Share this page!

Stephan Berger Profile picture
Twitter logo
Apr 2 3 tweets 2 min read
#ThreatHunting: When investigating a potentially compromised Exchange server, one of the first steps I take is to search the MFT for .aspx files (with @velocidex's MFT Hunt, for example). Examine the results for suspicious file names or paths.
(1/3)

#CyberSecurity Image
The picture above shows different webshells that I identified within the first few minutes of the investigation.
(2/3)
This procedure also has the advantage of finding "hidden" web shells. Attackers can create a virtualDirectory that points to webshells in non-standard directories. Check the @HuntressLabs blog post about which configuration files to examine:

huntress.com/blog/rapid-res…
(3/3)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Mar 8
Many customers log process starts and executed programs in a SIEM, or have an EDR in use. Nevertheless, the question often arises: which product could one still buy? None at all! Best build-up detections with the existing logs. An example (🧵):

#CyberSecurity
#UACME (github.com/hfiref0x/UACME) lists a large set of UAC bypass techniques. Here is a (recent) overview of which techniques currently work and which do not: medium.com/falconforce/fa…

@falconforceteam
The file we use to bypass UAC is "Akagi64.exe" - either compile it yourself from the UACME repository or download it (at your own risk) from a public source. Use the upload task from #Covenant to upload the binary to the target host (given ofc that we already have a shell).
Read 14 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @malmoeb has new unrolls!

Check out other threads from @malmoeb!

Read all threads by @malmoeb

:(