the thumbnail looks like its from a movie, great work John!

I wasn't feeling good at all today. This video revamped me and bumped me up. Thanks John for not being just educational. But, entertaining and fun to watch too. Sending love and hoping ur having a great day

it's fun to see how this thing works after speding two days patching all my exchange servers. Thanks.

whole, gigantic powershell script, as a big ol’ format string? that’s neat

This high of production quality and you were able to put this out the same day you were prodding around. I appreciate the work you're doing, its extremely informative so thank you.

I thoroughly enjoyed the premiere + live chat replay feature here, as well as the content itself obviously. Keep up the good work my dude, im already recommending your channel to my friends!!!

This is such an excellent primer for this sort of work, and you make it so entertaining! Looking forward to binging all your videos over the next couple of days :)

This is interesting stuff. We've had so many interesting (& super dangerous) exploits and vulnerabilities in last few years. At 22:30 , it's a trick to add timestamps into URL. That's probably easiest way to make sure responses are not cached at any point. Of course it could be just lazy coding and used for monitoring purposes. But little bit later John downloaded the payload (or w/e it turned out be) without the timestamp in URL. I'd always recommend to download payloads with exact same syntax. It's way too easy for malware developer to try to mislead here. If they had some nasty next stage, they could make it look like just like a boring and usual looking malware. And misleading the analysis is absolutely part of the game.

I want to thank you John because you took me to another stage in the cyber world

Been a software dev for a long time. Never seen this type of analysis done before... and watching this was absolutely fascinating.

Title Contains: Post Exploitation Me: Oh Yeah, This is gonna be good

I never commented on youtube videos before, but, I really want to thank you John Hammond for all the good work you're doing. You are F awesome and please keep it up. BTW, you are my favorite cyber-related KZbinr!

Thank you John !! Once again, I had fun and learned as much as I could (only some but that's in the right direction). You're awesome !

Your videos are great! I'm glad I found your channel. You have great information in a lot of topics I cover at work.

I don't know how you do it but whenever I watch one of your videos about malware analysis the time simply passes so quickly. Very entertaining thank you!

Best instructor I have come across. New subscriber here! Thank you good sir!

How John doesn't have millions of followers is beside me. Thank you for all this info John. Being 45 I missed the boat in the early 2000's but a year in Im hooked. Thanks to YOU David Bombal and Network Chuck you guys have helped this construction old guy immensely

Finishing up my final year in cybersecurity in college and videos like these make me so much more intrigued about this field, and that much more excited and motivated to learn more. Thank you for all the hard work you put into these!

Thanks John. As a newbie, this was great. Love how you broke it up and explain this so much!!!!

Thanks for bringing awareness to such hacks. Right after the video, i checked the last few customers that still has on-premises exchange, and 75% of them were affected. We could mitigate the risk and apply fixes before anything worse happened. Thanks for this John Hammond.

You’re a good guy. Don’t let the others bring you down just because you’re compiling open source information and sharing it in a logical and comprehensive manner. Though I consider myself a home brewed IT craptastistic person, I appreciate the information given every time you put up a video.

Thank you for your efforts and time, I really appreciate it.

Great content John. Education and humour smashed. Big thumbs up for this one. Thanx

Excellent work John, love your work mate!

I'm absolutely Stoked for the NahamCon CTF!!!!

Wonderful as always, great video!

Nice, You helped me a lot to understand the Threat!

i love all these type of videos, can't wait for more such that solarwinds or more of this helps!

Addicted to this content. How can I watch this whole video without any break? Inner me : You found new love !

At around 20:54 the $dt is used to ensure cdn caching is bypassed. So the code on the cdn is static, but as soon as it is changed, the client is supposed to request a new copy.

Amazing work, thank you for sharing

As someone who knows next to nothing on malware analysis I had a funny feeling mimikatz would turn up haha. I have learnt so much from these exploration videos only knowing intro level programing and just learning cyber security, it was awesome to see the obsfucation techniques and layers built into this and connected so many dots for me. Awesome video.

It's been a pleasure, John!

Great reversing. Subscribed

Also the powershell explosion + guy fawkes mask was hilarious :D

I'm watching this as I going through our exchange server logs looking for backdoors :D a nice coincidance

Thank you, this is very helpful!

Thanks John, learnt a lot.

Thanks for doing this. Very interesting.

Great video, thanks for sharing this!

Great video & I'm installing my fax machine again ;-)

Great Video!!! Can't wait for more.

T`han`ks for making the video! Good stuff down the rabbit hole. UGH, Empire is scary.

John, you make it very entertaining even though it makes my brain ache!

Hopefully no one tries to salem witch trial you for mis speaking because you are human after all.. I'm happy you are sharing public info for education. If someone gets upset about it then they must have ill intentions with that information. Keep up the great work!

Man, around 45:00 min in you weren't even exaggerating about that being an epiphany 😂 What a cool obfuscation technique!

This was awesome man thanks!

great content, as usual !

interesting. Thanks for sharing!

Thank you John Very intresting

Now I just like your content before watching! Its that good!!

can you do a longer deep dive into this sort of stuff in the future this is just magic and easy to digest

Thank you, learned alot

Great Analysis

You're doing a great job Hammond

Cool thumbnail, cool video, cool person, could not asked for more :D

John looks intimidating in this thumbnail

Great work man!!!

Thank you John. As always you are very helpful and I appreciate you going through the reverse engineering process. See you on the next one! --Sage

Creating shellcode in a piece of malware that base64 encodes to McBAD is next level. Bravo to that 👏 👏

Crazy Thumbnail John!!

This is professional evilness thanks for showing us this John this is very interesting to me! Big like

Bro, just want you to know, you are awesome!

Got mind blown by that huge Powershell script made only for building an fstring piece by piece. Insane stuff!

Thanks!

Thank u! This has been a fun one. Unfortunately not out of the water yet. 🥶

Love it !!!

these videos are so fun!

Hey I signed up for a CTF randomly on CTFtime, and was pleasantly surprised to see it was one you created! Lol, I'm looking forward to it!

Man that was fun and I love the recon of it

This 1Hr of video teaches more than what I have learnt in past 25 years of my life. Truly appreciate the knowledge you shared and for free.

Thanks for the good laugh when you copy and paste that big file! :) I would have done the same thing haha

Most GREAT channel between others

OMG, that puzzle script is so cool

Quick one: The long dot separated number strings at 1:04:50 such as "1.3.6.1.5.5.7.3.2" or "1.3.6.1.4.1.311.20.2.2" are SNMP MIB OIDs (en.wikipedia.org/wiki/Object_identifier).

I like what ya’ did with the thumbnail

That is some next level PS scripting! Thanks for the video, John. I really enjoyed it.

"I know this is really painful on 'human being' eyeballs" John just confirmed he is a robot.

video looks great

You have the coolest tech glasses 👓

Us application security folks know about "format string vulnerabilities" from our C application experience, but this one is interestingly different and yet also suggests that name. :)

That was cool to watch , thx. Respect. And what about the ecp/y.js and webshell (aspx) files ?

The natural etc. strings are the join types in SQL, presumably part of SQLite

Seems like an easy way to get around this set of scripts in particular would be to have your environment variable something non-standard.

Not sure if it was mentioned...but the hig versus low would have shown up in the web logs and help identify instances with higher permissions (Administrator) versus lower permissions (non-Administrator).

great, had fun

as a computer profesional i love these videos please keep doing the good work you are do.

Thumbnail looks 🔥

Im never going to move up from my current position because....my current job has nothing to do with this subject. I am literally addicted to this madness that John keeps on about. I literally cannot quit doing it. Lol .. and so i will integrate this with my ongoing studies (beer drinking) as well as continue to try to keep up.

this is what my org got hit by- i really appreciate the analysis!

your videos are great

The image in the photo makes John look like some secret agent

i'm not a programmer - but i love your videos!

Welldone

Might be worth getting VSCode to try use the inbuilt PS code formatter/beautify features on those powershell scripts.

Hi, cool thumbnail!

Where in the Exchange Server log do you get all these informations from? Like e.g. what commands the attacker executed? Are there any prerequs. like anhanced monitoring or so must be enabled?

ThankYou Jon for this detailed Video. Do you also help us with some video to fix the issue?

great

Perfect, as it should be xD