Ophir Harpaz in Vegas 🎩
it's pronounced `Awe-'fear`. security research team lead at @Akamai (prev @Guardicore). Vegan for life. @SCMagazine Rising Star. @Forbes 30Under30.
Sep 5, 2021 8 tweets 4 min read
I swear I couldn't find one place on the internet where #PetitPotam is explained in a way that I can truly understand it. So I'm dumping the attack flow here as a future reference for myself. If any of you finds it useful - good. If any of you wishes to add - comment. 1/7
The attack starts when an attacker, from her controlled machine, triggers a (possibly privileged) Windows host to authenticate to *her*. She does it by requesting EFS-RPC - Encrypted File System service - to open a remote file on her own machine. No domain creds are needed! 2/7
Aug 4, 2021 4 tweets 3 min read
Our @BlackHatEvents talk is over (and went great!) and now's a good time to share everything about our research!
Our research process is detailed in this blog post, go give it a read and let @peleghd and I know if you have any questions & thoughts!
guardicore.com/labs/hafl1-our… Information about the RCE vulnerability we found with #hAFL1 can be found here >>
guardicore.com/labs/critical-…
Sep 6, 2020 5 tweets 3 min read
There's a tricky way to create a new user on a Windows host without it being displayed by the "net" utility. This is something @Ben0xA tweeted about very recently.
I wanted to find out why a user named "$" is not shown, and here's what I learned :) [1/5]
net.exe checks if the username contains a dollar sign. If it does, *and* the dollar sign appears at the end -- the username is not printed but simply skipped. This is probably because ending an account name with "$" may indicate a computer name, and not a human user. [2/5]
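A way to surface such accounts on a host, as an added example (not code from the thread): `Get-LocalUser` reads the SAM directly and applies no "$" filter, so diffing it against what `net user` prints reveals accounts an admin relying on net.exe would never see. It assumes Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts module is available; the parsing of net.exe's table layout is my own and is the fragile part.

```powershell
# Added example, not code from the thread: find local accounts that "net user"
# silently skips because their name ends in "$". Assumes Windows 10 / Server 2016
# or later (Get-LocalUser from Microsoft.PowerShell.LocalAccounts).

function Get-DollarSuffixedUsers {
    # The direct check for the behaviour described in the thread: any local
    # account whose name ends in "$" is one net.exe will not print.
    Get-LocalUser | Where-Object { $_.Name.EndsWith('$') }
}

function Get-NetUserNames {
    # Parse the table net.exe prints. Its banner is: blank line,
    # "User accounts for \\HOST", blank line, a dashed rule; then names laid
    # out in columns separated by runs of spaces, then a completion line.
    $lines = net.exe user |
        Select-Object -Skip 4 |
        Where-Object { $_ -and $_ -notmatch '^The command completed' }
    foreach ($line in $lines) {
        ($line -split '\s{2,}') | Where-Object { $_ -ne '' }
    }
}

function Find-UsersHiddenFromNet {
    # Anything Get-LocalUser returns that is absent from net.exe's output is
    # invisible to "net user". Catches "$"-suffixed names without assuming
    # that is the only reason net.exe would skip a name.
    $visible = @(Get-NetUserNames)
    Get-LocalUser |
        Where-Object { $visible -notcontains $_.Name } |
        Select-Object Name, Enabled, SID, LastLogon, PrincipalSource
}

# Hidden accounts are not necessarily malicious; print context for triage.
Find-UsersHiddenFromNet | Format-Table -AutoSize
```

To verify the effect in a lab, create a throwaway account with `New-LocalUser -Name 'svc$' -NoPassword`, compare `net user` with `Get-LocalUser`, then remove it with `Remove-LocalUser -Name 'svc$'`. Account creation is still logged by the Security event log as event ID 4720 regardless of the name, so that event is the more reliable detection source than any listing tool.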
Jan 1, 2020 7 tweets 2 min read
I wanted to write a blog post but Twitter is more fun so let's do it here.
Here's my 2019.
I left a job and started a new one at @Guardicore, which is today a true home to me.
I joined a team of professionals. And friends. People whose faces I just love seeing every day >>
I gave talks in 4 different countries on 3 different topics.
Taught a Threat Hunting workshop.
Co-organized @Baot_IL's technical blogging events, making tens of technical blog posts written by women reach the internet.
Pushed women to submit their first abstract to conferences >>
Oct 16, 2019 4 tweets 3 min read
[1/4] Ok this is really funny, check this out.
I was in the process of booking a flight via @OneTravel. Trying to make me book ASAP, they claimed: "38 people are looking at this flight".
Whoa, 38 is a lot, I have to hurry up. But first I have to check how they came up with 38 >>
[2/4] Right click and a quick "inspect" on the number, I found out the element's class name is "view_notification_random".
Awesome variable naming guys.
So you're _randomly_ trying to freak me out. Alright >>
Jul 3, 2019 12 tweets 10 min read
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guardicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…