Other day I asked for large repos of detection rules here is the running list of responses.
Elastic - https://t.co/OwVwhHU3nZ
Sigma - https://t.co/LygEgGSBeB
Chronicle - https://t.co/4QqDyzJCWC
Splunk - https://t.co/csHzWFCpLE
Falcon Force -https://t.co/9cOd5elj3U
Bye-bye botnets👋 Huge global operation brings down the world's most dangerous malware.
Investigators have taken control of the Emotet botnet, the most resilient malware in the wild.
Get the full story: https://t.co/NMrBqmhMIf
a good #dfir remainder (CLR Usage Logs) of Lateral Movement via WinRM using .NET script to execute stuff on a target host (opsec wise won't harm to add this to cleanup routine after execution if any)
Got to see my favourite type of Incident Ticket today.
User got suspicious email, reported it because when they followed the link it went to a sign in page but "none of their corporate credentials worked"
For added value, service desk closed ticket cos it wasn't a supported site
PEzor v2 — New Output Formats and Cobalt Strike Integration
Cobalt Strike's execute-assembly lets operators run .NET assemblies without touching the disk. But wouldn’t be nice if we could execute arbitrary executables too with the same ease?
https://t.co/BbW5LyM6E8
People are sharing lolbin POCs.
here goes from my side :)
Open MSPaint
Navigate to below mentioned functional path:
File -> Open -> "File name" (All Files)
Specify the file HTTP file path URL. wait for error message.
And get the download file path in error message :)
I decided to write a new shellcode self-injector (Injector.Win64.HellsGate) in x64 Microsoft Macro Assembler (MASM) to learn the language.
If you are interested you can have a look here: https://t.co/vHAUjan0XX
'Removing Kernel Callbacks Using Signed Drivers' - I just released a write-up and tool to blind all EDRs on a system. Many thanks to @matterpreter@gentilkiwi@Jackson_T@SpecterOps@FuzzySec for previous excellent work. Writeup at https://t.co/Sij8hfKLiw
Built some automation to help with DLL hijack discovery and found hijacks in Microsoft Teams, Slack, and VSCode. I dig into building the automation, the root cause of shared DLL hijacks b/t applications, and an interesting discovery in the NetShare* APIs!
https://t.co/RVA9lWBnzT
Check out a new tool I just released! An asynchronous password spraying tool in C# for Windows environments that takes into consideration fine grained password policies and can be ran over Cobalt Strike's execute-assembly. https://t.co/5xNkmGvcdr
Releasing another side-project: CursedChrome. A Chrome-extension implant that turns victim Chrome browsers into HTTP proxies. Using these proxies you can browse the web authenticated as your victims for all of their websites. Setup takes only 5-10 mins 👍
https://t.co/CskjvN0vLE