Share this page!

John Lambert Profile picture
Twitter logo
21 Aug, 5 tweets, 2 min read
True #DFIR Tales
πŸ‘‡πŸ‘‡πŸ‘‡

β€’ β€’ β€’

Missing some Tweet in this thread? You can try to force a refresh
γ€€

Keep Current with John Lambert

John Lambert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @JohnLaTwC

John Lambert Profile picture
8 Sep
#HuntingTipOfTheDay
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.

Came across this interesting command. What is it doing? πŸ€”
It certainly seems to be mucking with the event log, given the security parameter, it seems clear it's interested in the Windows security event log.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.
How can we find out more about this tool? The tool name (comrelg.exe) is fakedπŸ€₯ and the hash didn't lead anywhere and I didn't have a copy of the sample. (set aside pivoting on imphash etc for now🧠)
Read 8 tweets
John Lambert Profile picture
22 Aug
Some of my #infosec infographics in one thread
πŸ‘‡πŸ‘‡πŸ‘‡
Adversaries need credentials more than malware. Avoid the sins of Windows credential administration
πŸ“Ž
Attackers seek to turn illegitimate access into legitimate access. Find them after they submerge.
πŸ“Ž
Read 10 tweets
John Lambert Profile picture
27 Jul
#HuntingTipOfTheDay
Battle test your rules. Here is an incomplete detection rule for saving a specific registry key. How many ways can you come up with to bypass it? (reply!)

(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE

Here's how you playπŸ•ΉοΈ:
πŸ‘‡πŸ‘‡πŸ‘‡
1⃣ Go to regex101.com and paste the regex in.
2⃣ Develop test strings. A highlighted match means blueteam wins. Keep trying.
3⃣ Once you have a string with no match, verify the test string successfully dumps the regkey.
4⃣ 🍻
This simulates an attack to dump the SAM database, but uses the HARDWARE keep to prevent you from flooding your SOC with benign alerts πŸ˜€
πŸ“Žired.team/offensive-secu…
Read 4 tweets
John Lambert Profile picture
11 Oct 20
Some very interesting XLLs in the wild (#blueteam take note!). Will link to some research in this thread. This one loads a payload from an embedded resource and displays a decoy message.
πŸ“Žvirustotal.com/gui/file/1994a…
πŸŽπŸŽ‡joesandbox.com/analysis/21041… ImageImageImageImage
This XLL decodes a Base64 string using CryptStringToBinary and uses the Nt APIs to jump to it.
πŸ“Žvirustotal.com/gui/file/5644a… ImageImageImage
Some links for research:
πŸ‘‹πŸŒgithub.com/edparcell/Hell…
πŸ”™πŸšͺlabs.f-secure.com/archive/add-in…
πŸ“„gist.github.com/ryhanson/22722…
πŸ“Ž
🎁github.com/moohax/xllpoc
cc/ @buffaloverflow @moo_hax @ryHanson @FSecureLabs
Read 13 tweets
John Lambert Profile picture
14 Sep 20
Want to see the most beautiful equation in math? I’ll show you. It starts with the Roots of Unity.
Image
Image
Read 14 tweets
John Lambert Profile picture
29 Jul 20
"The best way to show that a stick is crooked is not to argue about it or to spend time denouncing it, but to lay a straight stick alongside it"
― D.L. Moody
"There is no love, there are only proofs of love"
― Pierre Reverdy
"When the student is ready, the teacher will appear"
― various
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @JohnLaTwC has new unrolls!

Check out other threads from @JohnLaTwC!

Read all threads by @JohnLaTwC

:(