Here is a fun #persistence technique to use if WSL is installed.

Execute "wsl --user root vi /etc/cron.d/persist" (or use an existing one)

Add your command "*/1 * * * * root /mnt/c/Windows/System32/calc.exe"

Start cron service "wsl --user root service cron start"
Processes created from this will be children of the "wslhost.exe" process, so use that parent for detection.
For DFIR you can check the file system as described here.
You can also check the mounted system live from the special WSL share \\wsl.localhost\<distro-name>\
This technique was part of a discussion we had about WSL/VHDX files during our usual detection meeting. It yielded some good results.
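As an added example (not from the thread), here is a small Python checker for the DFIR step above: it parses /etc/cron.d-style files, whether read from the extracted distro filesystem or from the \\wsl.localhost\<distro-name>\ share, and flags jobs whose command runs something under the /mnt/<drive>/ DrvFs mount, i.e. a Windows binary launched from the WSL side. The sample file is constructed for the demo.

```python
import re

# Constructed sample /etc/cron.d file (not taken from the thread); the last
# entry mirrors the calc.exe job the thread describes.
SAMPLE_CRON_D = """\
# /etc/cron.d/persist  (constructed sample)
SHELL=/bin/sh
PATH=/usr/bin:/bin
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
@reboot   root /usr/local/bin/backup.sh
*/1 * * * * root /mnt/c/Windows/System32/calc.exe
"""

# Cron "special strings" that may replace the five schedule fields.
SPECIALS = {"@reboot", "@yearly", "@annually", "@monthly",
            "@weekly", "@daily", "@midnight", "@hourly"}
# A path that reaches the Windows side through the DrvFs mount (/mnt/c/...).
DRVFS = re.compile(r"(?<![\w/])/mnt/[a-z]/", re.IGNORECASE)

def parse_cron_d(text):
    """Return (schedule, user, command) tuples for each job in a system
    crontab (/etc/cron.d format has a user column, unlike a user crontab).
    Comments, blank lines and VAR=value assignments are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # environment assignment such as SHELL=/bin/sh
        if line.startswith("@"):
            parts = line.split(None, 2)  # special, user, command
            if len(parts) < 3 or parts[0] not in SPECIALS:
                continue
            schedule, user, cmd = parts
        else:
            parts = line.split(None, 6)  # 5 schedule fields, user, command
            if len(parts) < 7:
                continue
            schedule, user, cmd = " ".join(parts[:5]), parts[5], parts[6]
        jobs.append((schedule, user, cmd))
    return jobs

def suspicious_jobs(text):
    """Jobs whose command executes something from /mnt/<drive>/."""
    return [j for j in parse_cron_d(text) if DRVFS.search(j[2])]

if __name__ == "__main__":
    for sched, user, cmd in suspicious_jobs(SAMPLE_CRON_D):
        print(f"[!] {user} @ {sched}: {cmd}")
```

Run it over every file under /etc/cron.d (and /etc/crontab) of each distro; an entry that runs a Windows executable every minute as root is exactly the shape the thread describes.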

More from @nas_bench

Jan 12
A lesser-known event log I recently found for tracking malicious AppX installations is "Microsoft-Windows-AppXDeploymentServer/Operational". Here are a couple of ways you can leverage it, with some free SIGMA rules at the end. 🧵
EID 401 with ErrorCode "0x80073cff" (related to policy errors) could indicate an attempt to install unsigned packages that perhaps require sideloading to be enabled.
You can also use EID 400/401 with the "PackageFullName" field, similar to a hash, to potentially track known malicious package installations/attempts.
Read 6 tweets
Feb 6, 2022
EDRs/AVs sometimes trust certain locations or perform certain behavior when met with unexpected weirdness. Here are some ideas to check/test for, the next time you have some alone time with your solution

1/🧵
-EDRs are often configured to send telemetry via a pulling mechanism or in batches that can't exceed a certain size per X time. Generating a lot of benign events before starting the attack could temporarily blind the EDR console

2/
-Execution from the AV install/data location (programfiles/programdata) could be whitelisted by default
-Files exceeding a certain size or executed from certain depths might not get scanned
-A full "C:\" partition could yield weird behavior for an EDR/AV

3/
Read 5 tweets
Feb 2, 2021
Following @SwiftOnSecurity's amazing thread ().

I've compiled some of the tools mentioned in it with their corresponding links in the thread below (for reference and easy finding).
1. Pressing the F5 key in notepad will insert a timestamp
2. RpcPing (docs.microsoft.com/en-us/windows-…)
3. Qwinsta (docs.microsoft.com/en-us/windows-…)
4. Log Parser Lizard (lizard-labs.com/log_parser_liz…)
5. Dependency Walker (dependencywalker.com)
6. Sysinternals (docs.microsoft.com/en-us/sysinter…)
7. Dependencies (github.com/lucasg/Depende…)
8. ngrep (github.com/jpr5/ngrep)
9. PowerToys (github.com/microsoft/Powe…)
10. Everything (voidtools.com)
11. clip.exe (docs.microsoft.com/en-us/windows-…)
12. CertAlert (certalert.net)
13. grepcidr
Read 6 tweets