by frank | Feb 10, 2021 | AV, Blue Team, Security, Windows
Reading Time: < 1 minuteSysInternals, did promised it, and they delivered. Version 13 of Sysmon now comes with Id Event 25 which detects process hollowing and herpapining. This off course, would mainly be used by attackers when targeting systems which have a GPO...
by frank | Jan 8, 2021 | Blue Team, C2C, Security
Reading Time: < 1 minuteFollowing the really interesting article of Tek : https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/ Where he described how to get a valid URL for CobaltStrike, I tried to check if it was the same for...
by frank | Jan 5, 2021 | AV, Blue Team, Red team, Security, Windows
Reading Time: < 1 minuteDriver : SentinelMonitor Altitude 389040 Services: Name=LogProcessorService; DisplayName=SentinelOne Agent Log Processing Service; ServiceName=LogProcessorServiceName=SecurityHealthService; DisplayName=Windows Security Service;...
by frank | Jan 4, 2021 | AV, Blue Team, Red team, Security, Windows
Reading Time: 2 minutesYou can download this CSV file here <==== SHA256NameSignerDescription—————————04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162ADV64DRV.sys”FUJITSU LIMITED...
by frank | Dec 14, 2020 | Security
Reading Time: < 1 minuteLink for all options : https://beta.shodan.io/search/filters Negate searches can be done with ! Searching via the API is even more simpler and more powerfull. Small example of a script to generate IP list + certs of hosts that match...
by frank | Dec 14, 2020 | Security
Reading Time: < 1 minuteAdding this little extra check of JARM when checking a beacon alert (from RITA) Code can be found here :...
by frank | Dec 14, 2020 | Security
Reading Time: < 1 minuteThere are many sites who wrote about this TLS/SSL fingerprinting method. https://github.com/salesforce/ja3 https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a JA3 and JA3S are passive...
by frank | Nov 28, 2020 | Palo Alto, Red team, Security
Reading Time: < 1 minute With traps, there is the possibility to do Password Theft Protection against mimikatz. I’ve tested (on version 6.0.1.7362 ) and indeed, a dump of a lsass process can no longer be inspected by Mimikatz. Unfortunatly for clients, a good...
by frank | Nov 23, 2020 | Red team, Security, Windows
Reading Time: < 1 minutereg query HKLM\SYSTEM\CurrentControlSet\Services\regsvc HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvcType REG_DWORD 0x10Start REG_DWORD 0x3ErrorControl REG_DWORD 0x1ImagePath REG_EXPAND_SZ “C:\Program Files\Insecure...
by frank | Nov 23, 2020 | AV, Red team, Security, Windows
Reading Time: < 1 minuteA few techniques to avoid AV or EDR detection rundll32 C:\windows\system32\comsvcs.dll MiniDump “[LSASS_PID] dump.bin full” 2. procdump <process id> instead of the word lsass Signed Executable which can be used also 3....
Recent Comments