SHELL IS ONLY THE BEGINNING
When getting shell is only the start of the journey.

POST EXCERPTS

CREATING REAL LOOKING USER ACCOUNTS IN AD LAB
As I write my own tools for IR Hunting and Post-Exploitation I like to have a large realistic set of AD accounts and also accounts with accented and non-English characters to make sure my tools will work in large environments and also simulate multiple geographical locations since most customers a

WINRM SSL CERTIFICATE DEPLOYMENT VIA GPO
In the Subject Name tab, under Subject name format, select Common Name and click on the checkbox of DNS name. Add the group that you want to be able to request code signing certificates and the Domain Computers group for the domain. Allow Read and Enroll, click on Apply and then Ok. For Auto enrollment select the domain computers and enable

POWERSHELL BASICS
PowerShell Basics - Extending the Shell with Modules and Snapins. In PowerShell there are 2 main ways to extend the shell; these are: Modules - A package that contains Windows PowerShell commands in the form of functions, cmdlets and workflows; in addition it may contain variables, aliases and providers. Modules can be written in PowerShell and

CREATING WMI FILTERS AND GPOS WITH POWERSHELL
In my last 2 blog posts I covered the creation of group policy objects for distributing certificates to all computers in a domain and enabling Network Level Authentication on them, plus also covered how to create and use WMI filters to specify which machines a

POSH-SYSMON MODULE FOR CREATING SYSMON CONFIGURATION FILES
Sysmon configuration can be complex in addition to hard to maintain by hand. For this purpose I created a module called Posh-Sysmon some time ago to aid in the creation and maintenance of configuration files. The module was initially written after the

TIP: METERPRETER SSL CERTIFICATE VALIDATION
To have the connection validated we need to first tell the payload what certificate the handler will be using by setting the path to the PEM formatted certificate in the HANDLERSSLCERT option, then we enable checking of this certificate by setting stagerverifysslcert to true.

POWERSHELL TIP: VALIDATING IP ADDRESS AS A PARAMETER
PowerShell Tip: Validating IP Address as a Parameter. I find myself many times writing an Advanced Function that takes as its parameters only IP Addresses. A quick way I found for validating that an IP Address was passed is using the Type Accelerator and the parameter option of if we look at the typeaccelerator

METERPRETER NEW WINDOWS POWERSHELL EXTENSION
The first command is powershell_execute; this command executes a given string inside the unmanaged runspace in memory and returns the string output of it. If we look at the help message of it we see there is an additional optional option for the command: the -s option allows you to specify an ID or Name of a separate pipeline inside the Runspace, which allows you to keep variables separate

BASICS OF TRACKING WMI ACTIVITY
WMI (Windows Management Instrumentation) has been part of the Windows Operating System since Windows 2000 when it was included in the OS. The technology has been of great value to system administrators by providing ways to pull all types of information, configure components and take action bas

MY NEW HOME LAB SETUP
First Server. This server in terms of CPU outperforms the second server due to it being a Xeon with Hyperthreading, but CPU has not been a constraint so far in my labs when I use Quad Core CPUs. The basic build is: Intel Xeon E3-1230 V2 Ivy Bridge 3.3GHz (3.7GHz Turbo) LGA 1155 69W Quad-Core Server Processor.

BASICS OF THE METASPLOIT FRAMEWORK API
IRB is the Interactive Ruby Shell, a REPL (Read -> Eval -> Print Loop) that will allow us to interact with the Framework in real time, allowing us to test and validate ideas quickly. One big advantage of the Metasploit Framework is that we can run IRB from inside msfconsole itself. When invoked from inside msfconsole we are running from the

GETTING DNS CLIENT CACHED ENTRIES WITH CIM/WMI
What is DNS Cache. The DNS cache maintains a database of recent DNS resolutions in memory. This allows for faster resolution of hosts that have been queried in the recent past. To keep this cache fresh and reduce the chance of stale records the time of items in the cache is of 1

RDP TLS CERTIFICATE DEPLOYMENT USING GPO
Here is an example on how to deploy TLS certificates for use with RDP via GPO and how to configure some non-Microsoft systems. We start by opening the Certificate Authority management console, right-clicking on Certificate Templates and selecting Manage. It will open a template management console. We will scroll down and select Computer

SYSINTERNALS NEW TOOL SYSMON (SYSTEM MONITOR)
In the case of Windows 2012 R2 and Windows 8.1 Microsoft added the capability to enable command line logging for these systems. To enable it one would go to Computer Configuration -> Policies -> Administrative Templates -> System -> Audit Process Creation. But still the information is limited, and unless we also enable AppLocker we would not get a SHA1 of the process image to also

CONFIGURING NETWORK LEVEL AUTHENTICATION FOR RDP
Recently there has been a lot of attention given to the Remote Desktop Protocol by attackers. The protocol saw a worm in 2011 that abused weak passwords and its features to copy files and infect other machines, and now in 2012 there is a remote code execution bug in the protocol it se

POWERSHELL BASICS
In my previous blog post where I covered Execution Policy and Code Signing I mentioned that these steps were only useful for content that is downloaded from the internet and to prevent accidental execution of scripts. When Microsoft designed PowerShell they placed the control over it
GETTING DNS CLIENT CACHED ENTRIES WITH CIM/WMI
February 03, 2020 by Carlos Perez in PowerShell, Red Team, Blue Team, Hunting
WHAT IS DNS CACHE
The DNS cache maintains a database of recent DNS resolutions in memory. This allows for faster resolution of hosts that have been queried in the recent past. To keep this cache fresh and reduce the chance of stale records, entries are kept in the cache for 1 day on Windows clients.
The DNS Client service in Windows is the one that manages the cache on a system. This time window can be modified in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters, where the MaxCacheTtl value controls the time in seconds an entry stays in the cache and the MaxNegativeCacheTtl value controls how long a failed response is cached.
WHY IS IT IMPORTANT
For an attacker, it means primarily situational awareness. It allows him to know what other systems this host has accessed and the IP addresses of those hosts. This may allow identifying security platforms by the FQDNs used, as well as business process systems, both internal and in the cloud. An important note for the attacker is that if his implant/agent on the system does not include its own resolution capability, it leaves an IOC present on the system that can be used to track its command and control infrastructure. For a defender, it gives the ability to know what hosts a system may have connected to in the last 24 hours. This permits a defender to query across his environment for hosts that are communicating or have communicated with a specific host, provided DNS resolution was part of the process and the attacker is not using his own resolution method. If the attacker is "Living off the Land" and using OS tools, it will still leave this ephemeral trace on the system until the cached entry's TTL (Time to Live) expires.
MSFT_DNSCLIENTCACHE CLASS
In Windows 8/2012 Microsoft added the MSFT_DNSClientCache class to the CIM object database in Windows. The class lives under the ROOT\StandardCimv2 namespace that was added at the same time, and the resources are provided as part of DnsClientCim.dll. This allows us to query for instances of the class and get all entries in the DNS cache database.
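The following is an added example, not code from the original post: it queries the MSFT_DNSClientCache class in the ROOT\StandardCimv2 namespace described above with Get-CimInstance, filters the cached entries for a name a defender is hunting for, and reads the MaxCacheTtl and MaxNegativeCacheTtl values from the Dnscache\Parameters key so the analyst knows how far back the cache can speak for. The function names, the parameter names and the search pattern 'example' are assumptions made for the example; the property names (Entry, Data, Type, TimeToLive) are those exposed by the class.

```powershell
# Added example (not from the original post). Hunt the local DNS client cache,
# or the cache of a list of hosts, for entries that match a name of interest.
function Get-DnsCacheMatch {
    [CmdletBinding()]
    param(
        # Hostname or substring to look for in cached entries (constructed value in the usage below).
        [Parameter(Mandatory)]
        [string]$Pattern,

        # One or more hosts to query; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    foreach ($computer in $ComputerName) {
        $params = @{
            Namespace   = 'root/StandardCimv2'
            ClassName   = 'MSFT_DNSClientCache'
            ErrorAction = 'Stop'
        }
        # Only go over WSMan/CIM remoting when the target is not this machine.
        if ($computer -ne $env:COMPUTERNAME) { $params['ComputerName'] = $computer }

        try {
            Get-CimInstance @params |
                Where-Object { $_.Entry -like "*$Pattern*" -or $_.Data -like "*$Pattern*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        ComputerName = $computer
                        Entry        = $_.Entry       # name that was queried by the client
                        Data         = $_.Data        # resolved address or alias target
                        RecordType   = $_.Type        # DNS type code: 1 = A, 5 = CNAME, 28 = AAAA
                        TimeToLive   = $_.TimeToLive  # seconds left before the entry ages out
                    }
                }
        }
        catch {
            # A host that is offline or blocks CIM remoting must not abort the whole sweep.
            Write-Warning "Could not query DNS cache on ${computer}: $($_.Exception.Message)"
        }
    }
}

# Read the cache lifetime limits from the registry key named in the post.
# Both values are optional; when absent the service default (1 day per the post) applies.
function Get-DnsCacheTtlPolicy {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $maxTtl = if ($props -and $props.PSObject.Properties['MaxCacheTtl']) { $props.MaxCacheTtl } else { 'default' }
    $maxNeg = if ($props -and $props.PSObject.Properties['MaxNegativeCacheTtl']) { $props.MaxNegativeCacheTtl } else { 'default' }

    [pscustomobject]@{
        MaxCacheTtlSeconds         = $maxTtl
        MaxNegativeCacheTtlSeconds = $maxNeg
    }
}

# Usage: sweep the local cache (add -ComputerName host1,host2 for a fleet) for a constructed name.
Get-DnsCacheMatch -Pattern 'example' | Format-Table -AutoSize
Get-DnsCacheTtlPolicy
```

Two caveats follow from the post itself: an entry is only present if the process actually used the OS resolver, and it disappears once its TTL expires, so the sweep needs to run within the window reported by Get-DnsCacheTtlPolicy to be meaningful.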
BEING GRATEFUL AT HEIDELBERG
March 24, 2019 by Carlos Perez
Recently, while in the bar of the Crowne Plaza in Heidelberg for the Troopers conference, I became aware of how grateful I should be for what I have in this industry. What I'm grateful for is not technical or recognition but the group of people in the industry I have the honor to call friends. I would like to share some of them in this blog post. While coming back from dinner in Heidelberg, JD, also known as @SadProcessor, sent me a DM that several of our friends were at the hotel bar and, even though I don't drink, I should come down and hang out. I was jet lagged but had not seen many of them in months, so I said to myself "Why not" and went down.
OPERATING OFFENSIVELY AGAINST SYSMON
October 08, 2018 by Carlos Perez in Blue Team, Red Team, PowerShell
Sysmon is a tool written by Mark Russinovich that I have covered in multiple blog posts, and I even wrote a PowerShell module called Posh-Sysmon to help with the generation of configuration files for it. Its main purpose is the tracking of potentially malicious activity on individual hosts, and it is based on the same technology as Procmon. It differs from other Sysinternals tools in that Sysmon is actually installed on the host and saves its information into the Windows Event Log, so it is easier to collect the information with the use of SIEM (Security Information and Event Management) tools. Sysmon has the capability to log information for:
* Process Creation and Termination
* Process changing a file creation time
* Network Connection
* Driver Load
* Image Load
* CreateRemoteThread
* Raw Access Read of a file
* A process opens another process memory
* File Creation
* Registry Events
* Pipe Events
* WMI Permanent Events
REBUILDING MY PLAYBOOK .. KNOWLEDGE BASE
December 13, 2017 by Carlos Perez
I find myself in the situation where I lost my personal playbook by user error. I accidentally deleted the VM where I ran xWiki, where it was kept, and did not realize the mistake until days later. Even if painful to rebuild, it is a good opportunity to think on how to better organize it and put it in a more flexible format. I initially called my collection of techniques a playbook, but in reality it was not one. It was simply a collection from which I would pull depending on the situation and as reference when writing presentations, blog posts and reports. To me a playbook is a collection of plays, each play composed of multiple steps that would vary depending on environment and purpose. So the term playbook really did not fit. As I rebuild now I have decided to call it a Knowledge Base. Calling it a Knowledge Base gives me the advantage of properly building a real playbook later, where I can cover small samples of multiple steps and tools together that I can pull into planning in the different stages using the PACE (stands for Primary, Alternate, Contingency, Emergency) principle where it makes sense. If you have ever taken the OSCP Exam from Offensive Security you have learned the importance of having a knowledge base with the right information. You also learn, as you progress through the material and labs, to build one and hopefully not fail on the first try.
OPERATIONAL LOOK AT SYSINTERNALS SYSMON 6.20 UPDATE
November 27, 2017 by Carlos Perez
Sysmon has been a game changer for many organizations, allowing their teams to fine tune their detection of malicious activity when combined with tools that aggregate and correlate events. A new version of Sysmon was recently released. Version 6.20 fixes bugs and adds new features. Some of the noteworthy changes for me are:
* Enhancements in WMI Logging.
* Ability to change driver name.
* Ability to change service name and service executable name.
Copyright Carlos Perez 2014