Avi's blog

https://geekswipe.net/technology/computing/swoop-chrome-passwords-decrypt-with-python/  https://www.thepythoncode.com/code/extract-chrome-passwords-python https://www.thepythoncode.com/article/extract-chrome-passwords-python https://null-byte.wonderhowto.com/how-to/hacking-windows-10-steal-decrypt-passwords-stored-chrome-firefox-remotely-0183600/ Avi

https://attack.mitre.org/techniques/T1552/003/   attacker may search bash command history on compromised systems because sometimes users tend to pass username and password over command line to the program.  when user logs out then all the commands are flushed out to .bash_history file. for each user the file resides in the same location. ~/.bash_history  attacker can abuse this by looking through the file for potential credentials.    Mitigation: there are multiple methods of preventing a users command history from being flushed to their .bash_history file, including use of the following commands: off logging: set +o history and set -o history to start logging again.    another way: clean command history: history -c to make sure changes are written to disk, use: history -w   to make more sure the history is cleared when existing a session, the following command comes in handy: cat /dev/null > ~/.bash_history && history -c && exit           permanently disable bash h

you need a windows disk or bootable usb drive to perform this attack.  connect the windows cd/dvd or pen drive and restart the system.  on the windows setup box click on next > repair your computer then navigate to troubleshoot>advanced options>command prompt X:\Sources> d: D:\> dir     (probably d drive is your c drive.) navigate to windows\system32\ D:\Windows\System32> ren utilman.exe utilman_bak.exe D:\Windows\System32> copy cmd.exe utilman.exe cmd has now been replaced by utilman.exe D:\Windows\System32> exit poweroff or restart your pc.    now at the login screen if you click ease of access then command prompt will launch. on the cmd prompt there are many ways to change users password.  type the following: control userpasswords2 from there you can reset the passwords.  another way is: net user <username> <password> now time for revert the change. delete utilman.exe which is in behind cmd.exe now when you up for renaming utilman_bak.exe then you

https://attack.mitre.org/techniques/T1546/008/ https://www.youtube.com/watch?v=dIuQ2sUsZEo  sethc.exe resides on windows\system32 folder. in sethc.exe even administrators does not have full access. only the owner of the system which you can say trustedinstaller has the full access. but you can change the trustedinstaller by clicking the Advanced options. you can change the trustedinstaller by clicking the change button and add a local user who has admin rights.  here action is performed in a domain environment. but you can add your local user as well. as an example i had added my username which is Avi who has admin rights on the system.  now sethc owner has been changed. as you are owner now of sethc so you can now decide whom you want to give full access.   now click on edit. now you can change permissions. give administrators full control permissions. click yes on the popup.  now you can rename the file. so rename the sethc.exe to sethc.exe.bak then make a copy of cmd.exe. then you s

https://attack.mitre.org/techniques/T1562/002/ attackers may disable windows event logging to limit data that can be leveraged for detections and audits. windows event logs record user and system activity such as login attempts, process creation, and much more. this data is used by the security tools and analysts to generate detections.  the eventlog service maintains event logs from various system components and applications. by default the service automatically starts when a system powers on. an audit policy which is maintained by the local security policy (secpol.msc) defines which system events the eventlog service logs.  security audit policy can be changed by running secpol.msc, then navigating to security settings\local policies\audit policy for basic audit policy setting or security settings\advanced audit policy configuration for advanced audit policy configuration.  command line is auditpol.exe to set audit policies.  adversaries may disable event log service by typing the fo

https://pentestlab.blog/2019/12/11/persistence-office-application-startup/ sometimes attacker tries to write files into word startup folder in order to make / maintain persistency using metasploit.  C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1773.tmp during IR and malware cleaning from host, check these location.

https://attack.mitre.org/techniques/T1562/006/  https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63   synopsis: Attacker always wants to cover their tracks. so they delete or disable windows event logs, audit logs, they even interrupt logging system or agent from the host so the host cannot send their logs to siem.  attacker may change the following registry to achieve that: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME\{Provider_GUID} it can also be done by utilizing some administrative utilities like powershell, windows management instrumentation etc.  now the question is how can we know the autologger name, GUID etc? you can know that by navigating to the above registry path. or we can dig deeper the followings: ETW architecture : events providers event tracing sessions event consumers   tracing sessions are responsible for collecting events from event providers and relaying them to log files and consume

How to find out computer name from a registry value: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName