Post AriyzTAWcMW2M2hkum by [email protected]
Post #AripesJj1RlYgM74Km by [email protected]
0 likes, 2 repeats
I need to do a blog post on this, but it seems like a lot of old tricks have be… | |
Post #AripiVO6DPxKj4tEtE by [email protected]
0 likes, 1 repeats
And what's interesting, using procmon, this is how the OS interprets them.
Post #AripqrcXRDIBzrd5JQ by [email protected]
0 likes, 1 repeats
And you can do the normal wildcards like this: | |
Post #AripxMIGJFWqrgF59s by [email protected]
0 likes, 1 repeats
And some, but not all, Unicode normalization can be exploited. | |
Post #AriqQczDKDjX2CHzxA by [email protected]
0 likes, 1 repeats
And here's another fun one, I'll let you figure out what's going on… | |
Post #Arir0ysPPnZrLoROHQ by [email protected]
0 likes, 1 repeats
@m8urnett, that's not entirely true. This is the information handed to the … | |
Post #ArirH0HDycS0KKgjK4 by [email protected]
0 likes, 1 repeats
@INIT6 Sorry, I should have said that is how cmd interprets it, not the OS. The… | |
Post #Aris0AD7tCsqASIzfk by [email protected]
0 likes, 0 repeats
@m8urnett have you seen https://argfuscator.net | |
Post #Aris0ALdNZgmaqHmvw by [email protected]
0 likes, 1 repeats
@darkcyberman no I haven't, thanks. | |
Post #AritF0X2G1UiRmGA76 by [email protected]
0 likes, 1 repeats
@m8urnett good god this thread is gold, thanks for the share from a young blood | |
Post #AriyzTAWcMW2M2hkum by [email protected]
0 likes, 1 repeats
@darkcyberman @m8urnett Reminded me of argfuscator as well! Potentially interes… | |
Post #Arj01OHdqrxBjjVti4 by [email protected]
0 likes, 1 repeats
@m8urnett Oh, this is fun 🤣 | |
Post #Arj0n9dJcnfICPQW5A by [email protected]
0 likes, 1 repeats
@m8urnett it all gets logged in process creation normally. So where the majorit… | |
Post #Arj12I3eaG4mfixnMW by [email protected]
0 likes, 1 repeats
@acalarch Right, those were mostly examples to demonstrate the concept, but yes… | |
Post #Arj8soqsbKND7Nz1u4 by [email protected]
0 likes, 0 repeats
@m8urnett @INIT6 Could this technique be used by a threat actor to run/download… | |
Post #Arj8sozO5hB9XlxpAG by [email protected]
0 likes, 1 repeats
@RaulV @m8urnett This is more about living off the land and command execution t… | |
Post #Arjbgf9JkMCGDoAAi0 by [email protected]
0 likes, 1 repeats
@m8urnett So any detection rules based on regex patterns to exact match process… | |
Post #Arjbm0MCKAArRbjdEu by [email protected]
0 likes, 1 repeats
@trizzo they always were | |
Post #ArkKsKwZBzsGy28izg by [email protected]
0 likes, 0 repeats
@m8urnett TBH: "wtf" was my first thought. For me, all of them are so… | |
Post #ArkKsL3eldXtK1SO2q by [email protected]
0 likes, 1 repeats
@mbeddedDev Just undocumented wildcards. |