the thumbnail looks like its from a movie, great work John!

it's fun to see how this thing works after speding two days patching all my exchange servers. Thanks.

How John doesn't have millions of followers is beside me. Thank you for all this info John. Being 45 I missed the boat in the early 2000's but a year in Im hooked. Thanks to YOU David Bombal and Network Chuck you guys have helped this construction old guy immensely

I wasn't feeling good at all today. This video revamped me and bumped me up. Thanks John for not being just educational. But, entertaining and fun to watch too. Sending love and hoping ur having a great day

Been a software dev for a long time. Never seen this type of analysis done before... and watching this was absolutely fascinating.

This is interesting stuff. We've had so many interesting (& super dangerous) exploits and vulnerabilities in last few years. At 22:30 , it's a trick to add timestamps into URL. That's probably easiest way to make sure responses are not cached at any point. Of course it could be just lazy coding and used for monitoring purposes. But little bit later John downloaded the payload (or w/e it turned out be) without the timestamp in URL. I'd always recommend to download payloads with exact same syntax. It's way too easy for malware developer to try to mislead here. If they had some nasty next stage, they could make it look like just like a boring and usual looking malware. And misleading the analysis is absolutely part of the game.

I want to thank you John because you took me to another stage in the cyber world

I don't know how you do it but whenever I watch one of your videos about malware analysis the time simply passes so quickly. Very entertaining thank you!

You’re a good guy. Don’t let the others bring you down just because you’re compiling open source information and sharing it in a logical and comprehensive manner. Though I consider myself a home brewed IT craptastistic person, I appreciate the information given every time you put up a video.

Thanks for bringing awareness to such hacks. Right after the video, i checked the last few customers that still has on-premises exchange, and 75% of them were affected. We could mitigate the risk and apply fixes before anything worse happened. Thanks for this John Hammond.

I'm absolutely Stoked for the NahamCon CTF!!!!

This high of production quality and you were able to put this out the same day you were prodding around. I appreciate the work you're doing, its extremely informative so thank you.

Best instructor I have come across. New subscriber here! Thank you good sir!

I never commented on youtube videos before, but, I really want to thank you John Hammond for all the good work you're doing. You are F awesome and please keep it up. BTW, you are my favorite cyber-related KZbinr!

Finishing up my final year in cybersecurity in college and videos like these make me so much more intrigued about this field, and that much more excited and motivated to learn more. Thank you for all the hard work you put into these!

As someone who knows next to nothing on malware analysis I had a funny feeling mimikatz would turn up haha. I have learnt so much from these exploration videos only knowing intro level programing and just learning cyber security, it was awesome to see the obsfucation techniques and layers built into this and connected so many dots for me. Awesome video.

At around 20:54 the $dt is used to ensure cdn caching is bypassed. So the code on the cdn is static, but as soon as it is changed, the client is supposed to request a new copy.

I thoroughly enjoyed the premiere + live chat replay feature here, as well as the content itself obviously. Keep up the good work my dude, im already recommending your channel to my friends!!!

This is such an excellent primer for this sort of work, and you make it so entertaining! Looking forward to binging all your videos over the next couple of days :)

Your videos are great! I'm glad I found your channel. You have great information in a lot of topics I cover at work.

Thank you John !! Once again, I had fun and learned as much as I could (only some but that's in the right direction). You're awesome !

whole, gigantic powershell script, as a big ol’ format string? that’s neat

Hopefully no one tries to salem witch trial you for mis speaking because you are human after all.. I'm happy you are sharing public info for education. If someone gets upset about it then they must have ill intentions with that information. Keep up the great work!

Addicted to this content. How can I watch this whole video without any break? Inner me : You found new love !

Nice, You helped me a lot to understand the Threat!

I'm watching this as I going through our exchange server logs looking for backdoors :D a nice coincidance

Title Contains: Post Exploitation Me: Oh Yeah, This is gonna be good

Great content John. Education and humour smashed. Big thumbs up for this one. Thanx

i love all these type of videos, can't wait for more such that solarwinds or more of this helps!

Thanks John. As a newbie, this was great. Love how you broke it up and explain this so much!!!!

Thank you for your efforts and time, I really appreciate it.

Man, around 45:00 min in you weren't even exaggerating about that being an epiphany 😂 What a cool obfuscation technique!

This 1Hr of video teaches more than what I have learnt in past 25 years of my life. Truly appreciate the knowledge you shared and for free.

Great reversing. Subscribed

Excellent work John, love your work mate!

Great video & I'm installing my fax machine again ;-)

Also the powershell explosion + guy fawkes mask was hilarious :D

T`han`ks for making the video! Good stuff down the rabbit hole. UGH, Empire is scary.

Hey I signed up for a CTF randomly on CTFtime, and was pleasantly surprised to see it was one you created! Lol, I'm looking forward to it!

Wonderful as always, great video!

Amazing work, thank you for sharing

Not sure if it was mentioned...but the hig versus low would have shown up in the web logs and help identify instances with higher permissions (Administrator) versus lower permissions (non-Administrator).

Great Video!!! Can't wait for more.

This is professional evilness thanks for showing us this John this is very interesting to me! Big like

Great Analysis

It's been a pleasure, John!

Thank you John. As always you are very helpful and I appreciate you going through the reverse engineering process. See you on the next one! --Sage

great content, as usual !

You're doing a great job Hammond

interesting. Thanks for sharing!

Thanks for doing this. Very interesting.

Most GREAT channel between others

can you do a longer deep dive into this sort of stuff in the future this is just magic and easy to digest

Thanks John, learnt a lot.

Cool thumbnail, cool video, cool person, could not asked for more :D

Great video, thanks for sharing this!

John, you make it very entertaining even though it makes my brain ache!

Quick one: The long dot separated number strings at 1:04:50 such as "1.3.6.1.5.5.7.3.2" or "1.3.6.1.4.1.311.20.2.2" are SNMP MIB OIDs (en.wikipedia.org/wiki/Object_identifier).

Seems like an easy way to get around this set of scripts in particular would be to have your environment variable something non-standard.

Thank you John Very intresting

Now I just like your content before watching! Its that good!!

Thank you, this is very helpful!

Got mind blown by that huge Powershell script made only for building an fstring piece by piece. Insane stuff!

Thank u! This has been a fun one. Unfortunately not out of the water yet. 🥶

This was awesome man thanks!

as a computer profesional i love these videos please keep doing the good work you are do.

Creating shellcode in a piece of malware that base64 encodes to McBAD is next level. Bravo to that 👏 👏

Thank you, learned alot

That is some next level PS scripting! Thanks for the video, John. I really enjoyed it.

these videos are so fun!

What is a format string and what does it do, when talking about this script?

The red teamers I have reached out to never respond. Or they do then when they discover more about me they disappear and won't work with me

Great work man!!!

Im never going to move up from my current position because....my current job has nothing to do with this subject. I am literally addicted to this madness that John keeps on about. I literally cannot quit doing it. Lol .. and so i will integrate this with my ongoing studies (beer drinking) as well as continue to try to keep up.

The natural etc. strings are the join types in SQL, presumably part of SQLite

Thanks for the good laugh when you copy and paste that big file! :) I would have done the same thing haha

I am very new to this stuff , what is microsoft exchange server vernabilitues as some companys servers were compromised with the vernabolities and how the servers were compromised

this is what my org got hit by- i really appreciate the analysis!

Thanks!

Crazy Thumbnail John!!

Man that was fun and I love the recon of it

Us application security folks know about "format string vulnerabilities" from our C application experience, but this one is interestingly different and yet also suggests that name. :)

video looks great

i can reach the github file that they shows in 6:13, can u?

Where in the Exchange Server log do you get all these informations from? Like e.g. what commands the attacker executed? Are there any prerequs. like anhanced monitoring or so must be enabled?

Love it !!!

"I know this is really painful on 'human being' eyeballs" John just confirmed he is a robot.

Bro, just want you to know, you are awesome!

Might be worth getting VSCode to try use the inbuilt PS code formatter/beautify features on those powershell scripts.

great, had fun

OMG, that puzzle script is so cool

You're using terminator right? How did you search at 35:55 ? When did they add highlighting? Last time I tried to search it was useless. Seems like he's using a plugin or something to search cause it's definitely not highlighting all for me.

I like what ya’ did with the thumbnail

KZbin video quality sh;ts the bed at 36:20 and again at 37:40 when scrolling through megabytes of base64!

I have a ton of malicious scripts that look exactly like this that I have found while trying to reverse engineer the hack that started on my ASUS Chromebook c214 and Galaxy S8 active that has since spread to over a dozen different devices from phones, tablets, laptops, networks and accounts!! I have exhausted every resource possible and have received no help from anyone yet. I am in desperate need of help from someone!

Welldone

nice vid. can you share some pointers on how powershell commad (add-PSSnapin -Name) can be used to fetch mailbox in bulk? what's the command and events created in powershell logs?

no one points out what to do if the system was already compromised. so what next? everybody runs scripts and patches, but what when the system was already infected?

Hello, I need a help, can anybody help me to find ip address of a fbuser, is there anyway I can find it

Its unfortunate that virustotal detects the embedded mimikatz but does not qualify the rest of the binary more specific