Soren Fritzboger
@fritzboger
Denmark

Consultant at @csis_cyber
Studying a master's degree in Computer Science and Engineering at @DTUtweet
Tweets are my own

31 Tweets
204 Following
64 Followers

Tweets

Soren Fritzboger retweeted

CSIS Security Group
@csis_cyber
21 Jan

Read CSIS Security Group's latest Threat Matrix Report and get an overview of the latest trends, news and real world scenarios in the cyber security industry.
gallery.mailchimp.com/c35aef82661dad… pic.twitter.com/mciIjhdbPV

Soren Fritzboger
@fritzboger
21 Jan

Publish or it didn't happen

Soren Fritzboger
@fritzboger
17 Jan

I know you care ❤️

Soren Fritzboger
@fritzboger
17 Jan

Found my first two privilege escalations in Windows 🔥

Soren Fritzboger retweeted

Mitja Kolsek
@mkolsek
16 Jan

Infosec twitter, apart from the currently popular CVE-2020-0601 patch, do you know of any other official vendor patch that uses CveEventWrite to record an attempt to exploit a patched vulnerability? I think it's an important and positive change.
Please RT for reach.

Soren Fritzboger
@fritzboger
15 Jan

That's a very interesting observation. From my testing of AMSI with the grunts from Covenant C2, AMSI did both "dumb" string detection but also more in-depth analysis of the IL itself. This was done through PowerShell AMSI, and not .NET 4.8. Should behave the same though?

Soren Fritzboger
@fritzboger
15 Jan

Not that it applies to your issue, just thinking about what the underlying problem could be for AMSI not detecting the sample in a C# binary.

Soren Fritzboger
@fritzboger
15 Jan

I'm confused too now. When I played with AMSI, it was through the AMSI scan interface, and I remember there was a difference between using a byte-array input and string input. Maybe the sample only gets detected in the string version?

Soren Fritzboger
@fritzboger
15 Jan

Not sure about the EICAR test string, but I did have success with the AMSI test sample inside a binary file.
@_RastaMouse put up a gist gist.github.com/rasta-mouse/5c…

Soren Fritzboger
@fritzboger
14 Jan

Wrote a small post about embedding external DLLs into a Task in Covenant. Shout out to @cobbr_io for Covenant and his willingness to help in the #covenant BloodHound Slack channel!
@csis_cyber
medium.com/csis-techblog/…

Soren Fritzboger
@fritzboger
30 Dec

Calc or it's fake. Everybody knows that.

Soren Fritzboger retweeted

Carl Schou / vm
@vm_call
21 Dec

vmcall.blog/nc3-2019-write…
Merry Christmas :-) Here's a (although partial) write-up of #nc3ctf2019 where I have published solution details to the categories: Reversing, Analysis and Boot2Root. The rest of the categories will be updated later on, but for now only contain the flags.

Soren Fritzboger
@fritzboger
10 Dec

I have been searching for a way to do this. This is a very elegant solution, and will definitely be useful in the near future. Well done @m0rv4i! twitter.com/m0rv4i/status/…

Soren Fritzboger
@fritzboger
9 Dec

When did Mimikatz become a legitimate tool 🤔 pic.twitter.com/PlbgWwvgI5

Soren Fritzboger
@fritzboger
13 Nov

This is a very interesting use of API hooking. Well thought of, @0x09AL! twitter.com/MDSecLabs/stat…

Soren Fritzboger
@fritzboger
7 Nov

I see your point. For anyone interested in this behavior, this post blog.cjwdev.co.uk/2011/06/28/per… explains it very well. It also includes a script to map the integer values to FileSystemRights (and the comments have it in PowerShell).

Soren Fritzboger
@fritzboger
7 Nov

As for the FileSystemRights, one of the following combinations should be enough:
ChangePermissions
CreateFiles + WriteData
TakeOwnership
Write

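A PowerShell audit helper, added here as an example and not code from the tweets or from any script they mention: it reads a path's ACL and reports every Allow ACE that grants one of the rights listed above to a broad, low-privilege principal, so such directories can be tightened before they become a privilege-escalation path. The function name Get-WeakWriteAce, the principal list and the example path are assumptions.

```powershell
# Added example (not from the tweets). Flags Allow ACEs on $Path that grant
# write-equivalent rights to broad principals. Principal list is an assumption.
function Get-WeakWriteAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $BroadPrincipals = @(
            'NT AUTHORITY\Authenticated Users', 'Everyone',
            'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE'
        )
    )
    $FSR = [System.Security.AccessControl.FileSystemRights]
    # Each flag alone lets the holder modify the object or its ACL.
    # CreateFiles and WriteData are the same bit (0x2) in this enum;
    # FullControl and Modify contain all of these, so they are caught too.
    $singleFlags = @(
        @{ Name = 'ChangePermissions';     Flag = $FSR::ChangePermissions },
        @{ Name = 'TakeOwnership';         Flag = $FSR::TakeOwnership },
        @{ Name = 'CreateFiles/WriteData'; Flag = $FSR::WriteData }
    )
    # Generic access bits have no FileSystemRights name but also imply write.
    $GENERIC_WRITE = 0x40000000
    $GENERIC_ALL   = 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        $rights  = $ace.FileSystemRights
        $raw     = [int]$rights          # unnamed generic bits survive the cast
        $reasons = @()
        foreach ($f in $singleFlags) {
            if (($rights -band $f.Flag) -eq $f.Flag) { $reasons += $f.Name }
        }
        # 'Write' is a composite (WriteData|AppendData|WriteEA|WriteAttributes);
        # report it only when the whole combination is present.
        if (($rights -band $FSR::Write) -eq $FSR::Write) { $reasons += 'Write' }
        if ($raw -band $GENERIC_WRITE) { $reasons += 'GENERIC_WRITE' }
        if ($raw -band $GENERIC_ALL)   { $reasons += 'GENERIC_ALL' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Reasons   = ($reasons -join ', ')
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Illustrative sweep: audit each top-level folder under Program Files.
Get-ChildItem 'C:\Program Files' -Directory | ForEach-Object { Get-WeakWriteAce -Path $_.FullName }
```

Deny ACEs are skipped on purpose; an Allow hit that is cancelled by an explicit Deny for the same principal should be reviewed by hand rather than assumed safe.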
Soren Fritzboger
@fritzboger
7 Nov

Doesn't this depend on your goals? If you want to do a full assessment of your AD, then yes, you need to check all groups.
But if you just want a quick list of possible candidates, AUTHORITY\Authenticated Users should do just fine.

Soren Fritzboger
@fritzboger
6 Nov

Should be fairly easy to modify the script to check the ACL for regular users instead of write access by the current user.

Soren Fritzboger
@fritzboger
6 Nov

Yeah, @wdormann's script is very useful. I've used it a fair amount of times.