#redteam quick tip: if you want to execute stuff via WMI (local/remote) without bringing much attention, stage your scripts, payloads etc. in the c:\windows\ccmcache\<number>\ folder and you will be fine; below, a live legit exec on my laptop (and I see this a lot in # env)
Want to bypass Startup folder file write monitoring?
1) rename "Startup" folder
2) drop the target file in the renamed startup folder
3) rename it back to "Startup"
#redteam tuning tip: if you plan to drop a dll and load it directly via macro from within Office (winword or excel), use the following path: %localappdata%\assembly\tmp\<rand>\a.b.c.dll (it's a busy tmp folder and I doubt EDRs will notify on every file creation in that folder)
Opening a password-protected zip file using Windows Explorer generates a credman event 5379 with Target "Microsoft_Windows_Shell_ZipFolder:filename=zip_fil_path".
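As an added defender-side example (not code from the original post), the Python below takes constructed credman event records, keeps only event 5379, and pulls the archive path out of the Target Name format the post describes; the record field names (EventID, SubjectUserName, TargetName) are assumptions modelled on how a SIEM typically flattens the event's Subject and Target Name fields.

```python
import re
from typing import Dict, List, Optional, Tuple

# Event 5379: "Credential Manager credentials were read"
EVENT_ID_CREDMAN_READ = 5379

# Target Name written by Explorer when it caches a zip-folder password;
# everything after "filename=" is the archive path.
_ZIP_TARGET_RE = re.compile(
    r"^Microsoft_Windows_Shell_ZipFolder:filename=(?P<path>.+)$"
)


def zip_path_from_target(target_name: str) -> Optional[str]:
    """Return the archive path encoded in a 5379 Target Name, or None
    when the target is some other Credential Manager entry."""
    match = _ZIP_TARGET_RE.match(target_name.strip())
    return match.group("path") if match else None


def find_zip_opens(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (account, zip_path) for every 5379 record whose target is an
    Explorer zip-folder credential; other event IDs and other credential
    targets are ignored. Field names are assumed, not a Windows API."""
    hits = []
    for ev in events:
        if ev.get("EventID") != EVENT_ID_CREDMAN_READ:
            continue
        path = zip_path_from_target(ev.get("TargetName", ""))
        if path is not None:
            hits.append((ev.get("SubjectUserName", "?"), path))
    return hits


# Constructed sample records (not real logs): one zip-folder read, one
# unrelated credential read, and one unrelated event ID.
SAMPLE_EVENTS = [
    {"EventID": 5379, "SubjectUserName": "alice",
     "TargetName": "Microsoft_Windows_Shell_ZipFolder:filename="
                   "C:\\Users\\alice\\Downloads\\invoice.zip"},
    {"EventID": 5379, "SubjectUserName": "alice",
     "TargetName": "LegacyGeneric:target=example-vpn"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "TargetName": ""},
]

if __name__ == "__main__":
    for account, zip_path in find_zip_opens(SAMPLE_EVENTS):
        print(f"{account} opened password-protected archive {zip_path}")
```

The same extraction can be pointed at real 5379 records exported from the Security log; the hit list then tells you which user opened which protected archive and when.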
Highly likely it's already out there: a cool backdoor opsec feature is to embed a free VT API key and check (once a day) for its hash; if there are more than x matches, automatically uninstall.
Just a little mindmap summarizing this great write-up of several ways that can be used to elevate privs from sensitive-priv to system:
github.com/hatRiot/token-…
The most difficult thing to learn in infosec is focusing on one thing (including resisting the unplanned/unexpected things you encounter while working on that one thing) :D