Malware Analysis & Threat Intel: UAC Bypasses

65,334 views

John Hammond

2 months ago

jh.live/anyrun-ti || ANYRUN has just released their latest Threat Intelligence feature set, and it is super cool to track and hunt for malware families or observed tradecraft -- try it out! jh.live/anyrun-ti

Comments: 66

@IAmmlskOG (2 months ago)
dude you move through this file like butter

@nickadams2361 (2 months ago)
He did it before; this is a planned demo. Normal stuff you should be able to do at work.

@user-sx4zy5hn2f (1 month ago)
@nickadams2361 😊😊😊😊😊😊😊😊😊

@IOwnThisHandle (4 days ago)
It is rehearsed.

@hedgehogform (2 months ago)
VSCode has a PowerShell formatter.

@HachikoTanuki (2 months ago)
I feel like such a casual that I know none of the tools John is using, while VSCode is too casual for John to know it has a PowerShell formatter 😭

@markcentral (2 months ago)
Thanks for the video. Is the anyrun segment part of a sponsored deal? If not, I would have preferred you continued to demonstrate how to deconstruct the malware locally. There's a lot of educational value and wisdom potential being lost by moving things to an online platform that requires a subscription vs. doing it locally.

@gabriell4815162342 (2 months ago)
I love your videos. As a foreigner who doesn't speak native English, I feel very comfortable and can understand everything because of the calm and concise way you speak. In addition to practicing my English, I learn a lot about cyber security.

@Alfred-Neuman (2 months ago)
I learned English by watching a lot of KZbin videos like this. If you are curious enough and/or determined, you'll be able to write some English poetry pretty soon. ;D

@severinghams (1 month ago)
@Alfred-Neuman I don't understand foreigners' fascination with English poetry. Why is poetry something that so many non-English speakers flock to when they learn English? Why not debate, or music, or popular speeches, or literature, why _specifically_ poetry? What is so special about poetry?

@Alfred-Neuman (1 month ago)
@severinghams How many languages do you speak outside of English?

@Adkali (2 months ago)
Love the threat analysis using the dynamic analysis. Again, thanks John for another fun schooling video.

@Supstone8519 (2 months ago)
Very insightful. Thank you for doing this video.

@PMM619 (2 months ago)
hey, fan from Morocco, all the love !!

@valk9789 (2 months ago)
Treat at the end~ love John's laugh 😅❤

@antifreeze44 (2 months ago)
Your take on the Apex stuff was AWESOME, thanks John!

@cypher2226 (2 months ago)
I didn't know about that UAC bypass.

@YuKonSama (1 month ago)
I kind of like the Sublime approach to clean the sample up, but I also would be interested in automating stuff like this (guess R.E.M has tools for this). For example, deleting variables that are assigned but never used should be a pretty easy task.

@Carambolero (2 months ago)
Nice start, but next time if you want to promote a tool, just go to the point and state it in the title. Tx.

@capability-snob (2 months ago)
What was the intended use of this .ini file and the class named by the GUID?

@memeconnect4489 (2 months ago)
a lot of Danish words in that code

@7YBzzz4nbyte (2 months ago)
Seems to be fluff to obfuscate the code itself. Seems like Danish-inspired gobbledegook, words stacked without meaning, though a scanner would not know (at least not before AI). 😮

@Duy1P3 (1 month ago)
I'd really like to see your homelab setup and see how you run things and do your investigations, and with what tools and stuff.

@Streetrack (2 months ago)
I really like this one!!

@k.g.c.karunathilaka9781 (1 month ago)
Thanks

@allofabout7064 (2 months ago)
I hope you discuss Qlin ransomware, and how to overcome it (recovery).

@ShayBlez (2 months ago)
Never thought I'd see Bonzi Buddy again.. XD

@carsonjamesiv2512 (2 months ago)
NICE! 😃

@dipongkorroy6424 (2 months ago)
Love from Bangladesh ❤

@user-lq3tv4nd8w (2 months ago)
Why did you bang ladesh tho, poor fella

@JohnSmith-jc7dk (2 months ago)
Why is VBS required to deploy Remcos instead of deploying Remcos directly?

@UnfiItered (2 months ago)
VBS was just a stager to build the PowerShell to run. Basically the hacker was trying to hide what they were doing behind a bunch of dead-end code.

@U20E0 (2 months ago)
The point is that anyone who finds the malware but doesn't know how to handle this (including antiviruses) will likely not try to, which hopefully buys some more time before it gets logged into a malware registry. Inflated file sizes also stop VirusTotal and some antiviruses from analysing the file.

@eikichi9050 (2 months ago)
Hello Mr. Hammond, is it possible to defend against these types of attacks? Sorry for my English.

@UnfiItered (2 months ago)
If your end users don't use/run VBS/batch/PS1 scripts, you can make a group policy to require UAC to run them or disable them completely.

@codytrout3257 (2 months ago)
Pro tip: change the speed to slower if you can't keep up with the commands fully yet, like me.

@user-yi4ef2gk1o (2 months ago)
NICE, this is really menace :)

@learnsomething564 (2 months ago)
First one ooooo now I have millions in my account

@carteldebellamy677 (2 months ago)
Awesome video

@johnvardy9559 (1 month ago)
I love y John

@Hacker_Solo (2 months ago)
Where can we obtain this sample for free?

@RandomytchannelGD (2 months ago)
Hi

@psbharathkumarachari4005 (2 months ago)
hi man, fan from India

@mdfourhadkhan1842 (2 months ago)
❤❤❤❤❤❤

@Monothefox (2 months ago)
It's in Danish.

@liljeep3631 (2 months ago)
You guys use UAC?

@UnfiItered (2 months ago)
? Everyone in the AD world uses UAC. You don't want your end users in a lower-privilege group policy to just download and run anything without UAC. You're opening yourself up to so many threat vectors by doing that.

@liljeep3631 (2 months ago)
@UnfiItered vector these nuts

@UnfiItered (2 months ago)
@liljeep3631 okay, obviously you're a troll.

@liljeep3631 (2 months ago)
@UnfiItered don't need UAC

@UnfiItered (1 month ago)
@nezu_cc other than stealing files via emails and accessing the network, everything else should require UAC via group policy (cmd, pwsh, Windows native file encryption tools, VBS, portable exe, etc.). Even then, group policy should dictate which users have access to which network drive. Outlook is the only email client used. Attachments are disallowed unless sending to internal email.

@runandwin5396 (2 months ago)
Chapters please?

@SlipperyCarrot (2 months ago)
Whole lot of Danish words in that sample..

@frinkifail7063 (2 months ago)
sure love assimilationist one hundred thirty nine

@user-cz1lz5ye4i (1 month ago)
@#

@iamwitchergeraltofrivia9670 (2 months ago)
Fucking intel

@user-cz1lz5ye4i (1 month ago)
voice

@user-cz1lz5ye4i (1 month ago)
mom

@user-cz1lz5ye4i (1 month ago)
mobile no.

@radityaharya (2 months ago)
ur audio sounds weird

@nordgaren2358 (2 months ago)
What's weird about it?

@user-cz1lz5ye4i (1 month ago)
bhabhi