ath0 · @scottlink
250 followers · 460 posts · Server infosec.exchange

: day 70 : Today was a day of json and powershell. Took a different approach than I usually do. Started with laying out a json schema for all the data elements I want. Then backed into functions and code. I've coded in ksh and bash for so long, I'm more used to doing the functions first. This is more interesting, because now I hunt for LOLBAS to get the data.

#hack100days #redteam #LOLbas

Last updated 2 years ago

: day 69 : Forgot to post last night. Watched @alh4zr3d@twitter.com "Newbie Tuesday" stream. Biggest take-away was older Logitech wireless devices speak wifi. So, "BadUSB"/RubberDucky is in-play during physical tests: github.com/insecurityofthings/

#hack100days #redteam

: day 68 : Watched some videos by @valhalla_dev. Watched him go over some chapters out of the Rust Book and a couple of videos on malware dev.

#hack100days #rust #redteam #getsmart

: day 67 : Read another chapter. This one hurt my brain and will need to be revisited.

#hack100days #rust #getsmart

: day 66 : Took a crack at the new release, Inject. I've gotten rusty.

#hack100days #hackthebox

: day 65 : Kept chipping away at _Rust Programming_. Took a look at Defender and Advanced Threat. Created a query for finding admin users modifying registry run keys. I'm a fan of the 'project' command to grab only the columns I care about.

#hack100days #getsmart

: day 64 : Read another chapter of _Rust Programming_… Site visit today, learning and relearning about processes and tech used to make the firm money. Thinking hard about attack paths and drafting possible exercises.

#hack100days #redteam #getsmart

: day 63 : Lots of context switching today, articles, newsletters, and such. Going to unplug and finish another chapter of _Rust Programming Language_.

#hack100days #getsmart

: day 62 : Wasn't up for it yesterday, took a sick day. Did some poking around at a recent CVE. Not going to share which one at this time. Led to another thread, though. Something that could lead to finding weird... Look for instances of the Windows process WerFault.exe starting. What was the parent process? What was the user id for the process? You may find something that is well broken and needs fixing--that cleans up log files--or something that needs further research.

#hack100days #threathunting #blueteam
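
An added Advanced Hunting query (not from the thread) for the WerFault hunt described above: it groups WerFault.exe launches by parent process and account so the rare pairs surface for review. It assumes the standard Microsoft Defender DeviceProcessEvents schema and a 7-day window.

```kql
// Added example, not the thread author's query. Assumes the standard
// Defender Advanced Hunting DeviceProcessEvents schema.
// WerFault.exe is started for a crashing process with "-p <pid>" on its
// command line, so the pid of whatever crashed can be pulled back out.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "WerFault.exe"
| extend CrashedPid = toint(extract(@"-p\s+(\d+)", 1, ProcessCommandLine))
| summarize Launches = count(),
            Hosts = dcount(DeviceId),
            DistinctCrashedPids = dcount(CrashedPid),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCmd = take_any(ProcessCommandLine)
    by Parent = InitiatingProcessFileName,
       ParentPath = InitiatingProcessFolderPath,
       AccountName
// Rare parent/account pairs float to the top. The usual parents are the
// crashing binary itself or svchost.exe (WerSvc); an unexpected parent or a
// service account launching it is worth a closer look, while a very busy pair
// with many distinct pids is typically a broken app that needs fixing.
| order by Launches asc, Hosts asc
```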

: day 61 : Another light day. Read articles and another chapter in _Rust Programming Language_--was reminded to keep up on that via link from a @thegrugq newsletter to @buttplug.io (@twitter) thread, leading to @m_ou_se@twitter presence talking about her book _Rust Atomics and Locks_ (which is available at marabos.nl/atomics/, so I have some more reading and coding to do...)

#hack100days #getsmart #rust

: day 60 : Another section of CRTO done. Learned more about MSFT's Data Protection API, which was new to me. Otherwise, it was light today.

#hack100days #getsmart

: day 59 : Two more sections of CRTO down. Tuned the registry run key search in Defender ATH. Noisy bugger, going to take some work to sort out "normal". Seems like a good place to hide for long-haul persistence.

#hack100days #redteam #blueteam

: day 58 : Spent some time poking around log sources. Checked for logging and events matching opsec warnings from CRTO. Created and tuned some queries for Defender ATH. There's signal in there about Registry run key creation and scheduled task creation. Good to know for and !

#hack100days #redteam #blueteam
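
An added Advanced Hunting query (not the thread author's) for the registry run key hunt mentioned in the day 65, 59 and 58 posts: it pulls Run/RunOnce writes, keeps only those made by accounts that hold local admin on the same device, and uses project to trim the columns. It assumes the standard Defender DeviceRegistryEvents and DeviceLogonEvents schema; the installer exclusion is a first, assumed tuning step for the noise the day 59 post describes.

```kql
// Added example, not from the thread. Assumes the standard Defender Advanced
// Hunting schema (DeviceRegistryEvents, DeviceLogonEvents) and a 7-day window.
let Window = 7d;
// Writes to ...\CurrentVersion\Run and RunOnce under HKLM or HKCU. The 32-bit
// WOW6432Node paths end the same way, so endswith catches those as well.
let RunKeyWrites =
    DeviceRegistryEvents
    | where Timestamp > ago(Window)
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
    | where RegistryKey endswith @"\CurrentVersion\Run"
        or RegistryKey endswith @"\CurrentVersion\RunOnce"
    | extend Writer = tolower(InitiatingProcessAccountName);
// Accounts that logged on with local admin rights, per device.
let LocalAdminLogons =
    DeviceLogonEvents
    | where Timestamp > ago(Window)
    | where IsLocalAdmin == true
    | extend AdminAccount = tolower(AccountName)
    | distinct DeviceId, AdminAccount;
RunKeyWrites
| join kind=inner LocalAdminLogons on DeviceId, $left.Writer == $right.AdminAccount
// First cut at "normal": drop installer noise (assumed exclusion, extend it
// with what your own estate shows), then review what is left.
| where not(InitiatingProcessFileName in~ ("msiexec.exe", "TrustedInstaller.exe"))
| project Timestamp, DeviceName, Writer, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RegistryKey, RegistryValueName,
          RegistryValueData
| order by Timestamp desc
```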

: day 57 : Finished the next section of CRTO. Juuust shy of half-way. Checked out a couple of presos at the Antisyphon "Most Offensive Con That Ever Offensived" on-line conference. I like the personalities and some of the dialogue in the panel discussion at the beginning. However, it was a little too "let's be controversial for the sake of controversy" for my taste. (I hope to get a pizza delivered to me, one day.)

#hack100days #redteam

: day 55 : Completed three more sections, maybe about 1/3 of the way through--so far, mostly review. Added another item to the list.

#hack100days #CRTO #threathuntthursday #redteam #getsmart

: day 54 : Completed credential theft section, got some good ideas for log events and access patterns I hadn't thought of before.

#hack100days #CRTO #threathuntthursday #redteam #getsmart

: day 53 : Thin on the hacking today. Listened to risky.biz and got caught up on @thegrugq newsletters.

#hack100days

: day 52 : Spent more time on CRTO, got through several sections. Looked at some of the tooling called out. If something tried to talk to lsass, there's a Windows Event 4656 generated. These events don't make it into Windows Defender Advanced Threat Hunting. Some KQL that *might* help a little bit: 'DeviceProcessEvents | where (FileName != "lsass.exe" and ProcessCommandLine has "lsass")' This could find where someone's trying to tinker with it from the command line. (Since lsass does get started in the normal day-to-day of things, filter out it itself being the running process, look for things trying to operate on it.)

#hack100days #redteam #blueteam #getsmart

: day 51 : Spent some time going through CRTO. First two sections down. Spun up a new kali box to play around with some of the tooling covered in recon section. Reckon I'll do a once through the material before getting lab time and going after the lab exercises.

#hack100days #redteam #infosec
