How to Proxy Command Execution: "Living Off The Land" Hacks

John Hammond
52K views

j-h.io/plextrac Special thanks to PlexTrac for sponsoring this video -- try their premiere reporting & collaborative platform in a FREE one-month trial! Spend more time hacking, and less time reporting 😎
Grzegorz Tworek: / 0gtweet
His tpmtool.exe tweet: / 1581185123218690048
🔥 RU-vid ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Published: 2 Oct 2024

Comments: 67
@Counterhackingsafe 1 year ago
John, you are a master of the craft. Every time I watch one of your videos, I learn something new and valuable. The way you explain "Living off the Land" hacks is clear and easy to understand, making it accessible to all levels of cyber enthusiasts. Keep up the great work and thank you for all the knowledge you share with the community.
@RealCyberCrime 1 year ago
Living off the land - a nightmare for script kiddies
@guitarware 1 year ago
lol
@whateverppl1229 1 year ago
just give me my botnet so I can press the funny button. Ion cannon go brr
@notme4526 1 year ago
Ion cannon wasn't a botnet? It was just software that spammed requests from your computer only to a specified site that you started by running it; there were no C2s, it was dependent on many people launching the tool at once following others. DDoS will probably go down in history as the method of attack from people with zero knowledge.
@goodnightmr5892 1 year ago
Best Comment Ever!
@ytg6663 1 year ago
@@whateverppl1229 what is your botnet price
@Logan-vw8bg 1 year ago
John! Thanks for everything you put into this community. I started my cyber career path last year and you've been a tremendous resource. Thanks again and cheers to the new year!
@netscout2451 1 year ago
Getting to see how you used procmon to investigate the scenario was awesome. Well done
@daiceman825 1 year ago
I wonder if this will be patched anytime soon... What level of privilege did calc.exe end up spawning with? Could this be a possible avenue for privesc, or is it meant only as a means of obfuscation? As always, love the content!
@0xbitbybit 1 year ago
I just tried it, it runs as the user who ran tpmtool.exe, so no privesc.
@evilcorp3037 1 year ago
Wow, this is amazing. Thank you for your hard work, John!
@jorisschepers85 1 year ago
This content is gold. Thanks for explaining it in a calm and step-by-step way. Keep it going John.
@mikeuk1927 1 year ago
You could pronounce his name more or less like this: Ghsheghosh Tvorek ;)
@purplesprout5774 1 year ago
ok, off to test if the XDR detects this and if not, rule creation and more testing! Thanks John, the red perspective is a great way to continue to build the blue fortress!
@DarkFaken 1 year ago
Your content is always top notch! Thanks for everything ❤️
@hamzarashid7579 1 year ago
John your videos make me motivated. Thank you so much for these amazing videos.
@dmadden999 1 year ago
Intel, now PlexTrac. Do you feel dirty, reading off these scripted ads?
@cybersploit7378 1 year ago
Interesting! We'd love more videos like this
@patrickslomian7423 1 year ago
Happy New Year guys! :) John, I love your content, please keep up the great work! :) Btw. Grzegorz Tworek is a great teacher, his knowledge about Windows security is legendary.
@LindomarkBiohazardYTB 1 year ago
hmm, a nice Windows remote execution flaw, brilliant
@kyputer 1 year ago
Great video! Love it :D
@sentinelaenow4576 1 year ago
Magnificent! Thanks a million! You rock Sir!
@eddiesalinas 1 year ago
Thank you John for your content!
@first-thoughtgiver-of-will2456
This shows how we really need to rework our operating systems.
@centdemeern1 1 year ago
6:32 - Tip: the Windows equivalent to "which" is "where", so you can do "where tpmtool"
@jcc6495 9 months ago
Great stuff as always John!!!
@MygenteTV 1 year ago
I wanted something like this weeks ago; the problem is Windows will stop any weird exec you try to save onto the machine
@slavik1513 8 months ago
same as ark game
@oinatzgarciagorrotxategi7120 3 months ago
Sinapsis
@utensilapparatus8692 1 year ago
Buying time - gr8 tutorial
@ThiagoSouza-oo6fj 1 year ago
OMG! Awesome Content John, as always!
@asdfasddfs5484 1 year ago
Sweet
@maxxthecoder5974 1 year ago
Great video John!!!!!
@SzymekCRX 1 year ago
Poland!
@guilherme5094 1 year ago
👏👍
@NoportOfbot 1 year ago
good content as always
@CharlesManch 1 year ago
😳😲
@SumanRoy.official 1 year ago
They patched it, it now uses the full path of cmd.exe 😂
@_JohnHammond 1 year ago
Which version/patch of Windows are you seeing this on? On a fully updated Windows 11 box it still seems to work just fine for me.
@emmetgwilliam6527 1 year ago
@@_JohnHammond Windows 11. My old computer had a lot of problems with my Linux terminals on there never working like Ubuntu and Debian. Do u use Windows 11?
@AP-rv6kk 1 year ago
Wonder if this can work as another AppLocker bypass
@ChiefYOUtuber 1 year ago
👌
@petermayagibson 1 year ago
Wow!
@codrindumitrescu 1 year ago
hey john, could you please make a video on uninstalling Microsoft Edge via your Windows emulator?
@samuelirungu5324 1 year ago
Actually, tried this and loved it. kudos John...
@demon1058 1 year ago
Can you teach how to make malware persistent
@corruption781 1 year ago
bro do it yourself dont be a *SKID*
@demon1058 1 year ago
@@corruption781 i can't find anything related to that
@watchmehope6560 1 year ago
@@demon1058 i highly doubt that lol.
@JoakimBB 1 year ago
Sektor7
@0xbitbybit 1 year ago
@@demon1058 If you can't Google and find information or education resources, then don't bother going any further to be a hacker; it's probably THE most important skill, to be able to find things out.
@ftechnologies1 1 year ago
Nice one
@ashishkhanduri1327 1 year ago
You always want to be politically correct... or I can watch your words more than a hacking community person does... hahah
@Shintowel 1 year ago
Awesome
@vanillafromnekopara 1 year ago
Damn
@murderbunnies 1 year ago
do you make more money from youtube or from pentesting?
@cumMan270 1 year ago
Interesting insight! I really wonder if AV providers look out for something like this. The AV's detection for this would heavily depend on how that malware behaves.
@0xbitbybit 1 year ago
Hard part is probably getting the malware on there in the first place, let alone executing it.
@foeyloozer6299 1 year ago
Any good AV detects a lot of living off the land techniques. At least well known ones
@_JohnHammond 1 year ago
Which "good, at least well known" AVs are you referring to that would detect living off the land techniques?
@foeyloozer6299 1 year ago
@@_JohnHammond Sorry for the late reply, I barely saw this. EDRs I've gone against in my testing (Elastic, CrowdStrike and SentinelOne) all detect basic LOLBin techniques. Especially ones commonly used by threat actors. Rundll32, RegSvr, MSHTA, MsBuild etc. This technique that you're looking at is a bit more advanced, messing with some nuances in the command line of a spawned LOLBIN that doesn't specify a full path. In a way this is similar to DLL hijacking: they do not specify the full path of the target DLL to load (just like the full path to logman isn't specified) and therefore it loads whatever is in the current directory first before going through the standard search order. Edit: I forgot to mention even basic Windows Defender will detect a lot of LOLBIN techniques, and it wasn't my payload getting detected, it was the techniques themselves. Also in my initial comment I meant well known as in "well known LOLBIN techniques", not well known AVs, sorry about that. Either way it should still stand.
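The comment above describes the mechanism from the defender's side: a signed system binary launches a child by bare name, so the child resolves from the current directory before the normal search order reaches System32. The following is an added example, not code from the video, from John Hammond or from Grzegorz Tworek; it runs a simple hunting rule over constructed, Sysmon-style process-creation records (field names ParentImage, Image, CommandLine and CurrentDirectory are modelled on Sysmon Event ID 1, the records themselves are made up). It flags any child of a watched parent (tpmtool.exe, as discussed in the thread) whose on-disk image is not in a trusted system directory, and records whether the launch used an unqualified name. The trusted-directory list and the watched-parent set are assumptions for the example.

```python
"""
Hunting rule: children of a watched system binary that resolved outside
a trusted system directory (added example; constructed sample data).
"""
import ntpath
from typing import Optional

# Where genuine copies of Windows system utilities live (assumption for the example).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Parents to watch: system binaries that the thread says spawn children
# by bare name. tpmtool.exe is the one discussed in the video.
WATCHED_PARENTS = {"tpmtool.exe"}


def _norm(path: str) -> str:
    # ntpath handles Windows paths correctly even when run on Linux.
    return ntpath.normpath(path).lower()


def _in_trusted_dir(image: str) -> bool:
    d = _norm(ntpath.dirname(image))
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def _first_token(cmdline: str) -> str:
    """Program token of a command line, honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def analyze(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious child of a watched parent, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent not in WATCHED_PARENTS:
        return None
    image = event["Image"]
    if _in_trusted_dir(image):
        return None  # the child came from System32/SysWOW64: expected
    token = _first_token(event.get("CommandLine", ""))
    unqualified = "\\" not in token and "/" not in token
    return {
        "parent": parent,
        "child": ntpath.basename(image).lower(),
        "image": image,
        "unqualified_launch": unqualified,
        "current_dir": event.get("CurrentDirectory", ""),
        "reason": "child of watched parent resolved outside a trusted system directory",
    }


def hunt(events: list) -> list:
    """Apply analyze() to every record and keep the findings."""
    return [f for f in (analyze(e) for e in events) if f]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {   # benign: child resolved from System32
        "ParentImage": r"C:\Windows\System32\tpmtool.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
        "CurrentDirectory": r"C:\Users\alice\Downloads",
    },
    {   # suspicious: same bare name, but the image lives in the working directory
        "ParentImage": r"C:\Windows\System32\tpmtool.exe",
        "Image": r"C:\Users\alice\Downloads\cmd.exe",
        "CommandLine": "cmd.exe",
        "CurrentDirectory": r"C:\Users\alice\Downloads",
    },
    {   # unrelated parent: outside the scope of this rule
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\alice\Downloads\tool.exe",
        "CommandLine": r"C:\Users\alice\Downloads\tool.exe",
        "CurrentDirectory": r"C:\Users\alice",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the resolved image path rather than on the command line, because the command line looks identical in the benign and the suspicious record; that is exactly the nuance the comment points at, and it is also why an unqualified launch plus an unexpected image directory is a stronger signal than either on its own.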
@johngreco7987 1 year ago
hi john, i have a problum you might be able to help me with, i think somone is rooted in my system, if interested email me ASAP
@underscore. 1 year ago
someone*
@underscore. 1 year ago
problem*