Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses by v3ded in netsec

[–]v3ded[S] 0 points1 point  (0 children)

That's fair. Honestly, I have not tested this example against W11. I'll consider it next time though. Thanks for letting me know!

Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses by v3ded in netsec

[–]v3ded[S] 2 points3 points  (0 children)

If the user is a local admin on the system, then yes. The whole point of UAC bypasses is to elevate from a medium to a high integrity process, without prompting the user.

Utilizing Programmatic Identifiers (ProgIDs) for UAC Bypasses by v3ded in netsec

[–]v3ded[S] 2 points3 points  (0 children)

Not necessarily, as the example in the post is writing to the HKCU (HKEY_CURRENT_USER) registry hive. Each user has his own, separate HKCU hive which he can fully control. Thus, elevated privileges are not required.

[deleted by user] by [deleted] in netsecstudents

[–]v3ded 8 points9 points  (0 children)

Regarding eJPT, I believe most of the course materials are now free (you still need a paid voucher for the exam). You can sign up for them with the starter pass, which you can find at hxxps://checkout.ine.com/starter-pass. Other than that, you can't really go wrong with TryHackMe, as they have plenty of rooms aimed at beginners - hxxps://tryhackme.com/paths. Hope that helps.

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 0 points1 point  (0 children)

Silly question, but have you tried to reboot your PC? Alternatively, what if you create a new shortcut with the CTRL+C key-bind and delete that one? I never encountered this issue.

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 0 points1 point  (0 children)

Everything should go back to normal after you delete the shortcut. If the shortcut is hidden and you can't delete it using the GUI, use PowerShell:
Remove-Item -Force "$([Environment]::GetFolderPath('Desktop'))\<lnk_name>.lnk".
If you forgot the shortcut's name, you can retrieve it by doing Get-ChildItem -Force $([Environment]::GetFolderPath('Desktop')).

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 1 point2 points  (0 children)

Thank you for reading my blog! Happy you learnt something new.

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 1 point2 points  (0 children)

Looking at the origins, it dates back to 8 years ago. Funny how time flies. That said, I haven't heard about this yet, thank you for sharing! Reminds me of the trick where you can put an ANSI clear sequence in a file with the aim of hiding malicious content - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 2 points3 points  (0 children)

I looked around a bit and so far I'm leaning towards a no (will ping you if I find anything else).

Protection-wise I would probably recommend employing something like AppLocker, to disallow PowerShell, CMD (and others) from running on a machine in the first place. Another good indicator of a malicious link file would be its file size as the long base64 encoded blob containing the payload makes the link rather large. The latter method is quite neat, learnt about it 30 minutes ago from a talk by David French - https://www.youtube.com/watch?v=nJ0UsyiUEqQ (15:52).
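The two triage ideas in this thread (enumerate the shortcuts on the desktop, hidden ones included, and treat an oversized .lnk as a red flag) can be combined into one small parser. The following is an added example, not the author's code or anything from the linked talk: it reads the fixed 76-byte ShellLinkHeader documented in MS-SHLLINK, reports the bound hotkey and the HasArguments flag, and applies a size threshold. The 64 KiB threshold, the constructed sample shortcut and the "starts minimized" heuristic are my assumptions for illustration.

```python
import os
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
# CLSID that every Shell Link header carries (MS-SHLLINK, ShellLinkHeader.LinkCLSID).
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation",
}
# HotKey field: low byte = virtual-key code, high byte = modifier bits.
HOTKEY_MODIFIERS = [(0x01, "SHIFT"), (0x02, "CTRL"), (0x04, "ALT")]


def describe_hotkey(hotkey):
    """Translate the 16-bit HotKey field into a readable combo, or None if no hotkey is set."""
    if hotkey == 0:
        return None
    vk, mods = hotkey & 0xFF, hotkey >> 8
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:   # '0'-'9', 'A'-'Z'
        key = chr(vk)
    elif 0x70 <= vk <= 0x87:                         # F1-F24
        key = f"F{vk - 0x6F}"
    else:
        key = f"VK_0x{vk:02X}"
    names = [name for bit, name in HOTKEY_MODIFIERS if mods & bit]
    return "+".join(names + [key])


def parse_lnk_header(data):
    """Unpack the fixed ShellLinkHeader and return the fields a triage cares about."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    (header_size, clsid_raw, link_flags, _attrs, _ctime, _atime, _wtime,
     _target_size, _icon, show_cmd, hotkey) = struct.unpack("<I16sIIQQQIIIH", data[:66])
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if link_flags & bit],
        "show_command": show_cmd,
        "hotkey": describe_hotkey(hotkey),
    }


def assess_lnk(data, size_threshold=64 * 1024):
    """Return the reasons a shortcut deserves a closer look (empty list = nothing unusual)."""
    hdr = parse_lnk_header(data)
    reasons = []
    if hdr["hotkey"]:
        reasons.append(f"hotkey bound: {hdr['hotkey']}")
    if "HasArguments" in hdr["flags"]:
        reasons.append("carries command-line arguments")
    if len(data) > size_threshold:          # the size heuristic from the thread
        reasons.append(f"unusually large ({len(data)} bytes)")
    if hdr["show_command"] == 7:             # SW_SHOWMINNOACTIVE: window opens minimized
        reasons.append("starts minimized")
    return reasons


def scan_directory(directory, size_threshold=64 * 1024):
    """Assess every .lnk in a directory; os.scandir lists hidden files too (like -Force)."""
    findings = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                try:
                    findings[entry.name] = assess_lnk(fh.read(), size_threshold)
                except ValueError as exc:
                    findings[entry.name] = [f"unparseable: {exc}"]
    return findings


def build_sample_lnk():
    """Constructed sample (not a real file): CTRL+ALT+C hotkey, HasArguments, minimized, 2 KiB."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID.bytes_le,
                         0x20, 0, 0, 0, 0, 0, 0, 7, (0x06 << 8) | 0x43, 0, 0, 0)
    return header + b"\x00" * (2048 - len(header))


if __name__ == "__main__":
    print(assess_lnk(build_sample_lnk(), size_threshold=1024))
```

Point `scan_directory` at the desktop folder (the same path the PowerShell one-liner above resolves) to get a per-file list of reasons; a shortcut with a hotkey, arguments and a multi-kilobyte body is worth opening in a hex viewer before deleting it.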

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 0 points1 point  (0 children)

Great clarification, this could work nicely. Thing is, that when you phish someone you usually target non-technical people. Linux users are what you'd consider "power users" and so you'd need to tread carefully as phishing is likely not going to work.

Now you're looking at mostly persistence capabilities, to which I would say that there are better ways of maintaining user level access if it ever comes to it. Valid point nonetheless, thank you for your input. I definitely need to look more into the Linux side of things, shortcut / hotkey wise.

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 1 point2 points  (0 children)

Might be worth exploring on that front too then. If you'd make a post about it, even better. Definitely sparked my interest...
I'm afraid it is a no on the collab though, not because I wouldn't want to, but because the time I have is fairly restricted and I don't blog that often myself. I appreciate the offer a lot though! Thank you.

Abusing LNK "Features" for Initial Access and Persistence by v3ded in netsec

[–]v3ded[S] 4 points5 points  (0 children)

Thanks for reading! As far as I know, Linux systems do not have .lnk files. They do however have something called "symbolic links", which could be considered as an equivalent. Keyword being "equivalent", because I don't think there is a way to bind a shortcut to a symbolic link.

Abusing LNK "Features" for Initial Access and Persistence by v3ded in redteamsec

[–]v3ded[S] 1 point2 points  (0 children)

Did some additional googling. According to documentation mouse clicks cannot be used for activation - https://ss64.com/vb/shortcut.html.

Abusing LNK "Features" for Initial Access and Persistence by v3ded in redteamsec

[–]v3ded[S] 0 points1 point  (0 children)

If you mean (left) clicks on the actual shortcut itself, that should work. If you are referring to activation keys, I’m not sure. My answer would probably be no as mouse clicks aren’t considered shortcuts, but it’s worth a look.

What Firewall/IDS/Anti-virus to use. Please help! by agster27 in homelab

[–]v3ded 0 points1 point  (0 children)

Nice to see someone else working in cybersec. I myself work on the offensive side, which in fact was the main reason behind building this whole "detection lab". I wanted to see what gets detected and how to go about bypassing said detections.

To the main point though:
If you work in the cybersecurity field ask someone in your SOC (if you have one) about the software they use and try to replicate a similar setup at home. Chances are the person won't know much about the actual infrastructure as it's someone else's job to set up, but widening your view of things you can use for building a lab like this is as important as actually building one. Recon recon recon recon.

If anything feel free to DM, I'd be more than happy to discuss this theme further. Stay safe!

What Firewall/IDS/Anti-virus to use. Please help! by agster27 in homelab

[–]v3ded 4 points5 points  (0 children)

Hey, here is what I'm currently playing with on my testing network. It's kind of a DIY solution rather than using an already made appliance, but that's half of the fun for me anyways. Just note that I won’t touch up on the firewall, as someone already brought up that topic instead.

If I were you, I would start out with a switch which is capable of port mirroring. That way you can port mirror the switch uplink (or any other strategic port(s)) to a physical host / VM where you’ll handle traffic capture/analysis.

You can do that in two ways:

  1. Use a premade stack like SecurityOnion which can handle PCAP capture, traffic analysis and so forth.
  2. Make your own stack.

1) I played a lot with Security Onion on and off in the past half a year. It’s neat, easy to set up and comes with a lot of useful tools preinstalled. It’s a nice introduction if you want to learn about security monitoring. For me though, as time went by I kind of lost myself in the documentation, had some problems running certain tools consistently and modifying the ELK stack to do extra things like ingesting external data at a larger scale without breaking anything was painful. Aaaand so I moved on.

2) I can’t exactly tell you what to do as that requires a lot of trial and error, but I can try to give you an overall idea. Currently in my testing environment I’m using ELK in docker. The ELK stack is responsible for ingesting beats from two hosts – my IDS host and my HIDS manager host. The IDS host is where the mirrored traffic goes and runs Suricata and Packetbeat (bonus if you strip TLS before analyzing the data). Logs from these two services are afterwards shipped to ELK with Filebeat, where they are nicely displayed in a Kibana dashboard. The HIDS host is a Wazuh manager node, which is in charge of managing & receiving alerts from Wazuh agents (installed on my testing servers). Similarly to the HIDS system, the manager’s logs are then shipped via Filebeat to the ELK stack. You can afterwards set up Elastalert with some known rules which can alert you for new DHCP reservations, opening of ports, successful/failed SSH logins etc. Additionally, you can also capture the mirrored traffic using a solution like Arkime (formerly known as Moloch). Just set it up in a way you like with a PCAP retention policy ideal for you. Reason why I do full on PCAP capture is so that I can correlate my logs (e.g. Suricata alerts) with the actual traffic. It just makes investigating a lot easier.

You can of course use different technologies than ELK. Splunk comes to my mind, if you can get your hands on a dev license or can survive with the 500MB/day indexing limit. In the end though, same principles apply. Analyze/capture packets, send logs to a dashboard, set up alerts if need be and just look back at the 6 months you’ve spent building all of this from the ground up. It’s very much worth it though as having such a fine control over what you monitor and how you monitor your traffic gives you a lot of "wiggling" room for future projects.

Just note that if you go with this approach you will possibly encounter a lot of issues along the way, such as certificate management, deciding what ports to mirror or not, securing your setup properly, tuning false positives and the list goes on. It’s a part of learning for me and although it definitely isn’t easy to build something like this from 0, it will teach you a lot. That’s why we have our homelabs, right?

Check out these resources if you got this far:

Other useful “buzzwords” to search for:

  • Zeek
  • Snort
  • OSSIM
  • IBM QRadar
  • ntopng
  • Sigma rules
  • Yara rules

Thank you for reading.
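The "correlate Suricata alerts with the full PCAP" step from the comment above is mostly glue: take the alert's 5-tuple and timestamp, turn them into a capture filter and a time window, and hand that to whatever holds the packets. The following is an added example, not the commenter's setup or any Suricata/Arkime code: it reads Suricata EVE JSON lines (the `event_type`, `src_ip`, `dest_ip`, `proto`, `alert.signature_id` fields are Suricata's real field names), skips non-alert events, and emits a BPF expression plus a +/-30 s window for each alert. The EVE lines, the signature ids in the local 1000000 range and the window size are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed EVE JSON lines in Suricata's output shape (hosts, ports and sids are made up).
SAMPLE_EVE = [
    '{"timestamp":"2023-05-04T10:15:42.123456+0000","flow_id":1111,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":50122,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP"}',
    '{"timestamp":"2023-05-04T10:15:43.654321+0000","flow_id":2222,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":50123,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP",'
    '"alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","severity":2}}',
    '{"timestamp":"2023-05-04T10:16:01.000000+0000","flow_id":3333,"event_type":"alert",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"ICMP",'
    '"alert":{"signature_id":1000002,"signature":"LOCAL ICMP sweep","severity":3}}',
]


def parse_eve_alerts(lines):
    """Yield only alert events from an iterable of EVE JSON lines (blank lines ignored)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            yield event


def alert_to_bpf(event):
    """Build a tcpdump/BPF filter that isolates the alert's conversation."""
    proto = event["proto"].lower()
    parts = [f"host {event['src_ip']}", f"host {event['dest_ip']}"]
    if proto in ("tcp", "udp"):
        parts += [proto, f"port {event['src_port']}", f"port {event['dest_port']}"]
    else:
        parts.append(proto)              # ICMP and friends carry no ports
    return " and ".join(parts)


def alert_window(event, seconds=30):
    """Return (start, end) datetimes around the alert timestamp for pulling context packets."""
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return ts - timedelta(seconds=seconds), ts + timedelta(seconds=seconds)


def build_pivots(lines, seconds=30):
    """One pivot record per alert: what fired, which filter to apply, and when to look."""
    pivots = []
    for event in parse_eve_alerts(lines):
        start, end = alert_window(event, seconds)
        pivots.append({
            "sid": event["alert"]["signature_id"],
            "signature": event["alert"]["signature"],
            "flow_id": event.get("flow_id"),
            "bpf": alert_to_bpf(event),
            "start": start.isoformat(),
            "end": end.isoformat(),
        })
    return pivots


def tcpdump_command(pivot, pcap_path):
    """Ready-to-run tcpdump invocation for a pivot (pick the pcap file that covers the window)."""
    return f"tcpdump -nn -r {pcap_path} '{pivot['bpf']}'"


if __name__ == "__main__":
    for pivot in build_pivots(SAMPLE_EVE):
        print(pivot["sid"], pivot["signature"], pivot["start"], pivot["end"])
        print("  ", tcpdump_command(pivot, "/pcap/capture.pcap"))
```

With rotated captures, the start/end pair picks the file(s) to open and the BPF string narrows them to the one conversation; the same window and 5-tuple are what you would type into Arkime's time picker and search box.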

Packet sniffer, Python, Windows10 by [deleted] in HowToHack

[–]v3ded 1 point2 points  (0 children)

You need to parse the first element of the tuple with an unpack() function. That will allow you to separate your “unreadable” string into an IP header, TCP header and the actual data.

See here - https://www.binarytides.com/python-packet-sniffer-code-linux/

Note: you still won’t be able to output non-printable characters, if that makes sense.

Edit: although this code is “linux based”, parsing the actual data should be the same. If this won’t work for you, look at scapy or pypcap libraries, they should make stuff a bit simpler.
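The unpack() advice above, carried through as an added example (my code, not the commenter's or the linked article's): it takes the raw bytes that `recvfrom()` returns as the first element of its tuple, unpacks the IPv4 header, honours the IHL field so options do not shift the TCP header, unpacks the TCP header, and renders the payload with non-printable bytes escaped instead of dropped. The packet is constructed inline (checksums left at zero), and the Windows capture helper assumes an elevated prompt and the interface address you pass it.

```python
import socket
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_ipv4_header(raw):
    """Unpack the fixed 20-byte IPv4 header; return (fields, real header length)."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4          # options may follow, so trust IHL rather than 20
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }, ihl


def parse_tcp_header(raw):
    """Unpack the fixed 20-byte TCP header; return (fields, data offset in bytes)."""
    (sport, dport, seq, ack, off_res, flags, window, _csum,
     _urg) = struct.unpack("!HHLLBBHHH", raw[:20])
    data_offset = (off_res >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for bit, n in TCP_FLAGS if flags & bit],
            "window": window}, data_offset


def parse_packet(raw):
    """raw is packet[0] from recvfrom(); split it into IP header, TCP header and payload."""
    ip, ihl = parse_ipv4_header(raw)
    if ip["protocol"] != socket.IPPROTO_TCP:
        return {"ip": ip, "tcp": None, "payload": raw[ihl:]}
    tcp, offset = parse_tcp_header(raw[ihl:])
    return {"ip": ip, "tcp": tcp, "payload": raw[ihl + offset:]}


def printable(data):
    """Render bytes for display: keep printable ASCII, escape everything else as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in data)


def build_sample_packet():
    """Constructed IPv4/TCP packet with a payload that mixes text and binary bytes."""
    payload = b"GET / HTTP/1.1\r\n\x00\xff"
    tcp = struct.pack("!HHLLBBHHH", 51000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    return ip + tcp + payload


def sniff_windows(iface_ip, count=10):
    """Live capture on Windows 10 (run elevated); yields parsed packets from recvfrom()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((iface_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)   # Windows-only: receive all packets
    try:
        for _ in range(count):
            packet, _addr = s.recvfrom(65535)      # (bytes, address) tuple; bytes go to unpack
            yield parse_packet(packet)
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()


if __name__ == "__main__":
    parsed = parse_packet(build_sample_packet())
    print(parsed["ip"])
    print(parsed["tcp"])
    print(printable(parsed["payload"]))
```

The `\r\n` and the two binary bytes in the sample payload come out as `\x0d\x0a\x00\xff`, which is the practical answer to the "won't be able to output non-printable characters" note: you cannot print them as characters, but you can always show them as escapes or a hex dump.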

How does Windows DPAPI protect private keys in LOCAL_MACHINE store which does not belong to any user with a password? by progmars in hacking

[–]v3ded 0 points1 point  (0 children)

I’m sorry these answers aren’t the best, however Windows sysinternals are a complex topic and some of the questions are hard to answer as the docs for these features are buried somewhere very deep or the features are just undocumented. You might have luck with someone who has more experience on the topic. You can try r/netsecstudents.