I ended up in a persistent research to evade Sysmon's registry monitoring. Through manipulation of targeted RegRun keys—saving, altering, and then restoring them—a cunning tactic emerges. Why? Sysmon leverages registry callback within its driver component for overseeing registry events (EventCode 12, 13, 14). However, a drawback emerges: the REG_NOTIFY_CLASS for RegRestoreKey and RegSaveKey is not being monitored that cause a blindsides. below is the POC tool github repo I developed to assist the community in testing their EDR and XDR solutions against this possible evasion technique to develop counter measure or detections. https://lnkd.in/e8CC8en5 blog is coming soon.. 😉 #reverseengineering #blueteam #redteam #detectionengineering
Teoderick C.’s Post
More Relevant Posts
-
#buildinpublic update I've been in a bit of limbo between our household being sick for the last few weeks and our new baby boy set to arrive anyday now... I wanted to show off a cool tool I built for Civia Inc. today to catch potential security issues in development. I'm calling it an XSSTrapSeeder which automatically adds XSS payloads into our local database for all models. This lets the us set it and forget it (so to speak) unless we write code that trips on of these traps (so we can fix it before it gets into production). Just another cool thing that was very easy to do in #Laravel with the concepts and building blocks it has.
-
Did you know with Sentry's event fingerprinting you can group errors with greater granularity? If your quering an API service the stack trace is generally the same even if the outgoing request is very different Add it to your Sentry.init beforeSend function.
-
I have just created a new repo to deobfuscate the new campaign of #Smokeloader Dec-2023 and decrypt the configuration of the dropped stage the flow of execution is Wextract file ->drops 5IH0Dp8.exe -> inject (3 stage) into explorer.exe https://lnkd.in/d-DS4pw6 #malwareanalysis #threatintelligence #threatdetection #malwaredetection #cyberdefense #malwareprotection #cyberattack
-
-
This is very cool - LiteLLM (YC W23) have integrated with Pydantic Logfire, meaning you can use Logfire to observe calls to 100+ LLMs! https://lnkd.in/eW6x6pU7
-
Did you know with Sentry's event fingerprinting you can group errors with greater granularity? If your quering an API service the stack trace is generally the same even if the outgoing request is very different Add it to your Sentry.init beforeSend function.
-
Living off the #FalsePositive for #CyberThreat #DetectionEngineering #TrustEverybodyButCutTheCards LoFP is an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with #MITREATTACK techniques, rule source, and data source. Entries include details from related rules along with their description and detection logic. The goal is to enable both red and blue teams with this information: - #Redteams can use this information to blend in - #blueteams can use this information to assess weak spots in their #detectionlogic and also as an assistant during alert #triage and #investigation, by looking at common FPs around certain techniques and data sources. For more details, checkout the release #blog https://lnkd.in/dCtE_gS3. #TrustEverybodyButCutTheCards
-
-
🎈 The web server on the default port 80 hosts a demo virtual host, accessible with guest credentials. While reviewing the links, I discover a MinIO Metrics section that is visible due to a Line Feed (LF) injection vulnerability. This allows me to analyze the logs, leading to the discovery of a new virtual host. This new virtual host uses the MinIO platform and reveals the service version, which is vulnerable to CVE-2023-28432. This is an information disclosure vulnerability that exposes the root user's credentials of the platform. After a thorough analysis, I determine that a specific version of a bucket leaks critical information related to an identity-based secrets and encryption management system. Finally, privilege escalation is achieved by leveraging a program that can be executed with elevated privileges by a user.
Owned Skyfall from Hack The Box!
hackthebox.com
-
Talks about AI Security, Application and Cloud Security. Principal Product Security Architect, R&D at CyberArk
Just came across the threatcl tool. Seems like a really nice concept using familiar formats like HCL to describe threat models and exportable to OTM, essentially declaring threat models as a TF code and bringing the whole programmatic suite to it (testing threat models, PRs to threat models with CR, etc). I hope to see more organizations adapt an as-a-code approach to their threat models rather than documenting them in some word document or a DFD that is never updated since then. A good threat model is a live one and should be updated with the actual implementation, and emerging threats. That would be a real maturity indicator. Great job Christian Frichot ! #threat_modeling #appsec
threatcl
threatcl.github.io
-
Many digital forensics analysts and investigators will be aware of FTK Imager, and maybe even the newer products within the FTK suite. But without using the software every day, it's difficult to know the small (but mighty!) key features that many investigators who use the software really love. Join Exterro experts for just 30 minutes every month for snapshots into their favourite features in FTK. #ftk #forensic #forensictoolkit #digitalforensics
My Favourite FTK Feature Series
go.exterro.com
-
Many digital forensics analysts and investigators will be aware of FTK Imager, and maybe even the newer products within the FTK suite. But without using the software every day, it's difficult to know the small (but mighty!) key features that many investigators who use the software really love. Join Exterro experts for just 30 minutes every month for snapshots into their favourite features in FTK. #ftk #forensic #forensictoolkit #digitalforensics
My Favourite FTK Feature Series
go.exterro.com
Staff Threat Intel Analyst, Adversary Tactics
1yOne thing is clear from the video...while the changes themselves may not be detected using this technique, _getting to_ the changes will appear in EDR telemetry. Let's say you change "regreeper.exe" to something else, something perhaps a bit more innocuous. The creation of the process will be recorded by EDR, and the writing of the file to disk may also be recorded (depending upon your EDR platform). Regardless of what you name the file, the hash will be different, so least frequency of occurrence analysis will tell you, "hey, here's an EXE we haven't seen in the environment before...". So, yeah...the technique itself may allow you to bypass EDR tools, but getting to the point to where the technique can be used leaves a LOT of footprints, and LOT of opportunities for detections.