Usman Sikander’s Post

Completed the Windows Event Logs HTB Workshop! This one was difficult, but I learned a lot. This practical module provided: -An introduction to Windows Event Logs, emphasizing their importance in detecting unusual activities. -Details on using Sysmon and Event Logs to spot and study harmful behaviors such as DLL hijacking, uncontrolled PowerShell/C-Sharp injection, and credential dumping. -An introduction to the powerful Get-WinEvent cmdlet for simplifying analysis, including how to extract events from specific logs and apply filters based on various criteria.

Hi everyone! In continuation of the topic about NetNTLM hashes, session stealing and exploits :)))) The other day FakePotato came out and fixed one super interesting vector of privilege escalation - through wallpaper setting. Earlier, the ncc group had a cool article (https://lnkd.in/dnMsVc8u) about how changing the wallpaper could leak the NetNTLM hash. There were quite a few requirements limiting the attack: Webdav Redirector, DNS record..... I posted a tool called LeakedWallpaper (https://lnkd.in/ddz78hQm) that allows you to get the NetNTLM hashes of ANY user whose session is present on the host. Permission requirements: any. This is possible due to the COM object abuzing. The method will work fine until the June KB5040434 fix is installed. Demo can be found here (https://lnkd.in/diMx9QiT)

“Poolparty” is one of SafeBreach projects, which consists of a set of fully-undetectable process injection techniques abusing Windows Thread Pools. It exploits some design flaws and undocumented features of Windows Thread Pools to inject code into any process without triggering any alerts from leading endpoint detection and response (EDR) solutions. Poolparty has eight variants, each using a different type of thread pool work item to execute the injected code.

If your Friday is going bad due to CS update (faulty channel file, not quite an update though), Follow this: 1. Boot Windows into Safe Mode or WRE. 2. Go to C:\Windows\System32\drivers\CrowdStrike 3. Locate and delete file matching "C-00000291*.sys" 4. Boot normally. This may not solve problems for every machine out there, but they are on it. Twitter Thread: https://lnkd.in/gB3_Fuuk

Advanced technique for concealing a process at the ring-0 level by manipulating the ActiveProcessLinks, specifically the nt!_LIST_ENTRY structure within the Windows operating system kernel. This method hinges on the alteration of the BLINK and FLINK entries within this doubly linked list to effectively obscure the presence of a target process. By doing so, it becomes possible to hide the process from both system utilities and forensic analysis tools that rely on traversing these links to enumerate processes. The technique leverages the inherent structure of the Windows kernel's process management mechanisms, thereby offering a stealthy means of evasion that can be particularly useful in contexts where maintaining undetectability is paramount.

Completed the Windows Event Logs & Finding Evil module! Things to highlight: ✅An introduction to Get-WinEvent cmdlet for simplifying analysis, including how to extract events from specific logs and apply filters based on various criteria. ✅Hands-on skills for leveraging Windows Event Logs effectively in threat detection and investigation. ✅Details on using Sysmon and Event Logs to spot and study harmful behaviors such as DLL hijacking, uncontrolled PowerShell/C-Sharp injection, and credential dumping.

✅ Another module of the CDSA is complete! This module covered Windows Event Logs, Sysmon, and how to identify suspicious Windows activities such as LSASS dumping, DLL Hijacks, and unusual C# execution. This module will most definitely be reviewed again before the exam!

Set a breakpoint in Wndbg, based on debug output strings.

DISM Commands and then some….