Windows a file-less, persistent, local privilege escalation backdoor and detection approach | allinfosecnews.com

March 12, 2023, 6:36 a.m. | /u/digicat

For [Blue|Purple] Teams in Cyber Defence www.reddit.com



sc.exe sdset scmanager D:(A;;KA;;;WD)

Setting the security descriptor on the service manager to allow anyone to start SYSTEM services! Will Blue notice this?? ;)

Detection with Velociraptor:

[https://github.com/Velocidex/velociraptor-docs/pull/531/commits/2b957311bd252dc8453c0cdf3b5acdba1e9fbd93](https://github.com/Velocidex/velociraptor-docs/pull/531/commits/2b957311bd252dc8453c0cdf3b5acdba1e9fbd93)

source: [https://twitter.com/Alh4zr3d/status/1629535208297975809?t=wryopPzbbLfEgYKV3cqA0g&s=19](https://twitter.com/Alh4zr3d/status/1629535208297975809?t=wryopPzbbLfEgYKV3cqA0g&s=19)

amp backdoor blue blueteamsec detection escalation file local local privilege escalation manager notice persistent privilege privilege escalation security service services start system velociraptor windows

More from www.reddit.com / For [Blue|Purple] Teams in Cyber Defence

JA4T: TCP Fingerprinting - And How to Use It to Block Over 60% of Internet … 18 hours ago | www.reddit.com

block blueteamsec fingerprinting internet +3

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices 20 hours ago | www.reddit.com

arcanedoor blueteamsec campaign devices +6

The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers - The Citizen … 1 day, 10 hours ago | www.reddit.com

apps blueteamsec citizen lab keyboard +7

Spain reopens a probe into a Pegasus spyware case after a French request to work … 1 day, 10 hours ago | www.reddit.com

blueteamsec case french pegasus +6

Justice Department Announces Charges Against Four Iranian Nationals For Multi-Year Cyber Campaign Targeting U.S. Companies 1 day, 14 hours ago | www.reddit.com

blueteamsec campaign charges companies +7

Decrypting Synology Patchfiles 2 days, 3 hours ago | www.reddit.com

blueteamsec synology

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials 2 days, 22 hours ago | www.reddit.com

blizzard blueteamsec compromise credentials +5

No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities 3 days, 9 hours ago | www.reddit.com

agents blueteamsec can exploit +2

Request for Feedback: Roadmap to Threat Hunter 3 days, 23 hours ago | www.reddit.com

blueteamsec cloud cybersecurity engineer +16

SOC 2 Manager, Audit and Certification

@ Deloitte | US and CA Multiple Locations

View on infosec-jobs.com

Cloud Technical Solutions Engineer, Security

@ Google | Mexico City, CDMX, Mexico

View on infosec-jobs.com

Assoc Eng Equipment Engineering

@ GlobalFoundries | SGP - Woodlands

View on infosec-jobs.com

Staff Security Engineer, Cloud Infrastructure

@ Flexport | Bellevue, WA; San Francisco, CA

View on infosec-jobs.com

Software Engineer III, Google Cloud Security and Privacy

@ Google | Sunnyvale, CA, USA

View on infosec-jobs.com

Software Engineering Manager II, Infrastructure, Google Cloud Security and Privacy

@ Google | San Francisco, CA, USA; Sunnyvale, CA, USA

View on infosec-jobs.com