Malware Analysis & Threat Intel: UAC Bypasses

63,091 views

John Hammond

1 month ago

jh.live/anyrun-ti || ANYRUN has just released their latest Threat Intelligence feature set, and it is super cool to track and hunt for malware families or observed tradecraft -- try it out! jh.live/anyrun-ti
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZbin ALGORITHM ➡ Like, Comment, & Subscribe!

Comments: 69
@IAmmlskOG
@IAmmlskOG 1 month ago
dude you move through this file like butter
@nickadams2361
@nickadams2361 1 month ago
he did it before, this is a planned demo. Normal stuff you should be able to do at work
@user-sx4zy5hn2f
@user-sx4zy5hn2f 23 days ago
@@nickadams2361 😊😊😊😊😊😊😊😊😊
@gabriell4815162342
@gabriell4815162342 1 month ago
I love your videos. As a foreigner who doesn't speak native English, I feel very comfortable and can understand everything because of the calm and concise way you speak. In addition to practicing my English, I learn a lot about cyber security.
@Alfred-Neuman
@Alfred-Neuman 1 month ago
I learned English by watching a lot of KZbin videos like this. If you are curious enough and/or determined, you'll be able to write some English poetry pretty soon. ;D
@severinghams
@severinghams 4 days ago
@@Alfred-Neuman I don't understand foreigners' fascination with English poetry. Why is poetry something that so many non-English speakers flock to when they learn English? Why not debate, or music, or popular speeches, or literature, why _specifically_ poetry? What is so special about poetry?
@Alfred-Neuman
@Alfred-Neuman 4 days ago
@@severinghams How many languages do you speak outside of English?
@markcentral
@markcentral 1 month ago
Thanks for the video. Is the anyrun segment part of a sponsored deal? If not, I would have preferred you continued to demonstrate how to deconstruct the malware locally. There's a lot of educational value and wisdom potential being lost by moving things to an online platform that requires a subscription vs local.
@BryanLu0
@BryanLu0 1 month ago
He did in the video, but he hit a roadblock with the Google Drive file. I assume he did the anyrun before, so the anyrun was able to download the file. (And the file was remcos) So he pretty much showed the entire deconstruction
@hedgehogform
@hedgehogform 1 month ago
VSCode has a powershell formatter
@HachikoTanuki
@HachikoTanuki 1 month ago
I feel like such a casual that I know none of the tools John is using, while VSCode is too casual for John to know it has a Powershell formatter 😭
@nezu_cc
@nezu_cc 18 days ago
With the right extension VSCode has a formatter for basically anything; oftentimes it's the only editor with support for some obscure language.
@Adkali
@Adkali 1 month ago
Love the threat analysis using the dynamic analysis. Again, thanks John for another fun schooling video.
@Supstone8519
@Supstone8519 1 month ago
Very insightful. Thank you for doing this video.
@valk9789
@valk9789 1 month ago
Treat at the end~ love John's laugh😅❤
@PMM619
@PMM619 1 month ago
hey fan from Morocco, all the love !!
@antifreeze44
@antifreeze44 1 month ago
Your take on the Apex stuff was AWESOME, thanks John!
@cypher2226
@cypher2226 1 month ago
I didn't know about that UAC bypass
@Streetrack
@Streetrack 1 month ago
I really like this one!!
@YuKonSama
@YuKonSama 22 days ago
I kind of like the Sublime approach to cleaning the sample up, but I also would be interested in automating stuff like this (guess R.E.M has tools for this). For example, deleting variables that are assigned but never used should be a pretty easy task.
@k.g.c.karunathilaka9781
@k.g.c.karunathilaka9781 25 days ago
Thanks
@Duy1P3
@Duy1P3 27 days ago
I'd really like to see your homelab setup and see how you run things and do your investigations and with what tools and stuff.
@dipongkorroy6424
@dipongkorroy6424 1 month ago
Love from Bangladesh ❤
@user-lq3tv4nd8w
@user-lq3tv4nd8w 1 month ago
Why did you bang ladesh tho, poor fella
@ShayBlez
@ShayBlez 1 month ago
Never thought I'd see Bonzi Buddy again.. XD
@carsonjamesiv2512
@carsonjamesiv2512 1 month ago
NICE!😃
@allofabout7064
@allofabout7064 1 month ago
I hope you discuss Qlin Ransomware, and how to overcome it (recovery)
@Carambolero
@Carambolero 28 days ago
Nice start, but next time if you want to promote a tool, just go to the point and state it in the Title. Tx.
@capability-snob
@capability-snob 1 month ago
What was the intended use of this .ini file and the class named by the guid?
@user-yi4ef2gk1o
@user-yi4ef2gk1o 29 days ago
NICE this is really menace :)
@codytrout3257
@codytrout3257 29 days ago
Pro tip: change the speed to slower if you can't keep up with the commands fully, yet, like me.
@memeconnect4489
@memeconnect4489 1 month ago
a lot of danish words in that code
@7YBzzz4nbyte
@7YBzzz4nbyte 28 days ago
Seems to be fluff to obfuscate the code itself. Seems like Danish-inspired gobbledegook, words stacked without meaning, though a scanner would not know (at least not before AI). 😮
@eikichi9050
@eikichi9050 1 month ago
Hello Mr Hammond, is it possible to defend against these types of attacks? Sorry for my English.
@UnfiItered
@UnfiItered 1 month ago
If your end users don't use/run vbs/batch/PS1 scripts, you can make a group policy to require UAC to run them or disable them completely.
@johnvardy9559
@johnvardy9559 26 days ago
I love y john
@learnsomething564
@learnsomething564 1 month ago
First one ooooo now i have millions in my account
@JohnSmith-jc7dk
@JohnSmith-jc7dk 1 month ago
Why is vbs required to deploy remcos instead of deploying remcos directly?
@UnfiItered
@UnfiItered 1 month ago
Vbs was just a stager to build the powershell to run. Basically the hacker was trying to hide what they were doing behind a bunch of dead end code.
@U20E0
@U20E0 1 month ago
The point is that anyone who finds the malware but doesn't know how to handle this (including antiviruses) will likely not try to, which hopefully buys some more time before it gets logged into a malware registry. Inflated file sizes also stop VirusTotal and some antiviruses from analysing the file
@mdfourhadkhan1842
@mdfourhadkhan1842 1 month ago
❤❤❤❤❤❤
@psbharathkumarachari4005
@psbharathkumarachari4005 1 month ago
hi man, fan from India
@carteldebellamy677
@carteldebellamy677 1 month ago
Awesome video
@RandomytchannelGD
@RandomytchannelGD 1 month ago
Hi
@Hacker_Solo
@Hacker_Solo 1 month ago
Where can we obtain this sample for free?
@nezu_cc
@nezu_cc 18 days ago
On the website shown in the video, literally. They are one of the very few that don't lock it behind a paywall. Just look up the hash and grab it; you might need a free account though.
@Monothefox
@Monothefox 1 month ago
It's in Danish.
@liljeep3631
@liljeep3631 1 month ago
You guys use uac?
@UnfiItered
@UnfiItered 1 month ago
? Everyone in the AD world uses UAC. You don't want your end users in a lower privilege group policy to just download and run anything without UAC. You're opening yourself up to so many threat vectors by doing that.
@liljeep3631
@liljeep3631 1 month ago
@@UnfiItered vector these nuts
@UnfiItered
@UnfiItered 1 month ago
@@liljeep3631 okay, obviously you're a troll.
@liljeep3631
@liljeep3631 1 month ago
@@UnfiItered don’t need uac
@nezu_cc
@nezu_cc 18 days ago
@@UnfiItered yes and no. Do you need admin to read (and steal) user files? no. Do you need admin to encrypt user files? no. Do you need admin to access the network? no. Do you need admin for persistence? In many cases also no. Congrats, that's 90% of attacks nowadays. Why would I need admin where all the actually valuable data is accessible without it.
@runandwin5396
@runandwin5396 1 month ago
Chapters please?
@frinkifail7063
@frinkifail7063 1 month ago
sure love assimilationist one hundred thirty nine
@SlipperyCarrot
@SlipperyCarrot 1 month ago
Whole lot of Danish words in that sample..
@user-cz1lz5ye4i
@user-cz1lz5ye4i 25 days ago
voice
@user-cz1lz5ye4i
@user-cz1lz5ye4i 25 days ago
mom
@user-cz1lz5ye4i
@user-cz1lz5ye4i 25 days ago
@#
@iamwitchergeraltofrivia9670
@iamwitchergeraltofrivia9670 1 month ago
Fucking intel
@user-cz1lz5ye4i
@user-cz1lz5ye4i 25 days ago
mobile no.
@radityaharya
@radityaharya 1 month ago
Your audio sounds weird.
@nordgaren2358
@nordgaren2358 1 month ago
What's weird about it?
@user-cz1lz5ye4i
@user-cz1lz5ye4i 25 days ago
bhabhi