digirati82.com
Drivers | digirati82
https://digirati82.com/tag/drivers
Windows Logging Service (WLS), DFIR, etc. WLS Licensing and Questions. Adding HFS read support to Windows. Recently I had a coworker request the ability to read an HFS formatted drive with Windows. I found a few scattered articles that pointed to Apple’s “Boot Camp Support Software” including an HFS driver, and it does. How to add read-only HFS support to Windows (64-bit) using Apple’s HFS drivers. Download the latest “Boot Camp Support Software”: http://support.apple.com/kb/DL1721.
digirati82.com
Uncategorized | digirati82
https://digirati82.com/category/uncategorized
Monitoring downloaded file execution: WLS Bro Splunk. Does awesome things with network data. One of those things is performing an analysis of files on the wire, including hashing. WLS does hashing of executed files and loaded DLLs, and tracks each hash that has been seen on the host, setting “NewHash=True” for the first instance. Internet Explorer Zone Number Mapping. A macro that limits the logs to indexes where WLS data is contained.
digirati82.com
WLS 3.3 Released | digirati82
https://digirati82.com/2015/05/04/wls-3-3-released
Burn folder support for FileMonitor. Log file metadata for files found in command line parameters and event logs. Fixed (non-removable) disk monitoring. Network location awareness by joined domain. Optional host name set by DNS resolution. Optional alternate static host name. Monitoring UDF optical media changes. Support for non-FIPS hashing algorithms when FIPS mode is enabled. Suspended process checking (potential process hollowing).
digirati82.com
Boot Camp Support | digirati82
https://digirati82.com/tag/boot-camp-support
Tag Archives: Boot Camp Support. Adding HFS read support to Windows. Recently I had a coworker request the ability to read an HFS formatted drive with Windows. I found a few scattered articles that pointed to Apple’s “Boot Camp Support Software” including an HFS driver, and it does. How to add read-only HFS support to Windows (64-bit) using Apple’s HFS drivers. Download the latest “Boot Camp Support Software”. Opening the msi with Orca.
obscuresecurity.blogspot.com
obscuresec: March 2013
http://obscuresecurity.blogspot.com/2013_03_01_archive.html
Thursday, March 28, 2013. PowerSploit Metasploit = Shells. Metasploit has supported psexec-like functionality with pass-the-hash for several years. Unfortunately, it's mostly useless when an AV product is there to delete the uploaded service binary. Recently, a module (/auxiliary/admin/smb/ psexec command. Into a meterpreter shell? Kali Linux is awesome, but the version of PowerSploit is currently outdated, so let's pull down the script we will eventually run: Call to Function Added. Echo $scriptblock ic...
obscuresecurity.blogspot.com
obscuresec: June 2013
http://obscuresecurity.blogspot.com/2013_06_01_archive.html
Sunday, June 30, 2013. Logging Keys with PowerShell: Get-Keystroke. I was recently inspired by Matt Graeber's series of posts on Microsoft's "Hey, Scripting Guy!" to go back and look at old scripts and implement reflection. One of the scripts that I use regularly and mentioned in a previous post. A preferred method would be to hook each window with SetWindowsHookEx, but there are several security products that flag on that behavior, so I avoided it. If you have read Matt's posts, then you understand why t...
obscuresecurity.blogspot.com
obscuresec: December 2012
http://obscuresecurity.blogspot.com/2012_12_01_archive.html
Wednesday, December 12, 2012. Finding Simple AV Signatures with PowerShell. Executed with the Inject-Shellcode. Was released by class101 which was used to demonstrate how some AV signatures could be bypassed by finding and modifying one byte within the binary. Unfortunately, the original file (and source code?) is no longer available for download by the author. Since the method still works, we decided to create a similar PowerShell script with a few improvements: Do you want to create the directory?
obscuresecurity.blogspot.com
obscuresec: November 2012
http://obscuresecurity.blogspot.com/2012_11_01_archive.html
Friday, November 30, 2012. The amount of effort that goes into writing any book is substantial, but the amount of effort that goes into a great book is mind-boggling. "Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers" by TJ O'Connor is a great book. Despite the "cookbook" title, this book is well-organized and can be read cover-to-cover. If you are a security professional, you have already or will use the methods mentioned in the book. Exporting work...
obscuresecurity.blogspot.com
obscuresec: March 2014
http://obscuresecurity.blogspot.com/2014_03_01_archive.html
Monday, March 31, 2014. Retrieving NTDS.dit without a Shell on the DC. Combine that with PowerShell, and achieving a memory-resident shell, regardless of AV product, was trivial with PowerSploit. Armed with a fully-privileged shell on a seldom used backup server, I was in business. First let's look at the tokens on the box: Of copying the NTDS.dit. But I prefer a simpler one. This technique relies on the Ntdsutil. File and download them both with Meterpreter: HID Reader Arduin...
obscuresecurity.blogspot.com
obscuresec: July 2013
http://obscuresecurity.blogspot.com/2013_07_01_archive.html
Friday, July 19, 2013. Guest Blog Posts and Cons. I had the pleasure of writing a few guest blogs in the last few weeks. If you haven't read them, please check them out: Using the Windows API and Copy-RawItem to Access Sensitive Password Files, on Microsoft's "Hey, Scripting Guy!" Although useful in a pinch, there are niftier methods. PowerSploit: The Easiest Shell You’ll Ever Get. To configure the handler for you. You can check that out here. WMIS: The Missing Piece of the Ownage Puzzle. The post build...