Discover and read the best of Twitter Threads about #HuntingTipOfTheDay

Most recents (2)

Profile picture
John Lambert
@JohnLaTwC
#HuntingTipOfTheDay
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.

Came across this interesting command. What is it doing? 🤔
It certainly seems to be mucking with the event log, given the security parameter, it seems clear it's interested in the Windows security event log.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.
How can we find out more about this tool? The tool name (comrelg.exe) is faked🤥 and the hash didn't lead anywhere and I didn't have a copy of the sample. (set aside pivoting on imphash etc for now🧠)
Read 8 tweets
Profile picture
John Lambert
@JohnLaTwC
#HuntingTipOfTheDay
Battle test your rules. Here is an incomplete detection rule for saving a specific registry key. How many ways can you come up with to bypass it? (reply!)

(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE

Here's how you play🕹️:
👇👇👇
1⃣ Go to regex101.com and paste the regex in.
2⃣ Develop test strings. A highlighted match means blueteam wins. Keep trying.
3⃣ Once you have a string with no match, verify the test string successfully dumps the regkey.
4⃣ 🍻
This simulates an attack to dump the SAM database, but uses the HARDWARE keep to prevent you from flooding your SOC with benign alerts 😀
📎ired.team/offensive-secu…
Read 4 tweets

Related hashtags

#HuntingTipOfTheDay #DFIR #VirusTotal #infosec

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!