rando

PS> netsh int ipv4 show int

Chris Greer

John Hammond - registry fileless persistence

HKCU - Run/RunOnce on 64 & 32

HKLM - Run/RunOnce on 64 & 32

In Sysmon, update Sysmon every hour

DLL is unhooked when whisper is used

`iconv -t UTF-16LE` produces Windows-style encoding

Encoding - data integrity

Payload

Stageless(s) is huge

Staged is small

| Port | Protocol | Host |
| --- | --- | --- |
| 80 | HTTP | 192.168.100.1 |

Not many files on the system are from within the last year

Look for files from before 2019 - there are a lot

Check WEF, user group

Ran in memory

Cr.dll crjit.dll explorer.exe

.NET Framework - svchost

- use for cyber/internal fury

Look for an imphash that looks up a malicious family

What the function calls are related to

Can you verify with Cobalt Strike what kind of keyboard

Registry, /var/log - where USB is saved

PowerShell profiles

COM hijacking

BITS - Background Intelligent Transfer Service
