Jai Minton

@CyberRaiju

JPMinty | Infosec - Cyber | Aussie | Defender | Instructor and Mentor | All thoughts and opinions expressed here are my own.

Joined April 2018

Tweets


  1. Pinned Tweet
    14 Jun 2019

    I've been compiling a Windows of common commands and areas of interest for including common tool-sets (more information to come). This can be found below, any comments or feedback is always welcome.

  2. 3 Feb

    "Oh bother... think think think." Any other interesting adversary -> defender/researcher interactions they've seen play out?

  3. 1 Feb

    More for Lateral Movement -> Evidence removal: mstsc, net, runas, netsh, wmiprvse (children), wsmprovhost (children), psexesvc (children), winrm, winrs, win shadow, esentutl, vssadmin, del, wevtutil, taskkill, klist, ftp. Hopefully that list helps as a start. For more:

  4. 1 Feb

    Some extra process execution/command lines to monitor for hands-on adversary situational awareness/recon: tasklist, ver, ipconfig, systeminfo, netstat, whoami, nbtstat, set, qprocess, nslookup, net, type, dir, echo, dsquery, quser.

  5. 1 Feb

    Some essential process execution/cmd lines to monitor for initial access/persistence: powershell, cmd, rundll32, control, wscript, javaw, csc, regsvr32, reg, certutil, bitsadmin, schtasks, wmic, eqnedt32, msiexec, cmstp, mshta, hh, curl, installutil, regsvcs/regasm, at, msbuild, sc, cscript, msxsl, runonce.

  6. 30 Jan
  7. 29 Jan

    Initial Access Methods:
    - Valid Accounts (Insider, Data Breach)
    - Replication (USB, CD)
    - External Services (VPN, Citrix, RDP)
    - Drive-by (Exploit Kits)
    - Application Exploit (SQLi, LFI etc)
    - Phishing (link, file, external)
    - Trusted Party/Supply Chain
    - Hardware add-ons
    - Quantum Insert

  8. 28 Jan

    So they either fixed this script or removed it (Yes hello, thank you for reading), but shortly after an IP range with changing User Agent (I hope they're not actually running XP) continued hitting, so there you go, someone is interested in COM Hijacking. 🤷‍♂️

  9. Retweeted
    28 Jan

    Simple YARA rule to detect suspicious Windows ServiceDll, e.g. the 2nd match is related to the APT sample "mshlpsrvc.dll"

  10. 28 Jan

    Some Lateral Movement Methods:
    - Pass the Hash/Relay ((Net-)NTLM)
    - Pass the Ticket (Silver/Golden)
    - RDP (Legit creds)
    - Remote Services (VNC/SSH)
    - (D)COM (Remote sched tasks, Services, WMI)
    - Remote Service Vuln (EB)
    - Admin Shares (PSExec)
    - Webshell (Chopper)
    - WinRM (PS Remoting)

  11. Retweeted
    28 Jan

    For today "side lolbin" let's say thanks to: ZOHO Corporation private Limited with their dctask64.exe. Keep injecting all the dll we want with: dctask64.exe injectDll <dllpath> <PID> bonus point: we have the outputs!!! cc

  12. Retweeted
    25 Jan

    If you're not retaining things like DHCP logs, DNS logs, RDP logs, some kind of internal network monitoring/visibility, you should do that. Trying to hunt through 2 month old traffic is hard when you can't correlate IP to Endpoint because DHCP.

  13. Retweeted
    24 Jan
  14. Retweeted
    24 Jan

    BGP,HJ,hijacked prefix AS136265 103.143.30.0/24, SPLUNKINC-AS-AP Splunk Inc., AU,-,By AS208420 LCL, GB,

  15. 24 Jan
  16. 21 Jan

    When you: "Can't disable Macros, PowerShell, WScript etc" Within your environment, but have no reason for these or half the other lolbins to connect to anything over the internet; at least put in host or network based firewall rules to block these pulling payloads.

  17. Retweeted
    21 Jan
    Replying to

    I would classify Sysmon as one of the logging interface building blocks to implementing HIDS-like behavior if you wanted to go that way, without making your own endpoint agent.

  18. Retweeted
    20 Jan
    Replying to

    Sysmon itself doesn’t even have detection signatures. Well configured it can provide a basis on which you can implement detection logic. Sysmon + config + centralized logging + Sigma : can be considered a HIDS

  19. 20 Jan

    If you're looking for an excellent non-technical focus podcast: Look at the Show (e.g. ep 300 with ). This is an excellent listen with an excellent message. If you compare yourself to anyone else, take a listen and hopefully get something out of it.

  20. 20 Jan

    I've heard Sysmon be called a free 'EDR' solution. Mentoring Monday: how would you describe the difference between these to an average user? AV, HIDS, HIPS, EDR. At best Sysmon can be used 'like' a HIDS solution as it monitors the endpoint, but it is unable to prevent or respond.

  21. 19 Jan

    A persistence method using Discord. Drop your own d3dcompiler_47.dll which exports a function: D3DCompile over the top of the real one contained at the below: C:\Users\*\AppData\Local\Discord\app-0.0*\ This will run when Discord runs, and have nil impact from what I've seen.

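The three process lists in the 1 Feb tweets above (initial access/persistence, hands-on recon, lateral movement/evidence removal) are meant to be fed into process-creation monitoring, and the "(children)" entries and the cmd.exe builtins (ver, set, type, dir, echo, del) need different handling from a plain image-name match. The script below is an added example of that triage logic, not code from the tweets or from Sysmon itself; the events are constructed Sysmon Event ID 1-style records, and reading "win shadow" as shadow.exe is an assumption.

```python
"""Triage Sysmon-style process-creation events against the three watch-lists
tweeted on 1 Feb: initial access/persistence, hands-on recon, and lateral
movement/evidence removal. Added example code, not from the tweets; the
sample events below are constructed, not captured from a real host."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Watch-lists transcribed from the tweets (lower-case, ".exe" stripped).
INITIAL_ACCESS = {
    "powershell", "cmd", "rundll32", "control", "wscript", "javaw", "csc",
    "regsvr32", "reg", "certutil", "bitsadmin", "schtasks", "wmic", "eqnedt32",
    "msiexec", "cmstp", "mshta", "hh", "curl", "installutil", "regsvcs",
    "regasm", "at", "msbuild", "sc", "cscript", "msxsl", "runonce",
}
RECON = {
    "tasklist", "ipconfig", "systeminfo", "netstat", "whoami", "nbtstat",
    "qprocess", "nslookup", "net", "dsquery", "quser",
}
# Assumption: "win shadow" in the tweet means shadow.exe (RDP session shadowing).
LATERAL_EVIDENCE = {
    "mstsc", "net", "runas", "netsh", "winrm", "winrs", "shadow", "esentutl",
    "vssadmin", "wevtutil", "taskkill", "klist", "ftp",
}
# Marked "(children)" in the tweet: anything spawned by these is of interest.
WATCHED_PARENTS = {"wmiprvse", "wsmprovhost", "psexesvc"}
# ver/set/type/dir/echo/del are cmd.exe builtins, so they never show up as a
# process Image; they are only visible inside the CommandLine of cmd.exe.
BUILTIN_RECON = {"ver", "set", "type", "dir", "echo"}
BUILTIN_EVIDENCE = {"del", "erase"}


def exe_name(image):
    """'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe' -> 'wmiprvse'."""
    name = PureWindowsPath(image).name.lower()
    return name[:-4] if name.endswith(".exe") else name


def cmd_builtins(command_line):
    """Builtin names used in a cmd.exe command line, split on whitespace,
    quotes and the & / | operators so 'dir C:\\ & del x' yields {'dir', 'del'}."""
    tokens = re.split(r'[\s&|"]+', command_line.lower())
    return {t for t in tokens if t in BUILTIN_RECON | BUILTIN_EVIDENCE}


def classify(event):
    """Return the set of tags one Sysmon Event ID 1-like record triggers."""
    image = exe_name(event["Image"])
    parent = exe_name(event["ParentImage"])
    tags = set()
    if image in INITIAL_ACCESS:
        tags.add("initial_access")
    if image in RECON:
        tags.add("recon")
    if image in LATERAL_EVIDENCE:
        tags.add("lateral_or_evidence")
    if parent in WATCHED_PARENTS:
        tags.add("child_of_" + parent)
    if image == "cmd":
        used = cmd_builtins(event["CommandLine"])
        if used & BUILTIN_RECON:
            tags.add("recon")
        if used & BUILTIN_EVIDENCE:
            tags.add("lateral_or_evidence")
    return tags


def triage(events):
    """Tag counts per host, so the initial access -> recon -> lateral movement
    progression the tweets describe stands out per machine."""
    per_host = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            per_host.setdefault(ev["Computer"], Counter()).update(tags)
    return per_host


# Constructed sample events (Sysmon Event ID 1 field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe http://example.invalid/x.hta"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'cmd.exe /c "whoami & dir C:\Users & set"'},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "whoami"},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'cmd.exe /c "wevtutil cl Security & del C:\Windows\Temp\p.txt"'},
    {"Computer": "SRV02", "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wevtutil cl Security"},
    {"Computer": "WS03", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"},
]

if __name__ == "__main__":
    for host, counts in triage(SAMPLE_EVENTS).items():
        print(host, dict(counts))
```

Two caveats a practitioner will hit straight away: matching on image name alone is noisy (cmd.exe and net.exe are everywhere), so the per-host tag combination and the parent relationship (a cmd.exe under WmiPrvSE.exe) carry more weight than any single hit, and the builtin check is a token match, so a file literally named "type" or "set" will also fire. The image-name lists are exactly what a Sysmon ProcessCreate include rule or a Sigma process_creation rule would carry; this script just shows the matching logic end to end.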