#hack100days

ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 62 : Wasn't up for it yesterday, took a sick day. Did some poking around at a recent CVE. Not going to share which one at this time. Led to another thread, though. Something that could lead to finding weird... Look for instances of the Windows process WerFault.exe starting. What was the parent process? What was the user id for the process? You may find something that is well broken and needs fixing--that cleans up log files--or something that needs further research. <a href="https://infosec.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 61 : Another light day. Read articles and another chapter in _Rust Programming Language_--was reminded to keep up on that via link from a <span class="h-card"><a href="https://infosec.exchange/@thegrugq" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thegrugq</span></a></span> newsletter to @buttplug.io (<span class="h-card"><a href="https://infosec.exchange/@twitter" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>twitter</span></a></span>) thread, leading to @m_ou_se@twitter presence talking about her book _Rust Atomics and Locks_ (which is available at <a href="https://marabos.nl/atomics/" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="">marabos.nl/atomics/</span><span class="invisible"></span></a>, so I have some more reading and coding to do... <a href="https://infosec.exchange/tags/GetSmart" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GetSmart</span></a> <a href="https://infosec.exchange/tags/Rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Rust</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 60 : Another section of CRTO done. Learned more about MSFT's Data Protection API, which was new to me. Otherwise, it was light today. <a href="https://infosec.exchange/tags/GetSmart" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GetSmart</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 59 : Two more sections of CRTO down. Tuned the registry run key search in Defender ATH. Noisy bugger, going to take some work to sort out "normal". Seems like a good place to hide for long-haul persistence. <a href="https://infosec.exchange/tags/RedTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RedTeam</span></a> <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 58 : Spent some time poking around log sources. Checked for logging and events matching opsec warnings from CRTO. Created and tuned some queries for Defender ATH. There's signal in there about Registry run key creation and scheduled task creation. Good to know for <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>redteam</span></a> and <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blueteam</span></a>!</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 57 : Finished the next section of CRTO. Juuust shy of half-way. Checked out a couple of presos at the Antisyphon "Most Offensive Con That Ever Offensived" on-line conference. I like the personalities and some of the dialogue in the <a href="https://infosec.exchange/tags/RedTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RedTeam</span></a> panel discussion at the beginning. However, it was a little too "let's be controversial for the sake of controversy" for my taste. (I hope to get a pizza delivered to me, one day.)</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 56 : Read a CISA <a href="https://infosec.exchange/tags/RedTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RedTeam</span></a> report: <a href="https://www.cisa.gov/sites/default/files/2023-02/aa23-059a-cisa_red_team_shares_key_findings_to_improve_monitoring_and_hardening_of_networks.pdf" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cisa.gov/sites/default/files/2</span><span class="invisible">023-02/aa23-059a-cisa_red_team_shares_key_findings_to_improve_monitoring_and_hardening_of_networks.pdf</span></a> Definitely cribbing some report formatting and noting TTPs.</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 55 : Completed three more <a href="https://infosec.exchange/tags/CRTO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CRTO</span></a> sections, maybe about 1/3 of the way through--so far, mostly review. Added another item to the <a href="https://infosec.exchange/tags/ThreatHuntThursday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHuntThursday</span></a> list. <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>redteam</span></a> <a href="https://infosec.exchange/tags/GetSmart" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GetSmart</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 54 : Completed credential theft section for <a href="https://infosec.exchange/tags/CRTO" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CRTO</span></a>, got some good ideas for <a href="https://infosec.exchange/tags/ThreatHuntThursday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHuntThursday</span></a> for log events and access patterns I hadn't thought of before. <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>redteam</span></a> <a href="https://infosec.exchange/tags/GetSmart" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GetSmart</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 53 : Thin on the hacking today. Listened to risky.biz and got caught up on <span class="h-card"><a href="https://infosec.exchange/@thegrugq" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>thegrugq</span></a></span> newsletters.</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a>: day 52 : Spent more time on CRTO, got through several sections. Looked at some of the tooling called out. If something tried to talk to lsass, there's a Windows Event 4656 generated. These events don't make it into Windows Defender Advanced Threat Hunting. Some KQL that *might* help a little bit: 'DeviceProcessEvents | where (FileName != "lsass.exe" and ProcessCommandLine has "lsass")' This could find where someone's trying to tinker with it from the command line. (Since lsass does get started in the normal day-to-day of things, filter out it itself being the running process, look for things trying to operate on it.) <a href="https://infosec.exchange/tags/redteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>redteam</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blueteam</span></a> <a href="https://infosec.exchange/tags/GetSmart" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GetSmart</span></a></p>
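Two of the hunts in this feed (the WerFault.exe parent/user baseline from day 62 and the lsass command-line query from day 52) can be tried offline before they are typed into Defender Advanced Hunting. The script below is an added example, not the poster's code or anything from Defender: it runs both hunts over constructed DeviceProcessEvents-style records. The field names mirror the DeviceProcessEvents schema (FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessAccountName); every event value is made up, and `kql_has` is only an approximation of KQL's term-based `has` operator.

```python
"""Added example (not from the feed): two Defender Advanced Hunting ideas from
the posts above, run over constructed DeviceProcessEvents-style records.

Hunt A (day 62): WerFault.exe starts, baselined by parent process and account.
Hunt B (day 52): the posted KQL
    DeviceProcessEvents | where (FileName != "lsass.exe" and ProcessCommandLine has "lsass")
re-expressed in Python so it can be tried against sample data offline.
Field names mirror the DeviceProcessEvents schema; the event values are made up.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    file_name: str          # FileName: image of the newly created process
    command_line: str       # ProcessCommandLine
    account_name: str       # AccountName: user the new process runs as
    parent_file_name: str   # InitiatingProcessFileName: the parent process
    parent_account: str     # InitiatingProcessAccountName


# Constructed sample records; none of these are real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("WerFault.exe", "WerFault.exe -u -p 4120 -s 1240", "SYSTEM", "svchost.exe", "SYSTEM"),
    ProcessEvent("WerFault.exe", "WerFault.exe -u -p 4120 -s 1244", "SYSTEM", "svchost.exe", "SYSTEM"),
    ProcessEvent("WerFault.exe", "WerFault.exe -u -p 7788 -s 2000", "jdoe", "EXCEL.EXE", "jdoe"),
    ProcessEvent("WerFault.exe", "WerFault.exe -u -p 7790 -s 2004", "jdoe", "EXCEL.EXE", "jdoe"),
    ProcessEvent("WerFault.exe", "WerFault.exe -u -p 9012 -s 3100", "jdoe", "powershell.exe", "jdoe"),
    ProcessEvent("lsass.exe", "C:\\Windows\\system32\\lsass.exe", "SYSTEM", "wininit.exe", "SYSTEM"),
    ProcessEvent("svchost.exe", "svchost.exe -k netsvcs", "SYSTEM", "services.exe", "SYSTEM"),
    ProcessEvent("tasklist.exe", 'tasklist /fi "imagename eq lsass.exe"', "admin1", "cmd.exe", "admin1"),
    ProcessEvent("unknown.exe", "unknown.exe --pid-of lsass.exe", "jdoe", "powershell.exe", "jdoe"),
]

_TERM = re.compile(r"[a-z0-9_]+")


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match on a whole term, where
    terms are runs of alphanumerics/underscore (so 'lsass' matches
    'lsass.exe' and 'lsass.dmp', but a substring like 'xlsassx' does not)."""
    return term.lower() in _TERM.findall(text.lower())


def werfault_baseline(events):
    """Hunt A: count WerFault.exe starts per (parent image, account).
    The big buckets are 'normal'; the singletons are where to start reading."""
    return Counter(
        (e.parent_file_name.lower(), e.account_name.lower())
        for e in events
        if e.file_name.lower() == "werfault.exe"
    )


def rare_werfault_parents(events, max_count=1):
    """(parent, account) pairs that started WerFault.exe at most max_count times."""
    return sorted(k for k, n in werfault_baseline(events).items() if n <= max_count)


def lsass_commandline_hits(events):
    """Hunt B: processes other than lsass.exe whose command line names lsass.
    lsass.exe's own start is filtered out, exactly as the KQL does; what is
    left still needs triage (the tasklist query in the sample is noise, the
    unknown.exe one is the kind of thing worth a closer look)."""
    return [
        e for e in events
        if e.file_name.lower() != "lsass.exe" and kql_has(e.command_line, "lsass")
    ]


if __name__ == "__main__":
    print("WerFault.exe starts by (parent, account):")
    for key, n in werfault_baseline(SAMPLE_EVENTS).most_common():
        print(f"  {n:3d}  {key}")
    print("Rare WerFault.exe parents:", rare_werfault_parents(SAMPLE_EVENTS))
    print("Non-lsass processes referencing lsass on the command line:")
    for e in lsass_commandline_hits(SAMPLE_EVENTS):
        print(f"  {e.file_name} <- {e.parent_file_name} ({e.account_name}): {e.command_line}")
```

The baseline-then-outlier shape of Hunt A is the same approach the day 59 post describes for the registry run key query: count by the fields that describe "who started it" and "as whom", treat the large buckets as normal, and spend analyst time on the singletons. Hunt B shows why the posted KQL only "might help a little": an administrator's `tasklist` filter matches just as well as an unknown binary, so the query is a starting point for triage, not an alert on its own.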
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a>: day 51 : Spent some time going through CRTO. First two sections down. Spun up a new Kali box to play around with some of the tooling covered in the recon section. Reckon I'll do a once-through of the material before getting lab time and going after the lab exercises. <a href="https://infosec.exchange/tags/RedTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RedTeam</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a>: day 50 : Grrr. Yesterday was actually day 49. Anyways. Signed up for zeropointsecurity.co.uk Certified Red Team Operator course. LFG! <a href="https://infosec.exchange/tags/RedTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RedTeam</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/PrimumNonNocere" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrimumNonNocere</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 48 : even more <a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rust</span></a>. Read some on chapter 5. Watched a couple of videos by <span class="h-card"><a href="https://mastodon.social/@0atman" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>0atman</span></a></span> on his No Boilerplate YouTube channel. Poked around on crates.io a bit and looked at some code.</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 48 : re-read chapter 4 of Rust Programming Language. Ownership, borrowing, and slices, oh my. Moar examples will be needed.</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 47 : Read a bit more about rust. Started in on Chapter 4 of The Rust Programming Language. Still not grokking why there is a mutable/immutable setting for variables. Seems there's no difference between an immutable variable and a constant.</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 46 : Read more rust. (Today was a travel day, so not so much hands on keyboard today)</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 45 : Read about <a href="https://infosec.exchange/tags/rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rust</span></a> in _Rust Programming Language, 2nd Ed._</p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : days 43 &amp; 44 : Forgot to post yesterday. Modified a BadUSB/Rubber Ducky script to run PowerShell and feed a file. Helping out a <a href="https://infosec.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a> analyst w/that one. Helped myself for a future <a href="https://infosec.exchange/tags/RedTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RedTeam</span></a> exercise. Also spent some time w/'hello, world', Rust, and Windows OS. Baby steps, time will tell w/that one. Tried out a different format for attack trees, but haven't tried it out on anyone yet. <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/LabItUp" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LabItUp</span></a> <a href="https://infosec.exchange/tags/CamelCaseTags4OnScreenReaders" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CamelCaseTags4OnScreenReaders</span></a></p>
ath0<p><a href="https://infosec.exchange/tags/hack100days" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hack100days</span></a> : day 42 : Listened in on N00bie Tuesday by Alh4zr3d@twitter. Someone mentioned Zero Point Security has a "Rust for n00bs" [[<a href="https://training.zeropointsecurity.co.uk/courses/rust-for-n00bs" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">training.zeropointsecurity.co.</span><span class="invisible">uk/courses/rust-for-n00bs</span></a>]] class. I'm a n00b, so ran full-tilt into that rabbit hole. An inexpensive introduction. Rust has some interesting quirks. Tried it out on MacOS. Next up, Windows. <a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/LearnToCode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LearnToCode</span></a> <a href="https://infosec.exchange/tags/Rust" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Rust</span></a></p>