Wietze
@wietzebeukema.nl
wietzebeukema.nl
Threat Detection & Response. Interested in cyber security, tech and politics. Views are my own, unless retweeted.
As June comes to an end, so does #HuntingTipOfTheDay. I hope you enjoyed them!

👉 Find all of them here: bsky.app/search?q=fro...
June 30, 2025 at 8:02 AM
#HuntingTipOfTheDay: AppleScript via osascript is still a popular way for infostealers to get credentials/escalate access. Although some (poorly coded) updaters use this "legitimately", hunting for osascript referencing password dialogs might surface behaviour of interest.
June 24, 2025 at 9:02 AM
#HuntingTipOfTheDay: proxy execution via ComputerDefaults.exe by setting this registry key; as it auto-elevates, it also allows for UAC bypass (!).
🔴 Executing parent is usually explorer.exe, making detection harder
🔍 Hunt for reg changes to this key
👉 lolbas-project.github.io/lolbas/Binar...
June 20, 2025 at 12:03 PM
#HuntingTipOfTheDay: TCC on macOS can be bypassed by triggering Electron apps' Node.js interface to run arbitrary commands
⚡ By using a Launch Daemon, you can leverage all the app's TCC permissions
🔍 Hunt for processes with ELECTRON_RUN_AS_NODE env var and unusual command lines
June 17, 2025 at 11:06 AM
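The hunt from the last bullet of the tip above, written out as an added Python example (not code from the post or its author): it scans constructed process telemetry for ELECTRON_RUN_AS_NODE plus an unusual command line. The app name, paths and the definition of "unusual" (inline eval flags, a script outside the app's own bundle, launchd as parent) are assumptions made for this example.

```python
"""Hunt for Electron apps coerced into Node.js mode via ELECTRON_RUN_AS_NODE.

Added example, not from the original post. The process events below are
constructed telemetry in the shape an EDR export might take (image path,
command line, environment, parent process); app names and paths are made up.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcessEvent:
    pid: int
    image: str                      # executable that was launched
    cmdline: str                    # full command line as recorded
    env: Dict[str, str] = field(default_factory=dict)
    parent: str = ""                # image path of the parent process


def bundle_root(image: str) -> Optional[str]:
    """Return '/path/Name.app' for a binary inside a macOS app bundle, else None."""
    m = re.match(r"^(.*?\.app)/", image)
    return m.group(1) if m else None


def is_suspicious_node_mode(ev: ProcessEvent) -> Tuple[bool, List[str]]:
    """Apply the tip's hunt: ELECTRON_RUN_AS_NODE set plus an unusual command line.

    What counts as "unusual" is an assumption for this example:
      - inline JavaScript passed with -e/--eval/-p/--print, or
      - a script path that lies outside the app's own bundle, or
      - launchd as parent (a Launch Daemon/Agent, as the tip describes).
    Returns (flagged, reasons); an empty reason list means nothing unusual.
    """
    reasons: List[str] = []
    if ev.env.get("ELECTRON_RUN_AS_NODE") not in ("1", "true"):
        return False, reasons                  # not running in Node mode at all
    args = shlex.split(ev.cmdline)[1:]         # drop argv[0]
    if any(a in ("-e", "--eval", "-p", "--print") for a in args):
        reasons.append("inline JavaScript via -e/--eval")
    root = bundle_root(ev.image)
    for a in args:
        if a.startswith("/") and (root is None or not a.startswith(root + "/")):
            reasons.append(f"script outside app bundle: {a}")
    if ev.parent.endswith("launchd"):
        reasons.append("parent is launchd (Launch Daemon/Agent persistence)")
    return bool(reasons), reasons


APP = "/Applications/ExampleChat.app/Contents/MacOS/ExampleChat"   # constructed app
SAMPLE_EVENTS = [
    # Benign: the app runs one of its own bundled helper scripts in Node mode.
    ProcessEvent(101, APP, f"{APP} /Applications/ExampleChat.app/Contents/Resources/app/helper.js",
                 {"ELECTRON_RUN_AS_NODE": "1"}, APP),
    # Suspicious: spawned by launchd, runs a script dropped in /private/tmp.
    ProcessEvent(202, APP, f"{APP} /private/tmp/.cache.js",
                 {"ELECTRON_RUN_AS_NODE": "1"}, "/sbin/launchd"),
    # Ordinary GUI launch: no environment variable, nothing to hunt.
    ProcessEvent(303, APP, APP, {}, "/sbin/launchd"),
    # Suspicious: inline code evaluated through the Node interface.
    ProcessEvent(404, APP, f'{APP} -e "console.log(1)"',
                 {"ELECTRON_RUN_AS_NODE": "1"}, APP),
]


def hunt(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Return {pid: reasons} for every event the heuristics flag."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        flagged, reasons = is_suspicious_node_mode(ev)
        if flagged:
            hits[ev.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

The environment variable alone is not a verdict: some Electron apps run their own helper scripts this way, which is why the benign event above (a script inside the app bundle, spawned by the app itself) is left alone and the reasons are returned so an analyst can see which heuristic fired.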
UAC bypass can be achieved by e.g. moving the legit perfmon.exe and a malicious atl.dll to "c:\windows \system32". Windows is tricked into thinking this is a safe/trusted directory, meaning perfmon will launch with high integrity and your DLL will be loaded. Several other executables are vulnerable!
June 13, 2025 at 12:04 PM
#HuntingTipOfTheDay: folders with trailing spaces can be created on Windows, and they cause trouble:
🔴 Hard to delete/rename
🟠 Can hide (malicious) content when the same folder without trailing space exists
🟡 May enable UAC bypass (see next msg)

🔍 Hunt for paths with trailing spaces - highly sus
June 13, 2025 at 12:03 PM
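One way to run the trailing-space hunt from the tip above, also covering the "c:\windows \system32" spoof from the perfmon.exe post; this is an added Python example, not code from the posts or their author. Apart from that path and the perfmon.exe/atl.dll names, every path and folder below is constructed, the list of trusted directories is an assumption, and checking every path component rather than only the final folder is a small generalisation of the tip.

```python
"""Hunt for Windows paths with trailing-space folder names.

Added example, not from the original posts. The only path taken from the
tips is c:\\windows \\system32 (with perfmon.exe / atl.dll); every other
path and folder below is constructed sample data.
"""
from typing import List, Tuple

# Directories whose contents Windows treats as trusted for auto-elevation.
# Assumption for this example: the tip names System32; SysWOW64 is added as
# the obvious sibling. Extend to match your own environment.
TRUSTED_PREFIXES = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def components(path: str) -> List[str]:
    """Split a Windows path on either separator into its components."""
    return path.replace("/", "\\").split("\\")


def trailing_space_components(path: str) -> List[str]:
    """Return every component ending in a space.

    Generalises the tip slightly: every folder and file name is checked, not
    only the last one, so 'C:\\Windows \\System32\\x.exe' is caught too.
    """
    return [p for p in components(path) if p and p != p.rstrip(" ")]


def collapsed(path: str) -> str:
    """The path Windows resolves once trailing spaces are stripped, lower-cased."""
    return "\\".join(p.rstrip(" ") for p in components(path)).lower()


def looks_like_trusted_dir_spoof(path: str) -> bool:
    """True when a trailing-space component makes the path masquerade as a
    trusted directory (the perfmon.exe / atl.dll case from the tip)."""
    return bool(trailing_space_components(path)) and collapsed(path).startswith(TRUSTED_PREFIXES)


def shadowed_pairs(dirs: List[str]) -> List[Tuple[str, str]]:
    """Find folders that exist both with and without a trailing space; the
    spaced one can hide content behind the clean one, as the tip describes."""
    seen = {d.lower() for d in dirs}
    return sorted((d.rstrip(" "), d) for d in dirs
                  if d != d.rstrip(" ") and d.rstrip(" ").lower() in seen)


def hunt(paths: List[str]) -> List[dict]:
    """Return one finding per path with a trailing-space component,
    marking whether it also spoofs a trusted directory."""
    findings = []
    for path in paths:
        bad = trailing_space_components(path)
        if bad:
            findings.append({"path": path, "components": bad,
                             "trusted_dir_spoof": looks_like_trusted_dir_spoof(path)})
    return findings


SAMPLE_PATHS = [                                    # constructed file events
    "C:\\Windows \\System32\\perfmon.exe",           # from the tip: spoofs System32
    "C:\\Windows \\System32\\atl.dll",
    "C:\\Users\\alice\\Documents\\report.docx",      # clean
    "C:\\ProgramData\\Updater \\cache.dll",          # trailing space, not a trusted dir
    "D:\\Backups\\2025 \\",                          # trailing space on the last folder
]
SAMPLE_DIRS = ["C:\\Windows", "C:\\Windows ", "C:\\Users\\alice\\Tools "]   # constructed


if __name__ == "__main__":
    for finding in hunt(SAMPLE_PATHS):
        print(finding)
    print(shadowed_pairs(SAMPLE_DIRS))
```

Feed it file-creation or process-start paths from your telemetry: any trailing-space component is worth a look on its own, and a hit that also collapses onto System32 is the high-priority case from the perfmon.exe post.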
HijackLibs.net lists nearly 600 DLL Hijacking cases, and has now become your one-stop shop for all things T1574.001⚡

Check out individual entries, or use the API to integrate all data into your security pipeline: hijacklibs.net/api/

#cyberdefense #blueteam
April 22, 2025 at 7:37 PM