Yamato-Security / takajo

Takajō (鷹匠) is a Hayabusa results analyzer.
https://yamato-security.github.io/takajo/
GNU General Public License v3.0
78 stars 7 forks

`extract-credentials` command #188

Open YamatoSecurity opened 1 week ago

YamatoSecurity commented 1 week ago

I'd like to create a command that tries to identify commands that were entered that contain usernames or passwords, similar to what is explained here: https://practicalsecurityanalytics.com/extracting-credentials-from-windows-logs/ There is a risk that administrators will enter plaintext usernames and passwords into the command line, which gets logged in 4688 events and Sysmon 1 events. Attackers may abuse this for offensive purposes, as described in the article, so it is important for blue teams as well to understand whether these plaintext passwords are being leaked in command-line option logging. (If the blue team finds credentials being logged, they can inform the user to change their password/API key and warn them of the risks.)

We should also include a regular expression check to look for API keys being leaked in the event logs.

Output to the terminal can be a table with the following columns: Timestamp, Computer, Event (Sec-4688 or Sysmon 1), Username, Password, API Key, Commandline; or the results can be output to a CSV file.

@fukusuket Could I ask you to do this one?

fukusuket commented 1 week ago

Sounds good!! Yes! I would love to implement it!💪

YamatoSecurity commented 1 week ago

@fukusuket Thanks!

fukusuket commented 1 day ago

Memo

Reference

Sample Commands

wmic /node:dc /user:vagrant /password:vagrant process get name
schtasks /Create /S dc /U vagrant /P vagrant /SC DAILY /TN MyTask /TR C:/Path/To/MyScript.vbs /ST 14:00
net user testuser Password!#@$ /add
psexec \\dc -u dc\vagrant -p vagrant systeminfo
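The check described in the opening comment (username/password extraction from 4688 and Sysmon 1 command lines, a regex pass for API keys, and the Timestamp/Computer/Event/Username/Password/API Key/Commandline table or CSV), run over the four sample commands above, as an added Python example. This is not takajo's own code (takajo is written in Nim); it only illustrates the logic. The JSONL records are constructed, and their field names (Timestamp, Computer, a Channel of "Sec" or "Sysmon", EventID, Details.Cmdline) are assumptions standing in for Hayabusa's output. The regexes, `extract_credentials`, `scan` and `to_csv` are hypothetical helpers written for this example.

```python
"""Added example (not takajo's code): flag plaintext credentials and API keys in
process-creation command lines. Records are constructed; field names are assumed."""
import csv
import io
import json
import re

# Command-line shapes that carry a username together with a plaintext password.
# Every regex exposes named groups 'user' and 'pw'; the first match wins.
CRED_PATTERNS = [
    # wmic /node:dc /user:vagrant /password:vagrant process get name
    re.compile(r"/user:(?P<user>\S+)\s+/password:(?P<pw>\S+)", re.I),
    # schtasks /Create /S dc /U vagrant /P vagrant ...   (also /RU ... /RP ...)
    re.compile(r"/R?U\s+(?P<user>\S+)\s+/R?P\s+(?P<pw>\S+)", re.I),
    # net user testuser Password!#@$ /add   (a bare "net user testuser" only queries)
    re.compile(r"\bnet1?\s+user\s+(?P<user>[^\s/]+)\s+(?P<pw>[^\s/]+)", re.I),
    # net use \\dc\c$ /user:dc\vagrant vagrant
    re.compile(r"\bnet1?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<pw>[^\s/]+)", re.I),
    # psexec \\dc -u dc\vagrant -p vagrant systeminfo   (generic -u X -p Y, e.g. mysql too)
    re.compile(r"\s-u\s+(?P<user>\S+)\s+-p\s+(?P<pw>\S+)", re.I),
]

# Token formats with a recognisable prefix, plus a generic key=value catch-all.
API_KEY_PATTERNS = [
    re.compile(r"\b(?P<key>AKIA[0-9A-Z]{16})\b"),            # AWS access key ID
    re.compile(r"\b(?P<key>ghp_[A-Za-z0-9]{36})\b"),         # GitHub classic PAT
    re.compile(r"\b(?P<key>xox[baprs]-[0-9A-Za-z-]{10,})"),  # Slack token
    re.compile(r"(?:api[_-]?key|token|secret)[=:]\s*['\"]?(?P<key>[A-Za-z0-9_\-]{16,})", re.I),
]

COLUMNS = ["Timestamp", "Computer", "Event", "Username", "Password", "API Key", "Commandline"]


def extract_credentials(cmdline):
    """Return (username, password, api_key); empty strings where nothing matched."""
    user = pw = key = ""
    for pat in CRED_PATTERNS:
        m = pat.search(cmdline)
        if m:
            user, pw = m.group("user"), m.group("pw")
            break
    for pat in API_KEY_PATTERNS:
        m = pat.search(cmdline)
        if m:
            key = m.group("key")
            break
    return user, pw, key


def event_label(record):
    """Map a record to the issue's 'Sec-4688' / 'Sysmon 1' naming; None otherwise."""
    ch, eid = record.get("Channel", ""), record.get("EventID")
    if ch == "Sec" and eid == 4688:
        return "Sec-4688"
    if ch == "Sysmon" and eid == 1:
        return "Sysmon 1"
    return None


def load_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(records):
    """One row per process-creation record whose command line leaks a password or API key."""
    rows = []
    for rec in records:
        label = event_label(rec)
        if label is None:
            continue
        cmd = rec.get("Details", {}).get("Cmdline", "")
        user, pw, key = extract_credentials(cmd)
        if pw or key:
            rows.append(dict(zip(COLUMNS, [rec["Timestamp"], rec["Computer"], label, user, pw, key, cmd])))
    return rows


def to_csv(rows, redact=False):
    """Serialise rows as CSV. The report itself holds secrets, so redact=True keeps only
    the first two characters of each password/key, in its column and in the command line."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS)
    w.writeheader()
    for r in rows:
        r = dict(r)
        if redact:
            for col in ("Password", "API Key"):
                secret = r[col]
                if secret:
                    masked = secret[:2] + "*" * (len(secret) - 2)
                    r[col] = masked
                    r["Commandline"] = r["Commandline"].replace(secret, masked)
        w.writerow(r)
    return buf.getvalue()


# Constructed sample records (not real Hayabusa output); last two are negatives.
SAMPLE_JSONL = r"""
{"Timestamp": "2024-05-01 10:00:01.000 +09:00", "Computer": "ws01", "Channel": "Sec", "EventID": 4688, "Details": {"Cmdline": "wmic /node:dc /user:vagrant /password:vagrant process get name"}}
{"Timestamp": "2024-05-01 10:00:02.000 +09:00", "Computer": "ws01", "Channel": "Sysmon", "EventID": 1, "Details": {"Cmdline": "schtasks /Create /S dc /U vagrant /P vagrant /SC DAILY /TN MyTask /TR C:/Path/To/MyScript.vbs /ST 14:00"}}
{"Timestamp": "2024-05-01 10:00:03.000 +09:00", "Computer": "dc", "Channel": "Sec", "EventID": 4688, "Details": {"Cmdline": "net user testuser Password!#@$ /add"}}
{"Timestamp": "2024-05-01 10:00:04.000 +09:00", "Computer": "ws01", "Channel": "Sysmon", "EventID": 1, "Details": {"Cmdline": "psexec \\\\dc -u dc\\vagrant -p vagrant systeminfo"}}
{"Timestamp": "2024-05-01 10:00:05.000 +09:00", "Computer": "ws01", "Channel": "Sec", "EventID": 4688, "Details": {"Cmdline": "curl -H \"Authorization: token ghp_0123456789abcdefghijklmnopqrstuvwxyz\" https://api.github.com/user"}}
{"Timestamp": "2024-05-01 10:00:06.000 +09:00", "Computer": "ws01", "Channel": "Sysmon", "EventID": 1, "Details": {"Cmdline": "net user testuser"}}
{"Timestamp": "2024-05-01 10:00:07.000 +09:00", "Computer": "ws01", "Channel": "Sec", "EventID": 4624, "Details": {"Cmdline": ""}}
"""

if __name__ == "__main__":
    print(to_csv(scan(load_jsonl(SAMPLE_JSONL)), redact=True))
```

Two practitioner notes. First, the `-u X -p Y` and `/U X /P Y` shapes are deliberately generic, so expect false positives from tools that use those switches for something else; the command line is kept in the output so the analyst can triage them. Second, a credential report is itself a credential store: the `redact` flag exists because a CSV of recovered passwords left on a share recreates the exact exposure the command is meant to find, and the unredacted form should only be produced when the analyst actually needs the value to notify the owner.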