PRESENÇA DE ANINHA: 2023

Hi there

How would you like to earn a 35% commission for each sale for life by
selling SEO services

Every website owner requires the use of search engine optimizaztion (SEO)
for their websites. Think about it, this is really hot

Simply register with us, generate your affiliate links and incorporate them
on your websites, thats it.
It takes only a few minutes to set up everything and the payouts are sent
by each end of the month

Click here to sign up with us, totally free:
https://www.creative-digital.co/join-our-affiliate-program/

See you inside
Shontae

View this email as Webpage

PM Certification Package - Qualified Applicants can Receive a Waiver from Further Exams

EARN YOUR CERTIFICATION TODAY OF: CIPM CERTIFIED INTERNATIONAL PROJECT MANAGER ®

ACCREDITED CERTIFICATION PROGRAM - QUALIFIED APPLICATIONS GET APPROVAL WITHTOUT MORE EXAMS

Are you interested in achieving PM Graduate Project Management Certification for your career enhancement. If you already have a accredited diploma and experience in project management, or you have military/government experience, they you may apply here: https://certifiedprojectmanager.us/Register.html

Package Includes:
• Assessment of your Qualifying Credentials
• Certification in one or more areas of Project Management or Management Consulting
• Membership in a Gloally Recognized PM Body with potential FELLOW Status
• Accreditation for ISO 21001 and ISO 9001 Certifications
• ESQ EU Accreditation recognition of Your PM Credential
• Free PM, Risk, and HR Online Courses
• Endorsement from AAPM. Listing your credentials in Database with Member Number.
• Exclusive access to Academy of Project Management developed content
• 40 PDUs offered – AAPM Approved

Email your qualifying resume to info@certifiedprojectmanager.us

AAPM - As seen in the National Law Journal, CBS, NBC, ABC, CNN, AP, Yahoo Finance, Forbes News, Wall Street Journal, Arab Times, The China Daily, El Norte Mexico and the Hindu National.

If you are interested in this Credentialing Program, please go to our website and apply. If you are still a beginner Project Manager, please go to the larger introductory PM bodies to take their class and quiz before coming to our Graduate Body of AAPM for PGC Professional Graduate Certification.

Regards, AAPM Board of Standards

www.CertifiedProjectManager.us

** Accreditation - Our AAPM ® Certification Board is ESQ Accredited and ISO 9001 Certified for Quality and ISO 21001 Certified for Educational Standards. CHEA & ACBSP Accreditation Standards. Approved Sanctioned by the Arab Academy for over 20 Arab Nations. In academic alliance with the ACBSP National Business Accreditation Agency for Certification Standards worldwide. The AAPM/GAFM ® Board of Standards is a founding member of the standards memorandum of the CHEA International Quality Group. We have also been accredited over the years by the TUV , ESQ, and have earned ISO 29990 Certification and ISO 21001 Certification.

To be removed from this list please visit manage subscription to unsubscribe.

Media LLC
1670-F East Cheyenne Mtn Blvd, Box 293 Colorado Springs, CO 80906

If you ever need Negative SEO Serrvices, we offer it here
https://liftmyrank.co/negative-seo-services/

Unsubscribe:
https://mgdots.co/unsubscribe/

Hello,

I'm Dr. Bengat. I wish to urgently confirm from you if actually you know one Mrs. Jeanne White who claims to be your business associate/partner.

Kindly reconfirm this application put in by Mrs. Jeanne White - she submitted the under-listed bank account information supposedly sent by you to receive the funds on your behalf.

The bank information she applied with are stated thus:

Account Name: Mrs. Jeanne White
Bank name: Citi Bank NA
Bank address: #1230 Arch Street, Philadelphia, PA 19107, USA
Account Number: 013439887655
Routing Number: 2771722
Swift Code: CITIUS30

The said Mrs. Jeanne White is claiming to this office that you are dead and have Instructed that all relevant documentation/Information regarding your Payment/Transfer, be changed to her as the beneficiary of the payment short-listed among the foreign beneficiaries entitled to receive their payment.

For your Information, this Government has approved the total amount of EIGHT MILLION, FIVE HUNDRED THOUSAND UNITED STATES DOLLARS ONLY, in your favor, prior to the Federal Government instructions/mandate to offset all outstanding payments to the various legal foreign beneficiaries. We need to confirm from you if it's really true that you are dead as mentioned by your Associate.

You should note that, if we do not hear from you, we automatically assume that you are actually dead and the information passed to us by Mrs. Jeanne White is correct. Hence, you are hereby requested to reply to this Email immediately for confirmation, before we proceed with this payment and for us to know the true position of things with you so that we won't make any mistakes/errors in remitting your out-standing payment to a wrong person/account.

Lastly, you are advised to reply back to this email and reconfirm the details of this message if truly you're alive.

Full name................................
Direct telephone number.........
Address....................................
Age...........................................

Your quick response will help us a lot ( lorenzobengat@aliyun.com )

Yours, Sincerely,
Dr. L. Bengat

Hackerhubb.blogspot.com

Continue reading

Lets build an app that uses several data-types in order to see how is stored from a low level perspective.

Rust string data-types

The two first main objects are "str" and String, lets check also the constructors.

Imports and functions

Even such a basic program links several libraries and occupy 2,568Kb, it's really not using the imports and expots the runtime functions even the main.

Even a simple string operation needs 544 functions on rust:

Main function

If you expected see a clear main function I regret to say that rust doesn't seem a real low-level language In spite of having a full control of the memory.

Ghidra turns crazy when tries to do the recursive parsing of the rust code, and finally we have the libc _start function, the endless loop after main is the way Ghidra decompiles the HLT instruction.

If we jump to main, we see a function call, the first parameter is rust_main as I named it below:

If we search "hello world" on the Defined Strings sections, matches at the end of a large string

After doing "clear code bytes" we can see the string and the reference:

We can see that the literal is stored in an non null terminated string, or most likely an array of bytes. we have a bunch of byte arrays and pointed from the code to the beginning.
Let's follow the ref. [ctrl]+[shift]+[f] and we got the references that points to the rust main function.

After several naming thanks to the Ghidra comments that identify the rust runtime functions, the rust main looks more understandable.
See below the ref to "hello world" that is passed to the string allocated hard-coding the size, because is non-null terminated string and there is no way to size this, this also helps to the rust performance, and avoid the c/c++ problems when you forgot the write the null byte for example miscalculating the size on a memcpy.

Regarding the string object, the allocator internals will reveal the structure in static.
alloc_string function call a function that calls a function that calls a function and so on, so this is the stack (also on static using the Ghidra code comments)

1. _$LT$alloc..string..String$u20$as$u20$core..convert..From$LT$$RF$str$GT$$GT$::from::h752d6ce1f15e4125
2. alloc::str::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$str$GT$::to_owned::h649c495e0f441934
3. alloc::slice::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$$u5b$T$u5d$$GT$::to_owned::h1eac45d28
4. alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::h25257986b8057640
5. alloc::slice::hack::to_vec::h37a40daa915357ad
6. core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::len::h2af5e6c76291f524
7. alloc::vec::Vec$LT$T$GT$::extend_from_slice::h190290413e8e57a2
8. _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$T$C$core..slice..Iter$LT$T$GT$$GT$$GT$::spec_extend::h451c2f92a49f9caa
...

Well I'm not gonna talk about the performance impact on stack but really to program well reusing code grants the maintainability and its good, and I'm sure that the rust developed had measured that and don't compensate to hardcode directly every constructor.

At this point we have two options, check the rust source code, or try to figure out the string object in dynamic with gdb.

Source code

Let's explain this group of substructures having rust source code in the hand.
The string object is defined at string.rs and it's simply an u8 type vector.

And the definition of vector can be found at vec.rs and is composed by a raw vector an the len which is the usize datatype.

The RawVector is a struct that helds the pointer to the null terminated string stored on an Unique object, and also contains the allocation pointer, here raw_vec.rs definition.

The cap field is the capacity of the allocation and a is the allocator:

Finally the Unique object structure contains a pointer to the null terminated string, and also a one byte marker core::marker::PhantomData

Dynamic analysis

The first parameter of the constructor is the interesting one, and in x64 arch is on RDI register, the extrange sequence RDI,RSI,RDX,RCX it sounds like ACDC with a bit of imagination (di-si-d-c)

So the RDI parámeter is the pointer to the string object:

So RDI contains the stack address pointer that points the the heap address 0x5578f030.
Remember to disable ASLR to correlate the addresses with Ghidra, there is also a plugin to do the synchronization.

Having symbols we can do:
p mystring

and we get the following structure:

String::String {
vec: alloc::vec::Vec {
buf: alloc::raw_vec::RawVec {
ptr: core::ptr::unique::Unique {
pointer: 0x555555790130 "hello world\000",
_marker: core::marker::PhantomData
},
cap: 11,
a: alloc::alloc::Global
},
len: 11
}
}

If the binary was compiled with symbols we can walk the substructures in this way:

(gdb) p mystring.vec.buf.ptr
$6 = core::ptr::unique::Unique {pointer: 0x555555790130 "hello world\000", _marker: core::marker::PhantomData}

(gdb) p mystring.vec.len

$8 = 11

If we try to get the pointer of each substructure we would find out that the the pointer is the same:

If we look at this pointer, we have two dwords that are the pointer to the null terminated string, and also 0xb which is the size, this structure is a vector.

The pionter to the c string is 0x555555790130

This seems the c++ string but, let's look a bit deeper:

RawVector
Vector:
(gdb) x/wx 0x7fffffffdf50
0x7fffffffdf50: 0x55790130 -> low dword c string pointer
0x7fffffffdf54: 0x00005555 -> hight dword c string pointer
0x7fffffffdf58: 0x0000000b -> len

0x7fffffffdf5c: 0x00000000
0x7fffffffdf60: 0x0000000b -> low cap (capacity)
0x7fffffffdf64: 0x00000000 -> hight cap
0x7fffffffdf68: 0xf722fe27 -> low a (allocator)
0x7fffffffdf6c: 0x00007fff -> hight a
0x7fffffffdf70: 0x00000005

So in this case the whole object is in stack except the null-terminated string.

The UnifiedAuditLog is a great source of cloud forensic information since it contains a wealth of data on multiple types of cloud operations like ExchangeItems, SharePoint, Azure AD, OneDrive, Data Governance, Data Loss Prevention, Windows Defender Alerts and Quarantine events, Threat intelligence events in Microsoft Defender for Office 365 and the list goes on and on!

AzureHunter Data Consistency Checks

AzureHunter implements some useful logic to ensure that the highest log density is mined and exported from Azure & O365 Audit Logs. In order to do this, we run two different operations for each cycle (batch):

Automatic Window Time Reduction: this check ensures that the time interval is reduced to the optimal interval based on the ResultSizeUpperThreshold parameter which by default is 20k. This means, if the amounts of logs returned within your designated TimeInterval is higher than ResultSizeUpperThreshold, then an automatic adjustment will take place.
Sequential Data Check: are returned Record Indexes sequentially valid?

Usage

Ensure you connect to ExchangeOnline

It's recommended that you run Connect-ExchangeOnline before running any AzureHunter commands. The program checks for an active remote session and attempts to connect but some versions of Powershell don't allow this and you need to do it yourself regardless.

Run AzureHunter

AzureHunter has two main commands: Search-AzureCloudUnifiedLog and Invoke-HuntAzureAuditLogs.

The purpose of Search-AzureCloudUnifiedLog is to implement a complex logic to ensure that the highest percentage of UnifiedAuditLog records are mined from Azure. By default, it will export extracted and deduplicated records to a CSV file.

The purpose of Invoke-HuntAzureAuditLogs is to provide a flexible interface into hunting playbooks stored in the playbooks folder. These playbooks are designed so that anyone can contribute with their own analytics and ideas. So far, only two very simple playbooks have been developed: AzHunter.Playbook.Exporter and AzHunter.Playbook.LogonAnalyser. The Exporter takes care of exporting records after applying de-duplication and sorting operations to the data. The LogonAnalyser is in beta mode and extracts events where the Operations property is UserLoggedIn. It is an example of what can be done with the playbooks and how easy it is to construct one.

When running Search-AzureCloudUnifiedLog, you can pass in a list of playbooks to run per log batch. Search-AzureCloudUnifiedLog will pass on the batch to the playbooks via Invoke-HuntAzureAuditLogs.

Finally Invoke-HuntAzureAuditLogs can, be used standalone. If you have an export of UnifiedAuditLog records, you can load them into a Powershell Array and pass them on to this command and specify the relevant playbooks.

Example 1 | Run search on Azure UnifiedAuditLog and extract records to CSV file (default behaviour)

Search-AzureCloudUnifiedLog -StartDate "2020-03-06T10:00:00" -EndDate "2020-06-09T12:40:00" -TimeInterval 12 -AggregatedResultsFlushSize 5000 -Verbose

This command will:

Search data between the dates in StartDate and EndDate
Implement a window of 12 hours between these dates, which will be used to sweep the entire length of the time interval (StartDate --> EndDate). This window will be automatically reduced and adjusted to provide the maximum amount of records within the window, thus ensuring higher quality of output. The time window slides sequentially until reaching the EndDate.
The AggregatedResultsFlushSize parameter speficies the batches of records that will be processed by downstream playbooks. We are telling AzureHunter here to process the batch of records once the total amount reaches 5000. This way, you can get results on the fly, without having to wait for hours until a huge span of records is exported to CSV files.

Example 2 | Run Hunting Playbooks on CSV File

We assume that you have exported UnifiedAuditLog records to a CSV file, if so you can then do:

$RecordArray = Import-Csv .\my-exported-records.csv
Invoke-HuntAzureAuditLogs -Records $RecordArray -Playbooks 'AzHunter.Playbook.LogonAnalyser'

You can run more than one playbook by separating them via commas, they will run sequentially:

$RecordArray = Import-Csv .\my-exported-records.csv
Invoke-HuntAzureAuditLogs -Records $RecordArray -Playbooks 'AzHunter.Playbook.Exporter', 'AzHunter.Playbook.LogonAnalyser'

Why?

Since the aftermath of the SolarWinds Supply Chain Compromise many tools have emerged out of deep forges of cyberforensicators, carefully developed by cyber blacksmith ninjas. These tools usually help you perform cloud forensics in Azure. My intention with AzureHunter is not to bring more noise to this crowded space, however, I found myself in the need to address some gaps that I have observed in some of the tools in the space (I might be wrong though, since there is a proliferation of tools out there and I don't know them all...):

Azure cloud forensic tools don't usually address the complications of the Powershell API for the UnifiedAuditLog. This API is very unstable and inconsistent when exporting large quantities of data. I wanted to develop an interface that is fault tolerant (enough) to address some of these issues focusing solely on the UnifiedAuditLog since this is the Azure artefact that contains the most relevant and detailed activity logs for users, applications and services.
Azure cloud forensic tools don't usually put focus on developing extensible Playbooks. I wanted to come up with a simple framework that would help the community create and share new playbooks to extract different types of meaning off the same data.

If, however, you are looking for a more feature rich and mature application for Azure Cloud Forensics I would suggest you check out the excellent work performed by the cyber security experts that created the following applications:

CISA's Sparrow
HAWK
CrowdStrike Reporting Tool for Azure CRT

I'm sure there is a more extensive list of tools, but these are the ones I could come up with. Feel free to suggest some more.

Why Powershell?

I didn't want to re-invent the wheel
Yes the Powershell interface to Azure's UnifiedAuditLog is unstable, but in terms of time-to-production it would have taken me an insane amount of hours to achieve the same thing writing a whole new interface in languages such as .NET, Golang or Python to achieve the same objectives. In the meanwhile, the world of Cyber Defense and Response does not wait!

TODO

Specify standard playbook metadata attributes that need to be present so that AzureHunter can leverage them.
Allow for playbooks to specify dependencies on other playbooks so that one needs to be run before the other. Playbook chaining could produce interesting results and avoid code duplication.
Develop Pester tests and Coveralls results.
Develop documentation in ReadTheDocs.
Allow for the specification of playbooks in SIGMA rule standard (this might require some PR to the SIGMA repo)

More Information

For more information

Credits

Icon made by itim2101 from www.flaticon.com

Download AzureHunter

More articles

Marcadores

sexta-feira, 8 de dezembro de 2023

Collaboration request

sexta-feira, 17 de novembro de 2023

Certified Financial Analyst Certification Package

segunda-feira, 31 de julho de 2023

<> Negative SEO Services <>

segunda-feira, 5 de junho de 2023

Confirm Please

Hackerhubb.blogspot.com

Continue reading

Reversing Rust String And Str Datatypes

Rust string data-types

Imports and functions

Main function

Source code

Dynamic analysis

Related posts

domingo, 4 de junho de 2023

AzureHunter - A Cloud Forensics Powershell Module To Run Threat Hunting Playbooks On Data From Azure And O365