Author Topic: Windows Priv Esc  (Read 3257 times)

0 Members and 1 Guest are viewing this topic.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2770
  • Volunteer
Windows Priv Esc
« on: November 30, 2019, 03:01:33 AM »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33801
  • malware fighter
Re: Windows Priv Esc
« Reply #1 on: November 30, 2019, 12:55:28 PM »
Hi Michael (alan1998),

Read here: https://sevrosecurity.com/checklists/windows-priv-esc

Time for fuzzing and reverse engineering: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
but leave your white hat on, always.

Welcome to the world of trons, unpacking of packed DOS binaries, as malcreants usually do not give explanations as how they create their malware, so reverse engineering can bring welcome insights. I am an adept of the much missed F.R.A.V.I.A (R.I.P), a well-known reverse engineer before he left that for searchlores guru instructions ( Fravia stated that a good searcher can be more dangerous than any evil hacker).
Read: www.darkridge.com/~jpr5/mirror/fravia.org/projunpa.htm etc.
Windows based on DOS, so unpack packed DOS binairies with DOSBox debugger:
https://www.codejuggle.dj/unpack-dos-binaries-dosbox-debugger/

polonus

P.S. Like to analyze through Snort what I am up against also under Windows,
therefore I use Snort Analyzer with Wireshark for instance.
read: https://asecuritysite.com/forensics/snort?fname=dnslookup.pcap&rulesname=rulesdns.rules

Damian
« Last Edit: November 30, 2019, 06:38:10 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33801
  • malware fighter
Re: Windows Priv Esc
« Reply #2 on: November 30, 2019, 11:19:30 PM »
Here we have an IDS example for a malicious library presented as jQuery.js
SNYK report: https://snyk.io/test/npm/jquery.js/1.0.2
Examples in the real digital wild: https://maltiverse.com/search;query=jquery.js;page=1;sort=query_score

This happens when you are dealt to believe something to be the one thing
and it turns out to be something completely different (malware).

Actually jQuery.js as nemucod ransomeware as example: https://maltiverse.com/sample/e13d6e7e7f66c8a14c769f0ef519b11f54914f57a8f7666b4198f57df7a29502

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!