Research & Detection @nextronsystems | @sigma_hq maintainer | Avid learner and passionate about all things #Detection #Sigma #DFIR #WindowsInternals

HAL
Joined August 2011
Nasreddine Bencherchali retweeted
The MOVEit Transfer exploitation is not just SQL injection (👀). We uncovered the very last stage of the attack chain: dropping human2.aspx ultimately ends up gaining remote code execution ‼ We fully recreated the attack chain with a demo achieving a reverse shell and ransomware!
The #LOLDrivers rabbit hole is deeper than I've ever imagined 🤯
Nasreddine Bencherchali retweeted
I created a Sysmon fork from @nextronsystems to include LOLDrivers.io's sysmon_config_vulnerable_hashes.xml. Thank you and big credits to everyone @SwiftOnSecurity @cyb3rops @olafhartong @nas_bench @_josehelps 😄 github.com/zer0lightning/sys… #Sysmon
Nasreddine Bencherchali retweeted
Check out our latest blog post, where we provide a comprehensive guide on utilizing the free THOR Lite for scanning indicators of a compromised MOVEit Transfer service. Be aware that we've included a link to one of the new 'emerging threat' folders in the Sigma rule repository.
Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite #MOVEit #Vulnerability #CompromiseAssessment #IOCs #YARA #Sigma nextron-systems.com/2023/06/…
Nasreddine Bencherchali retweeted
Hello RichPEHeader, my new friend, I've come to compute you again, Because a vision softly creeping, Through the bits and bytes while I'm sleeping, And the hash that was planted in my brain, Still remains, In the realm of machine strain #LOLDrivers 2.0 Release coming soon
Nasreddine Bencherchali retweeted
The Boots is coming! Can’t wait to share our next project with the community.
Did anyone say anything about a call-trace-like field 👀👀 #AurorAagent cc @cyb3rops
Nasreddine Bencherchali retweeted
One of the tools that I wish people outside of Microsoft would use more is Performance Monitor and Windows Performance Analyzer.
I see Defender wants to have a piece of those drivers 👀 #LOLDrivers
Nasreddine Bencherchali retweeted
Okay, I'm down a rabbit hole, but I'm wracking my brain on this, desperately wanting to figure out how the #MOVEit exploit comes together. We've got, in the known IIS logs, a procedure (coming disjointly from different IPs) that hits up moveitisapi.dll, guestaccess.aspx, etc.
If you're tracking MOVEit, use this VT search to find the DLLs dropping "human2.aspx": virustotal.com/gui/search/na…
Really interesting read. If you follow game dev, check it out.
Replying to @jasonschreier
Here's a link to my Redfall investigation without the paywall bloomberg.com/news/articles/…
Just when you think #LOLDrivers couldn't get more exciting. 600+ new drivers are coming in V2.0 🔥
Nasreddine Bencherchali retweeted
Didn't see it on LOLBAS, but Odbcconf has the "/r" flag to register an rsp file via RunOnce :) The key created uses the path of the binary you provide, i.e., if you copy it to another location it'll use that instead. Useless? Maybe! But fun :) #lolbin More: github.com/nasbench/Misc-Res…
It's LOLBIN week for me. 2 released, a couple more are on the way 🚜👨‍🌾
Nasreddine Bencherchali retweeted
We had a hunch this was using a driver. Get the free 🛡️sysmon block list at #LOLDrivers
Looking for some BYOVD coverage? No worries, #LOLDrivers got you covered. This project was created to shine the light on the darkness. We've seen multiple instances now where the driver was already on our list + some. If you haven't given this project a look and are worried about… tweeter.jakobs.systems/i/web/status/166…
Also good to know: the action flag "/a" isn't required, as it's often seen. So change your CLI-based detection.