CyberMonitor

Disable Device Enrollment Program (DEP) notification on macOS Monterey.md

NB! command-R is replaced with holding the power button on M1 macs.

With full reinstall (recommended)

   a. Boot into recovery using command-R during reboot, wipe the harddrive using Disk Utility, and select reinstall macOS

   b. Initial installation will run for approximately 1 hour, and reboot once

CyberMonitor

import re, subprocess, idaapi, ida_segment, ida_kernwin

# To install this, simply put it in your ida_install/loaders folder and open
# a `/proc/<pid>/mem` file!
#
# You might need to set `echo 0 > /proc/sys/kernel/yama/ptrace_scope` if you
# want to be able to dump processes depending on your system configuration.

# Check if the file is supported by our loader
def accept_file(li, filename):

CyberMonitor

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

CyberMonitor

Security Advisories / Bulletins linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

• If you want to add a link, comment or send it to me
• Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

A

Akamai : https://www.akamai.com/blog/news/CVE-2021-44228-Zero-Day-Vulnerability

Apache Druid : apache/druid#12051

Apache Flink : https://flink.apache.org/2021/12/10/log4j-cve.html

CyberMonitor

Assembly Language / Reversing / Malware Analysis -resources

⭐Assembly Language

Modern x64 Assembly

https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA

CyberMonitor

Keybase proof

I hereby claim:

• I am cybermonitor on github.
• I am ziv_chang (https://keybase.io/ziv_chang) on keybase.
• I have a public key ASBNmYg4u_BEktiVGiSQ1qWgeuLopLyjKebpr4luMZOAbgo

To claim this, I am signing this object:

CyberMonitor

### Keybase proof

I hereby claim:

  * I am cybermonitor on github.
  * I am ziv_chang (https://keybase.io/ziv_chang) on keybase.
  * I have a public key ASBNmYg4u_BEktiVGiSQ1qWgeuLopLyjKebpr4luMZOAbgo

To claim this, I am signing this object:

CyberMonitor

Statically checked overloaded strings

This gist demonstrates a trick I came up with which is defining IsString for Q (TExp a), where a is lift-able. This allows you to write $$("...") and have the string parsed at compile-time.

This offers a light-weight way to enforce compile-time constraints. It's basically OverloadedStrings with static checks.

This trick works already in existing (old) GHCs.

CyberMonitor

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

CyberMonitor

#!/usr/bin/env python

"""Utilities for writing code that runs on Python 2 and 3"""

import operator
import sys
import types

__author__ = "Benjamin Peterson <benjamin@python.org>"
__version__ = "1.2.0"