Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

Nasreddine Bencherchali

@nas_bench

Feb 2, 2021 • 6 tweets • 7 min read • Read on X

@SwiftOnSecurity

Following @SwiftOnSecurity amazing thread (

https://twitter.com/SwiftOnSecurity/status/1312866698941300738

).

I’ve compiled some the tools mentioned in it with their corresponding links in the thread below (For reference and easy find).

1. Pressing the F5 key in notepad will insert a timestamp
2. RpcPing (docs.microsoft.com/en-us/windows-…)
3. Qwinsta (docs.microsoft.com/en-us/windows-…)
4. Log Parser Lizard (lizard-labs.com/log_parser_liz…)
5. Dependency Walker (dependencywalker.com)
6. Sysinternals (docs.microsoft.com/en-us/sysinter…)

7. Dependencies (github.com/lucasg/Depende…)
8. ngrep (github.com/jpr5/ngrep)
9. PowerToys (github.com/microsoft/Powe…)
10. Everything (voidtools.com)
11. clip.exe (docs.microsoft.com/en-us/windows-…)
12. CertAlert (certalert.net)
13. grepcidr

14. NirSoft Tools (nirsoft.net)
15. Joeware Tool (joeware.net/freetools/inde…)
16. mRemoteNG (mremoteng.org)
17. WinDirStat (bleepingcomputer.com/download/windi…)
18. topgrade (github.com/r-darwish/topg…)
19. ndiff (nmap.org/ndiff/)
20. natlas (github.com/natlas/natlas)

21. Araxis Merge (araxis.com/merge/index.en)
22. MobaXterm (mobaxterm.mobatek.net)
23. HTTPie (httpie.io)
24. debuggex (debuggex.com)
25. regex101 (regex101.com)
26. DocFetcher (docfetcher.sourceforge.net/en/index.html)

27. Jupyter Notebooks
28. Scoop (scoop.sh)
29. sift (sift-tool.org)

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @nas_bench

Nasreddine Bencherchali

@nas_bench

Jan 8

As we all know, true APTs and TAs avoid using "whoami" as its a sign of weakness.

So here is a thread of 14 examples of APTs and TAs executing it over the years.

MosesStaff By Checkpoint

1/🧵 research.checkpoint.com/2021/mosesstaf…

RATANKBA by TrendMicro

2/🧵 trendmicro.com/en_us/research…

OilRig by paloalto

3/🧵 unit42.paloaltonetworks.com/unit42-oilrig-…

Read 15 tweets

Nasreddine Bencherchali

@nas_bench

Jan 12, 2023

A lesser-known event log I recently found for tracking malicious AppX installations is the "Microsoft-Windows-AppXDeploymentServer/Operational". Here are a couple of ways how you can leverage it with some free SIGMA rules at the end. 🧵

EID 401 with ErrorCode "0x80073cff" (related to policy errors). This could indicate an attempt of installing unsigned packages that perhaps require sideloading to be enabled.

You can also use EID 400/401 with the field name "PackageFullName" similar to a hash. To potentially track known malicious package installations/attempts.

Read 6 tweets

Nasreddine Bencherchali

@nas_bench

Feb 6, 2022

EDRs/AVs sometimes trust certain locations or perform certain behavior when met with unexpected weirdness. Here are some ideas to check/test for, the next time you have some alone time with your solution

1/🧵

-EDRs often times are configured to send telemetry via a pulling mechanism or via batches that can't exceed certain sizes per X time. Generating a lot of benign events before starting the attack could temporarily blind the EDR console

2/

-Execution from the AV install/data location (programfiles/programdata) could be whitelisted by default
-Files exceeding a certain size or executed from certain depths might not get scanned
-A full "C:\" partition could yield weird behavior for an EDR/AV

3/

Read 5 tweets