svch0st

243 Followers

Jul 25, 2021

Guide to Named Pipes and Hunting for Cobalt Strike Pipes

Intro to Named Pipes: The way that helped me start to understand pipes is to think of them as a type of network socket. It can be used to send and receive information between processes or even hosts. As a rudimentary example, you can query the current pipes on your host: …

Cobalt Strike

4 min read

May 6, 2021

Stats from Hunting Cobalt Strike Beacons

Some Statistics on Cobalt Strike Configs in April and May 2021 — Collected from over 1000 configurations, here are some high-level statistics that demonstrate some of the common trends among one of the most popular tools in an adversary’s arsenal. These configs were collected from live servers around early May 2021. If you are interested in how the data was collected, scroll…

4 min read

Feb 25, 2021

Windows User Access Logs (UAL)

Windows Server Artefact — Overview: User Access Logging (UAL) is a feature in Windows Server that aggregates client usage data by role on a local server. The DFIR team at KPMG released a great blog post which spotlights User Access Logs by delving into the different components that make up the database. (Linked post: Digital forensics and incident response, advisory.kpmg.us. The KPMG Cyber Response Services team is dedicated to helping clients respond to cyber incidents. In a recent…)

Forensics

3 min read

Dec 29, 2020

Magnet Weekly CTF Challenge Week #12

Windows Memory Forensics — Part 1: What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed! From investigating the internet history in the previous questions, I remember an IE search similar to the quote in the question. This search was…

3 min read

Dec 22, 2020

Magnet Weekly CTF Challenge Week #11

Windows Memory Forensics — Part 1: What is the IPv4 address that myaccount.google.com resolves to? At the start of the memory challenge I had run bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the Discord posts, users had been using the .pcap generated from bulk_extractor…

2 min read

Dec 14, 2020

Magnet Weekly CTF Challenge Week #10

Windows Memory Forensics — Challenge 10: At the time of the RAM collection (20-Apr-20 23:23:26, per Imageinfo) there was an established connection to a Google server. What was the remote IP address and port number? Format: “xxx.xxx.xx.xxx:xxx”. I started this week with the netscan plugin (vol.py -f memdump.mem --profile=Win7SP1x64 netscan). From the netscan output…

3 min read

Dec 7, 2020

Magnet Weekly CTF Challenge Week #9

Windows Memory Forensics — Part 1: The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to? Provide the answer as a text string. I started off by running kdbgscan over the image to get the profile: Win7SP1x64. When reading the question for part 1, I had…

5 min read

Dec 2, 2020

Magnet Weekly CTF Challenge Week #8

Part 1: What package(s) were installed by the threat actor? Select the most correct answer! Part 2: Why? (hosting a database / serving a webpage / to run a php webshell / create a fake systemd service). Part 1: Especially considering last week's question, we know where to look when we…

2 min read

Nov 23, 2020

Magnet Weekly CTF Challenge Week #7

Part 1, Domains and Such: What is the IP address of the HDFS primary node? Part 2: Is the IP address on HDFS-Primary dynamically or statically assigned? Part 3: What is the interface name for the primary HDFS node? Part 1: If you navigate to /etc/network/interfaces on the primary image, you can…

1 min read

Nov 16, 2020

Magnet Weekly CTF Challenge Week #6

Challenge 6 (Nov. 9–16): The Elephant in the Room 25, Part One: Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On…

4 min read
