executable isn't safe. Beware the #mimikatz .
18
58
137
@CyberRaiju
Jai Minton
4 months
A small video to help analysts extract relevant information from a PowerShell based Cobalt Strike stager using CyberChef, and then go more in-depth using a Python script.
4
33
139
@CyberRaiju
Jai Minton
3 months
Just released 🎉: A look at Scheduled Tasks, and how malware such as Tarrask hides these from being seen, even through tooling such as Autoruns. Included is a link to some PowerShell scripts designed to find hidden tasks using this technique. Enjoy!
3
30
130
@CyberRaiju
Jai Minton
4 years
This may seem rudimentary, but you may want to stop service accounts from being able to logon locally or via RDP, just like you may want to stop users being able to run scheduled tasks under their account, or logging on as a service. Setup those GPOs.
1
31
132
@CyberRaiju
Jai Minton
4 years
Keep an eye on the below. When it is set wdigest keeps credentials in memory. This is often modified by malware to allow credential harvesting.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
2
36
127
@CyberRaiju
Jai Minton
3 years
Let's talk about static, network-based IOCs and analysis. Network-based IOCs such as Domains and IPs are both temporal and contextual. If a network sec device has alerted on a static IOC and you cannot ascertain when that IOC was added, or context on why, then it's a waste. 1/15
4
33
125
@CyberRaiju
Jai Minton
5 years
MITRE ATT&CK™ T1171 - LLMNR/NBT-NS Poisoning and Relay
- Can steal Net-NTLM hashes and relay them to dump NTLM hashes
- Look for service installations
This example uses responder and smbrelayx to dump hashes from a remote machine using a Net-NTLM hash
1
42
121
@CyberRaiju
Jai Minton
4 years
dismhost dccw credwiz consent computerdefaults CompMgmtLauncher clipup cliconfg BitlockerWizardElev
May want to keep an eye on child processes of these binaries. More details on common known methods and current patching status can be found:
1
29
111
@CyberRaiju
Jai Minton
5 years
Brief update, given the popularity, the Windows #DFIR and #IncidentResponse #Cheatsheet has been updated including additional header highlighting for readability and will no doubt continue to grow. This is now on a custom domain with a redirect setup.
1
46
106
@CyberRaiju
Jai Minton
5 years
MITRE ATT&CK™ T1028 - Windows Remote Management
- Post exploitation tactic useful for Lateral Movement
- Look out for child processes of wsmprovhost and evidence of service enabling.
Below I use PowerShell to run commands on a remote machine through WinRM
1
34
104
@CyberRaiju
Jai Minton
4 years
@GossiTheDog Here's some of the analysis one of my bright colleagues @sneakymonk3y has done in his own research.... lots of methods.
2
34
101
@CyberRaiju
Jai Minton
4 years
More evidence of binaries running can sometimes be found in Windows 10 based on taskbar metrics.
HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\
Using these you can see the number of times opened apps have been clicked, right clicked. More info below:
2
35
102
@CyberRaiju
Jai Minton
4 years
When looking at running processes, a number of useful items to examine:
- Name(s)
- Path
- Description
- Signing
- Version
- Company
- Comments
- Language
- Hash
We can get info on all exe/dll running using PowerShell.
gps -module -FileVersionInfo -ea 0 | sort -uniq | FL *name
2
35
101
@CyberRaiju
Jai Minton
5 years
MITRE ATT&CK™ T1191 - CMSTP
- Another Windows Utility which can be abused to evade detection.
- Look for suspicious CMSTP processes
This example uses a fake picture (inf) file to execute our malicious DLL and spawn calc as a way of avoiding detection.
2
41
97
@CyberRaiju
Jai Minton
17 days
Just released 🎉: Malware analysis of IDAT (Hijack) Loader, its injection from IDAT (PNG file) streams, and how it uses Process Doppelganging This covers both dynamic and static analysis techniques which can be used to unravel the final payload Enjoy!
1
15
97
@CyberRaiju
Jai Minton
4 years
For a different artifact gathering tool, take a look at 'Meta-Blue' by newhandle. It implements concurrent PowerShell remoting sessions to pull artifacts in csv format from remote hosts. Also incorporates a number of elements from the DFIR Cheat Sheet.
4
34
90
@CyberRaiju
Jai Minton
4 years
More for Lateral Movement -> Evidence removal.
mstsc net runas netsh wmiprvse (children) wsmprovhost (children) psexesvc (children) winrm winrs win shadow esentutl vssadmin del wevtutil taskkill klist ftp
Hopefully that list helps as a start. For more:
4
18
89
@CyberRaiju
Jai Minton
4 years
MITRE ATT&CK™ T1179 - Hooking
- Capture API calls
- Used by rootkits, malware, and AV software
In this example we create a keyboard hook to log keystrokes, and use a custom DLL to log any calls to the Windows Socket 2 API. H/T
0
28
88
@CyberRaiju
Jai Minton
3 years
Chapter 19 of PMA Write-up complete: Shellcode Analysis This covers off on debugging and disassembling shellcode, some nuances on Position-Independent Code (PIC), Identifying Execution Locations, Manual Symbol Resolution/Imports, encoding and NOP Sleds.
0
20
89
@CyberRaiju
Jai Minton
4 years
MITRE ATT&CK V7.0 (July 2020) Mind Map now available with minor changes including new sub-techniques added since the V7.0 beta. The update can be found (So long as Github isn't down): Changelog:
0
35
88
@CyberRaiju
Jai Minton
2 years
Defender tip: Many pieces of malware will try and create a rule for the Windows FW. Keep an eye on the below event log
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
2004 - Added
2005 - Modified
2006 - Deleted
Can parse it like so to view unique processes
1
24
86
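An added example (not the author's parsing, which was in an image not reproduced here) for the firewall rule events in the post above: it reads 2004/2005/2006 from the named log, pulls the fields by name from the event XML, and summarises which processes have been changing rules. The function name, the 90-day window and the "outside Windows/Program Files" filter are this example's own.

```powershell
# Added example, not the author's code: list Windows Firewall rule changes and the
# process responsible. ApplicationPath is the program the rule applies to;
# ModifyingApplication/ModifyingUser identify who made the change. Event 2006 (deleted)
# carries fewer fields, so some columns are empty for it. Run elevated.

function Get-FirewallRuleChanges {
    param([int]$Days = 30)
    $log     = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    $actions = @{ 2004 = 'Added'; 2005 = 'Modified'; 2006 = 'Deleted' }
    $events  = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = 2004, 2005, 2006
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Action     = $actions[$e.Id]
            RuleName   = $d['RuleName']
            Direction  = $d['Direction']            # 1 = inbound, 2 = outbound
            Program    = $d['ApplicationPath']
            ModifiedBy = $d['ModifyingApplication']
            User       = $d['ModifyingUser']
        }
    }
}

$changes = Get-FirewallRuleChanges -Days 90

# Unique modifying processes, busiest first. netsh, mmc and installers are normal;
# an executable in a user profile or temp folder is worth a look.
$changes | Group-Object ModifiedBy | Sort-Object Count -Descending | Select-Object Count, Name

# Rules whose target program sits outside the Windows and Program Files trees.
$trusted = '^(' + [regex]::Escape($env:windir) + '|' + [regex]::Escape($env:ProgramFiles) + ')'
$changes | Where-Object { $_.Program -and $_.Program -notmatch $trusted } |
    Format-Table Time, Action, RuleName, Program, ModifiedBy -AutoSize
```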
@CyberRaiju
Jai Minton
4 years
I've just made my @KringleCon #Holidayhack Challenge Write-up public. Or for those who want the direct PDF: This is 150 picture-filled pages detailing every challenge and how they can be solved. Enjoy, hope you learn something.
5
26
85
@CyberRaiju
Jai Minton
3 years
I've been doing a poor job with updates, but Chapters 14 and 15 of Practical Malware Analysis (No Starch Press) write-up now complete. No new page layout yet, sorry😅. 14: Malware-Focussed Network Signatures 15: Anti-Disassembly
1
27
84
@CyberRaiju
Jai Minton
3 years
Hi all, long time no tweet. My latest blog post is now released ✍️
- Takes a look at a persistent browser hijacker ☠️
- Malware leverages kernel drivers which act as a rootkit 🪝
- Manual steps for remediation 🩹
- Yara rules provided👊
Happy Holidays.
0
27
81
@CyberRaiju
Jai Minton
10 days
Just released 🎉: What starts as an ISO file, ends in a RAT. Join me in diving into some ISO file forensics via the Windows Event Log, and how the configuration of a RAT that gets loaded into memory can be decrypted using CyberChef. Enjoy!
3
31
118
@CyberRaiju
Jai Minton
4 years
If you enable AMSI Debug logs, a quick and dirty way to output all of the event log 'content' including scanned strings is below.
((Get-WinEvent -Log 'AMSI/Debug' -Oldest).Properties | select -exp value | ForEach-Object ToString X2 -ea 0) -join ''
1
28
79
@CyberRaiju
Jai Minton
5 years
Analysis of MITRE ATT&CK™ T1197 - BITS Jobs.
- Bypasses Autoruns Detection
- Event ID 64 is useful
- Revealed on hosts using: bitsadmin /list /allusers /verbose
In my example below whenever the bitsadmin job copies a file I pop calc, even after a reboot.
0
41
79
@CyberRaiju
Jai Minton
4 years
Some extra process execution/command lines to monitor for hands on adversary situational awareness/recon.
tasklist ver ipconfig systeminfo netstat whoami nbtstat set qprocess nslookup net type dir echo dsquery quser
1
12
77
@CyberRaiju
Jai Minton
24 days
Just released 🎉: I discuss the basics of DLL Side-Loading and DLL Search Order Hijacking, and then compare a legitimate and malicious DLL which is loaded by a legitimate piece of AV software. This is the first part to more in-depth analysis of IDAT Loader
0
17
80
@CyberRaiju
Jai Minton
5 years
MITRE ATT&CK™ T1183 - Image File Execution Options
- Can launch payload whenever a process is run or closed
- Look for suspicious WerFault child processes and IFEO reg keys.
This example uses 3 registry keys to spawn our payload whenever mspaint closes.
0
48
76
@CyberRaiju
Jai Minton
2 years
Windows Pentesting/DFIR Tip: It's all too common to see the 'find' command used on Windows and linux, but what is less known and far more useful is 'where.exe' to recursively search. Use this and find what you're looking for with wildcards natively on Windows.
2
10
77
@CyberRaiju
Jai Minton
2 years
Running the following in PowerShell as Admin on Windows should mitigate the issue for any instances >=2.10
[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS","true","Machine")
2/3
4
18
75
@CyberRaiju
Jai Minton
4 years
Let's look back at injecting into rundll32. Another telltale sign may be the version (32 or 64 bit) of rundll32 being injected into. If your normal processes use 64-bit version (\System32), but then the 32-bit version runs (\SysWoW64) e.g. spawnto_x86, this may be worth flagging
1
25
77
@CyberRaiju
Jai Minton
2 years
Mountable image files (e.g. .iso/.vhd) present challenges because phishing and fake software installers both use these to host malware inside of them as a form of defense evasion. These are normally mounted on double click. To protect against this or detect it afterwards🧵👇
2
17
74
@CyberRaiju
Jai Minton
4 years
Happy to be proven wrong, or get some examples of false positives, but when you migrate a standard Meterpreter Reverse TCP Shell into a new process (tested x86), it loads the Winsocket DLL with a lowercase name and uppercase extension, different to normal applications which vary.
2
19
72
@CyberRaiju
Jai Minton
4 years
Now in blog format, a quick read of my research into the relatively new 'FeatureUsage' registry key and some potential DFIR use cases.
@CrowdStrike
CrowdStrike
4 years
In addition to event logs, a number of other artifacts can provide valuable information, such as registry keys. In this blog, we discuss a new registry artifact called “FeatureUsage,” found in builds of Windows 10 version 1903 and later. via @CyberRaiju
0
21
74
4
18
70
@CyberRaiju
Jai Minton
3 years
Part 2 of my STRRAT Malware write-up is now available: Learn how to decrypt the STRRAT configuration file, gather context on how it is being used, persistence involved, extract Host and Network IOCs, and I've now made a decrypter for the config available.
1
25
69
@CyberRaiju
Jai Minton
2 years
To help combat imposter syndrome, this year for @KringleCon I've created videos showing my failures and success in an edutaining way. I also recreated KringleCon as a JRPG playable game for my write-up. Enjoy! Game🎮: YouTube📺:
7
14
69
@CyberRaiju
Jai Minton
19 days
There are 3 constants in life: -Death -Taxes -Being compared to @_JohnHammond 😂
8
1
69
@CyberRaiju
Jai Minton
5 years
MITRE ATT&CK™ T1113 - Screen Capture
- See what your victim sees
- Monitor Admin tools or API usage if possible
Below I show 3 methods of taking a screen capture remotely on Windows. PowerShell, 3rd party binaries, and inbuilt in Meterpreter.
0
28
67
@CyberRaiju
Jai Minton
4 years
Final result: Approx 80% of the Lab environment and 90% of the exam environment compromised.👨‍💻 Today I received my confirmation. Officially OSCP certified!🎉 Now I can return to Twitter after a bit of a hiatus for some more research and tech related tweets. ✌️
@CyberRaiju
Jai Minton
4 years
So as it currently stands:
➡️25 root/system shells.
➡️All networks unlocked. 🥳
It's nice to be able to look at how these were popped including the different techniques used, and know that each of them have ways to detect, prevent, or respond. Onward and upward.
3
3
30
10
1
69
@CyberRaiju
Jai Minton
4 years
As admin get the hash of scheduled tasks from System32 dir:
$a=((gci tasks -rec | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}
0
18
67
@CyberRaiju
Jai Minton
2 years
MalAPI: Created by @mrd0x , this website aims to map Windows APIs to common techniques used by malware. Useful for reverse engineers as this helps to map functions which are used within a binary to possible malicious capability.
1
8
64
@CyberRaiju
Jai Minton
3 years
Chapter 20 of PMA Write-up complete: C++ Analysis Covers off on OOP, some nuances on how it appears disassembled, the 'this' pointer, inheritance, overloading/mangling, virtual/non-virtual functions (Polymorphism), vtables, and exception handler objects.
1
22
64
@CyberRaiju
Jai Minton
4 years
Using DHCP logs you can get the name, SSID and MAC address your Windows device used to connect to a particular Wifi network. In this instance Invoke-Mimikatz was the SSID 😅
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DHCP*'; Id='50067';}|FL TimeCreated,Message
1
15
66
@CyberRaiju
Jai Minton
3 years
Chapter 21 of PMA Write-up complete: 64-bit malware This is the final installment currently planned in my PMA Write-up series, with some extra content on Yara already being included. A big thanks to @mikesiko , Andrew Honig and @nostarch 1/7
2
27
66
@CyberRaiju
Jai Minton
4 years
Although there's a known workaround, you may want to keep an eye on the below registry key to help detect privesc by misuse of Kerberos Ticket Granting Tickets. Modification should be a rarity.
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v allowtgtsessionkey
1
30
64
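An added example (not the author's code) that turns the registry values called out across the posts above into one baseline check: the RDP keys (fDenyTSConnections, fSingleSessionPerUser, PortNumber), DisableRemoteScmEndpoints, WDigest UseLogonCredential, NtfsDisableLastAccessUpdate and the Kerberos allowtgtsessionkey value. The Expected values and the AbsentOk flags are this example's assumptions for a locked-down host, not something the tweets state; adjust them to your own baseline.

```powershell
# Added example, not the author's code: read each watched value and report drift from an
# assumed baseline. AbsentOk says whether a missing value is acceptable (UseLogonCredential
# absent means disabled on Windows 8.1+; allowtgtsessionkey absent means the default of 0).
# Run elevated, and re-run on a schedule (or alert on Sysmon Event ID 13 for these keys).

$BaselineChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';                     Name = 'fDenyTSConnections';          Expected = @(1);    AbsentOk = $false; Why = 'RDP connections allowed' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';                     Name = 'fSingleSessionPerUser';       Expected = @(1);    AbsentOk = $false; Why = 'Multiple RDP sessions per user allowed' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber';                  Expected = @(3389); AbsentOk = $false; Why = 'RDP listening on a non-default port' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control';                                     Name = 'DisableRemoteScmEndpoints';   Expected = @(1);    AbsentOk = $false; Why = 'Remote service control (psexec-style) reachable' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';           Name = 'UseLogonCredential';          Expected = @(0);    AbsentOk = $true;  Why = 'WDigest keeps plaintext credentials in memory' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';                          Name = 'NtfsDisableLastAccessUpdate'; Expected = @(0);    AbsentOk = $false; Why = 'NTFS last-access timestamps not tracked (0 = tracked)' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters';             Name = 'allowtgtsessionkey';          Expected = @(0);    AbsentOk = $true;  Why = 'TGT session key exposed to user processes' }
)

function Test-RegistryBaseline {
    param([hashtable[]]$Checks = $BaselineChecks)
    foreach ($c in $Checks) {
        $present = $false
        $actual  = $null
        $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $present = $true
            $actual  = $item.($c.Name)
        }
        $ok = ($present -and ($c.Expected -contains $actual)) -or ((-not $present) -and $c.AbsentOk)
        $expected = $c.Expected -join '|'
        if ($c.AbsentOk) { $expected += '|absent' }
        [pscustomobject]@{
            Status   = $(if ($ok) { 'OK' } else { 'REVIEW' })
            Value    = "$($c.Key)\$($c.Name)"
            Actual   = $(if ($present) { $actual } else { 'absent' })
            Expected = $expected
            Note     = $(if ($ok) { '' } else { $c.Why })
        }
    }
}

Test-RegistryBaseline | Format-Table Status, Value, Actual, Expected, Note -AutoSize -Wrap
```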
@CyberRaiju
Jai Minton
5 years
Delete something by accident? Never looked into Shadow Copies? In addition to VSCMount, you can also interact with these using a command prompt. Just find the Shadow Copy Volume and symlink.
vssadmin list shadows
mklink /d shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
2
23
65
@CyberRaiju
Jai Minton
3 years
Someone, somewhere may find this useful.
DETECTION
"Known-Good" Comparison
"Web Traffic Anomaly Detection"
"Signature-Based Detection"
"Unexpected Network Flows"
1/2
2
37
65
@CyberRaiju
Jai Minton
4 years
For tunneling, view cons listening on localhost who also have a con to a remote address. In this example I have tunneled RDP cons. Our process is connected to a C2, and we can see via '::1' we have an active RDP con. Event logs give us the remote host from network address '::'.
1
11
63
@CyberRaiju
Jai Minton
4 years
What's the difference between running a link to a file, and running the file directly? Explorer.exe has 5 more calls on the stack during process creation through a link (.lnk) file due to a temporary property being set. May be useful to hunt for those malicious .lnk files.
0
22
63
@CyberRaiju
Jai Minton
1 month
If you're not across MSIX installers you need to be! The @Huntress SOC hunting operations is seeing this malicious sample which has been active for 2 weeks and has near 0 on VT. Masquerading as Calendly, Bitwarden, Vmware, TradingView, Notion, and Asana.
2
26
61
@CyberRaiju
Jai Minton
5 years
MITRE ATT&CK™ T1088 - Bypass UAC
- Lots of methods documented
- Look for suspicious parent processes
This example uses a reg key to make EventViewer spawn a payload with elevated privileges. We can see this activity in Splunk.
2
13
59
@CyberRaiju
Jai Minton
4 years
I quite like process trees (as opposed to lists) which show parent child relationships. As such I forked a PowerShell module from @raboof and made some minor adjustments to add support for file hashes, signing certs, command line execution. May be useful.
2
24
60
@CyberRaiju
Jai Minton
4 years
Today I learned - Based on the Outlook .msg file specs: you can rip an email apart using 7-Zip to get the attachment and email content in streams without using any other tools. Demonstrated with one of many spam emails I find myself facepalming at 🤦‍♂️
2
14
59
@CyberRaiju
Jai Minton
4 years
For those looking at different #Security #Certifications , this is a nice way of presenting a lot of information by SinecureLife. Just don't forget the benefit of a home lab and hands on experience... User: () Reddit:
0
30
58