Nasreddine Bencherchali Profile picture
Feb 2, 2021 6 tweets 7 min read Read on X
Following @SwiftOnSecurity amazing thread ().

I’ve compiled some the tools mentioned in it with their corresponding links in the thread below (For reference and easy find).
1. Pressing the F5 key in notepad will insert a timestamp
2. RpcPing (docs.microsoft.com/en-us/windows-…)
3. Qwinsta (docs.microsoft.com/en-us/windows-…)
4. Log Parser Lizard (lizard-labs.com/log_parser_liz…)
5. Dependency Walker (dependencywalker.com)
6. Sysinternals (docs.microsoft.com/en-us/sysinter…)
7. Dependencies (github.com/lucasg/Depende…)
8. ngrep (github.com/jpr5/ngrep)
9. PowerToys (github.com/microsoft/Powe…)
10. Everything (voidtools.com)
11. clip.exe (docs.microsoft.com/en-us/windows-…)
12. CertAlert (certalert.net)
13. grepcidr
14. NirSoft Tools (nirsoft.net)
15. Joeware Tool (joeware.net/freetools/inde…)
16. mRemoteNG (mremoteng.org)
17. WinDirStat (bleepingcomputer.com/download/windi…)
18. topgrade (github.com/r-darwish/topg…)
19. ndiff (nmap.org/ndiff/)
20. natlas (github.com/natlas/natlas)
21. Araxis Merge (araxis.com/merge/index.en)
22. MobaXterm (mobaxterm.mobatek.net)
23. HTTPie (httpie.io)
24. debuggex (debuggex.com)
25. regex101 (regex101.com)
26. DocFetcher (docfetcher.sourceforge.net/en/index.html)
27. Jupyter Notebooks
28. Scoop (scoop.sh)
29. sift (sift-tool.org)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Nasreddine Bencherchali

Nasreddine Bencherchali Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @nas_bench

Jan 8
As we all know, true APTs and TAs avoid using "whoami" as its a sign of weakness.

So here is a thread of 14 examples of APTs and TAs executing it over the years.

MosesStaff By Checkpoint

1/🧵 research.checkpoint.com/2021/mosesstaf…
Image
RATANKBA by TrendMicro

2/🧵 trendmicro.com/en_us/research…
Image
Read 15 tweets
Jan 12, 2023
A lesser-known event log I recently found for tracking malicious AppX installations is the "Microsoft-Windows-AppXDeploymentServer/Operational". Here are a couple of ways how you can leverage it with some free SIGMA rules at the end. 🧵
EID 401 with ErrorCode "0x80073cff" (related to policy errors). This could indicate an attempt of installing unsigned packages that perhaps require sideloading to be enabled.
You can also use EID 400/401 with the field name "PackageFullName" similar to a hash. To potentially track known malicious package installations/attempts.
Read 6 tweets
Feb 6, 2022
EDRs/AVs sometimes trust certain locations or perform certain behavior when met with unexpected weirdness. Here are some ideas to check/test for, the next time you have some alone time with your solution

1/🧵
-EDRs often times are configured to send telemetry via a pulling mechanism or via batches that can't exceed certain sizes per X time. Generating a lot of benign events before starting the attack could temporarily blind the EDR console

2/
-Execution from the AV install/data location (programfiles/programdata) could be whitelisted by default
-Files exceeding a certain size or executed from certain depths might not get scanned
-A full "C:\" partition could yield weird behavior for an EDR/AV

3/
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(