Our @BlackHatEvents talk is over (and went great!) and now's a good time to share everything about our research!
Our research process is detailed in this blog post, go give it a read and let @peleghd and I know if you have any questions & thoughts!
guardicore.com/labs/hafl1-our…
Information about the RCE vulnerability we found with #hAFL1 can be found here >>
guardicore.com/labs/critical-…
Last but not least - today we open sourced #hAFL1! It's there for you to experiment with. Feel free to reach out to @peleghd or me for technical support 😛
github.com/SB-GC-Labs/hAF…
Come meet me at @BlackHatEvents by @Guardicore's booth or by the pool. See ya 😎

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Ophir Harpaz

Ophir Harpaz Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @OphirHarpaz

6 Sep 20
There's a tricky way to create a new user on a Windows host without it being displayed by the "net" utility. This is something @Ben0xA tweeted about very recently.
I wanted to find out why a user named "$" is not shown, and here's what I learned :) [1/5]
net.exe checks if the username contains a dollar sign. If it does, *and* the dollar sign appears at the end -- the username is not printed but simply skipped. This is probably because ending an account name with "$" may indicate a computer name, and not a human user. [2/5]
In Powershell, usernames ending with $ *do* show in the output of Get-LocalUser cmdlet, although Powershell uses the same source - SAM's (Security Account Manager) user enumeration. It simply doesn't use the "$-at-the-end" heuristic, and displays all user objects returned. [3/5]
Read 5 tweets
1 Jan 20
I wanted to write a blog post but Twitter is more fun so let's do it here.
Here's my 2019.
I left a job and started a new one at @Guardicore, which is today a true home to me.
I joined a team of professionals. and friends. People whose faces I just love seeing every day >>
I gave talks in 4 different countries on 3 different topics.
Taught a Threat Hunting workshop.
Co-organized @Baot_IL's technical blogging events, making tens of technical blog posts written by women reach the internet.
Pushed women to submit their first abstract to conferences >>
I reversed binaries,
Analyzed procmon traces and pcaps,
Parsed MSIs,
Hacked whatever,
Did data analysis (yes, me, I swear)
Wrote hell lot of code (compared to what I usually tolerate),
Got better at coding, debugging, scaling, designing, reversing, hunting, investigating >>
Read 7 tweets
16 Oct 19
[1/4] Ok this is really funny, check this out.
I was in the process of booking a flight via @OneTravel. Trying to make me book ASAP, they claimed: "38 people are looking at this flight".
Whoa, 38 is a lot, I have to hurry up. But first I have to check how they came up with 38 >>
[2/4] Right click and a quick "inspect" on the number, I found out the element's class name is "view_notification_random".
Awesome variable naming guys.
So you're _randomly_ trying to freak me out. Alright >>
[3/4] So what's your sophisticated pseudo-random algorithm?
Apparently, OneTravel are choosing a number between 28 and 45.
Because as you all know, based on serious psychological research, these numbers tend to make people book their flights fast #sarcasm #not42 >>
Read 4 tweets
3 Jul 19
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

:(