#HuntingTipOfTheDay
Battle test your rules. Here is an incomplete detection rule for saving a specific registry key. How many ways can you come up with to bypass it? (reply!)

(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE

Here's how you play🕹️:
👇👇👇
1⃣ Go to regex101.com and paste the regex in.
2⃣ Develop test strings. A highlighted match means blueteam wins. Keep trying.
3⃣ Once you have a string with no match, verify the test string successfully dumps the regkey.
4⃣ 🍻
This simulates an attack to dump the SAM database, but uses the HARDWARE key to prevent you from flooding your SOC with benign alerts 😀
📎ired.team/offensive-secu…
Extra credit:
5⃣ Improve the regex to catch your bypass
6⃣ Repeat
🟥Redteaming your rules helps the 🟦blueteam which is real 🟪purpleteaming 💪🧠
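Steps 2 through 5 as a small offline harness, added here as an example and not part of the thread: it runs the thread's regex over a constructed corpus of command lines labelled "should alert" or "benign", reports false negatives and false positives, and does the same for an improved regex written for this example (the improved pattern and the corpus are assumptions, not the author's; the improved rule is still not exhaustive).

```python
import re

# Regex copied verbatim from the thread (deliberately incomplete).
ORIGINAL_RULE = r"(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE"

# Improved variant written for this example (assumption, not from the thread):
# word boundary before "reg", optional ".exe", optional quote before the key,
# and the full hive name as an alias for hklm.
IMPROVED_RULE = (
    r"(?i)\breg(\.exe)?\s+save\s+[\"']?(hklm|hkey_local_machine)\\hardware"
)

# Constructed test corpus: (command line, should the rule alert?)
CORPUS = [
    ("reg save hklm\\HARDWARE C:\\temp\\hw.hiv", True),
    ("reg.exe save HKLM\\hardware hw.hiv", True),
    ("C:\\Windows\\System32\\reg.exe save HKLM\\HARDWARE hw.hiv", True),
    ('reg save "HKLM\\HARDWARE" hw.hiv', True),           # quoted key
    ("reg save HKEY_LOCAL_MACHINE\\HARDWARE hw.hiv", True),  # full hive name
    ("reg query hklm\\HARDWARE", False),                  # read, not a dump
    ("regedit /e hw.reg", False),                         # different tool
]


def evaluate(rule, corpus):
    """Return [(command, 'false negative' | 'false positive'), ...] for a rule."""
    pattern = re.compile(rule)
    misses = []
    for cmd, should_alert in corpus:
        matched = pattern.search(cmd) is not None
        if matched != should_alert:
            kind = "false negative" if should_alert else "false positive"
            misses.append((cmd, kind))
    return misses


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("improved", IMPROVED_RULE)):
        misses = evaluate(rule, CORPUS)
        print(f"{name}: {len(misses)} miss(es)")
        for cmd, kind in misses:
            print(f"  {kind}: {cmd}")
```

Each evasion you find goes into CORPUS with `True`, and each benign command you expect to see in telemetry goes in with `False`, so the improved rule is checked against both directions at once.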
