Twitter profile
Soren Fritzboger
Consultant; studying for a master's degree in Computer Science and Engineering. Tweets are my own.
31 Tweets · 204 Following · 64 Followers
Tweets
Soren Fritzboger retweeted
CSIS Security Group, 21 Jan
Read CSIS Security Group's latest Threat Matrix Report and get an overview of the latest trends, news and real-world scenarios in the cyber security industry.
Soren Fritzboger, 21 Jan
Replying to @vm_call
Publish or it didn't happen
Soren Fritzboger, 17 Jan
Replying to @vm_call @PyroTek3
I know you care ❤️
Soren Fritzboger, 17 Jan
Replying to @PyroTek3
Found my first two privilege escalations in Windows 🔥
Soren Fritzboger retweeted
Mitja Kolsek, 16 Jan
Infosec Twitter, apart from the currently popular CVE-2020-0601 patch, do you know of any other official vendor patch that uses CveEventWrite to record an attempt to exploit a patched vulnerability? I think it's an important and positive change. Please RT for reach.
Soren Fritzboger, 15 Jan
That's a very interesting observation. From my testing of AMSI with the Grunts from Covenant C2, AMSI did both "dumb" string detection and more in-depth analysis of the IL itself. This was done through PowerShell AMSI, and not .NET 4.8. It should behave the same, though?
Soren Fritzboger, 15 Jan
Replying to @byt3bl33d3r @_RastaMouse
Not that it applies to your issue, just thinking about what the underlying problem could be for AMSI not detecting the sample in a C# binary.
Soren Fritzboger, 15 Jan
Replying to @byt3bl33d3r @_RastaMouse
I'm confused too now. When I played with AMSI, it was through the AMSI scan interface, and I remember there was a difference between using a byte-array input and string input. Maybe the sample only gets detected in the string version?
Soren Fritzboger, 15 Jan
Replying to @byt3bl33d3r @_RastaMouse
Not sure about the EICAR test string, but I did have success with the AMSI test sample inside a binary file. Put up a gist.
Soren Fritzboger, 14 Jan
Wrote a small post about embedding external DLLs into a Task in Covenant. Shout out to for Covenant and his willingness to help in the BloodHound Slack channel!
Soren Fritzboger, 30 Dec
Replying to @vm_call @alert_insecure
Calc or it's fake. Everybody knows that.
Soren Fritzboger retweeted
Carl Schou / vm, 21 Dec
Merry Christmas :-) Here's a (partial) write-up, where I have published solution details for the categories Reversing, Analysis and Boot2Root. The rest of the categories will be updated later on, but for now only contain the flags.
Soren Fritzboger, 10 Dec
I have been searching for a way to do this. This is a very elegant solution, and will definitely be useful in the near future. Well done!
Soren Fritzboger, 9 Dec
When did Mimikatz become a legitimate tool 🤔
Soren Fritzboger, 13 Nov
This is a very interesting use of API hooking. Well thought out!
Soren Fritzboger, 7 Nov
Replying to @NathanMcNulty @dooley_do and 3 others
I see your point. For anyone interested in this behavior, this post explains it very well. It also includes a script to map the integer values to FileSystemRights (and the comments have it in PowerShell).
Soren Fritzboger, 7 Nov
Replying to @NathanMcNulty @dooley_do and 3 others
As for the FileSystemRights, one of the following combinations should be enough: ChangePermissions, CreateFiles + WriteData, TakeOwnership, Write.
Soren Fritzboger, 7 Nov
Replying to @NathanMcNulty @dooley_do and 3 others
Doesn't this depend on your goals? If you want to do a full assessment of your AD, then yes, you need to check all groups. But if you just want a quick list of possible candidates, AUTHORITY\Authenticated Users should do just fine.
Soren Fritzboger, 6 Nov
Replying to @NathanMcNulty @dooley_do and 3 others
Should be fairly easy to modify the script to check the ACL for regular users instead of write access by the current user.
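The ACL discussion above (checking who can write to a path by inspecting the ACEs for a broad principal rather than testing the current user's access, and decoding the integer FileSystemRights values) is illustrated by the following added example. It is not the script referred to in the thread and not code from anyone in it; the list of broad principals, the set of bits treated as write-equivalent, and the paths passed in at the end are assumptions chosen for illustration.

```powershell
# Added example (not the script discussed in the thread). Lists ACEs on the
# given directories that grant a broad principal rights sufficient to modify
# the object or its permissions. Principal list is an assumption.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Individual FileSystemRights bits that amount to write access.
# CreateFiles and WriteData share the same bit (0x2); Write (0x116) and
# Modify are composites built from these, so testing the bits catches them too.
$WriteBits = [int]([System.Security.AccessControl.FileSystemRights]::WriteData) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::AppendData) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::Delete) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::ChangePermissions) -bor
             [int]([System.Security.AccessControl.FileSystemRights]::TakeOwnership)

# Generic rights show up in Get-Acl output as bare integers (e.g. 268435456,
# which is GENERIC_ALL) because the FileSystemRights enum has no name for them.
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) both imply write access.
$GenericWriteBits = 0x10000000 -bor 0x40000000

function Get-WritableByBroadPrincipal {
    param([string[]]$Path)

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            # Only Allow ACEs matter; Deny ACEs reduce access.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

            # Work on the raw mask so unnamed generic bits are not lost.
            $mask = [int]$ace.FileSystemRights
            $writable = (($mask -band $WriteBits) -ne 0) -or
                        (($mask -band $GenericWriteBits) -ne 0)
            if (-not $writable) { continue }

            [pscustomobject]@{
                Path      = $p
                Identity  = $ace.IdentityReference.Value
                Mask      = ('0x{0:X8}' -f $mask)
                # Named view of the specific and standard rights bits only.
                Rights    = [System.Security.AccessControl.FileSystemRights]($mask -band 0x1F01FF)
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: the paths below are an assumed starting set, not the thread's.
Get-WritableByBroadPrincipal -Path 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\Temp' |
    Format-Table -AutoSize
```

Filtering on the principal named in the ACE, rather than calling an access check as the current user, is what lets the same script run from an administrative session and still report what an ordinary authenticated user would be able to do; the raw mask is kept alongside the named rights so that entries carrying only generic bits are not silently dropped.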
Soren Fritzboger, 6 Nov
Replying to @mkolsek @wdormann
Yeah, 's script is very useful. I've used it a fair number of times.