
RECENT ARTICLES

BLOG

EDR Userland Hooking detection / Unhooking test

Updated on 2 Nov 2021 with the new SentinelOne version 21.6.2.272. A very small post about a little experiment I did in my lab. I've used the nice and interesting code of asaurusrex ( https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker ), which is a C++...

Sysmon Process Hollowing and Herpaderping detection

SysInternals did promise it, and they delivered. Version 13 of Sysmon now comes with Event ID 25, which detects process hollowing and herpaderping. This, of course, would mainly be used by attackers when targeting systems which have a GPO AppLocker policy in place...

Metasploit valid URL checksum8?

Following the really interesting article by Tek ( https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/ ), where he described how to get a valid URL for Cobalt Strike, I tried to check if it was the same for Metasploit, as he mentioned....

SentinelOne EDR misc information

Driver: SentinelMonitor, Altitude 389040
Services: Name=LogProcessorService; DisplayName=SentinelOne Agent Log Processing Service; ServiceName=LogProcessorService
Name=SecurityHealthService; DisplayName=Windows Security Service;...

IOC Vulnerable Drivers

You can download this CSV file here <====
SHA256 | Name | Signer | Description
---------------------------
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162 | ADV64DRV.sys | "FUJITSU LIMITED...

Shodan searches

Link for all options: https://beta.shodan.io/search/filters . Negated searches can be done with ! Searching via the API is even simpler and more powerful. Small example of a script to generate an IP list + certs of hosts that match the Cobalt Strike JARM signature. It will...