Comments for Shells.Systems (https://shells.systems)

Comment on Extracting Plaintext Credentials from Palo Alto Global Protect by Ian
https://shells.systems/extracting-plaintext-credentials-from-palo-alto-global-protect/#comment-38336
Wed, 11 Dec 2024 13:47:06 +0000

Hi Jack

Thank you for your feedback. Tested config was

Device name – Panorama
Model – Panorama
System Mode – Panorama

Software Version – 10.2.10-h7
App ver – 8917-9092 (11/20/2024)
AV version – 5008-5526 (11/20/2024)
Device Dictionary version – 151-555 (11/08/2024)
Wildfire version – 928070-932001 (11/21/2024)

Plugin VM-Series – vm_series-3.0.8

Plugin GlobalProtect Cloud Service – cloud_services-3.2.1-h41

GlobalProtect 6.2.4-652

The methodology worked for a couple of months before the release and those details were obtained, so I'm not sure how many updates happened in that time. Hope that helps.
Ian

Comment on Extracting Plaintext Credentials from Palo Alto Global Protect by Jack Daniel
https://shells.systems/extracting-plaintext-credentials-from-palo-alto-global-protect/#comment-38334
Wed, 11 Dec 2024 13:28:27 +0000

Thank you for sharing this information. One thing I did not see in the article was the versions of PANOS and GlobalProtect. My apologies if I missed it. Would you mind sharing the version information? Or was this across multiple combinations of PANOS and GlobalProtect?

Comment on Defeat Bitdefender total security using windows API unhooking to perform process injection by sha16
https://shells.systems/defeat-bitdefender-total-security-using-windows-api-unhooking-to-perform-process-injection/#comment-28066
Thu, 25 Jan 2024 16:34:47 +0000

Thank you so much! Great explanation!

Comment on Customising an existing evilginx phishlet to work with modern Citrix by Nate
https://shells.systems/customising-an-existing-evilginx-phishlet-to-work-with-modern-citrix/#comment-26896
Thu, 31 Aug 2023 16:45:17 +0000

Nice write-up!

I have two questions.

Q1: Does the ‘/PATH’ string need to change in

js_inject:
  - trigger_domains: ["domain"]
    trigger_paths: ["/PATH"]
    trigger_params: []

based on the origin of the Checkbox?

Q2: For example, does your ‘/PATH’ look like this?

js_inject:
  - trigger_domains: ["domain"]
    trigger_paths: ["/…msg-setclient.js"]
    trigger_params: []

Comment on Introducing APT-Hunter : Threat Hunting Tool via Windows Event Log by Threat hunt from Windows Event log – dpalbd
https://shells.systems/introducing-apt-hunter-threat-hunting-tool-via-windows-event-log/#comment-19367
Mon, 17 Oct 2022 08:52:59 +0000

[…] Introducing APT-Hunter : Threat Hunting Tool via Windows Event Log […]

Comment on Cacti v1.2.8 authenticated Remote Code Execution (CVE-2020-8813) by Penetration_Testing_POC-About 渗透测试有关的POC、EXP、脚本、提权、小工具等 – 源码巴士
https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/#comment-18933
Mon, 10 Oct 2022 14:43:44 +0000

[…] […]

Comment on Oh my API, abusing TYK cloud API management to hide your malicious C2 traffic by John Cutter
https://shells.systems/oh-my-api-abusing-tyk-cloud-api-management-service-to-hide-your-malicious-c2-traffic/#comment-17210
Sun, 21 Aug 2022 16:20:41 +0000

Nice write-up, Askar. One point which might help is the content categorization of the TYK.io domain and subdomains by the major proxy players. It’s up to each org how they block or allow various categories, and different products have different methods for recategorizing sites, but mentioning the default categorization would help.

Comment on Unveiling Octopus: The pre-operation C2 for Red Teamers by Prince
https://shells.systems/unveiling-octopus-the-pre-operation-c2-for-red-teamers/#comment-15468
Sun, 26 Jun 2022 01:24:22 +0000

How can we get the web-based C2 domain?

Comment on Introducing APT-Hunter : Threat Hunting Tool via Windows Event Log by Форензика
https://shells.systems/introducing-apt-hunter-threat-hunting-tool-via-windows-event-log/#comment-15213
Thu, 16 Jun 2022 18:25:53 +0000

[…] More details about APT Hunter […]

Comment on Octopus v1.0 stable: Cobalt Strike deployment & much more! by Octopus - Open Source Pre-Operation C2 Server Based On Python And Powershell - Haxf4rall
https://shells.systems/octopus-v1-0-stable-cobalt-strike-deployment-much-more/#comment-14675
Fri, 20 May 2022 17:44:22 +0000

[…] Octopus v1.0 stable: Cobalt Strike deployment & much more! […]
