Malware can sometimes hide itself or impersonate common Windows processes. These are some of my notes on how to differentiate between real and fake.
Some notes I've used to identify suspicious activity when searching through packet captures.
Of course, some of the basic hunting should include looking at ports and strange host/IP addresses. Other than those basic locations, we can look at the different protocols. …
File entropy is a score of how random the data within a PE file is, on a scale of 0 to 8: 0 indicates the least "randomness" in the file's data, while a score towards 8 indicates the data is more "random".
Files that are encrypted will…
Malware infections via malicious macros (or scripts within Microsoft Office products such as Word and Excel) are some of the most successful attacks to date.
For example, current APT campaigns such as Emotet and QuickBot infect users by sending seemingly legitimate documents attached to emails, e.g. a business invoice. However…
PDFs are capable of containing many more types of code that can be executed without the user's knowledge. This includes:
remnux@thm-remnux:~/Tasks/3$ peepdf notsuspicious.pdf
Warning: PyV8 is not installed!!
File: notsuspicious.pdf
My notes on THM Room.
This room will cover accessing a Samba share, manipulating a vulnerable version of proftpd to gain initial access, and escalating your privileges to root via an SUID binary.
Scan the machine with nmap. How many ports are open?
Not shown: 993 closed ports
Notes on THM Room
nmap -p- -A 10.10.107.122
3 — Port 80, 6498, 65534
By The Dark Raver
-----------------
START_TIME: Thu Sep 23 20:40:33 2021
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.107.122/ ----
==> DIRECTORY: http://10.10.107.122/hidden/…
My Notes on THM Room.
The analysis of iPhone backups made with iTunes is an interesting topic, to say the very least. When backing up an iPhone, iTunes accesses the iPhone in a privileged state — similar to using the sudo command on Linux to run a command with root privileges.
My notes on THM room.
Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.
Using a Yara rule is simple. Every yara command requires two arguments to be valid; these are:
1) The rule file we create
2) Name of file…
My notes on THM room.
You've likely encountered a website that requires you to have special characters, capital letters, and a number in your password. These are password rules, aimed at making your account more secure and harder for attackers to guess. If you're trying to brute-force someone's password and…