#knowledgedrop — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #knowledgedrop, aggregated by home.social.
-
Interesting observation:
Hard-coded RAM relocations (i.e. not ASLR) are actually way less common in modern-day (64-bit) programs than you think. Most jumps etc. are relative and not hard-coded, e.g. in the .reloc table. I ran some velo tests and only one program on my standard Windows 10 installation with browsers had hard-coded relocations: Velociraptor itself.
#RAM #memory #relocation #velociraptor
PS: before someone complains: yes, 32-bit programs have Base of Data relocations, but that's for backwards compatibility, if I'm correctly informed.
-
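The relocation observation above comes down to how many absolute addresses a binary still carries as fixups in its .reloc table. The script below is an added example, not code from the post and not Velociraptor's own tooling: a minimal PE parser that reports the DYNAMIC_BASE and HIGH_ENTROPY_VA flags and counts the base-relocation fixups, run against a constructed PE32+ image by default or against a real file given on the command line. Header offsets and flag values are those of the PE/COFF format; the constructed image, its section layout and the sample flag values are assumptions of this example.

```python
import struct
import sys

# Constants from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR opt-in)
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA: 64-bit address space randomisation
DIR_BASERELOC = 5         # index of the base relocation table in the data directories
RELOC_TYPES = {0: "ABSOLUTE", 3: "HIGHLOW", 10: "DIR64"}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for _name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def analyze_pe(data):
    """Report the ASLR flags and count base-relocation fixups, i.e. absolute addresses the loader must patch."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dirs = opt + (112 if magic == 0x20B else 96)   # data directories start here (PE32+ vs PE32)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    reloc_rva, reloc_size = struct.unpack_from("<II", data, dirs + 8 * DIR_BASERELOC)

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))

    # Walk the relocation blocks: (PageRVA, BlockSize) followed by 16-bit entries with the type in the top 4 bits.
    counts = {}
    if reloc_size:
        pos = rva_to_offset(sections, reloc_rva)
        end = pos + reloc_size
        while pos + 8 <= end:
            _page_rva, block_size = struct.unpack_from("<II", data, pos)
            if block_size < 8 or pos + block_size > end:
                raise ValueError("corrupt relocation block")
            for off in range(pos + 8, pos + block_size, 2):
                rtype = struct.unpack_from("<H", data, off)[0] >> 12
                key = RELOC_TYPES.get(rtype, f"type{rtype}")
                counts[key] = counts.get(key, 0) + 1
            pos += block_size
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "has_reloc_section": any(s[0] == ".reloc" for s in sections),
        "fixups": sum(n for t, n in counts.items() if t != "ABSOLUTE"),  # ABSOLUTE entries are alignment padding
        "fixup_types": counts,
    }


def build_sample_pe(with_relocs=True, dll_chars=0x0160):
    """Constructed PE32+ headers plus a tiny .reloc section (not loadable; only for exercising the parser)."""
    reloc = b""
    if with_relocs:
        # One block for page 0x1000: two DIR64 fixups plus one ABSOLUTE entry padding the block to 4 bytes.
        entries = [(10 << 12) | 0x010, (10 << 12) | 0x020, 0]
        reloc = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack("<3H", *entries)
    nsec, opt_size, align = (2 if with_relocs else 1), 240, 0x200
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)                    # DllCharacteristics
    if with_relocs:
        struct.pack_into("<II", opt, 112 + 8 * DIR_BASERELOC, 0x2000, len(reloc))
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, align, align, 0, 0, 0, 0, 0x60000020)
    if with_relocs:
        secs += struct.pack("<8sIIIIIIHHI", b".reloc", len(reloc), 0x2000, align, 2 * align, 0, 0, 0, 0, 0x42000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(align, b"\0") + b"\xcc" * align
    return image + reloc.ljust(align, b"\0") if with_relocs else image


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in analyze_pe(data).items():
        print(f"{key:>18}: {value}")
```

Two things to keep apart when reading the output: DYNAMIC_BASE is what opts an image into ASLR, and the .reloc fixups are what make moving it possible. Fixups plus DYNAMIC_BASE is the normal, healthy case; no .reloc table and DYNAMIC_BASE clear means the image can only ever load at its preferred base. On x64, RIP-relative addressing removes most fixups from code, so the DIR64 entries that remain are largely absolute pointers in data, such as vtables and function-pointer tables.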
How to filter Zeek logs:
cat conn.log | zeek-cut <columns> | column -t | less -S
(column and less display the columns aligned and readable)
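The one-liner above works because zeek-cut reads the #fields header line and lets you name columns instead of counting them. As an added example (mine, not the post's and not Zeek's own code), the Python below reimplements that column selection on a constructed conn.log and adds the one thing the pipe into less cannot give you, a row filter by value. The sample log, its hosts, ports and byte counts are made up for the example.

```python
# Constructed conn.log in Zeek's tab-separated ASCII format (sample data, not real traffic).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2024-05-01-12-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring",
    "1714564800.100\tCabc1\t10.0.0.5\t51234\t10.0.0.9\t445\ttcp\t-\t1.50\t320\t4096\tSF",
    "1714564801.200\tCdef2\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\tssl\t0.90\t1200\t55000\tSF",
    "1714564802.300\tCghi3\t10.0.0.7\t40000\t10.0.0.9\t3389\ttcp\t-\t-\t-\t-\tS0",
    "#close\t2024-05-01-12-05-00",
])


def parse_zeek_log(text):
    """Read a Zeek ASCII log; return (field names, unset marker, rows as dicts keyed by field name)."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator itself is written escaped in the header, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
            rows.append(dict(zip(fields, values)))
    return fields, unset, rows


def to_count(value, unset="-"):
    """Zeek 'count' fields may be unset (the #unset_field marker); return None instead of failing."""
    return None if value == unset else int(value)


def zeek_cut(text, columns, where=None):
    """Like `zeek-cut col1 col2 ...`: select named columns, optionally keeping only rows where(row) is true."""
    fields, _unset, rows = parse_zeek_log(text)
    missing = [c for c in columns if c not in fields]
    if missing:
        raise KeyError(f"unknown field(s) {missing}; available: {fields}")
    return [[row[c] for c in columns] for row in rows if where is None or where(row)]


def format_table(rows):
    """Align columns the way `column -t` does."""
    if not rows:
        return ""
    widths = [max(len(r[i]) for r in rows) for i in range(len(rows[0]))]
    return "\n".join("  ".join(v.ljust(w) for v, w in zip(r, widths)).rstrip() for r in rows)


if __name__ == "__main__":
    cols = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "resp_bytes", "conn_state"]
    # SMB connections only: the kind of row filter that `zeek-cut | less` alone cannot do.
    smb = zeek_cut(SAMPLE_CONN_LOG, cols, where=lambda r: r["id.resp_p"] == "445")
    print(format_table([cols] + smb))
```

The unset marker matters when filtering: a half-open connection has "-" in orig_bytes and resp_bytes, so convert through to_count (or the equivalent check) before comparing numerically, otherwise the filter throws on the first S0 row.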
-
#psexec can be detected by .key files:
"Starting with PsExec v2.30 [...], anytime a PsExec command is executed, a .key file gets written to the file system and will be recorded in the USN Journal on the target system. It will follow this naming convention: PSEXEC-[Source Hostname]-[8 Unique Characters].key and will be located at the C:\Windows directory." [1]
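The quoted artefact is a file-name convention, so the detection is a match on that name, either against a directory listing or, because the file may already be gone, against USN journal records. The Python below is an added example and not code from the post or from Sysinternals: it applies the convention to constructed USN-style records, keeps deleted files, and flags matches that turn up outside C:\Windows. The record layout, the alphanumeric alphabet assumed for the 8 unique characters, and the sample hostnames are assumptions of this example.

```python
import re
from collections import Counter

EXPECTED_DIR = r"C:\Windows"  # where the quoted convention says the key file is written

# Naming convention quoted above: PSEXEC-[Source Hostname]-[8 Unique Characters].key
# Assumption of this example: the 8 characters are alphanumeric. Hostnames may contain hyphens,
# so the host group is greedy and the fixed-length trailing group anchors the split.
PSEXEC_KEY_RE = re.compile(r"^PSEXEC-(?P<host>.+)-(?P<id>[A-Za-z0-9]{8})\.key$", re.IGNORECASE)

# Constructed USN-journal-style records (not a real journal dump): USN, time, reason flags, full path.
SAMPLE_USN_RECORDS = [
    {"usn": 1001, "time": "2024-05-01T12:00:01Z", "reason": "FILE_CREATE",
     "path": r"C:\Windows\PSEXEC-ADMIN-WS01-3f9a2b1c.key"},
    {"usn": 1002, "time": "2024-05-01T12:00:01Z", "reason": "DATA_EXTEND|CLOSE",
     "path": r"C:\Windows\PSEXEC-ADMIN-WS01-3f9a2b1c.key"},
    {"usn": 1003, "time": "2024-05-01T12:00:03Z", "reason": "FILE_DELETE|CLOSE",
     "path": r"C:\Windows\PSEXEC-ADMIN-WS01-3f9a2b1c.key"},
    {"usn": 1004, "time": "2024-05-01T12:30:00Z", "reason": "FILE_CREATE",
     "path": r"C:\Windows\psexec-jump1-00ff00ff.KEY"},
    {"usn": 1005, "time": "2024-05-01T12:45:00Z", "reason": "FILE_CREATE",
     "path": r"C:\Windows\Temp\PSEXEC-ADMIN-WS01-deadbeef.key"},
    {"usn": 1006, "time": "2024-05-01T13:00:00Z", "reason": "FILE_CREATE",
     "path": r"C:\Windows\PSEXEC-notes.key"},
    {"usn": 1007, "time": "2024-05-01T13:05:00Z", "reason": "FILE_CREATE",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},
]


def split_path(path):
    """Split a Windows path into (directory, file name)."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def find_psexec_key_files(records):
    """One event per PsExec key file seen in the journal, including files that were deleted again."""
    events = {}
    for rec in records:
        directory, name = split_path(rec["path"])
        m = PSEXEC_KEY_RE.match(name)
        if not m:
            continue
        ev = events.setdefault(rec["path"].lower(), {
            "path": rec["path"],
            "host": m.group("host"),          # the machine PsExec was launched from
            "id": m.group("id"),
            "first_seen": rec["time"],
            "in_expected_dir": directory.lower() == EXPECTED_DIR.lower(),
            "deleted": False,
        })
        ev["first_seen"] = min(ev["first_seen"], rec["time"])  # records need not arrive in USN order
        if "FILE_DELETE" in rec["reason"]:
            ev["deleted"] = True
    return sorted(events.values(), key=lambda e: e["first_seen"])


def source_host_counts(events):
    """How many PsExec sessions each source host opened against this machine."""
    return dict(Counter(e["host"] for e in events))


if __name__ == "__main__":
    for e in find_psexec_key_files(SAMPLE_USN_RECORDS):
        note = "" if e["in_expected_dir"] else " (outside C:\\Windows, look closer)"
        print(f'{e["first_seen"]} from {e["host"]} id={e["id"]} deleted={e["deleted"]}{note}')
```

On a live host, Get-ChildItem C:\Windows -Filter 'PSEXEC-*.key' only finds files that still exist; fsutil usn readjournal C: (run elevated) dumps the journal, and its file names are what the pattern above should be run over. Because the quote ties the file to PsExec 2.30 and later, its absence says nothing about older builds or other remote-execution tooling.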
-
There's a newish #linux tool similar to #sysmon by @0xrawsec from @circl:
https://why.kunai.rocks/
(see also @kunai_project). PS: it is written in #rust :blobwink: