#hack100days : day 21d : Tinkered with schedtask and eventviewer. Exported a task set to go off of 4801 (Previous post said 4800, because another Windows 10 used this. So, gonna have to unpack that weirdness...) I imported it on another box, but no joy. Perms issue. Redid it in the context of the schedtask app and import worked, but stuck it in an unexpected location. Tried to run as system instead of my defined user... ...so, that's interesting. ...? #redteam #windows #persistence #cososec

#hack100days : day 20d : Worked on #hackthebox Jet fortress. Got another flag. More php tricks. #ctf #infosec #cososec

#hack100days : day 19d : Worked on #hackthebox new release, investigation and managed to get user and root. I used to be strong in perl... ...it was in the last century, though! LOL. #ctf #infosec #cososec

#hack100days : day 18d : Looked at MITRE ATT&CK technique T1547.001 (https://attack.mitre.org/techniques/T1547/001/) for more scoop on scheduled tasks and run keys. Poked at schedtsk and powershell commands for tasks. Not seeing how to use cli to set up a task triggering off of eventid 4800. I found this article, https://cyber.wtf/2022/06/01/windows-registry-analysis-todays-episode-tasks/, which suggests doing it manually on a lab box, export it, and then import via cli on the target. So, this will be something to lab up. #redteam #infosec #persistence #cososec

#hack100days : day 17d : Poking around some more at #windows #persistence. Scheduled Tasks is fun. Out of the box, users can do this. Should they in a business environment? Extra fun, via Scheduled Tasks or via Event Viewer, a task can be set up to trigger of Event IDs. Like event id 4800, which is when a user unlocks their workstation... Me likey. #redteam #infosec #cososec

#hack100days : day 16d : Looked at establishing #persistence w/via registry run and runonce and via Startup. Only the beginning, really. #blueteamers are you watching those keys and folders?

#redteam #windows #infosec #cososec

#hack100days : day 15d : Watched Alh4zr3d twitch stream. PHP assert is interesting. Read up on #redteaming #azuread Phishing is out of scope, so spending time thinking through additional threat vectors. #infosec #cosocec

#hack100days : day 14d : Watched Mudge’s lateral movement video for #cobaltstrike. #activedirectory and #windows refresher. #redteam #infosec #cososec

@sjvn Time woulds all heels.

#hack100days : day 13d : Took a crack at #hackthebox Fortress lab Jet. I'm about a third of the way through. I keep breaking the box trying to get the next flag. Reckon that's a hint what I'm doing is the wrong path for this one. #redteam #sharpenthesaw #infosec #cososec

@rych Hope any wounds are minor.

#hack100days : day 12d : Banged around on #hackthebox release arena's stocker box. It's rated easy, but the foothold was new territory for me, so not too easy. Learned some new stuff, so that's good. #infosec #ctf #sharpenthesaw #cososec

@LindaGoodliffe I have a sneaking suspicion they were read and thought to be instruction manuals.

#hack100days : day11d : More #cobaltstrike. Watched a couple of videos on artifact kit. Weird how Mudge said in one of the videos to not use or stay in rundll32 or svchost, but that's exactly how artifact kit rolls. I've got some more to figure out with that one. Also watched a couple of viddys on beacon object files--I suspect *that* is going to be something to explore more of. #redteam #infosec #cososec