John Lambert
Oct 10, 2017, 3 tweets
Which of you red-teamers is going to own up to this one? #PowerShell threat decrypts a payload from a USB drive using the volume DeviceId 😱
Decoded source: ghostbin.com/paste/7xnkx
Sample hash: e0679efedeb04d62b61fa60a3940fcf040bf21b56d920f0513e500965ca48c45
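A defensive check for the pattern described above, added here as an example and not taken from the thread or from the sample itself: a Python heuristic that scans PowerShell script-block text (the ScriptBlockText field logged as Event ID 4104) for a volume-identifier lookup combined with decryption setup in the same block. The indicator lists and the three script fragments are constructed assumptions, not a published signature.

```python
import re

# Indicators that a script reads a volume/drive identifier. Names and
# patterns are assumptions for this example, not a vendor signature.
VOLUME_ID_INDICATORS = {
    "wmi_volume": r"Win32_(Volume|LogicalDisk)",
    "device_id": r"\bDeviceID\b",
    "volume_serial": r"VolumeSerialNumber",
    "get_volume": r"\bGet-Volume\b",
    "removable_drive": r"DriveType\s*-eq\s*2\b",  # DriveType 2 = removable
}
# Indicators that the same block sets up decryption of something.
DECRYPT_INDICATORS = {
    "aes_class": r"(AesManaged|RijndaelManaged|AesCryptoServiceProvider)",
    "decryptor": r"\bCreateDecryptor\b",
    "xor": r"-bxor\b",
    "secure_string": r"\bConvertTo-SecureString\b",
}
# Execution of decrypted content raises confidence but is not required.
EXEC_INDICATORS = {"iex": r"\b(Invoke-Expression|IEX)\b"}


def classify_script_block(text):
    """Return the indicator names matched in each group for one script block."""
    def hits(table):
        return sorted(n for n, p in table.items()
                      if re.search(p, text, re.IGNORECASE))
    return {"volume_id": hits(VOLUME_ID_INDICATORS),
            "decrypt": hits(DECRYPT_INDICATORS),
            "exec": hits(EXEC_INDICATORS)}


def is_volume_keyed_decrypt(text):
    """Flag only when a block both reads a volume id and prepares to decrypt."""
    c = classify_script_block(text)
    return bool(c["volume_id"]) and bool(c["decrypt"])


# Constructed script-block fragments for testing (not runnable scripts).
SUSPICIOUS_BLOCK = r"""
$v = (Get-WmiObject Win32_Volume | Where-Object { $_.DriveType -eq 2 }).DeviceID
$aes = New-Object System.Security.Cryptography.AesManaged
$dec = $aes.CreateDecryptor()
"""
INVENTORY_BLOCK = r"""
Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID, Size, FreeSpace
Get-Volume | Format-Table
"""
BACKUP_BLOCK = r"""
$aes = New-Object System.Security.Cryptography.AesManaged
$aes.Key = $keyFromVault
$dec = $aes.CreateDecryptor()
"""
```

Only the first fragment is flagged: a disk inventory touches DeviceID without crypto, and a backup restore decrypts without reading any volume identifier.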
More from @JohnLaTwC

Oct 20, 2023
I spoke at @MSFTBlueHat last week.
I will follow up with a link to the recording when it is posted.

Some highlights from my talk below 👇👇👇 github.com/JohnLaTwC/Shar…
I talked about how incidents can teach powerful lessons and contain important truths for defenders.
I talked about how, while it is often romanced that offense has a richer toolset compared to the singular metaphor for defense ("the shield"), defense has many creative ideas within it as well.
Apr 9, 2022
If you work with event logs, here are 2 GREAT utilities:

Parse an EVTX file into JSON: github.com/omerbenamram/e…

Query a JSON stream: stedolan.github.io/jq/tutorial/

Combined with Sysmon and some built-in logs, there is a lot of power at your fingertips 💪
First, export a log to EVTX:
1⃣wevtutil epl Microsoft-Windows-Sysmon/Operational sysmonlog.evtx
2⃣wevtutil epl Security Security.evtx /ow:true
3⃣wevtutil epl "Microsoft-Windows-DNS-Client/Operational" DNS.evtx
List hashes of programs that ran:

evtx_dump-v0.7.2.exe sysmonlog.evtx -o json --dont-show-record-number | jq ".Event | select (.System.EventID == 1) | .EventData | {Hashes} | .Hashes " | sort /unique

(PROTIP: Did you know sort has an undocumented /unique switch?)
Mar 13, 2022
I am preparing for an internal talk on career advice learned from working security crises. My notes 🧵
The fastest way to accomplish things is to build trust
You're always on stage. At work, there really is no way to be different in private v. public.
Sep 26, 2021
My favorite story about VBS files is not the I Love You worm, but one that happened in building 40 at Microsoft.
VB Script files are associated with WScript.exe by default. This is an important detail. The other host for VB Script files is CScript.exe.
CScript is a console program. This allows your VBS to write to StdOut and it shows up in console window like cmd.exe.
Sep 24, 2021
I've had a lot of neat employee moments at Microsoft. Here's one of them. 👇
It was Feb 4, 2014. The board had just named @satyanadella as CEO.
📎news.microsoft.com/2014/02/04/mic…
An email said he was going to make some remarks in a building across campus in like 30 minutes. I jumped in my car.
The crowd filled all available space. Ballmer was high energy as usual. It was 2014 so, you know, I had my Windows Phone with me.
Sep 19, 2021
Found one of my Microsoft notebooks 📔 from 2005. Here are a few pages on what was on my mind then.
The Longhorn (aka Windows Vista) security plan.
Parsers were having many issues. I put this slide together to create awareness about the pattern we were seeing in MSRC at the time.
Occasionally I printed small versions of my slides and inserted them into my notebooks so I could easily socialize to people in 1-1 conversations.