Ftrsec

Uncategorized

Fabarsenal

# Set execution policy
Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force

# Global Variables
$DriveLetter = 'X:'
$baseURL = "https://addons.mozilla.org/fr/firefox/addon/"
$extensions = @(
    "ublock-origin",
    "bitwarden-password-manager",
    "wappalyzer",
    "multi-account-containers",
    "epubreader",
    "traduzir-paginas-web"
)

function Install-ImDisk {
    $DriveLetter = 'X:'
    # Uncomment the below lines if you want to download and install ImDisk
    #Invoke-WebRequest -URI 'https://downloads.sourceforge.net/project/imdisk-toolkit/20220826/ImDiskTk-x64.zip' -OutFile C:\Users\Fabien\Downloads\imdisk.zip
    #Expand-Archive -Path C:\Users\Fabien\Downloads\imdisk.zip […]

Fabarsenal Read more »

Diving into RPC – Exploring a Deeper Layer of Detection

Introduction: In this article, we explore the defensive capabilities of Microsoft RPC (MSRPC) and introduce a powerful tool called RPCFirewall. While many discussions focus on identifying vulnerabilities within MSRPC, we will examine how to use RPCFirewall to detect and mitigate malicious activities that exploit this protocol. MSRPC is a critical component of

Diving into RPC – Exploring a Deeper Layer of Detection Read more »

Detecting browser data theft using Splunk

During my daily cyber watch, I recently found this great article by Will Harris about detecting browser data theft using Windows Event Log 16385: https://security.googleblog.com/2024/04/detecting-browser-data-theft-using.html. I decided to try implementing it in my own Splunk infrastructure and to create detection rules around it. This article will mainly discuss the Splunk

Detecting browser data theft using Splunk Read more »

Evilginx

Disclaimer: The content provided here is for educational purposes only. The techniques, methods, and information discussed are meant to inform and educate about cybersecurity and ethical hacking practices. The creator of this content does not condone, endorse, or promote illegal hacking, unauthorized access to systems, or any form of cyber misconduct. The knowledge shared should

Evilginx Read more »

Useful links

Investigation:
- speakerdeck – ADCS documentation
- shenaniganslabs – Kerberos S4U article
- Windows-Registry-Analysis-Cheat-Sheet
- Detection.fyi – Some detection rules
- web-check – Complete website check (records)
- ssllabs – Check SSL certificates
- Browserling – URL sandbox
- Virustotal – Check IOCs
- Urlscan – Check URLs
- Mxtoolbox – Check mail configuration
- ViewDNS – Check DNS info
- Whatsmydns – Check DNS propagation
- Myip – Check your IP quickly
- Zscaler – Check their CIDR ranges

Splunk:
- https://github.com/splunk/security_content/
- https://research.splunk.com/

Lab:
- Commando-vm
- https://github.com/mrwadams/attackgen

Useful links Read more »

EventCodes

List of notable EventCodes and how to activate them via GPO.

| EventCode | Description | Audit configuration | Action | Category |
| --- | --- | --- | --- | --- |
| 4104 | Microsoft-Windows-PowerShell/Operational | Go to Administrative Templates -> Windows Components -> Windows PowerShell | Select Turn on PowerShell Script Block Logging -> Select Enabled | Script Block Logging |
| 4104 | Saved in text | Go to Administrative Templates -> Windows Components -> | | |

EventCodes Read more »

Decoding HTTPS CONNECT in Proxy Environments

Understanding the difference between the HTTPS CONNECT and GET methods is essential in any environment where proxies are used, such as with Zscaler. This piece sheds light on the CONNECT method and explains why not seeing GET requests in logs doesn’t necessarily mean there’s no connection. Zscaler Agent’s Function: In

Decoding HTTPS CONNECT in Proxy Environments Read more »