#HuntingTipOfTheDay
Battle test your rules. Here is an incomplete detection rule for saving a specific registry key. How many ways can you come up with to bypass it? (reply!)
(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE
Here's how you play🕹️:
👇👇👇
Battle test your rules. Here is an incomplete detection rule for saving a specific registry key. How many ways can you come up with to bypass it? (reply!)
(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE
Here's how you play🕹️:
👇👇👇
1⃣ Go to regex101.com and paste the regex in.
2⃣ Develop test strings. A highlighted match means blueteam wins. Keep trying.
3⃣ Once you have a string with no match, verify the test string successfully dumps the regkey.
4⃣ 🍻
2⃣ Develop test strings. A highlighted match means blueteam wins. Keep trying.
3⃣ Once you have a string with no match, verify the test string successfully dumps the regkey.
4⃣ 🍻
This simulates an attack to dump the SAM database, but uses the HARDWARE keep to prevent you from flooding your SOC with benign alerts 😀
📎ired.team/offensive-secu…
📎ired.team/offensive-secu…
Extra credit:
5⃣ Improve the regex to catch your bypass
6⃣ Repeat
🟥Redteaming your rules helps the 🟦blueteam which is real 🟪purpleteaming 💪🧠
5⃣ Improve the regex to catch your bypass
6⃣ Repeat
🟥Redteaming your rules helps the 🟦blueteam which is real 🟪purpleteaming 💪🧠
• • •
Missing some Tweet in this thread? You can try to
force a refresh
