wietzebeukema.nl
Wietze
@wietzebeukema.nl
Threat Detection & Response. Interested in cyber security, tech and politics. Views are my own, unless retweeted.
As June comes to an end, so does #HuntingTipOfTheDay. I hope you enjoyed them!

👉 Find all of them here: bsky.app/search?q=fro...
June 30, 2025 at 8:02 AM
#HuntingTipOfTheDay: you know how to spot/decode Base64 or XOR in PowerShell… but what about SecureString? This AES-based encryption is native to PowerShell; attackers have been seen to use this for PowerShell obfuscation.

🔍 Hunt for known SecureString decoding commands
June 27, 2025 at 9:01 AM
#HuntingTipOfTheDay: Stuck in vi/vim? Open a reverse shell to exit remotely 🙃

Not just a joke - you can make vi/vim run arbitrary commands, and not all methods to do so are well detected.
🔍 Hunt for child processes of vi(m), especially those that are rare in your environment.
June 26, 2025 at 9:02 AM
#HuntingTipOfTheDay: there are numerous open-source projects listing cyber threats. Some of these have directly ingestible indicators, which can be very helpful when threat hunting. How about:
🔵 lots-project.com + LOLBINs
🟠 hijacklibs.net + DLL write events
🟢 lolrmm.io + DNS requests
June 25, 2025 at 9:02 AM
#HuntingTipOfTheDay: AppleScript via osascript is still a popular way for infostealers to get credentials/escalate access. Although some (poorly coded) updaters use this "legitimately", hunting for osascript referencing password dialogs might surface behaviour of interest.
June 24, 2025 at 9:02 AM
#HuntingTipOfTheDay: USB worms are still a thing - often the initial infection happens when a user clicks a malicious shortcut on a USB device. See if you can correlate executions with .LNK files on remote drives to find possible badness.
June 23, 2025 at 12:03 PM
#HuntingTipOfTheDay: proxy execution via ComputerDefaults.exe by setting this registry key; as it auto-elevates, it also allows for UAC bypass (!).
🔴 Executing parent is usually explorer.exe, making detection harder
🔍 Hunt for reg changes to this key
👉 lolbas-project.github.io/lolbas/Binar...
June 20, 2025 at 12:03 PM
#HuntingTipOfTheDay: Florian is right.
🌩️ Cloud creds often linger in Environment Variables, especially on servers/dev machines
🟠 One compromised endpoint could thus lead to a full cloud breach
🔍 Hunt for exposed tokens - if you can see it, so could an attacker (well, kinda)
June 19, 2025 at 11:03 AM
#HuntingTipOfTheDay: Oddvar Moe of @trustedsec.com shows how you can run a full C2 implant from Outlook - just setting a few registry keys does the trick.

Any activity concerning these registry keys should be considered suspicious.

Full story here: youtu.be/7MDHhavM5GM
June 18, 2025 at 11:03 AM
#HuntingTipOfTheDay: TCC on macOS can be bypassed by triggering Electron apps' Node.js interface to run arbitrary commands
⚡ By using a Launch Daemon, you can leverage all the app's TCC permissions
🔍 Hunt for processes with ELECTRON_RUN_AS_NODE env var and unusual command lines
June 17, 2025 at 11:06 AM
#ThreatHuntingTipOfTheDay: rundll32 can be abused in many ways lolbas-project.github.io#t1218.011

Instead of exports, ordinals can be used too. You could hunt for known bad ones, but are ordinals used legitimately that often at all?

Look for rundll32 with # on the command line to find out
June 16, 2025 at 9:02 AM
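Added example (not code from the original post): a small parser for rundll32 command lines that separates the DLL from its entry point and flags ordinal entry points (`#N`). A plain substring search for `#` would also match DLL paths that contain a `#`, which is why the parse is done first. Sample command lines are constructed.

```python
import re

# Constructed sample command lines, as they might appear in process-creation telemetry.
SAMPLES = [
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'C:\Windows\System32\rundll32.exe C:\Users\Public\x.dll,#2',
    r'rundll32.exe "C:\Program Files\Vendor\helper.dll",#1 arg',
    r'rundll32.exe advpack.dll,LaunchINFSection setup.inf,DefaultInstall',
    r'rundll32.exe "C:\Tools\C#\lib.dll",Run',   # '#' in the path, but a named export
    r'notepad.exe readme.txt',
]

# image (optionally quoted and/or with a directory), then <dll>[,<entry>]
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'   # rundll32 image
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'        # quoted or bare DLL path
    r'(?:,(?P<entry>\S*))?',                          # optional entry point
    re.IGNORECASE,
)

def parse_rundll32(cmdline: str):
    """Return (dll_path, entry_point) for a rundll32 command line, else None.
    entry_point is "" when the command line names no entry point."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("qdll") or m.group("dll")
    return dll, (m.group("entry") or "")

def uses_ordinal(cmdline: str) -> bool:
    """True when rundll32 is told to call an export by ordinal (#N) rather than by name."""
    parsed = parse_rundll32(cmdline)
    return parsed is not None and re.fullmatch(r"#\d+", parsed[1]) is not None

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{'ORDINAL ' if uses_ordinal(line) else '        '}{line}")
```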
UAC bypass can be achieved by e.g. moving the legit perfmon.exe and a malicious atl.dll to "c:\windows \system32". Windows is tricked into thinking this is a safe/trusted directory, meaning perfmon will launch with high integrity and your DLL will be loaded. Several other executables are vulnerable!
June 13, 2025 at 12:04 PM
#HuntingTipOfTheDay: folders with trailing spaces can be created on Windows, and they cause trouble:
🔴 Hard to delete/rename
🟠 Can hide (malicious) content when the same folder without trailing space exists
🟡 May enable UAC bypass (see next msg)

🔍 Hunt for paths with trailing spaces - highly sus
June 13, 2025 at 12:03 PM
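Added example (not code from the original posts) serving both the trailing-space hunt and the mock "c:\windows \system32" directory described in the message above it: it flags file paths whose directory components end in whitespace and derives the path they imitate, so a hit can be compared with its legitimate counterpart. Sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample paths, as seen in file-create or image-load telemetry.
SAMPLE_PATHS = [
    r"C:\Windows\System32\perfmon.exe",
    r"C:\Windows \System32\perfmon.exe",          # mock trusted directory
    r"C:\Windows \System32\atl.dll",              # sideloaded DLL next to it
    r"C:\Users\alice\Documents \report.docx",
    r"C:\Program Files\Vendor App\app.exe",       # inner spaces are normal
]

def trailing_space_components(path: str) -> list:
    """Return the path components that end in whitespace (empty list if none).
    pathlib keeps trailing spaces in components, unlike the Win32 API."""
    return [p for p in PureWindowsPath(path).parts if p != p.rstrip(" \t")]

def normalised(path: str) -> str:
    """Strip whitespace that sits immediately before a backslash, giving the
    legitimate path the trailing-space variant imitates."""
    return re.sub(r"[ \t]+(?=\\)", "", path)

def hunt(paths):
    """Yield (original, imitated_path, offending_components) for suspicious paths."""
    for p in paths:
        bad = trailing_space_components(p)
        if bad:
            yield p, normalised(p), bad

if __name__ == "__main__":
    for original, imitated, bad in hunt(SAMPLE_PATHS):
        print(f"SUSPICIOUS {original!r} imitates {imitated!r} (components: {bad})")
```

A hit where the imitated path also exists on the host (e.g. both `C:\Windows \System32` and `C:\Windows\System32`) matches the hiding and UAC-bypass cases the posts describe.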
#HuntingTipOfTheDay: you’ll know that in Linux, files with a leading dot are hidden by default. Attackers may use this to hide payloads or frustrate forensics. Although sometimes used legitimately, you may find unexpected entries when looking for EXECUTIONS of hidden files.
June 12, 2025 at 9:02 AM
#HuntingTipOfTheDay: a personal favourite, command-line obfuscation. Substituting or inserting special Unicode characters might allow attackers to bypass string-based detections. Look for command lines with unusual Unicode characters. Check out ArgFuscator.net for more fun!
June 11, 2025 at 9:02 AM
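Added example (not code from the original post): it lists every non-ASCII character in a command line with its Unicode name and category, and produces a normalised form (format characters dropped, NFKC applied, dash-like punctuation mapped to `-`) that string-based detections can be run against. The dash mapping is a heuristic of this example; sample command lines are constructed and benign.

```python
import unicodedata

# Constructed samples: the first is clean, the others carry inserted or substituted characters.
SAMPLES = [
    "reg.exe query HKLM\\Software\\Test",
    "reg.exe quer\u200by HKLM\\Software\\Test",   # zero-width space inserted
    "\uff52eg.exe query HKLM\\Software\\Test",    # fullwidth 'r' substituted
    "ping.exe \u2013n 1 localhost",               # en dash instead of '-'
]

def unusual_chars(cmdline: str) -> list:
    """Return (index, 'U+XXXX', name, category) for every non-ASCII character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"), unicodedata.category(ch))
        for i, ch in enumerate(cmdline)
        if ord(ch) > 0x7F
    ]

def normalise(cmdline: str) -> str:
    """Undo common substitutions/insertions so a string-based rule can match:
    - drop format characters (category Cf: zero-width chars, joiners, BOM)
    - map dash punctuation (category Pd) to a plain hyphen (heuristic)
    - apply NFKC so compatibility forms (e.g. fullwidth letters) become ASCII"""
    out = []
    for ch in cmdline:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue
        out.append("-" if cat == "Pd" and ch != "-" else ch)
    return unicodedata.normalize("NFKC", "".join(out))

if __name__ == "__main__":
    for line in SAMPLES:
        for idx, cp, name, cat in unusual_chars(line):
            print(f"pos {idx}: {cp} {name} ({cat})")
        print("normalised:", normalise(line))
```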
#HuntingTipOfTheDay: macOS has a built-in SSH mechanism that is disabled by default. Would you detect it if someone enables it and logs in remotely? Look for remote login events, and investigate the associated session.
June 10, 2025 at 9:02 AM
#HuntingTipOfTheDay: Services can provide persistence. Looking for changes to their commands is common, but the lesser known Environment setting is often overlooked. It could result in stealthy DLL hijacking. Inspect any paths referenced for suspicious files.
June 9, 2025 at 11:03 AM
#HuntingTipOfTheDay: explorer.exe /root,"c:/your/executable.exe" will spawn your exe from the main explorer.exe, not a new one. This breaks normal process chains. Hunt for explorer.exe with "/root", as well as explorer spawning unusual children (e.g. rundll32, mshta, powershell).
June 6, 2025 at 11:03 AM
#HuntingTipOfTheDay: a common way to execute malicious code on Linux is to download a script via curl/wget and pipe the result into a shell process like bash. Hunt for curl/wget executions followed by an interactive shell within seconds, both having the same parent process.
June 5, 2025 at 10:03 AM
#HuntingTipOfTheDay: You have probably heard of .bash_profile and .zshrc, but are you familiar with PowerShell's version of it? Attackers might use this for persistence; monitor modifications of profiles by unexpected processes, and analyse existing files for anomalies.
June 4, 2025 at 10:02 AM
#ThreatHuntingTipOfTheDay: Malicious DMGs/PKGs are currently the most popular way for macOS infostealers to get a foothold. Use macOS’s kMDItemWhereFroms extended attribute to see origins of downloaded DMG/PKGs; investigate ones that are rare across your IT estate.
June 3, 2025 at 9:01 AM
#ThreatHuntingTipOftheDay: WMI Event Consumers trigger payloads on certain OS events. Besides running commands, they can run (fileless) VBScript/Jscript within WmiPrvSE.exe. Look for activity by/spawned off this process, and query WMI for __EventConsumers (or use EDR telemetry).
June 2, 2025 at 9:02 AM
HijackLibs.net lists nearly 600 DLL Hijacking cases, and has now become your one-stop shop for all things T1574.001⚡

Check out individual entries, or use the API to integrate all data into your security pipeline: hijacklibs.net/api/

#cyberdefense #blueteam
April 22, 2025 at 7:37 PM
MITRE ATT&CK v17 is out! It contains an update I have campaigned for since 2022: DLL Hijacking is now a single sub-technique, merging Search Order Hijacking & Sideloading, plus supporting related techniques.

Huge thanks & congrats to the @attack.mitre.org team on this release 🎉
April 22, 2025 at 7:37 PM
By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.

My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.

Here’s what I found and why it matters 👉 wietze.github.io/blog/bypassi...
March 24, 2025 at 9:08 AM