Malware Analysis & Threat Intel: UAC Bypasses
jh.live/anyrun-ti || ANYRUN has just released their latest Threat Intelligence feature set, and it is super cool to track and hunt for malware families or observed tradecraft -- try it out! jh.live/anyrun-ti
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZread ALGORITHM ➡ Like, Comment, & Subscribe!
Пікірлер: 67
dude you move through this file like butter
@nickadams2361
2 ай бұрын
he did it before, this is a planned demo. Normal stuff you should be able to do at work
@user-sx4zy5hn2f
2 ай бұрын
@@nickadams2361😊😊😊😊😊😊😊😊😊
@IOwnThisHandle
20 күн бұрын
It is rehearsed
VSCode has a powershell formatter
@HachikoTanuki
2 ай бұрын
I feel like such a casual that I know none of the tools John is using, while VSCode is too casual for John to know it has a Powershell formatter 😭
Thanks for the video. Is the anyrun segment part of a sponsored deal? If not, I would have preferred you continued to demonstrate how to deconstruct the malware locally. There's a lot of educational value and wisdom potential being lost by moving things to an online platform that requires a subscription vs local
I love your videos, as a foreigner and because I don't speak native English, I feel very comfortable and can understand everything because of the calm and concise way you speak. In addition to practicing my English, I learn a lot about cyber security
@Alfred-Neuman
2 ай бұрын
I learned English by watching lot of KZread videos like this. If you are curious enough and/or determined, you'll be able to write some English poetry pretty soon. ;D
@severinghams
Ай бұрын
@@Alfred-Neuman I don't understand foreigners' fascination with English poetry. Why is poetry something that so many non-English speakers flock to when they learn English? Why not debate, or music, or popular speeches, or literature- why _specifically_ poetry? What is so special about poetry?
@Alfred-Neuman
Ай бұрын
@@severinghams How many languages do you speak outside of English?
Very insightful. Thank you for doing this video.
Love the threat analysis using the dynamic analysis. Again, thanks john for another fun schooling video
hey fan from Morocco, all the love !!
Treat at the end~ love John's laugh😅❤
I didn't know about that UAC bypass
You're take on the Apex stuff was AWESOME, thanks John!
I really like this one!!
Thanks
I'd really like to see your homelab setup and see how you run things and do your investigations and with what tools and stuff.
I kind of like the sublime approach to clean the sample up but I also would be interested into automating stuff like this (guess R.E.M has tools for this). For example, deleting variables that are assigned but never used should be a pretty easy task.
a lot of danish words in that code
@7YBzzz4nbyte
2 ай бұрын
Seems to be fluff to obfuscate the code itself. Seems like Danish-inspired gobbledegook, words stacked without meaning, though a scanner would not know (at least not before AI). 😮
Never thought Id see Bonzi Buddy again.. XD
What was the intended use of this .ini file and the class named by the guid?
NICE!😃
Nice start, but next time if you want to promote a tool, just go to the point and state it in the Title. Tx.
I hope you discuss Qlin Ransomware, and how to overcome it (recovery)
Love from Bangladesh ❤
@user-lq3tv4nd8w
2 ай бұрын
Why did you bang ladesh tho, poor fella
Hello Mr Hammond it is possible to defend against these type of attacks? Sorry for my english
@UnfiItered
2 ай бұрын
If your end users don't use/run vbs/batch/PS1 scripts. You can make a group policy to require UAC to run them or disable them completely.
NICE this is really menace :)
First one ooooo now i have millions in my account
I love y john
why vbs is required to deploy remcos and not deploying remcos directly?
@UnfiItered
2 ай бұрын
Vbs was just a stager to build the powershell to run. Basically the hacker was trying to hide what they were doing behind a bunch of dead end code.
@U20E0
2 ай бұрын
The point is that anyone who finds the malware but doesn't know how to handle this (including antiviruses) will likely not try to, which hopefully buys some more time before it gets logged into a malware registry. Inflated file sizes also stop VirusTotal and some antiviruses from analysing the file
Pro tip- change the speed to slower if you cant keep up with the commands fully, yet, like me.
❤❤❤❤❤❤
Awesome video
Where can we obtain this sample for free
Hi
hi man fan from india
You guys use uac?
@UnfiItered
2 ай бұрын
? Everyone in the AD world uses UAC. You don't want your end users in a lower privilege group policy to just download and run anything without UAC. You're opening yourself up to so many threat vector by doing that.
@liljeep3631
2 ай бұрын
@@UnfiItered vector these nuts
@UnfiItered
2 ай бұрын
@@liljeep3631 okay, obviously you're a troll.
@liljeep3631
2 ай бұрын
@@UnfiItered don’t need uac
@UnfiItered
2 ай бұрын
@@nezu_cc other than stealing files via emails and accessing network, everything else should require UAC via group policy (cmd, pwsh, windows native file encryption tools, vbs, portable exe etc..). Even then, group policy should dictate which user have access to which network drive. Outlook is the only email client used. Attachment is disallowed unless sending to internal email.
Chapters please?
sure love assimilationist one hundred thirty nine
Whole lot of Danish word in that sample..
I... i got so fucking lost. To be fair idk shit but i still find coding nonsense interesting
mom
voice
@#
It's in Danish.
Fucking intel
mobile no.
ur audio sounds weird
@nordgaren2358
2 ай бұрын
What's weird about it?
bhabhi