Wietze (@wietze)'s Twitter Profile
Wietze

@wietze

Threat Detection & Response. Views are my own, unless retweeted.

Maintainer of ArgFuscator.net & HijackLibs.net
Co-maintainer of lolbas-project.github.io

ID: 18415052

Website: http://www.wietzebeukema.nl
Joined: 27-12-2008 21:29:58

1.1K Tweets

5.5K Followers

386 Following

Vangelis tix Stykas (@evstykas)

You know what? Today I woke up strange. So LET'S BURN SOME North Korean info! Let's see how their backend works. Shall we? I am going to yolo explain what is happening here (as with most of my research), and if my ADHD mind does not disrupt me it should take 10 minutes!

Wietze (@wietze)

#HuntingTipOfTheDay: Florian is right.
🌩️ Cloud creds often linger in Environment Vars, especially on servers/dev machines
🟠 One compromised endpoint could thus lead to a full cloud breach
🔍 Hunt for exposed tokens: if you can see it, so might an attacker
x.com/cyb3rops/statu…
Wietze (@wietze)

#HuntingTipOfTheDay: proxy execution via ComputerDefaults.exe by setting this registry key; as it auto-elevates, it also allows for UAC bypass (!).
🔴 Executing parent is usually explorer.exe, making detection harder
🔍 Hunt for reg changes to this key
👉 lolbas-project.github.io/lolbas/Binarie…

Wietze (@wietze)

#HuntingTipOfTheDay: USB worms are still a thing - often the initial infection happens when a user clicks a malicious shortcut on a USB device. See if you can correlate executions with .LNK files on remote drives to find possible badness.

Wietze (@wietze)

#HuntingTipOfTheDay: AppleScript via osascript is still a popular way for infostealers to get credentials/escalate access. Although some (poorly coded) updaters use this "legitimately", hunting for osascript referencing password dialogs might surface behaviour of interest.

Wietze (@wietze)

#HuntingTipOfTheDay: Stuck in vi/vim? Open a reverse shell to exit remotely 🙃

Not just a joke - you can make vi/vim run arbitrary commands, not all methods to do so are well detected.
🔍 Hunt for child processes of vi(m), especially those that are rare in your environment.
Wietze (@wietze)

#HuntingTipOfTheDay: you know how to spot/decode Base64 or XOR in PowerShell… but what about SecureString? This AES-based encryption is native to PowerShell; attackers have been seen to use this for PowerShell obfuscation.

🔍 Hunt for known SecureString decoding commands
Wietze (@wietze)

As June comes to an end, so does #HuntingTipOfTheDay. I hope you enjoyed them! 👉 Find all threat hunting tips here: x.com/search?q=from%…

Wietze (@wietze)

🆕 Recent additions to LOLBAS-Project.github.io:

• shell32.dll,#44 for DLL execution
• PhotoViewer.dll for INetCache download
• winget.exe for AWL Bypass
• mmc.exe for download (via GUI)
• cipher.exe for anti-forensics

➕: the #LOLBAS project now supports dark mode 😎
Oddvar Moe (@oddvarmoe)

🚨 Heads-up for #AppLocker admins on #Lenovo laptops. ICYMI There's a sneaky leftover file inside C:\Windows\ that can be used to bypass your AppLocker restrictions. 😱 It’s part of Lenovo’s OEM setup. Worth checking for and removing if you rely on AppLocker. 🔍 Info about the

John Hammond (@_johnhammond)

Video demo to play with ArgFuscator -- the super cool research and utility from Wietze to obfuscate command-lines to try and evade AV or EDR detection 😎 And to test your rules if any of these crazy looking commands fly under the radar! youtu.be/6-Gbv0h7m1I

Wietze (@wietze)

This is how I found my coffee machine today. Either it needs descaling, or it is running a PoC for a denial of caffeine attack.

Olaf Hartong (@olafhartong)

During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs. github.com/olafhartong/Ba… Slides available here: github.com/olafhartong/Pr…