The thumbnail looks like it's from a movie, great work John!
@deepergodeeper7618 3 years ago
When Nerds Attack, coming this summer
@andymcnab326 3 years ago
He's not pulling a stupid face for once, well done John
@jbgaud 3 years ago
It's fun to see how this thing works after spending two days patching all my Exchange servers. Thanks.
@karimmohamed3744 3 years ago
I wasn't feeling good at all today. This video revamped me and bumped me up. Thanks John for not being just educational, but entertaining and fun to watch too. Sending love and hoping you're having a great day.
@scottanderson2871 3 years ago
Been a software dev for a long time. Never seen this type of analysis done before... and watching this was absolutely fascinating.
@rtisd 3 years ago
Finishing up my final year in cybersecurity in college, and videos like these make me so much more intrigued about this field, and that much more excited and motivated to learn more. Thank you for all the hard work you put into these!
@nosignal5735 3 years ago
What's the name of your college? If you don't mind telling me.
@zikkthegreat 3 years ago
Whole, gigantic PowerShell script, as a big ol' format string? That's neat.
@Mbro-dq2do 1 year ago
How John doesn't have millions of followers is beside me. Thank you for all this info John. Being 45 I missed the boat in the early 2000s, but a year in I'm hooked. Thanks to YOU, David Bombal and Network Chuck, you guys have helped this old construction guy immensely.
@rileymccoy8154 3 years ago
This high of production quality, and you were able to put this out the same day you were prodding around. I appreciate the work you're doing, it's extremely informative, so thank you.
@ruxxuc2091 3 years ago
I want to thank you John because you took me to another stage in the cyber world.
@Xilhion 3 years ago
Thanks for bringing awareness to such hacks. Right after the video, I checked the last few customers that still have on-premises Exchange, and 75% of them were affected. We could mitigate the risk and apply fixes before anything worse happened. Thanks for this John Hammond.
@insoYT 3 years ago
This is interesting stuff. We've had so many interesting (& super dangerous) exploits and vulnerabilities in the last few years. At 22:30, it's a trick to add timestamps into the URL. That's probably the easiest way to make sure responses are not cached at any point. Of course it could be just lazy coding and used for monitoring purposes. But a little bit later John downloaded the payload (or whatever it turned out to be) without the timestamp in the URL. I'd always recommend downloading payloads with the exact same syntax. It's way too easy for a malware developer to try to mislead here. If they had some nasty next stage, they could make it look just like a boring and usual-looking malware. And misleading the analysis is absolutely part of the game.
@Aerogamer158 3 years ago
You're a good guy. Don't let the others bring you down just because you're compiling open source information and sharing it in a logical and comprehensive manner. Though I consider myself a home-brewed IT craptastistic person, I appreciate the information given every time you put up a video.
@Cyberducky 3 years ago
I don't know how you do it, but whenever I watch one of your videos about malware analysis the time simply passes so quickly. Very entertaining, thank you!
@netanel135 3 years ago
I never commented on YouTube videos before, but I really want to thank you John Hammond for all the good work you're doing. You are F awesome and please keep it up. BTW, you are my favorite cyber-related YouTuber!
@St3amPunk 3 years ago
I'm absolutely stoked for the NahamCon CTF!!!!
@Zed0086 3 years ago
Best instructor I have come across. New subscriber here! Thank you good sir!
@rainworldenthusiast 3 years ago
This is such an excellent primer for this sort of work, and you make it so entertaining! Looking forward to binging all your videos over the next couple of days :)
@potatoonastick2239 3 years ago
I thoroughly enjoyed the premiere + live chat replay feature here, as well as the content itself obviously. Keep up the good work my dude, I'm already recommending your channel to my friends!!!
@Ylmorko 3 years ago
I'm watching this as I'm going through our Exchange server logs looking for backdoors :D A nice coincidence.
@Cavemannnnnn 3 years ago
Good luck lol
@jiu 3 years ago
Same… already patched some servers
@Lexxrt 3 years ago
Title contains "Post Exploitation". Me: Oh yeah, this is gonna be good.
@TheH2OWeb 3 years ago
Thank you John!! Once again, I had fun and learned as much as I could (only some, but that's in the right direction). You're awesome!
@RonKirschler 3 years ago
At around 20:54 the $dt is used to ensure CDN caching is bypassed. So the code on the CDN is static, but as soon as it is changed, the client is supposed to request a new copy.
@DCLEE-co3dj 3 years ago
Hopefully no one tries to Salem witch trial you for misspeaking, because you are human after all. I'm happy you are sharing public info for education. If someone gets upset about it then they must have ill intentions with that information. Keep up the great work!
@fumfsmdb 3 years ago
Your videos are great! I'm glad I found your channel. You have great information on a lot of topics I cover at work.
@lethil 2 years ago
As someone who knows next to nothing about malware analysis, I had a funny feeling mimikatz would turn up haha. I have learnt so much from these exploration videos, only knowing intro-level programming and just learning cyber security; it was awesome to see the obfuscation techniques and layers built into this, and it connected so many dots for me. Awesome video.
@fastmover45 3 years ago
Can you do a longer deep dive into this sort of stuff in the future? This is just magic and easy to digest.
@TheAnurag69 3 years ago
Addicted to this content. How can I watch this whole video without any break? Inner me: You found new love!
@MrBlackFiction 3 years ago
Nice, you helped me a lot to understand the threat!
@potatoonastick2239 3 years ago
Also the PowerShell explosion + Guy Fawkes mask was hilarious :D
@xaviercho7063 3 years ago
I love all these types of videos, can't wait for more such as SolarWinds or more of this. Helps!
@angelsepulveda9211 3 years ago
Thanks John. As a newbie, this was great. Love how you broke it up and explained this so much!!!!
@SentientMuffin 3 years ago
Got mind-blown by that huge PowerShell script made only for building an f-string piece by piece. Insane stuff!
@revenevan11 6 months ago
Man, around 45:00 min in you weren't even exaggerating about that being an epiphany 😂 What a cool obfuscation technique!
@jonharper5919 2 years ago
Creating shellcode in a piece of malware that base64 encodes to McBAD is next level. Bravo to that 👏 👏
@n-i-n-o 3 years ago
Great reversing. Subscribed.
@uniquechannelnames 3 years ago
Hey, I signed up for a CTF randomly on CTFtime, and was pleasantly surprised to see it was one you created! Lol, I'm looking forward to it!
@Horstlicious 3 years ago
So how did it go?
@AustralianCyberOps 3 years ago
Excellent work John, love your work mate!
@SwissPGO 3 years ago
Great video & I'm installing my fax machine again ;-)
@fractalmultiverse 3 years ago
Great content John. Education and humour smashed. Big thumbs up for this one. Thanx
@tanveeraalam3271 3 years ago
Thank you for your efforts and time, I really appreciate it.
@atsekbatman 3 years ago
It's been a pleasure, John!
@bbowling619 3 years ago
I'm never going to move up from my current position because... my current job has nothing to do with this subject. I am literally addicted to this madness that John keeps on about. I literally cannot quit doing it. Lol... and so I will integrate this with my ongoing studies (beer drinking) as well as continue to try to keep up.
@rxhango 3 years ago
Great analysis
@TheRogueBro 3 years ago
Seems like an easy way to get around this set of scripts in particular would be to have your environment variable set to something non-standard.
@Puma2113 3 years ago
"I know this is really painful on 'human being' eyeballs." John just confirmed he is a robot.
@VajrangParvate 3 years ago
Quick one: the long dot-separated number strings at 1:04:50 such as "1.3.6.1.5.5.7.3.2" or "1.3.6.1.4.1.311.20.2.2" are SNMP MIB OIDs (en.wikipedia.org/wiki/Object_identifier).
@fhacim6568 3 years ago
Wonderful as always, great video!
@acevlt 3 years ago
Great video!!! Can't wait for more.
@SageTheProfessor 3 years ago
Thank you John. As always you are very helpful and I appreciate you going through the reverse engineering process. See you on the next one! --Sage
@PerfectKlaus 3 years ago
Amazing work, thank you for sharing.
@brianstarr 3 years ago
T`han`ks for making the video! Good stuff down the rabbit hole. UGH, Empire is scary.
@mikejones4012 3 years ago
Thank you! This has been a fun one. Unfortunately not out of the water yet. 🥶
@nikolas8741 3 years ago
This is professional evilness. Thanks for showing us this John, this is very interesting to me! Big like.
@owns3 3 years ago
Interesting. Thanks for sharing!
@TexasTimelapse 3 years ago
Thanks for doing this. Very interesting.
@facelesshacker1528 3 years ago
Thanks John, learnt a lot.
@Ayush-vy2kq 3 years ago
You're doing a great job Hammond.
@logiciananimal 3 years ago
The "natural" etc. strings are the join types in SQL, presumably part of SQLite.
@gp6723 3 years ago
Great content, as usual!
@savoyblue777 3 years ago
Thank you John. Very interesting.
@icantfindaproperusername 3 years ago
Most GREAT channel among others.
@logiciananimal 3 years ago
We application security folks know about "format string vulnerabilities" from our C application experience, but this one is interestingly different and yet also suggests that name. :)
@Red4mber 3 years ago
OMG, that puzzle script is so cool.
@jamalkhan815 3 years ago
Great work man!!!
@anders6671 3 years ago
Great video, thanks for sharing this!
@1wk407 3 years ago
These videos are so fun!
@K2_Chris 3 years ago
Thanks for the good laugh when you copy and paste that big file! :) I would have done the same thing haha
@akazaka3578 3 years ago
This was awesome man, thanks!
@palva01 3 years ago
Thank you, learned a lot.
@user-lk5qz4wx4q 3 years ago
John always has to Ctrl+V or Ctrl+F something big and THEN realizes that he's made a mistake... LOL
@israeltakaw112 3 years ago
John, you make it very entertaining even though it makes my brain ache!
@tetetsky 3 years ago
Thank you, this is very helpful!
@nonoyourbizness8437 3 years ago
This is what my org got hit by. I really appreciate the analysis!
@brianbitange6650 3 years ago
Now I just like your content before watching! It's that good!!
@custume 3 years ago
Video looks great.
@janisberzins5919 3 years ago
That is some next level PS scripting! Thanks for the video, John. I really enjoyed it.
@GilligansTravels 3 years ago
Man, that was fun and I love the recon of it.
@rahuldogra9271 3 years ago
Crazy thumbnail John!!
@minhquang3126 3 years ago
Cool thumbnail, cool video, cool person, could not have asked for more :D
@TinkerTech 2 years ago
Techcraft? That sounds so ominous 😮 When somebody asks me if I have any hobbies, I just say that I like T.I.T.S. in my spare time. Which OF COURSE stands for tinkering in tech services.
@jasoncollum7506 3 years ago
Not sure if it was mentioned... but the high versus low would have shown up in the web logs and helped identify instances with higher permissions (Administrator) versus lower permissions (non-Administrator).
@beyerchr 3 years ago
Thanks!
@BugsMoney007 3 years ago
This 1hr video teaches more than what I have learnt in the past 25 years of my life. Truly appreciate the knowledge you shared, and for free.
@sanathkumar1006 3 years ago
Thumbnail looks 🔥
@internetdoggo4839 3 years ago
I like what ya' did with the thumbnail
@RIGeek. 3 years ago
Given all the references to IEX, I guess something that can be done that could make you immune to a few of these would be to use a non-standard Windows install folder.
@daneilyan6419 3 years ago
The image in the photo makes John look like some secret agent.
@JohnRickey-b5w 1 year ago
Hello dear friend, I wish you success and health ❤
@Sebastian-db6ur 3 years ago
Great, had fun.
@Ladaria_VoD 3 years ago
That actually killed the video encoder.
@lokeshgs7866 3 years ago
Thank you John for this detailed video. Do you also help us with some video to fix the issue?
@ДмитроМінтенко-м7и 3 years ago
Hi, cool thumbnail!
@JTwisted 3 years ago
Bro, just want you to know, you are awesome!
@PythonisLove 2 years ago
Your videos are great.
@CoenraadLamprecht_coenster711 3 years ago
Well done
@Yarisken12 3 years ago
More than 10.000 lines of PowerShell... created when they were notified of the Exchange exploit... this is done by a huge team of professionals.
@fastmover45 3 years ago
As a computer professional, I love these videos, please keep doing the good work you do.
@gabrote42 2 years ago
46:23 This is impressive. That has to be some of the most bullshit obfuscation techniques I have ever seen. And you got it. Bless you.
@samuelbarber5097 2 years ago
54:30 THE HOLY ONE STRINGS, ALL HAIL THE STRING GOD
@bbowling4979 3 years ago
So what I'm getting from this is to have an obfuscated IEX at the end as a false "wire" to cut, then embed the real IEX in the middle. Got it.