New RR Plugin: Identities.pl
Presentation: This past week, I read an interesting FireEye blog post that discussed malware that targets the volume boot record. As I read through the post, I got to step 4, "Component Installation", for the malware, and the Registry values listed caught my eye. I know...go figure, right? The blog post states that a number of values are created within a specific hive file, and that these values refer to the various components of the malware itself. As such, I looked at these values as a great way to determine whether a system was infected, through either digital forensic analysis or active hunting within the enterprise.

The key path for the values listed in the blog post is HKCU\.Default. Hhhmmm...okay, so...where is that hive on the system? As you can see in the figure to the right, taken via RegEdit on my Windows 10 system, the path should be listed as HKU\.Default, where HKU stands for HKEY_USERS, rather than HKCU, which stands for HKEY_CURRENT_USER (which would be me). Regardless, we see the .Default key in the figure. This MSDN blog post lets us know that it's not what we think...no, not at all. That is, this key is not for the Default User profile, from which new user profiles are created, but instead for the Local System account.

The RegRipper profilelist.pl plugin will show us the paths to the NTUSER.DAT hives for the various accounts on the system, including not only the users but the other SIDs as well:

  Path      : %SystemRoot%\system32\config\systemprofile
  SID       : S-1-5-18
  LastWrite : Tue Jul 14 04:53:25 2009 (UTC)

  Path      : C:\Windows\ServiceProfiles\LocalService
  SID       : S-1-5-19
  LastWrite : Thu Dec 30 20:51:42 2010 (UTC)

  Path      : C:\Windows\ServiceProfiles\NetworkService
  SID       : S-1-5-20
  LastWrite : Thu Dec 30 20:51:42 2010 (UTC)

As such, you can extract the NTUSER.DAT file from any of these profiles (for Local System, that is %SystemRoot%\system32\config\systemprofile\NTUSER.DAT) and run the identities.pl plugin, uploaded to the GitHub repository today, against it.
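To show what a RegRipper plugin that checks one of these hives for the malware's component values looks like, here is an added example in the RegRipper plugin style. It is not the identities.pl plugin from the repository and not code from the original post; it assumes (from the plugin's name only) that the values live under a key named Identities at the root of the NTUSER.DAT hive, and the plugin name identities_demo is invented for this example. The rip.pl options, the ::rptMsg/::logMsg reporting calls and the Parse::Win32Registry API are the real RegRipper ones.

```perl
#!/usr/bin/perl
# identities_demo.pl - added example of a RegRipper-style plugin (not the
# identities.pl plugin from the GitHub repository).
# ASSUMPTION: the component values are stored under a key named "Identities"
# at the root of the NTUSER.DAT hive; the real key path comes from the FireEye
# post, not from this example.
package identities_demo;
use strict;
use Parse::Win32Registry;   # hive parser shipped with RegRipper

my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20151220);

sub getConfig     { return %config; }
sub getShortDescr { return "Lists values under the Identities key (component paths written by the malware)"; }
sub getDescr      {}
sub getRefs       {}
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

my $VERSION = getVersion();

sub pluginmain {
    my $class = shift;
    my $hive  = shift;   # path to the extracted NTUSER.DAT, passed in by rip.pl
    ::logMsg("Launching identities_demo v.".$VERSION);
    ::rptMsg("identities_demo v.".$VERSION);

    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = "Identities";   # ASSUMPTION: key name inferred from the plugin name

    if (my $key = $root_key->get_subkey($key_path)) {
        ::rptMsg($key_path);
        # The key's LastWrite time bounds when the components were (re)installed.
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");
        my @vals = $key->get_list_of_values();
        if (scalar @vals > 0) {
            # One line per value: name, type and data, so an analyst can compare
            # the listed component paths against the indicators in the report.
            foreach my $v (@vals) {
                my $name = $v->get_name();
                $name = "(Default)" if ($name eq "");
                ::rptMsg(sprintf "%-25s %-10s %s",
                         $name, $v->get_type_as_string(), $v->get_data_as_string());
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
    }
    else {
        # On a clean hive this branch is the expected result.
        ::rptMsg($key_path." not found.");
    }
}
1;
```

Drop the file into RegRipper's plugins directory and run it against the Local System hive with rip.pl -r systemprofile\NTUSER.DAT -p identities_demo; repeat for the LocalService and NetworkService hives listed by profilelist.pl, since the .Default key covers only S-1-5-18.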
Latest articles from the site "Windows Incident Response":
- Training Philosophy
- Cool Stuff, re WMI Persistence
- Windows Registry Forensics, 2E
- Event Logs
- Links: Plugin Updates and Other Things
- Tools, Links, From the Trenches, part deux
- From the Trenches
- Updated samparse.pl plugin
- The Need for Instrumentation
- Analysis