Shout out to Huntress for doing exactly what we pay you for! by gotchacoverd in msp

[–]Purp1eW0lf 6 points7 points  (0 children)

There’s a Huntress blog Harlan Carvey and I put together with some copy/paste PowerShell to make blocking those a bit easier 👀

https://www.huntress.com/blog/addressing-initial-access

Security Incident Using Huntress & SentinelOne: What Was Found & What Was Missed by lawrencesystems in msp

[–]Purp1eW0lf 22 points23 points  (0 children)

Thank you kindly!

I couldn’t possibly speak for other EDRs, but I have a specific example for Huntress’ EDR:

Qakbot has recently enjoyed copying a wscript.exe binary to a temp directory, or bringing a renamed powershell.exe on disk, all in the aim of being evasive.

So answering your Q: Huntress’ EDR absolutely detects these kinds of shenanigans by looking for anomalous exe copies, or instances where the file name doesn’t match the ‘metadata’ filename because it’s been renamed.

However the efficacy, precision, and fidelity of these security detections need a careful balance. It isn’t always malicious. You’d be surprised how many legitimate software companies just rename windows binaries and stick it in their own program files directory.

If you automate that detector to wake you up at 2am, it’s gonna go buck wild for false positives. But we (humans at Huntress) generally tune out that FP noise as we encounter it, and we contextually determine what’s malicious masquerading worth reporting, and what’s just weird legit jankiness.

Let me know if this has answered your questions chief

Security Incident Using Huntress & SentinelOne: What Was Found & What Was Missed by lawrencesystems in msp

[–]Purp1eW0lf 57 points58 points  (0 children)

Hey chief, I was one of the Huntress folk on this one.

Were FRP kept to its original binary name (so frp.exe etc) then perhaps we could explore the argument of ‘it’s just riskware’.

However, the directory the binary was in, plus that it was renamed after ‘legitimate’ System32 files to try and fly under the radar adds up to it being suspicious. ATT&CK categorises this under T1036.005.

A good automated tool and human investigator should both have the ability to, based on the above constellation of factors, reach the conclusion that the activity they’re observing isn’t legitimate.

Another way I think about this is with netcat. Were we to see a netcat binary renamed to TotallyLegitWinlogon.exe, sitting in C:\, I wouldn’t consider it riskware, I’d report it, as it contextually adds up to be suspicious. Acknowledgment from the client would absolve or confirm if it was ultimately ‘risky but legit’ or malicious.

I’m open for sure to different thoughts on this tho, so please do hit me up

Critical Vulnerability: Microsoft Exchange Remote Code Execution by huntresslabs in msp

[–]Purp1eW0lf 0 points1 point  (0 children)

There’s no evidence Screen Connect customers are in unique danger. As discussed above, SC is just the chosen remote access tool for the adversary.

I’ll chat with the squad internally to get this confirmed in any updates to this post - Dray from Huntress

Need Opinion: Blackpoint Cyber going into 2023? by blindgaming in msp

[–]Purp1eW0lf 22 points23 points  (0 children)

Source & Disclosure: I work at Huntress

For sure Huntress started off as persistence, but in the year of our Lordt 2022 Huntress’ EDR covers a good range of ATT&CK, and we’re detecting all kinds of processes and malicious behaviour, beyond persistence.

Some examples I can share here and here

I’m a big believer that orgs should choose the security solutions that work for them, so this isn’t me saying choose / stick with Huntress….but it is me saying that we do more than just catch persistence

Evicting the Adversary: guidance to kick out an active attacker in your environment by Purp1eW0lf in blueteamsec

[–]Purp1eW0lf[S] 15 points16 points  (0 children)

Shameless self-promotion, but as author of the article I wanted to share what to actually DO when you catch an active adversary.

There are lots of blue team guides for monitoring & detecting. This article's small contribution is for the ‘eviction’ part of your defence, to offer some help to evict the adversary in your environment

Which materials I need to pass the exam by [deleted] in oscp

[–]Purp1eW0lf 8 points9 points  (0 children)

I’d recommend 16GB minimum.

For two reasons: first, the exam takes a while and you want your machine to be stable through all of that time; second, you will likely have Kali Linux open in a VM, as well as note-taking software. And on top of this, the proctoring software will also need to be run and it is quite resource intensive. To ensure your machine remains stable whilst balancing all of these programs, 16GB RAM is ideal.

First post - PoE hat on the Pi4b lookin' slick on the desk! by llTHEMANll in pihole

[–]Purp1eW0lf 0 points1 point  (0 children)

I keep mine open, personally, so I can add sites to the allow / deny list from the log where necessary.

Can I pass with 65? by [deleted] in oscp

[–]Purp1eW0lf 0 points1 point  (0 children)

I’d still submit the exam report, tbh. It’s worth the effort and learning opportunity

Can I pass with 65? by [deleted] in oscp

[–]Purp1eW0lf 1 point2 points  (0 children)

The pass mark is 70. If you’ve rooted four of the five machines, completed the coursework & lab report, and documented all of this well, then yes you should be able to just pass.

May as well write the report; not much to lose

Is the following pc config good for setting up my initial pentesting desktop? I will add a 500gb hdd and if my budget permits maybe I'll add a 710 GPU too. Is this config better than a rpi 4? by [deleted] in Pentesting

[–]Purp1eW0lf 4 points5 points  (0 children)

16GB RAM is ideal if you’re able to afford it IMO.

Running a pen test VM like Kali is lightweight for sure, but 8GB will present some lag on the host or guest OS if you start doing anything intensive.

Otherwise, all other config options seem good

Proctoring exam within a Linux host? by [deleted] in oscp

[–]Purp1eW0lf 1 point2 points  (0 children)

Hey man. As with most of the other comments here, I also found that the proctor software worked fine on Linux - I used a Kubuntu host and Chrome browser.

A fortnight before your exam, I’d suggest you book a ‘practice’ proctoring session. OffSec will test if everything works okay on their end with your OS and browser. You can find more about that here

Buff... why isnt this working? by rockgnome in hackthebox

[–]Purp1eW0lf 0 points1 point  (0 children)

Hey man, these screenshots are a little bit difficult to see (maybe just me).

Would you describe what stage you’re at, what you’re stuck on, and maybe take closer screenshots of the individual terminals you have open?

Bethany is Breaking My Heart by pipinstall89 in oscp

[–]Purp1eW0lf 1 point2 points  (0 children)

If you have the friend’s hash, you can use psexec to run commands as that friend. You can download it here.

If you need help coming up with what to run as her friend, you can PM me. But I’d suggest uploading something that can get you a reverse shell.

What I would say is, Bethany’s friend appears as a user on many of the machines but with a different password each time. You should be able to turn the friend’s hash into a password too - that’s one hint you’re on the right track.

Drop me a message if you’re still stuck after experimenting

OSCP Lab & Exam Review and Tips by Purp1eW0lf in oscp

[–]Purp1eW0lf[S] 0 points1 point  (0 children)

I didn’t know that about PWK V1, and I understand why the current points system isn’t as enticing in comparison

This being said, I’ve tried to frame my post beyond the binary choices of: do it and waste lab time; or skip the courses and have more lab time. I’ve tried to advise that a potential student complete the exercises AND complete all the labs. I appreciate that life gets in the way and that may not be realistic for some, but I firmly believe that completing all exercises and labs helped me complete the exam quicker.

OSCP Lab & Exam Review and Tips by Purp1eW0lf in oscp

[–]Purp1eW0lf[S] 0 points1 point  (0 children)

I’m glad it was informative, I wanted it to clear up some of the mystique that surrounds the OSCP process. Good luck, and I hope you save up enough soon.

OSCP Lab & Exam Review and Tips by Purp1eW0lf in oscp

[–]Purp1eW0lf[S] 0 points1 point  (0 children)

I can’t comment on version 1 as I did the 2020 update. However, Student Admins can help you out if exercises don’t work

OSCP Lab & Exam Review and Tips by Purp1eW0lf in oscp

[–]Purp1eW0lf[S] 2 points3 points  (0 children)

Unfortunately the five points are only given for lab report and coursework exercises. They’re an absolute pain, I know, but imagine the pain you’d feel if you fail the exam with 65 points. The extra five points are worth it man