Tools: Execution possibilities for a dynamic analysis, if deobfuscation is not soooo good: Tipp: Overwrite sensible methods, if the language allows it. For example, in JavaScript: eval = print Now, each eval statement is not executed, but just printed :-).
Goal: See on a system if some specific executeable was executed.
See also Autostart (Persistence) | Hexacorn
Registry Windows Event Logging File system analysis See the NTFS article about logging.
Forensic tools
Dissect is a forensic tool for file system images,
Questions, who should be answered easily: Tips for analyzing log files Search a log and count the hosts: cat log | jq -c '.host' | sort | uniq -c | sort -n To see more about the host “Apache” cat log | grep "Apache" | jq Search in gzipped logs: zgrep log.gzzcat log.gz | grep "Apache" Convert…
Use cases Tools Standard unix tools like awk can also been used with a cat of a flow file. nfdump SiLK argus
JA4S is a system to hash the configuration of a TLS connection. More: ja4/technical_details/README.md at main · FoxIO-LLC/ja4 · GitHub Possible use cases:
Case: Ransomware
Checklist: Good stuff:
CAINE can be used as a live system to perform forensic studies of a system (e.g. after a Incident).
If the system is powered off: If the system is active: If the system is a VM: Other systems: Questions:
Get hidden content from password fields Scenario: Use JavaScript for extraction. Copy and pase the following into the web browser’s console: Extract keystrokes live from a Browser Scenario: Do: Extract Cookies Scenario: Inject/Do: Extract local / session storage Like above: Stealing site passwords Scenario: Then, inject JS which adds an invisible user/username/name text field and…
Pacu can be used to test an AWS account. Setup: Unauthorized enumeration Requires only an AWS access key and secret key. Enumerate roles. Create a list with possible roles to check. run iam__enum_roles --word-list /tmp/roles.txt --account-id $accountId Enumerate users which belong to a (previously found) role. Create also a list of possible user names. run iam__enum_users --word-list…
Initial (network) enumeration Check where a service is hosted by quering the nameserver records for our target domain: host -t ns $domain Get more information / confirmation via a whois query to one previously found domain. whois $previouslyFoundDomain Check where a host is running: host $domainhost $ipFromTheDomain Check more domains of this organisation / of…
Attacking Domain Controller Synchronization The DRS Directory Replication Service is responsible to replicate a DC’s data to multiple redundant DC’s. Scenario: You own a user who has one of the following rights: Normally, users in the following groups have these (could be configured otherwise, of course): You can check with the script in Basic Active Directory…
The four process ID’s For each process, Linux manages four UID’s. When a process from a user with UID 1000 is started/forked, then the new process has normally also the UID 1000. However, with SUID/GUID it becomes more complicated, since processes can get other UIDs than the one of the caller. When a process like passwd…
Enumeration In PowerShell Caution: This command works via RDP in an interactive session, but NOT in a non-privileged bind/winrm shell. All services: PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName All running services: PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}…
Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.
Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
python -c 'import pty;pty.spawn("/bin/bash")';
python3 -c 'import pty;pty.spawn("/bin/bash")';