Live training session w/ SecurityCert - Part 2
Live training session made in collaboration with SecurityCert and their Discord server.
Little disclaimer for the reader:
All material used in this article can harm your computer if executed outside a safe environment and without proper knowledge.
The author of this article takes no responsibility for your actions: whatever you do (legal or illegal), you will be held responsible.
This article is strictly for educational purposes only.
Topics
- Backdoors
- An introduction to YARA rules
- Scheduled tasks and hidden services
- Multiple masquerading techniques
- PowerShell
- Mimikatz, PsExec and PowerNetcat
- Shellcode loader: CACTUSTORCH
- WMI Triggers and Consumers
- Vulnerable web application leading to RCE
- Startup Persistency
- Possible Cobalt Strike in-memory infection
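The "WMI Triggers and Consumers" topic above refers to permanent WMI event subscriptions: a WQL `__EventFilter` (the trigger), an `__EventConsumer` (what runs), and a `__FilterToConsumerBinding` tying the two together, all stored under the `root\subscription` namespace. The following PowerShell is an added example for the reader and is not code from the session, from SecurityCert, or from any of the linked resources; it enumerates those three classes so you can spot a persistence triplet on a host. It assumes you run it as a local administrator on the machine you are inspecting.

```powershell
# Added example (not part of the original session): enumerate permanent WMI
# event subscriptions, the filter -> consumer -> binding triplet used for
# WMI-based persistence. Assumes local administrator rights.
$ns = 'root\subscription'

Write-Host '== Event filters (WQL triggers) =='
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query |
    Format-List

Write-Host '== Event consumers (what runs when a filter fires) =='
Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object {
    # CommandLineEventConsumer and ActiveScriptEventConsumer execute
    # attacker-supplied content; log/NT-event/SMTP consumers are usually noise.
    # Properties that do not exist on a given consumer class resolve to $null.
    [pscustomobject]@{
        Name    = $_.Name
        Type    = $_.CimClass.CimClassName
        Payload = if ($_.CommandLineTemplate) { $_.CommandLineTemplate }
                  elseif ($_.ScriptText)     { $_.ScriptText }
                  else                        { '' }
    }
} | Format-List

Write-Host '== Bindings (which filter triggers which consumer) =='
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    # Filter and Consumer are object references; their key property is Name.
    [pscustomobject]@{
        Filter   = $_.Filter.Name
        Consumer = $_.Consumer.Name
    }
} | Format-List
```

On a clean workstation the three listings are usually empty or contain only entries created by your own management or EDR tooling; a binding whose consumer is a `CommandLineEventConsumer` or `ActiveScriptEventConsumer` with a PowerShell or script payload is the pattern to investigate.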
Resources
- Cobalt Strike Memory Dumps: link
- LolBas Wmic.exe: link
- Mandiant Python-Cim: link
- Investigating WMI Attacks: link
- PowerShell JEA: link
- Introduction to AMSI: link
- Monitoring WMI Consumers: link
Recording
The recording of the session is available on YouTube and is embedded below: