Dr. Maik Ro
@maikroservice.com
💜-Team Hacker
Training the next generation of purple team hackers
(he/him)
https://maikroservice.com/email
I set up my pihole today
November 7, 2025 at 9:32 PM
Your new favorite Cheatsheet - Threat Hunting w/ Windows 🪟 + osquery

osquery provides a powerful SQL interface that you can use to hunt adversaries in your network.
Coupled with fleet management software like fleetdm / zentral, it allows you to query all your endpoints at once! 💜💜💜

#hacking
July 29, 2024 at 5:07 PM
Mhhhh where have we seen the 2nd one already?!
September 17, 2023 at 6:46 PM
So what happens when we run klist now?

We can see our TERMSRV ticket 💙 🎫

NOW THAT IS WHAT I AM TALKING ABOUT 🥳🥳🥳
September 17, 2023 at 6:46 PM
All you need to do is open a PowerShell window and type:
mstsc /remoteguard

This will again open the RDP connection window, but when you connect it stops the login process on the remote machine.

Plus, apparently it stops tickets from being forwarded - thx @powerpointken
September 17, 2023 at 6:46 PM
When we run klist again we can see not one but two tickets!
but ummm … this one is not for the TERMSRV?!

Where is the TERMSRV Ticket?!

That is a very good question.
September 17, 2023 at 6:45 PM
Now you start the RDP tool, type in the computer and username you want to connect with and press that big “Connect” button at the bottom.

What would you expect now?

More tickets, right?!
September 17, 2023 at 6:44 PM
The command “klist” lists all the tickets currently stored in the memory (RAM) of the machine.

Before the RDP session is started there is only one ticket on my machine - this is asked for when you log in with the domain account.
September 17, 2023 at 6:44 PM
This is the so-called TGT request, and if all goes well we receive a TGT from the domain controller.

That one in hand (well technically it is in memory 😅) we can now ask for a service ticket.

The service we want to connect to is called “TERMSRV” or Terminal Server
September 17, 2023 at 6:43 PM
When you click on the AS-REQ packet you can see that the computer I am currently on, workstation02, sends a request to the domain controller dc01 with my username attached.
September 17, 2023 at 6:35 PM
We first request a Ticket Granting Ticket (TGT) for the user we want to connect with - this is our Authentication Service Request (AS-REQ)

We can see that in Wireshark when filtering for “kerberos” and looking at the “Info” column
September 17, 2023 at 6:35 PM
Next you will be asked for your username, and you need to use either domain\username or username@domain - if you don’t, this process uses NTLM and NOT Kerberos.

If you want to follow along, make sure to run Wireshark at least on the domain controller to see the ticket workflows.
September 17, 2023 at 6:35 PM
We type the FQDN of the machine we want to connect to:

workstation01.snackempire.home

and push the Connect button. 🏎️💭
September 17, 2023 at 6:35 PM
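The thread above checks the output of klist by eye for the TERMSRV service ticket. The script below is an added example, not code from the original thread or its author: it parses klist's “#N> Client: … / Server: … / Ticket Flags …” blocks into objects and reports whether a TERMSRV/<host> ticket is cached. The host and realm names (workstation01.snackempire.home, dc01, SNACKEMPIRE.HOME) are taken from the thread; the embedded klist text is a constructed sample, not a real capture, and the exact klist layout is assumed to match current Windows builds (run with -Live on a domain-joined machine to parse real output).

```powershell
# Added example (not from the original thread): parse `klist` output into objects
# and report whether a TERMSRV/<host> service ticket is cached, which is what the
# thread looks for after `mstsc /remoteguard`. Host and realm names come from the
# thread; the sample klist text further down is constructed, not a real capture.
param(
    [switch]$Live,                                          # read real `klist` output instead of the sample
    [string]$TargetHost = 'workstation01.snackempire.home'  # RDP target used in the thread
)

function ConvertFrom-KlistOutput {
    # Turn each "#N> Client: ..." block (Server:, Ticket Flags lines) into one object.
    param([Parameter(Mandatory)][string[]]$Lines)

    $tickets = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^#(\d+)>\s+Client:\s+(.+?)\s+@\s+(\S+)') {
            if ($null -ne $current) { $tickets.Add([pscustomobject]$current) }
            $current = [ordered]@{
                Index       = [int]$Matches[1]
                Client      = $Matches[2]
                ClientRealm = $Matches[3]
                Server      = $null      # SPN, e.g. krbtgt/REALM or TERMSRV/host
                ServerRealm = $null
                Flags       = @()
            }
        }
        elseif ($null -ne $current -and $line -match '^\s+Server:\s+(\S+)\s+@\s+(\S+)') {
            $current.Server      = $Matches[1]
            $current.ServerRealm = $Matches[2]
        }
        elseif ($null -ne $current -and $line -match '^\s+Ticket Flags\s+0x[0-9a-fA-F]+\s+->\s+(.+)$') {
            $current.Flags = @($Matches[1].Trim() -split '\s+')
        }
    }
    if ($null -ne $current) { $tickets.Add([pscustomobject]$current) }
    return $tickets
}

function Find-ServiceTicket {
    # Case-insensitive match on "<ServiceClass>/<HostName>", e.g. TERMSRV/workstation01.snackempire.home
    param(
        [AllowEmptyCollection()][object[]]$Tickets,
        [Parameter(Mandatory)][string]$ServiceClass,
        [Parameter(Mandatory)][string]$HostName
    )
    $Tickets | Where-Object { $_.Server -ieq "$ServiceClass/$HostName" }
}

# Constructed sample of what `klist` prints after a Kerberos RDP logon (values are illustrative).
$SampleKlist = @'
Current LogonId is 0:0x2b8f1

Cached Tickets: (2)

#0>     Client: maik @ SNACKEMPIRE.HOME
        Server: krbtgt/SNACKEMPIRE.HOME @ SNACKEMPIRE.HOME
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 9/17/2023 18:30:12 (local)
        End Time:   9/18/2023 4:30:12 (local)
        Renew Time: 9/24/2023 18:30:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc01.snackempire.home

#1>     Client: maik @ SNACKEMPIRE.HOME
        Server: TERMSRV/workstation01.snackempire.home @ SNACKEMPIRE.HOME
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 9/17/2023 18:44:03 (local)
        End Time:   9/18/2023 4:30:12 (local)
        Renew Time: 9/24/2023 18:30:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: dc01.snackempire.home
'@

$lines   = if ($Live) { & klist.exe } else { $SampleKlist -split "`r?`n" }
$tickets = @(ConvertFrom-KlistOutput -Lines $lines)

$tickets | Format-Table Index, Client, Server, @{ n = 'Flags'; e = { $_.Flags -join ' ' } } -AutoSize

# The TGT (krbtgt/REALM) is the ticket the thread sees before RDP is started.
if (-not ($tickets | Where-Object { $_.Server -like 'krbtgt/*' })) {
    Write-Warning 'No TGT cached: the logon did not use a domain account, or the cache was purged.'
}

$termsrv = Find-ServiceTicket -Tickets $tickets -ServiceClass 'TERMSRV' -HostName $TargetHost
if ($termsrv) {
    "TERMSRV ticket for $TargetHost is cached (index $($termsrv.Index)): the RDP logon requested a Kerberos service ticket."
} else {
    "No TERMSRV/$TargetHost ticket cached. Check the Wireshark 'kerberos' filter for a TGS-REQ, or retry with: mstsc /remoteguard /v:$TargetHost"
}
```

Run it once without arguments to see the parser work on the sample, then `.\klist-check.ps1 -Live -TargetHost <fqdn>` (the script name is arbitrary) after an RDP connect to check the real cache. The /v: option of mstsc just pre-fills the target host; the relevant switch for the thread's observation is still /remoteguard.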
Once that is done you will see something similar to the following screenshot.

🎈CONGRATULATIONS 🎈

You installed your Security Information and Event Management System in your HomeLab 🎉

You don't have any agents yet, but we will walk through the setup in the next 🧵
September 12, 2023 at 9:32 PM
After login, Wazuh will check for updates and do some sanity checks on your detection rules.
September 12, 2023 at 9:31 PM
Now comes the final step!

In your browser - navigate to the IP of the VM and you should see this:
September 12, 2023 at 9:30 PM
After the install process is finished you will see a password and username inside your terminal

Save it to a secret location (password manager, *cough*).
September 12, 2023 at 9:30 PM
After the login you visit
in your browser

Next, copy the installation command:

paste it into your terminal, enter the sudo password and watch the magic happen 🦄🪄
September 12, 2023 at 9:27 PM
Software - just skip it, we will install it later

and now the install starts - once that is done, reboot and log in.
September 12, 2023 at 9:27 PM
Now select the correct disk and select "use entire disk" - if you prefer encrypted disks, also choose that option and type the password twice.

Then continue and commit to the installation - you now need to enter your username etc.

NEXT - OpenSSH, you don't need it now.
September 12, 2023 at 9:27 PM
On the next screen you choose "Ubuntu Server" so that you can have a comfortable experience.

After that it's time to select the correct network interface - hit that space key again!

and then again for the proxy address (unless you have one) + mirror address
September 12, 2023 at 9:27 PM
You select your favorite language and come to this screen next - you select "Update to the new installer" with the arrow keys and press your "space" key to continue.

Next up you choose the correct layout of your keyboard (you can use the "identify your keyboard" function)
September 12, 2023 at 9:27 PM
Installation - You start your SIEM Journey with the Start Button of the VM

press enter and let the adventure begin 🚀
September 12, 2023 at 9:27 PM
Becoming a (better) SOC analyst 💙

How to build your own SIEM for your HomeLab:
September 12, 2023 at 9:27 PM
How it started - one year ago I was at ~300 followers - each post had 10 likes max.

Today - posts reach around 100k views and 3-4% engagement = 3k-4k!!! people interact with EACH post

🤯

Play the long game.
It will pay off.

Thanks 2 you!
August 30, 2023 at 9:55 PM