#HuntingTipOfTheDay
Battle test your rules. Here is an incomplete detection rule for saving a specific registry key. How many ways can you come up with to bypass it? (reply!)
(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE
Here's how you play🕹️:
👇👇👇
1⃣ Go to regex101.com and paste the regex in.
2⃣ Develop test strings. A highlighted match means blueteam wins. Keep trying.
3⃣ Once you have a string with no match, verify the test string successfully dumps the regkey.
4⃣ 🍻
This simulates an attack to dump the SAM database, but uses the HARDWARE key to prevent you from flooding your SOC with benign alerts 😀
📎ired.team/offensive-secu…
Extra credit:
5⃣ Improve the regex to catch your bypass
6⃣ Repeat
🟥Redteaming your rules helps the 🟦blueteam which is real 🟪purpleteaming 💪🧠
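A small regression harness for steps 2, 5 and 6 of the thread, added here as an example and not part of the original tweet. It runs the tweet's regex and a tightened variant over a constructed list of command lines, each labelled with whether the rule is supposed to fire, and reports the misses (red team wins) and false positives. The tightened pattern, the test strings and the function names are all assumptions made for this illustration; the only things taken from the thread are the original regex and the HARDWARE key.

```python
import re

# The rule under test, copied verbatim from the tweet (deliberately incomplete).
ORIGINAL_RULE = r"(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE"

# A tightened version written for this example (not from the thread). It:
#  - accepts a bare or full-path reg / reg.exe binary, optionally quoted
#  - accepts either hive alias, HKLM or HKEY_LOCAL_MACHINE
#  - tolerates optional quotes around the key path
IMPROVED_RULE = r"""(?ix)
    (?:^|[\\/\s"'])            # start of line, path separator, whitespace or quote before the binary
    reg(?:\.exe)?["']?\s+      # reg or reg.exe, optional closing quote, then whitespace
    save\s+
    ["']?(?:hklm|hkey_local_machine)\\hardware\b
"""

# Constructed regression cases: (command line, should the rule fire?).
# The True cases are syntactic variants of saving the benign HARDWARE key;
# the False cases are look-alikes the rule must leave alone.
CASES = [
    (r"reg save hklm\HARDWARE C:\temp\hw.hiv", True),
    (r"reg.exe save HKLM\HARDWARE out.hiv", True),
    (r"C:\Windows\System32\reg.exe save HKEY_LOCAL_MACHINE\HARDWARE out.hiv", True),
    (r'reg save "hklm\HARDWARE" out.hiv', True),
    (r"reg query hklm\HARDWARE", False),
    (r"reg save hklm\SOFTWARE\Example out.hiv", False),
]


def evaluate(rule, cases):
    """Return (command, expected, matched) for every case under the given rule."""
    pattern = re.compile(rule)
    return [(cmd, expected, pattern.search(cmd) is not None) for cmd, expected in cases]


def misses(rule, cases):
    """Command lines the rule should catch but does not: the red team's wins."""
    return [cmd for cmd, expected, matched in evaluate(rule, cases) if expected and not matched]


def false_positives(rule, cases):
    """Command lines the rule fires on although it should not: SOC noise."""
    return [cmd for cmd, expected, matched in evaluate(rule, cases) if matched and not expected]


def report(name, rule, cases):
    """Print a one-screen scorecard for a rule (step 2 of the thread, automated)."""
    print(f"== {name} ==")
    for cmd, expected, matched in evaluate(rule, cases):
        verdict = "ok  " if matched == expected else "FAIL"
        print(f"  {verdict} match={matched!s:5} expected={expected!s:5} {cmd}")
    print(f"  misses: {len(misses(rule, cases))}, false positives: {len(false_positives(rule, cases))}")


if __name__ == "__main__":
    report("original rule", ORIGINAL_RULE, CASES)
    report("improved rule", IMPROVED_RULE, CASES)
```

Keep CASES as the rule's permanent unit test: every time a new string slips past the rule, add it with `True`, tighten the pattern until `misses()` is empty, then re-run to confirm `false_positives()` is still empty so the fix did not buy coverage at the cost of SOC noise.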