There's a tricky way to create a new user on a Windows host without it being displayed by the "net" utility. This is something @Ben0xA tweeted about very recently.
I wanted to find out why a user named "$" is not shown, and here's what I learned :) [1/5]
net.exe checks if the username contains a dollar sign. If it does, *and* the dollar sign appears at the end -- the username is not printed but simply skipped. This is probably because ending an account name with "$" may indicate a computer name, and not a human user. [2/5]
In PowerShell, usernames ending with $ *do* show in the output of the Get-LocalUser cmdlet, although PowerShell uses the same source - SAM's (Security Account Manager) user enumeration. It simply doesn't use the "$-at-the-end" heuristic, and displays all user objects returned. [3/5]
Attackers know this nice, silent backdoor (@PashaGur, this should answer your question); @Guardicore's sensors captured 30 different usernames ending with $ created as part of attacks, 5 of them this year.
Here's one example of such an attack - threatintelligence.guardicore.com/ip/14.241.36.30 [4/5]
There are more thorough ways - PowerShell is just one of them - to list user accounts on your host than running "net user". Choose them :) [5/5]
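As an added example (not code from the original thread), the PowerShell below lists local accounts from SAM via Get-LocalUser, cross-checks the names against the Win32_UserAccount CIM class as a second view, and flags every name that ends in "$", i.e. the ones net.exe silently skips. It assumes a Windows host with the LocalAccounts module available (PowerShell 5.1, or PowerShell 7 on Windows); the function name is my own.

```powershell
# Added example, not part of the original thread.
# Enumerate local accounts straight from SAM (the source "net user" also reads)
# and flag names ending in "$", which net.exe skips as "probably a computer account".
function Get-LocalAccountAudit {
    [CmdletBinding()]
    param()

    # Source 1: SAM via the LocalAccounts module - no "$"-suffix filtering here.
    $samUsers = Get-LocalUser

    # Source 2: CIM, limited to local (non-domain) accounts, as an independent view.
    $cimNames = (Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE").Name

    foreach ($u in $samUsers) {
        [pscustomobject]@{
            Name              = $u.Name
            Enabled           = $u.Enabled
            SID               = $u.SID.Value
            LastLogon         = $u.LastLogon
            HiddenFromNetUser = $u.Name.EndsWith('$')   # the heuristic net.exe applies
            SeenInCim         = ($cimNames -contains $u.Name)
        }
    }
}

# Report every account, with the "$"-suffixed ones first.
$audit = Get-LocalAccountAudit | Sort-Object -Property HiddenFromNetUser -Descending
$audit | Format-Table -AutoSize

# Anything flagged here is worth a second look: a human did not need that suffix.
$hidden = @($audit | Where-Object { $_.HiddenFromNetUser })
if ($hidden.Count -gt 0) {
    $names = $hidden.Name -join ', '
    Write-Warning ('{0} local account(s) end with $ and will not appear in "net user": {1}' -f $hidden.Count, $names)
}
```

Run it from an elevated prompt so Get-LocalUser can read every SAM entry; a legitimate Windows computer account lives in Active Directory, not in a workstation's local SAM, so a "$"-suffixed *local* user is the signal the thread is describing.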
I swear I couldn't find one place in the internet where #PetitPotam is explained in a way that I can truly understand it. So I'm dumping the attack flow here as a future reference for myself. If any of you finds it useful - good. If any of you wishes to add - comment. 1/7
The attack starts when an attacker, from her controlled machine, triggers a (possibly privileged) Windows host to authenticate to *her*. She does it by requesting EFS-RPC - Encrypted File System service - to open a remote file on her own machine. No domain creds are needed! 2/7
Technically speaking, the attacker invokes EfsRpcOpenFileRaw, specifying a file path that points to her remote machine:
'\\<attacker_address>\test\Settings.ini'
(from @topotam77's PoC github.com/topotam/PetitP…)
This is basically the essence of #PetitPotam. 3/7
Our @BlackHatEvents talk is over (and went great!) and now's a good time to share everything about our research!
Our research process is detailed in this blog post, go give it a read and let @peleghd and me know if you have any questions & thoughts! guardicore.com/labs/hafl1-our…
Last but not least - today we open sourced #hAFL1! It's there for you to experiment with. Feel free to reach out to @peleghd or me for technical support 😛 github.com/SB-GC-Labs/hAF…
I wanted to write a blog post but Twitter is more fun so let's do it here.
Here's my 2019.
I left a job and started a new one at @Guardicore, which is today a true home to me.
I joined a team of professionals. and friends. People whose faces I just love seeing every day >>
I gave talks in 4 different countries on 3 different topics.
Taught a Threat Hunting workshop.
Co-organized @Baot_IL's technical blogging events, making tens of technical blog posts written by women reach the internet.
Pushed women to submit their first abstract to conferences >>
I reversed binaries,
Analyzed procmon traces and pcaps,
Parsed MSIs,
Hacked whatever,
Did data analysis (yes, me, I swear)
Wrote a hell of a lot of code (compared to what I usually tolerate),
Got better at coding, debugging, scaling, designing, reversing, hunting, investigating >>
[1/4] Ok this is really funny, check this out.
I was in the process of booking a flight via @OneTravel. Trying to make me book ASAP, they claimed: "38 people are looking at this flight".
Whoa, 38 is a lot, I have to hurry up. But first I have to check how they came up with 38 >>
[2/4] After a right click and a quick "inspect" on the number, I found out the element's class name is "view_notification_random".
Awesome variable naming guys.
So you're _randomly_ trying to freak me out. Alright >>
[3/4] So what's your sophisticated pseudo-random algorithm?
Apparently, OneTravel are choosing a number between 28 and 45.
Because as you all know, based on serious psychological research, these numbers tend to make people book their flights fast #sarcasm #not42 >>
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our GitHub repository. In addition, malicious IPs, attack servers and domains appear on the @Guardicore Cyber Threat Intelligence portal. You're welcome to take a look :) threatintelligence.guardicore.com/?utm_medium=or… github.com/guardicore/lab…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
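Since the MS-SQL flow hinges on xp_cmdshell being switched on, a defender's first check is whether it is enabled on their instances. The PowerShell below is an added example (not from the thread or Guardicore's repository): it reads the `xp_cmdshell` row from `sys.configurations` through the in-box System.Data.SqlClient provider and, with `-Disable`, turns it back off via `sp_configure`. The function name and the `-ServerInstance` placeholder are my own assumptions; it uses Windows integrated authentication, and disabling needs a login with ALTER SETTINGS (e.g. sysadmin).

```powershell
# Added example, not part of the original thread.
# Report (and optionally disable) xp_cmdshell on a SQL Server instance.
function Get-XpCmdShellState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ServerInstance,  # placeholder, e.g. 'localhost\SQLEXPRESS'
        [switch]$Disable
    )

    # Integrated auth; Encrypt/TrustServerCertificate are the common lab settings.
    $connString = "Server=$ServerInstance;Integrated Security=True;Encrypt=True;TrustServerCertificate=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()

        # value_in_use is the effective setting (value may be a pending RECONFIGURE).
        $cmd.CommandText = "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
        $enabled = ([int]$cmd.ExecuteScalar()) -eq 1

        $changed = $false
        if ($enabled -and $Disable) {
            # xp_cmdshell is an advanced option, so show advanced options must be on
            # for this session before sp_configure will touch it.
            $cmd.CommandText = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@
            $null = $cmd.ExecuteNonQuery()
            $changed = $true
            $enabled = $false
        }

        [pscustomobject]@{
            ServerInstance    = $ServerInstance
            XpCmdShellEnabled = $enabled
            DisabledByThisRun = $changed
            CheckedAt         = (Get-Date).ToUniversalTime()
        }
    }
    finally {
        $conn.Close()
    }
}

# Audit only:
Get-XpCmdShellState -ServerInstance 'localhost\SQLEXPRESS'
# Audit and remediate:
# Get-XpCmdShellState -ServerInstance 'localhost\SQLEXPRESS' -Disable
```

Pair the check with alerting on the configuration change itself: a sudden `xp_cmdshell` enable on a server that never needed it is exactly the single command line this thread says kicks off the rest of the attack.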