BLOG
JARM for XSOAR (demisto)
Adding this little extra check of JARM when checking a beacon alert (from RITA). Code can be found here: https://github.com/k4nfr3/xsoar-demisto-scripts
JA3 and JA3S or the new JARM
There are many sites that have written about this TLS/SSL fingerprinting method: https://github.com/salesforce/ja3 https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a JA3 and JA3S are passive fingerprints, whereas JARM...
Password Theft Protection
With Traps, there is the possibility to do Password Theft Protection against Mimikatz. I've tested it (on version 6.0.1.7362) and indeed, a dump of an lsass process can no longer be inspected by Mimikatz. Unfortunately for clients, a good red team would use pypykatz...
Privilege Escalation via the registry
reg query HKLM\SYSTEM\CurrentControlSet\Services\regsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvc
    Type            REG_DWORD       0x10
    Start           REG_DWORD       0x3
    ErrorControl    REG_DWORD       0x1
    ImagePath       REG_EXPAND_SZ   "C:\Program Files\Insecure Registry...
Dumping LSASS different ways
A few techniques to avoid AV or EDR detection
1. rundll32 C:\windows\system32\comsvcs.dll MiniDump "[LSASS_PID] dump.bin full"
2. procdump <process id> instead of the word lsass (a signed executable, which can also be used)
3. CiscoJabber: CiscoJabberProcessDump.exe (ps...
Volatility 3
git clone https://github.com/volatilityfoundation/volatility3.git
Then download the symbol table packs for the operating systems you need to analyze: https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip...