
@duzvik
duzvik / AssumeRoleWithSAML.json
Created December 15, 2020 12:13
AssumeRoleWithSAML example
{
  "eventVersion": "1.04",
  "userIdentity": {
    "type": "SAMLUser",
    "principalId": "71ECIxd9HdqExample:Bob",
    "userName": "Bob",
    "identityProvider": "71ECIxd9HdqExample"
  },
  "eventTime": "2016-03-09T01:22:27Z",
  "eventSource": "sts.amazonaws.com",
@duzvik
duzvik / scrdec18-VC8.exe
Created September 29, 2020 07:43 — forked from bcse/scrdec18-VC8.exe
Windows Script Decoder 1.8 (Decoding JScript.Encoded)
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
title: Possible emails/attachments extraction by Emotet
description: Detects an Emotet malware component that extracts emails and attachments from Outlook.
author: Den Iuzvyk
detection:
  condition: selection and not filter
  selection:
    EventID: 7
    ImageLoaded|endswith: mapi32.dll
  filter:
    Image|endswith: outlook.exe

Registry keys Deleted (Apparently)

  • HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
  • HKLM\System\CurrentControlSet\Control\WMI\Security\08dd09cd-9050-5a49-02f8-46fd443360a8
  • HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences\0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\ChannelReferences
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
@duzvik
duzvik / sigma.yml
Created June 7, 2020 16:39
Processes accessing the camera and microphone from suspicious folder
title: Processes accessing the camera and microphone from suspicious folder
description: Detects processes accessing the camera and microphone from a suspicious folder
author: Den Iuzvyk
date: 2020/06/07
reference:
  - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
tags:
  - attack.collection
  - attack.t1125
  - attack.t1123
(from: https://simplifiedthinking.co.uk/2015/10/03/install-mqtt-server/ )
Installing Brew
The Mosquitto MQTT Server can be easily installed using Homebrew. If it’s not installed on your system already, then a quick visit to the homepage will give you all you need to get going. Homebrew is an OS X Package Manager for installing and updating non-Mac OS X utilities that are more commonly found in other variants of Linux. To install the basic package manager run the following command.
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Installing Mosquitto MQTT
@duzvik
duzvik / cutter_example.py
Created February 17, 2020 13:39
Cutter notebook example
import cutter
import re

cutter.cmd('aa')  # analyze all functions in the loaded binary
# sample 57752e9a9d3d2b54f68f015a0de589b4
# the function that performs deobfuscation is located at 0x10003630
# the encoded string is passed to this function in the ecx register
# let's find all xrefs to this function and deobfuscate the string passed in ecx
#ed x
# and add a comment at each function call
@duzvik
duzvik / manage-bde.wsf.txt
Created January 31, 2020 21:17 — forked from bohops/manage-bde.wsf.txt
Abusing manage-bde.wsf
I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'. It may be located in SYSTEM32.
Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways.
Here are a few examples that you may or may not find useful -
1) Replace ComSpec Variable
set comspec=c:\windows\system32\calc.exe
cscript manage-bde.wsf
import cutter
import re

cutter.cmd('aa')  # analyze all functions in the loaded binary
decode_func_addr = 0x00401210
cutter.cmd("s %d" % decode_func_addr)  # seek to the decode function
func_info = cutter.cmdj("afij")  # function info as parsed JSON
func_size = func_info[0]['size']
print("Function size %d" % func_size)