Pinned tweet
I've been compiling a Windows #cheatsheet of common commands and areas of interest for #DFIR including common tool-sets (more information to come). This can be found below, any comments or feedback is always welcome. https://jpminty.github.io/cheatsheet/DFIR/
"Oh bother... think think think." Any other interesting adversary -> defender/researcher interactions they've seen play out? https://twitter.com/ydklijnsma/status/1224452588747124737
More for Lateral Movement -> Evidence removal: mstsc, net, runas, netsh, wmiprvse (children), wsmprovhost (children), psexesvc (children), winrm, winrs, win shadow, esentutl, vssadmin, del, wevtutil, taskkill, klist, ftp. Hopefully that list helps as a start. For more: https://lolbas-project.github.io/#
Some extra process execution/command lines to monitor for hands-on adversary situational awareness/recon: tasklist, ver, ipconfig, systeminfo, netstat, whoami, nbtstat, set, qprocess, nslookup, net, type, dir, echo, dsquery, quser
Some essential process execution/cmd lines to monitor for initial access/persistence: powershell, cmd, rundll32, control, wscript, javaw, csc, regsvr32, reg, certutil, bitsadmin, schtasks, wmic, eqnedt32, msiexec, cmstp, mshta, hh, curl, installutil, regsvcs/regasm, at, msbuild, sc, cscript, msxsl, runonce
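The three watchlists in this thread (initial access/persistence, situational awareness, lateral movement/evidence removal) are only useful once they are turned into detection logic over process-creation telemetry. The following is an added example, not code from @CyberRaiju's tweets or from any project he links: it encodes the lists above and runs them over a few constructed Sysmon Event ID 1-style records. Field names follow Sysmon (UtcTime, Computer, Image, CommandLine, ParentImage); the sample events, the severities and the recon-burst threshold are assumptions chosen for illustration.

```python
"""Watchlist detection over Sysmon-style process-creation events.

Added example, not code from the tweets above: the three process
watchlists are encoded as detection logic and run over constructed
Sysmon Event ID 1-style records. Severities, the burst threshold and
the sample events are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Image names (lower case, no extension) taken from the three tweets.
INITIAL_ACCESS = {
    "powershell", "cmd", "rundll32", "control", "wscript", "javaw", "csc",
    "regsvr32", "reg", "certutil", "bitsadmin", "schtasks", "wmic", "eqnedt32",
    "msiexec", "cmstp", "mshta", "hh", "curl", "installutil", "regsvcs",
    "regasm", "at", "msbuild", "sc", "cscript", "msxsl", "runonce",
}
RECON = {"tasklist", "ipconfig", "systeminfo", "netstat", "whoami", "nbtstat",
         "qprocess", "nslookup", "net", "dsquery", "quser"}
RECON_BUILTINS = {"ver", "set", "type", "dir", "echo"}  # cmd.exe built-ins
LATERAL_OR_CLEANUP = {"mstsc", "net", "runas", "netsh", "winrm", "winrs",
                      "esentutl", "vssadmin", "wevtutil", "taskkill", "klist", "ftp"}
REMOTE_EXEC_PARENTS = {"wmiprvse", "wsmprovhost", "psexesvc"}  # the "(children)" entries
# Command lines that remove evidence; these alert on their own, at high severity.
CLEANUP_PATTERNS = [("wevtutil", "cl"), ("wevtutil", "clear-log"),
                    ("vssadmin", "delete shadows")]


def image_name(path):
    r"""C:\Windows\System32\whoami.exe -> whoami (directory and .exe stripped)."""
    base = ntpath.basename(path).lower()
    return base[:-4] if base.endswith(".exe") else base


def classify(event):
    """Return the set of watchlist tags one event matches."""
    tags = set()
    img = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    tokens = cmd.split()
    if img in INITIAL_ACCESS:
        tags.add("initial_access")
    if img in RECON:
        tags.add("recon")
    # Built-ins only appear as 'cmd /c ver': look at the first non-switch argument.
    if img == "cmd":
        args = [t for t in tokens[1:] if not t.startswith("/")]
        if args and args[0] in RECON_BUILTINS:
            tags.add("recon")
    if img in LATERAL_OR_CLEANUP:
        tags.add("lateral_or_cleanup")
    if parent in REMOTE_EXEC_PARENTS:
        tags.add("remote_exec_child")
    for exe, needle in CLEANUP_PATTERNS:
        if img == exe and set(needle.split()) <= set(tokens):
            tags.add("evidence_removal")
    return tags


def detect(events, burst=4, window=timedelta(minutes=5)):
    """Tag every event and emit alerts for evidence removal, children of
    remote-execution hosts, and `burst` distinct recon commands from one
    host inside `window` (the burst alert fires once, when crossed)."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda r: r["UtcTime"]):
        tags = classify(e)
        if "evidence_removal" in tags:
            alerts.append(("high", e["Computer"], "evidence_removal", e["CommandLine"]))
        elif "remote_exec_child" in tags:
            alerts.append(("medium", e["Computer"], "remote_exec_child", e["CommandLine"]))
        if "recon" in tags:
            ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
            hist = recent[e["Computer"]]
            hist.append((ts, e["CommandLine"]))
            distinct = {c for t, c in hist if ts - t <= window}
            if len(distinct) == burst:
                alerts.append(("medium", e["Computer"], "recon_burst", sorted(distinct)))
    return alerts


def ev(utc, host, image, cmdline, parent):
    return {"UtcTime": utc, "Computer": host, "Image": image,
            "CommandLine": cmdline, "ParentImage": parent}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ev("2020-02-03 10:00:01", "WS01", SYS32 + r"\whoami.exe", "whoami /all", SYS32 + r"\cmd.exe"),
    ev("2020-02-03 10:00:05", "WS01", SYS32 + r"\ipconfig.exe", "ipconfig /all", SYS32 + r"\cmd.exe"),
    ev("2020-02-03 10:00:09", "WS01", SYS32 + r"\net.exe", 'net group "domain admins" /domain', SYS32 + r"\cmd.exe"),
    ev("2020-02-03 10:00:12", "WS01", SYS32 + r"\cmd.exe", "cmd /c ver", SYS32 + r"\cmd.exe"),
    ev("2020-02-03 10:20:00", "SRV02", SYS32 + r"\cmd.exe", "cmd.exe /c whoami", SYS32 + r"\wbem\WmiPrvSE.exe"),
    ev("2020-02-03 10:25:00", "SRV02", SYS32 + r"\wevtutil.exe", "wevtutil cl Security", SYS32 + r"\cmd.exe"),
    ev("2020-02-03 11:00:00", "WS03", r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two points the lists alone do not make explicit: the "(children)" entries are a parent-process condition rather than an image name, so they are matched on ParentImage, and cmd.exe built-ins such as ver or set never appear as their own Image, so they are only visible in the command line. A single tagged event is noise on most fleets; the burst rule over distinct recon commands per host is what separates hands-on-keyboard enumeration from an admin running ipconfig.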
Initial Access Methods:
- Valid Accounts (Insider, Data Breach)
- Replication (USB, CD)
- External Services (VPN, Citrix, RDP)
- Drive-by (Exploit Kits)
- Application Exploit (SQLi, LFI etc)
- Phishing (link, file, external)
- Trusted Party/Supply Chain
- Hardware add-ons
- Quantum Insert
So they either fixed this script or removed it (Yes hello, thank you for reading), but shortly after an IP range with changing User Agent (I hope they're not actually running XP) continued hitting https://www.jaiminton.com/Mitreatt&ck/T1122 so there you go, someone is interested in COM Hijacking.
https://twitter.com/CyberRaiju/status/1213649314418814976
Jai Minton retweeted
simple #threathunting yara rule to detect suspicious windows servicedll, e.g. 2nd match is related to #Konni APT sample "mshlpsrvc.dll" pic.twitter.com/VN6vtcPYpj
Some Lateral Movement Methods:
- Pass the Hash/Relay ((Net-)NTLM)
- Pass the Ticket (Silver/Golden)
- RDP (Legit creds)
- Remote Services (VNC/SSH)
- (D)COM (Remote sched tasks, Services, WMI)
- Remote Service Vuln (EB)
- Admin Shares (PSExec)
- Webshell (Chopper)
- WinRM (PS Remoting)
Jai Minton retweeted
For today's "side lolbin" let's say thanks to ZOHO Corporation Private Limited with their dctask64.exe. Keep injecting all the DLLs we want with: dctask64.exe injectDll <dllpath> <PID> Bonus point: we have the outputs!!! cc @Oddvarmoe @Hexacorn https://www.virustotal.com/gui/file/a1b55abba46db5836ab3050bd754aed462e7361744e7f9f6ab55427ecb35d761/relations pic.twitter.com/x1B6bNQk6J
Jai Minton retweeted
If you're not retaining things like DHCP logs, DNS logs, RDP logs, some kind of internal network monitoring/visibility, you should do that. Trying to hunt through 2 month old traffic is hard when you can't correlate IP to Endpoint because DHCP. #infosec
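The correlation problem in that tweet is concrete: the IP in a two-month-old proxy or firewall record belonged to whichever host held the DHCP lease at that instant, and the same address is handed to different machines over time. The block below is an added example, not code from the tweet or from any DHCP tooling: it rebuilds lease intervals from a few constructed lines in the Windows DHCP server audit-log layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address, using event IDs 10 new lease, 11 renew, 12 release) and answers "which host had this IP at this time" for constructed proxy-log lines. The audit log does not record the lease length, so it is a parameter here, assumed to be 8 hours; the hostnames, MACs and timestamps are made up.

```python
"""IP-to-endpoint correlation from DHCP audit logs.

Added example, not from the tweet above: lease intervals are rebuilt
from constructed Windows DHCP audit-log style lines and used to name
the host behind an IP in a proxy log entry. Lease duration is assumed.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Windows DHCP audit-log event IDs: 10 new lease, 11 renewal, 12 release.
ASSIGN, RENEW, RELEASE = "10", "11", "12"

DHCP_AUDIT_LOG = """\
10,02/03/20,09:12:40,Assign,10.0.0.25,ws01.corp.local,00-11-22-33-44-55
11,02/03/20,13:12:40,Renew,10.0.0.25,ws01.corp.local,00-11-22-33-44-55
12,02/04/20,08:01:03,Release,10.0.0.25,ws01.corp.local,00-11-22-33-44-55
10,02/04/20,08:30:15,Assign,10.0.0.25,laptop-bn.corp.local,AA-BB-CC-DD-EE-FF
10,02/04/20,08:31:00,Assign,10.0.0.26,ws02.corp.local,00-11-22-33-44-66
"""  # constructed lines, not a real server log

PROXY_LOG = """\
2020-02-03 10:00:12 10.0.0.25 GET http://example.test/payload.bin
2020-02-04 13:05:11 10.0.0.25 GET http://example.test/beacon
2020-02-04 08:10:00 10.0.0.25 GET http://example.test/unknown
"""  # constructed 'date time client-ip request' lines


def build_leases(log_text, lease_duration=timedelta(hours=8)):
    """Turn Assign/Renew/Release events into [start, end) intervals per IP.

    Any event for an IP first closes the interval still open for that IP,
    so at any instant an address has at most one owner."""
    leases = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 7 or row[0] not in (ASSIGN, RENEW, RELEASE):
            continue  # header lines, comments, other event IDs
        eid, date, time_, _desc, ip, host, mac = row[:7]
        ts = datetime.strptime(f"{date} {time_}", "%m/%d/%y %H:%M:%S")
        for lease in leases:
            if lease["ip"] == ip and lease["end"] > ts:
                lease["end"] = ts
        if eid in (ASSIGN, RENEW):
            leases.append({"ip": ip, "host": host, "mac": mac,
                           "start": ts, "end": ts + lease_duration})
    return leases


def owner_at(leases, ip, when):
    """(host, mac) that held `ip` at `when` ('YYYY-MM-DD HH:MM:SS'), or None
    when no lease covers that instant: an expired lease or a gap in the logs."""
    at = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= at < lease["end"]:
            return lease["host"], lease["mac"]
    return None


def correlate(leases, proxy_text):
    """Attach the DHCP owner to each 'date time ip ...' proxy log line."""
    results = []
    for line in proxy_text.splitlines():
        date, time_, ip, rest = line.split(" ", 3)
        owner = owner_at(leases, ip, f"{date} {time_}")
        results.append((ip, rest, owner[0] if owner else "UNKNOWN (no lease covers this time)"))
    return results


if __name__ == "__main__":
    for ip, request, host in correlate(build_leases(DHCP_AUDIT_LOG), PROXY_LOG):
        print(f"{ip:<12} {host:<40} {request}")
```

The third proxy line is the case that matters in practice: 10.0.0.25 was released by ws01 and not yet assigned to the laptop, so the function returns None rather than the nearest host. Treat that as a retention or lease-policy question (check the scope's actual lease time before widening `lease_duration`), not as a reason to guess.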
Jai Minton retweeted
3 new Mac forensic tools https://twitter.com/unkn0wnbit/status/1220721938714243076
Jai Minton retweeted
BGP hijack: prefix 103.143.30.0/24 (AS136265, SPLUNKINC-AS-AP Splunk Inc., AU) hijacked by AS208420 (LCL, GB). http://bgpstream.com/event/224746
#Emotet getting political and sending messages as opposed to trying to stay hidden....
New: https://www.virustotal.com/gui/file/754b0cd8afbaa502ee635474ea3660daf41a97fa766921e07f2da5a26aac34c8/detection
vs
Old: https://www.virustotal.com/gui/file/7ae91f32cdca7d854d19439bcff58e2707cfa3cabe1483a16892464dddd3adfe/detection pic.twitter.com/LYsfJVh25e
When you "can't disable Macros, PowerShell, WScript etc." within your environment, but have no reason for these or half the other lolbins to connect to anything over the internet: at least put in host- or network-based firewall rules to block these pulling payloads.
Jai Minton retweeted
I would classify Sysmon as one of the logging-interface building blocks for implementing HIDS-like behavior if you wanted to go that way, without making your own endpoint agent.
Jai Minton retweeted
Sysmon itself doesn't even have detection signatures. Well configured, it can provide a basis on which you can implement detection logic. Sysmon + config + centralized logging + Sigma: can be considered a HIDS.
If you're looking for an excellent non-technical focus podcast: look at the @JordanHarbinger Show (e.g. ep 300 with @simonsinek). This is an excellent listen with an excellent message. If you compare yourself to anyone else, take a listen and hopefully get something out of it.
I've heard Sysmon being called a free 'EDR' solution. Mentoring Monday: how would you describe the difference between these to an average user? AV, HIDS, HIPS, EDR. At best Sysmon can be used 'like' a HIDS solution as it monitors the endpoint, but it is unable to prevent or respond.
A persistence method using Discord. Drop your own d3dcompiler_47.dll which exports a function, D3DCompile, over the top of the real one contained at the below: C:\Users\*\AppData\Local\Discord\app-0.0*\ This will run when Discord runs, and have nil impact from what I've seen. pic.twitter.com/G32Zs4a4jV