
CVE19

Windows incident analysis 1. Registry analysis. Registry keys related to startup program registration: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce HKLM\Software\Microsoft\Windows\CurrentVersion\Windows\Load HKLM\Software\Microsof.. 2024. 1. 25.
socat https://flower0.tistory.com/778 Socat usage examples. Socat can be used for many purposes; below are a few examples. 1. Port forwarding. Socat can forward a local port to a port on a remote server. $ socat TCP-LISTEN:8080,fork TCP:example.com:80 This example forwards connections arriving on local port 8080 to port 80 on example.com. 2. Proxy server. Socat can be used to set up a proxy server. $ socat TCP-LISTEN:8888,fork TCP:example.com:80 This example forwards connections arriving on local port 8888 to port 80 on example.com.. 2024. 1. 22.
SharpWSUS SharpWSUS is a C# tool for lateral movement through WSUS (Windows Server Update Services). https://github.com/nettitude/SharpWSUS Commands: sharpwsus locate; sharpwsus inspect; sharpwsus create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \\"n.. 2024. 1. 22.
Mimikatz https://research.splunk.com/endpoint/8148c29c-c952-11eb-9255-acde48001122/ Splunk detection search: `wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message "Enabled Privileges:\s+(?<privs>\w+)\s+Disabled Privileges:" | where privs="SeDebugPrivilege" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as "Enabled Privileg.. 2024. 1. 22.
RDPThief https://github.com/0x09AL/RdpThief RdpThief: Extracting Clear Text Passwords from mstsc.exe using API Hooking. RdpThief by itself is a standalone DLL that, when injected into the mstsc.exe process, will perform API.. 2024. 1. 22.
HackBrowserData https://github.com/moonD4rk/HackBrowserData HackBrowserData: Decrypt passwords/cookies/history/bookmarks from the browser. A browser data export and decryption tool that runs on all platforms. HackBrowserData is a command-line tool fo.. 2024. 1. 22.
Analyzing Metasploit traffic https://sapphirex00.medium.com/c2-forensics-analyzing-metasploit-traffic-c0d0a3bb5449 C2 Forensics: Analyzing Metasploit traffic. When working on network traffic analysis, responders need to quickly identify the severity and the depth of the incident once it has been… 2024. 1. 22.
Cobalt Strike https://www.splunk.com/en_us/blog/security/listen-to-those-pipes-part-1.html Listen To Those Pipes: Part 1. In this Hunting with Splunk episode (part 1 of 2), we focus on, you guessed it, pipes. Pipes are a form of inter-process communication (IPC), which can be abused just like processes can. Cobalt Strike uses predefined pipe names. If the bad guys stick to those names, i.. 2024. 1. 22.
CVE-2023-21746 Local Potato vulnerability. NTLM authentication -> LPE. However, if you're trying to authenticate locally, the authentication is set up with a Security Context. BlackArrowSec published a privilege escalation PoC that exploits the StorSvc service, permitting attackers to execute code as SYSTEM by writing a DLL file to any directory in the PATH. The LocalPotato PoC exploits a vulnerability in a specific scena.. 2024. 1. 21.