@JH - Excellent! Very useful tool. Thanks for sharing.
How do you pump out so many videos. You're insane! hahah
Hey John, super amazing video. Thanks alot for that. Really practical and fruitful.🤩🤩🤩
hey john hammond i sent you a form of malware from a discord link I have seen it appear i don't have the proper pc tools to do it so can you do it for me i sent it to you a month ago about so i dont know if you seen it yet or such
Awesome video, thk u. Short sweet and to the point love it!!!!!
Thought to challenge you with a simple but puzzling event. Notepad seems inconsistent in its ability to paste text with newline into either 'find' or 'replace' text box. It will consistently grab text, including newline, into the 'find' box if text is highlighted when invoking 'find' or 'replace' functions.
It will consistently keep text with nl in both find & replace boxes when 'new window' is selected.
It also is inconsistent whether saving a file with nl in replace box will pass the ability to the saved file even when replace text is performed before saving.
Cool! Thanks for video!!
Legend
Awsome tool.😊😊😊
Really usefull!
Hey, is there a way to run this on an exported "C:\Windows\System32\winevt\Logs" folder? I mean to give it a source folder/file. I have exported a full log folder to my sandbox and I have to analyze it. Thanks for your time and help
Interesting tool. Do you have any idea if it could be integrated with log management tools? I would like to forward those logs to an elasticsearch and there use the deepblue to search for security incidents.
Not exactly, but most will have similar rules built in, but you can certainly just look at the PowerShell script and see the event IDs he's using (4688(security), 4672(security), 4720(security), 4728(security), 4732(security), 4756(security), 4625(security), 4673(security), 4674(security), 4648(security), 1102(security), 7045(system), 7030(system), 7036(system), 7040(system), 104(system), 2(application), 8003(applocker),...,etc), and implement similar conditions that he's using in your use case. The one catch is that proper audit policy, and AppLocker in at least audit mode (if you want those use cases), has to be configured on the endpoints that you're pulling the event logs from.
is there a windows EXE utility that trawls through the same information.
this is why you clear the event viewer after you install the remote
That’s often very noisy. Defenders should always be monitoring any audit logs being cleared
In that case attackers often clear as the very last step before they’re out the door
@@Pax833 it isn't for me, windows said nothing when the script was running
Not wrong, but only on weaker clients. It's all fun and games until they have an IDS to detect the purge and a SIEM where everything gets offloaded to. At that point you're just ringing the dinner bell for no gain lol
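The reply above about reusing DeepBlueCLI's event IDs in your own tooling, and the thread about watching for cleared audit logs, can be combined into one small script. This is an added example, not DeepBlueCLI's own code: it reads exported .evtx files from an assumed folder (C:\Cases\winevt, a constructed path) with Get-WinEvent -Path, keeps only a subset of the event IDs listed in the reply, and puts log-clear events (1102, 104) at the top.

```powershell
# Added example (not DeepBlueCLI's code): triage exported .evtx files for a
# subset of the event IDs named in the comment above.
# Assumes the exported winevt\Logs folder was copied to C:\Cases\winevt.
param(
    [string]$LogDir = 'C:\Cases\winevt'
)

# Event IDs from the comment, with the channel each normally lives in.
$WatchIds = @{
    1102 = 'Security: audit log cleared'
    104  = 'System: event log cleared'
    4720 = 'Security: user account created'
    4728 = 'Security: member added to global group'
    4732 = 'Security: member added to local group'
    4756 = 'Security: member added to universal group'
    4625 = 'Security: failed logon'
    7045 = 'System: new service installed'
    8003 = 'AppLocker: executable allowed in audit mode'
}

$findings = foreach ($file in Get-ChildItem -Path $LogDir -Filter '*.evtx' -File) {
    try {
        # Path= reads the exported file directly instead of the live channel.
        $events = Get-WinEvent -FilterHashtable @{
            Path = $file.FullName
            Id   = @($WatchIds.Keys)
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when a file has no matching events; skip it.
        continue
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            File    = $file.Name
            Id      = $e.Id
            Why     = $WatchIds[$e.Id]
            Host    = $e.MachineName
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

# Log clears first: the loudest signal, and often an attacker's last step.
$findings |
    Sort-Object @{ Expression = { $_.Id -in 1102, 104 }; Descending = $true }, Time |
    Format-Table -AutoSize
```

The IDs only show up if the source machines had the matching audit policy (and AppLocker audit mode for 8003) enabled, as the reply above points out; an empty result is not proof that nothing happened.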
How can I send a discord to you to check if it's legal or not? It's very sus, on verification it's sending you to microsoft
????????? I have the same result as you on my PC, normal or not I think ????
but ty
what previous video is he referencing?
According to you, how does chainsaw compare to deepbluecli? From my testing I found chainsaw to be more effective, but there's so much praise for deepbluecli, that's why I am asking for opinions
I would agree, I think Chainsaw is the "modern" choice for cutting up event logs these days
Hi, @abduallhyasin3055, I've found that chainsaw use cases rely rather heavily on the presence of sysmon, and you can't guarantee that will be around. Although, admittedly, it does use some standard events too -- and yara rules. I don't think it's a matter of "either/or"; nothing stops you from running both on extracted event logs, right?
please, could you tell me what is the best computer for cyber security, and tell if I can use the MacBook as I already have one?
thanks.
Mac is fine bro... there's no perfect computer... as long as you have about 8-16 GB and can run virtual machines, you will be fine...
Hey love u
Yay kids, so now your computing experience has gone from fun gaming and whatever, to having to do all this crazy BS to counter any hacking maggots! Yay!
I’m not sure if your 🎙️ setup jives with those hand gestures for your explanations?
Ah well at least you look like every other podcaster and presenter.
Good video content in any case
We need a Linux equivalent, like if you agree!
tail -f /var/log/someapp/access.log
Still liked your comment as I don’t plan on responding to a bunch of questions to my comment.
Don’t forget to pipe that command into grep to automatically search for keywords like,
tail…. | grep “created user”
Or something along those lines. Every scenario will require a different value to grep for
😁
Early :3
hello, please make fundamental topics of cyber security
Try hackersploit...ippsec...sabid...tcm..too many out there
hlo
42 seconds ago
FANTASTIC, I'M FIRST!
Took too long to type it and send it 🤦🏽♂️
@@userhandler0tten351 The goal wasn't to be first. Never in the entire existence of my RUclips/Google account did I get to watch a video less than 12 hours after it's published. Therefore I typed "42 seconds" without realizing there were no other comments. When I realized it, I refreshed the page to see if someone else already wrote something. Nothing except my "42 seconds" comment. I refreshed again. Still nothing except my "42 seconds" comment. I thought that was kinda cool so I edited my comment.
I received a facepalm for being happy. I probably don't deserve to feel good over the simple things in life. I'm sorry you found it stupid. I'll never do that ever again.
@@thinotmandresy yo bro, don’t ever stop. I just thought it was funny is all.
I’ve literally done the same so don’t feel bad at all yo
first
bad sponsor dislike
Brother i need Your help..Please reply my message
Just looked, the tool was updated last week (end of June/23): New Sliver and Metasploit EVTX files including cmd.exe writing to ADMIN$, and suspicious remote threads
master, eric-conrad committed last week, commit 2eecc65 (1 parent 8e510aa)
Showing 3 changed files:
- evtx/metasploit-sysmon.evtx (binary file added, +1.07 MB)
- evtx/sliver-security.evtx (binary file added, +1.07 MB)
- evtx/sliver-sysmon.evtx (binary file added, +68 KB)