| Timestamp | Submitter | Title | Description | Label 1 | Label 2 | Label 3 |
|---|---|---|---|---|---|---|
| 6/20/2021 6:29:51 | Ch33r10 | GitHub Ingress Tool Transfer | I routinely report malware staged on GitHub (they’re pretty responsive). 100% of what I report is observed as part of an attack chain. Rarely - but not never - this involves code from a legitimate author’s repo being pulled into the victim environment by the attacker’s code. https://twitter.com/pmelson/status/1406467994490970113?s=21 If you’d like to hunt this TTP in your own environment, proxy logs calling out to hXXps://raw.githubusercontent[.]com or hXXps://gist.github[.]com URLs are a good place to start. https://twitter.com/pmelson/status/1406469120565125123?s=21 | purpleteam | threathunting | |
| 6/20/2021 8:35:26 | Ch33r10 | Process Ghosting | Evade AV by deleting your payload before running it. https://twitter.com/blackmatter23/status/1406370962984030209?s=21 https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack https://twitter.com/gabriellandau/status/1404835703574482944?s=21 | purpleteam | threathunting | |
| 6/20/2021 8:48:36 | Ch33r10 | CredManBOF cred dumping | BOF file to use with Cobalt Strike, dumping the credential manager by abusing the SeTrustedCredmanAccess privilege. https://github.com/jsecu/CredManBOF | purpleteam | threathunting | |
| 6/20/2021 10:33:28 | Ch33r10 | Phant0m Windows Evasion | Windows Event Log Service will not work. https://twitter.com/ch33r10/status/1406634010189651971?s=21 https://twitter.com/sbousseaden/status/1278013896440324096?s=21 https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747 https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html https://twitter.com/blackmatter23/status/1406933164006723584?s=21 https://twitter.com/blackmatter23/status/1407275816761843715?s=21 Detection for NEW Phant0m released: https://gist.github.com/Antonlovesdnb/9fdbc3ba157666d095b70b5e9e713106 https://twitter.com/Antonlovesdnb/status/1407352174477201420?s=20 | purpleteam | threathunting | |
| 6/21/2021 19:55:15 | Ch33r10 | PowerShell AD object enumeration | adsisearcher https://twitter.com/ninjaparanoid/status/1407137264283504640?s=21 | threathunting | | |
| 6/21/2021 20:04:18 | Ch33r10 | Shadow Creds: Abusing Key Trust Account Mapping for Account Takeover | It is possible to add “Key Credentials” to the attribute msDS-KeyCredentialLink of the target user/computer object and then perform Kerberos authentication as that account using PKINIT. https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab | purpleteam | threathunting | |
| 6/23/2021 11:46:01 | Ch33r10 | SOCKS over RDP | "the server component (.exe) does not require any special privileges on the server side at all, a low privileged user is also allowed to open virtual channels and proxy over the connection." https://research.nccgroup.com/2020/05/06/tool-release-socks-over-rdp/ | purpleteam | threathunting | |
| 6/23/2021 16:00:09 | Ch33r10 | LDAP querying | https://0xdarkvortex.dev/tabs/ratelwarroom_features/badgers/ldapsentinel/ https://github.com/shellster/LDAPPER | purpleteam | threathunting | |
| 6/23/2021 16:01:36 | Ch33r10 | SpecterOps PowerShell adversary tactics training | https://github.com/specterops/at-ps | resource | | |
| 6/26/2021 6:40:55 | Ch33r10 | Pivotnacci SOCKS connections through HTTP agent | https://github.com/blackarrowsec/pivotnacci | purpleteam | | |
| 6/26/2021 19:49:10 | Ch33r10 | Mitigation suggestion for ransomware | Change potentially malicious files to open as txt. https://gist.github.com/ChuckFrey/7f77df907a53309ca5d30387989ff143 https://twitter.com/redcanary/status/1408485279669882880?s=21 | purpleteam | mitigation | |
| 6/28/2021 12:13:21 | Ch33r10 | Sc.exe changing rights on services with sdset | Search for sc.exe changing rights on services with sdset and an ACE like (A;;CCDCLCSWRPLORCWDWO;;;x) where x in ('AU','IU','BU','WD'). You might find an elevation of privilege vuln or a sneaky attacker. https://twitter.com/johnlatwc/status/1409559424201498632?s=21 | threathunting | | |
| 6/28/2021 21:09:05 | Ch33r10 | Lsass silent process exit | https://github.com/deepinstinct/LsassSilentProcessExit | purpleteam | threathunting | |
| 6/29/2021 18:41:29 | Ch33r10 | LDAP Recon | https://blacklanternsecurity.github.io/2021-06-28-Detecting-LDAP-Reconnaissance/ | purpleteam | threathunting | |
| 7/2/2021 7:18:53 | Ch33r10 | 1-click meterpreter exploit chain with BeEF and AV/AMSI bypass (Article from 6/2020) | Article from 6/2020 https://medium.com/@bluedenkare/1-click-meterpreter-exploit-chain-with-beef-and-av-amsi-bypass-96b0eb61f1b6 | purpleteam | threathunting | |
| 7/2/2021 8:07:53 | Ch33r10 | Common Windows functions via rundll user32 and Control Panel | https://gist.github.com/gabe31415/fe2a7bd7213739b2bc407ecf0e100f9a | purpleteam | threathunting | |
| 7/3/2021 20:13:35 | Ch33r10 | .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers | https://github.com/dahall/Vanara | purpleteam | threathunting | |
| 7/4/2021 7:44:37 | Ch33r10 | Understanding & Detecting C2 Frameworks — DarkFinger-C2 | https://nasbench.medium.com/understanding-detecting-c2-frameworks-darkfinger-c2-539c79282a1c | purpleteam | threathunting | |
| 7/5/2021 16:59:10 | Ch33r10 | A Red Team Operation Leveraging a zero-day vulnerability in Zoom | https://medium.com/manomano-tech/a-red-team-operation-leveraging-a-zero-day-vulnerability-in-zoom-80f57fb0822e https://twitter.com/rpargman/status/1412159727862108168?s=21 | purpleteam | threathunting | |
| 7/6/2021 16:30:49 | Ch33r10 | Spotify on corp device LOLBin | https://twitter.com/hexacorn/status/1412517463892414469?s=21 | purpleteam | threathunting | |
| 7/6/2021 17:17:29 | Ch33r10 | Hunting for Phishing Links Using Sysmon and KQL | https://posts.bluraven.io/hunting-for-phishing-links-using-sysmon-and-kql-e87d1118ce5e | threathunting | | |
| 7/6/2021 17:40:36 | Ch33r10 | Windows built-in to list stored credentials | https://twitter.com/johnlatwc/status/1412408658542186501?s=21 | threathunting | | |
| 7/6/2021 17:41:56 | Ch33r10 | Red team tips by Vincent Yiu | https://www.vincentyiu.com/red-team-tips | purpleteam | threathunting | redteam |
| 7/6/2021 22:15:05 | Ch33r10 | New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings | https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/ | resource | malwareanalysis | |
| 7/7/2021 9:24:30 | Ch33r10 | Windows Audit Policy Info | https://medium.com/tenable-techblog/dont-make-your-soc-blind-to-active-directory-attacks-5-surprising-behaviors-of-windows-audit-272551430721 | resource | | |
| 7/7/2021 11:07:10 | Ch33r10 | File extensions used by attackers | https://filesec.io/ | resource | | |
| 7/7/2021 12:00:02 | Ch33r10 | DNS-based dropper using 100% LOLBins | What is interesting (for me as an author) is pure cmd + nslookup + certutil approach. 100% LOLBin, 0% PowerShell, and what's even more interesting, it's nslookup transferring the data, and certutil works only as decoder. https://github.com/gtworek/PSBits/tree/master/DNS/v2 https://twitter.com/0gtweet/status/1409548040105512968?s=21 https://twitter.com/pmelson/status/1408449122106019841?s=21 | purpleteam | | |
| 7/7/2021 16:03:57 | Ch33r10 | Scour AWS Exploitation Framework | Scour is a modern module-based AWS exploitation framework written in Golang, designed for red team testing and blue team analysis. Scour contains modern techniques that can be used to attack environments or build detections for defense. https://github.com/grines/scour | purpleteam | | |
| 7/8/2021 8:41:46 | Ch33r10 | Exploit Mitigations Knowledge Base by NCC Group | https://github.com/nccgroup/exploit_mitigations | resource | | |
| 7/8/2021 9:46:27 | Ch33r10 | Google Dorks cheat sheet | https://ahrefs.com/blog/google-advanced-search-operators/ https://0x00sec.org/t/using-search-engines-for-fun-and-bounties/23832 https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06 Thx to Binni Shah https://twitter.com/binitamshah/status/1413145864126681104?s=21 | resource | | |
| 7/8/2021 11:51:32 | Ch33r10 | BloodHound Detection Ideas | https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Tools/BloodHound.yaml | threathunting | | |
| 7/8/2021 13:33:18 | Ch33r10 | Threat Hunting with Data Science: Registry Run Keys | https://posts.bluraven.io/threat-hunting-with-data-science-registry-run-keys-9ae329d1ad85 | threathunting | | |
| 7/8/2021 16:14:51 | Ch33r10 | DNS Purple/Threat Hunting Ideas | https://twitter.com/pgl/status/1405614755000295427?s=21 | purpleteam | threathunting | |
| 7/8/2021 17:14:49 | Ch33r10 | Cobalt Strike Payload Analysis by Avast | https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/ | resource | threathunting | |
| 7/10/2021 15:53:42 | Ch33r10 | Cobalt Strike hunting tip EID 7045 | Also consider EID 4697. https://twitter.com/svch0st/status/1413688851877416960?s=21 | threathunting | | |
| 7/11/2021 15:46:35 | Ch33r10 | Pentest resource with some Red Team info | Resource for blue to understand different kinds of attack techniques. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Methodology%20and%20Resources | resource | | |
| 7/12/2021 19:50:49 | Ch33r10 | Windows Defender Disabled | https://twitter.com/johnlatwc/status/1414570238423691279?s=21 | threathunting | purpleteam | |
| 7/14/2021 9:00:09 | Ch33r10 | XLS Entanglement | https://www.bc-security.org/post/xls-entanglement/ | purpleteam | threathunting | detection |
| 7/14/2021 9:02:32 | Ch33r10 | Disable security services via registry | https://twitter.com/johnlatwc/status/1415295021041979392?s=21 | threathunting | | |
| 7/14/2021 20:30:35 | Ch33r10 | Cobalt Strike detection resource | https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence | resource | | |
| 7/15/2021 19:24:57 | Ch33r10 | Lsass Memory Dumps are Stealthier than Ever Before – Part 2 | https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ | purpleteam | threathunting | |
| 7/15/2021 19:30:48 | Ch33r10 | Dropbox Engineering Career Framework | https://dropbox.github.io/dbx-career-framework/ic2_security_engineer.html | management | resource | |
| 7/16/2021 7:58:14 | Ch33r10 | OSINT resources including Shodan queries | https://twitter.com/fanimalikhack/status/1415642024875802624?s=21 Shodan: https://securitytrails.com/blog/top-shodan-dorks GitHub: https://securitytrails.com/blog/github-dorks Google: https://securitytrails.com/blog/google-hacking-techniques | resource | OSINT | |
| 7/20/2021 13:26:30 | Ch33r10 | Beaconator stageless shellcode | Beaconator is an aggressor script for Cobalt Strike used to generate raw stageless shellcode and pack the generated shellcode using PEzor. https://github.com/capt-meelo/Beaconator | purpleteam | | |
| 7/21/2021 7:59:39 | Ch33r10 | VTI dorks by Florian Roth | https://github.com/Neo23x0/vti-dorks | resource | | |
| 7/21/2021 13:02:51 | Ch33r10 | API to Sysmon Event Mapping | https://raw.githubusercontent.com/OTRF/API-To-Event/master/images/API-to-Sysmon.svg | resource | | |
| 7/21/2021 15:59:23 | Ch33r10 | Printer Bug Coerced Authentication PetitPotam | new coerced authentication primitive, enabled by default on servers and workstations, and even works anonymously against domain controllers 💣 Combine with AD CS relay (ESC8 in posts.specterops.io/certified-pre-…) and you go: anonymous ➡ domain admin! https://twitter.com/cnotin/status/1417863008324407302?s=21 https://twitter.com/wdormann/status/1418576755389083662?s=21 Detection ideas: https://twitter.com/antonlovesdnb/status/1408804802604187655?s=21 | purpleteam | threathunting | |
| 7/23/2021 14:14:19 | Ch33r10 | UAC bypass through Trusted Folder Abuse | https://twitter.com/blackmatter23/status/1418605481766051844?s=21 | purpleteam | threathunting | detection |
| 7/25/2021 12:00:44 | Ch33r10 | LOLBin command line obfuscation | https://twitter.com/rpargman/status/1419299727376478217?s=21 Following the advice in this blog to look for low-prevalence characters, common substitution characters, or even non-ASCII characters in commands is a great application for #JupyterNotebooks or automation with GlyphHunter: https://github.com/BinaryDefense/glyph-hunter https://twitter.com/wietze/status/1418562387175690242?s=21 https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation https://github.com/wietze/windows-command-line-obfuscation | purpleteam | threathunting | |
| 7/26/2021 12:25:28 | Ch33r10 | Cobalt Strike from a defender's perspective | https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ https://twitter.com/haus3c/status/1419694896995311619?s=21 | resource | | |
| 7/26/2021 12:28:59 | Ch33r10 | InstallUtil LOLBin | https://twitter.com/johnlatwc/status/1419613466407706624?s=21 https://lolbas-project.github.io/lolbas/Binaries/Installutil/ https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ | purpleteam | threathunting | |
| 7/27/2021 9:18:25 | Ch33r10 | C++ code resource: What are TCHAR, WCHAR, LPSTR, LPWSTR, LPCTSTR (etc.) | https://www.codeproject.com/Articles/76252/What-are-TCHAR-WCHAR-LPSTR-LPWSTR-LPCTSTR-etc https://twitter.com/binaryz0ne/status/1419829931455000601?s=21 | resource | | |
| 7/29/2021 10:37:08 | Ch33r10 | NTLM Relaying via Cobalt Strike | https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ | purpleteam | threathunting | |
| 7/29/2021 11:02:54 | Ch33r10 | Guide to Named Pipes and Hunting for Cobalt Strike Pipes | https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 | threathunting | | |
| 7/30/2021 17:53:51 | Ch33r10 | ADCSPwn | A tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying to the certificate service. https://github.com/bats3c/ADCSPwn | purpleteam | | |
| 7/30/2021 18:02:49 | Ch33r10 | Bypassing image load kernel callbacks | https://www.mdsec.co.uk/2021/06/bypassing-image-load-kernel-callbacks/ | purpleteam | | |
| 7/30/2021 18:42:57 | Ch33r10 | Hacker Recipes resource | https://www.thehacker.recipes/active-directory-domain-services/movement/access-control-entries | resource | | |
| 7/31/2021 6:02:47 | Ch33r10 | Pywhisker Shadow Credentials attack on AD | Python version of the C# tool for "Shadow Credentials" attacks. https://github.com/ShutdownRepo/pywhisker Pre-requisites for this attack are as follows: the target Domain Functional Level must be Windows Server 2016 or above; the target domain must have at least one Domain Controller running Windows Server 2016 or above; the Domain Controller to use during the attack must have its own certificate and keys (this means either the organization must have AD CS, or a PKI, a CA or something alike); the attacker must have control over an account able to write the msDS-KeyCredentialLink attribute of the target user or computer account. | purpleteam | | |
| 8/1/2021 8:00:30 | Ch33r10 | AD resource BadBlood | BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is run on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active… https://github.com/davidprowe/BadBlood | resource | | |
| 8/3/2021 6:16:33 | Ch33r10 | Python ctypes to bypass AV/EDR | https://twitter.com/chvancooten/status/1418969800823513093?s=21 | purpleteam | | |
| 8/3/2021 18:43:05 | Ch33r10 | Kerberoast with ACL abuse capabilities | https://github.com/ShutdownRepo/targetedKerberoast | purpleteam | | |
| 8/3/2021 20:45:59 | Ch33r10 | Inceptor - Template-driven AV/EDR Evasion Framework | https://github.com/klezVirus/inceptor https://twitter.com/klezvirus/status/1422223092605194245?s=21 | purpleteam | | |
| 8/3/2021 20:51:46 | Ch33r10 | Spawn - Cobalt Strike BOF | Spawns a sacrificial process with Arbitrary Code Guard (ACG) to evade EDR hooking, BlockDLL to prevent non-MS DLLs from loading, and PPID spoofing. Then injects & executes shellcode. https://github.com/boku7/spawn https://twitter.com/0xboku/status/1421866295646171142?s=21 | purpleteam | | |
| 8/4/2021 10:10:34 | Ch33r10 | SMB signing resource & thread | https://twitter.com/nerdpyle/status/1422626862015029251?s=21 https://techcommunity.microsoft.com/t5/storage-at-microsoft/configure-smb-signing-with-confidence/ba-p/2418102 https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-computer-name-aliases-in-place-of-dns-cname-records/ba-p/259064 | resource | | |
| 8/5/2021 6:10:49 | Ch33r10 | HellsGate PPID | Assembly HellsGate implementation that directly calls Windows system calls and displays the PPID of the explorer.exe process. https://github.com/boku7/HellsGatePPID | resource | exploitdev | |
| 8/7/2021 12:30:11 | Ch33r10 | CyberChef Recipes | https://github.com/mattnotmax/cyberchef-recipes | resource | | |
| 8/7/2021 12:33:11 | Ch33r10 | Creating a Reflective Loader in C# workshop | https://jfmaes-1.gitbook.io/reflection-workshop/ | resource | | |
| 8/9/2021 17:17:58 | Ch33r10 | SigFlip | Tool(s) for patching/injecting shellcode into MS Authenticode-signed PE files without breaking the signature, used for: bit/sig flipping PEs (EXE, DLL, SYS, etc.); encrypting/injecting shellcode into PEs; decrypting/loading shellcode from modified but still signed PE files. https://twitter.com/med0x2e/status/1424441793811259395?s=21 https://github.com/med0x2e/SigFlip | purpleteam | | |
| 8/12/2021 15:44:39 | Ch33r10 | Threat hunting process tree resource | https://posts.bluraven.io/detecting-threats-with-process-tree-analysis-without-machine-learning-838d85f78b2c https://twitter.com/antonlovesdnb/status/1425824113281703936?s=21 | resource | threathunting | |
| 8/15/2021 23:51:32 | Ch33r10 | Extracting and diffing Windows patches in 2020 | https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html | resource | | |
| 8/18/2021 21:45:34 | Ch33r10 | David J Bianco Threat Hunting Project | https://github.com/ThreatHuntingProject/ThreatHunting/tree/master/hunts | resource | threathunting | |
| 8/19/2021 10:58:25 | Ch33r10 | Win Event Examples | https://twitter.com/sbousseaden/status/1428357499292315661?s=21 https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES | threathunting | purpleteam | |
| 8/19/2021 11:01:34 | Ch33r10 | Dump NTDS.dit from domain | https://twitter.com/vk_intel/status/1428384238819323913?s=21 Red Teaming Tip from Conti/Coba Logs: ❔"Safe" to dump NTDS.dit from domain? ...vssadmin list shadows... 🛡️shell wmic /node:"DC01" /user:"DOMAIN\admin" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[0-9]\Windows\NTDS\NTDS.dit | purpleteam | | |
| 8/19/2021 19:16:05 | Ch33r10 | Jackalope Fuzzer for Windows & macOS | https://github.com/googleprojectzero/Jackalope | exploitdev | resource | |
| 8/21/2021 8:27:07 | Ch33r10 | AMSI bypass from 2021 | https://twitter.com/tihanyinorbert/status/1428790212210069508?s=21 | research | | |
| 8/23/2021 8:02:37 | Ch33r10 | Intel writing resource | https://github.com/mxm0z/awesome-intelligence-writing | resource | | |
| 8/23/2021 21:38:12 | Ch33r10 | Malicious PowerShell deobfuscation | https://medium.com/mii-cybersec/malicious-powershell-deobfuscation-using-cyberchef-dfb9faff29f | resource | | |
| 8/24/2021 18:24:54 | Ch33r10 | PowerShell obfuscation resource | https://github.com/gh0x0st/Invoke-PSObfuscation/blob/main/layer-0-obfuscation.md | resource | | |
| 8/26/2021 20:53:44 | Ch33r10 | Conti TTPs using Atomic Red Team and Detection Lab & C2 Infrastructure Hunting | https://michaelkoczwara.medium.com/conti-ttps-using-atomic-red-team-and-detection-lab-c2-infrastructure-hunting-16d159fe0ed8 | purpleteam | | |
| 8/26/2021 21:03:24 | Ch33r10 | An Alternative Way of Using MITRE ATT&CK® for Threat Hunting and Detection | https://posts.bluraven.io/an-alternative-way-of-using-mitre-att-ck-for-threat-hunting-and-detection-be55739dc7aa | resource | | |
| 8/27/2021 17:41:27 | Ch33r10 | Process Injection via custom Beacon Object Files Part 1 | https://cerbersec.com/2021/08/26/beacon-object-files-part-1.html | purpleteam | | |
| 8/27/2021 18:01:00 | Ch33r10 | Twitter OSINT resources | https://twitter.com/_sn0ww/status/1431295333644980232?s=21 | resource | | |
| 8/29/2021 12:31:06 | Ch33r10 | WDAC bypass list | https://github.com/bohops/UltimateWDACBypassList | purpleteam | | |
| 8/30/2021 9:07:13 | Ch33r10 | Blinding EDR on Windows | https://synzack.github.io/Blinding-EDR-On-Windows/ | purpleteam | | |
| 8/30/2021 12:27:44 | Ch33r10 | Detecting EDR Bypass: Malicious Drivers (Kernel Callbacks) | https://posts.bluraven.io/detecting-edr-bypass-malicious-drivers-kernel-callbacks-f5e6bf8f7481 | purpleteam | | |
| 8/30/2021 13:28:55 | Ch33r10 | Understanding Cobalt Strike Profiles | https://blog.zsec.uk/cobalt-strike-profiles/ | resource | cobaltstrike | |
| 9/1/2021 15:03:31 | Ch33r10 | Threat hunting explorer.exe with common executable extensions | #threathunting tip: look for explorer.exe with cmdline containing common executable extensions (.vbs, .hta, .ps1 etc.). https://twitter.com/sbousseaden/status/1433037382224392196?s=21 | threathunting | | |
| 9/2/2021 10:33:56 | Ch33r10 | Cobalt Strike PowerShell Payload Analysis | https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7 | resource | | |
| 9/2/2021 12:25:45 | Ch33r10 | Threat Hunting and Detection with Web Proxy Logs | https://posts.bluraven.io/threat-hunting-and-detection-with-web-proxy-logs-58094cae3537 | threathunting | | |
| 9/2/2021 17:25:42 | Ch33r10 | C2 Finger.exe | https://twitter.com/wietze/status/1433520106194145311?s=21 | purpleteam | threathunting | |
| 9/3/2021 8:32:11 | Ch33r10 | Anatomy and Disruption of Metasploit Shellcode | https://blog.nviso.eu/2021/09/02/anatomy-and-disruption-of-metasploit-shellcode/ | resource | | |
| 9/7/2021 19:34:53 | Ch33r10 | Cobalt Strike C2 hunting with Shodan | https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 | threathunting | | |
| 9/7/2021 19:36:50 | Ch33r10 | Khepri post-exploitation tool similar to Cobalt Strike | Free, open-source, cross-platform agent and post-exploitation tool written in Golang and C++; the architecture and usage are like Cobalt Strike. https://github.com/geemion/Khepri | purpleteam | | |
| 9/10/2021 13:42:00 | Ch33r10 | Rundll32.exe resource | https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 | resource | | |
| 9/12/2021 18:52:22 | Ch33r10 | Offensive WMI - Interacting with Windows Registry (Part 3) | https://0xinfection.github.io/posts/wmi-registry-part-3/ | resource | | |
| 9/20/2021 6:48:41 | Ch33r10 | Shodan dorks | https://github.com/ninoseki/shodan-dojo | resource | | |
| 9/20/2021 6:51:00 | Ch33r10 | Dork collection: Shodan, VTI | https://github.com/cipher387/Dorks-collections-list | resource | | |
| 9/28/2021 10:13:24 | Ch33r10 | Werfault.exe connecting to non-MS | https://twitter.com/sbousseaden/status/1442824222775128069?s=21 | threathunting | | |
| 10/10/2021 17:51:09 | Ch33r10 | Sigma Rules Resource | https://github.com/nasbench/SIGMA-Resources | resource | | |