Nasreddine Bencherchali
@nas_bench
Detection @Splunk & @cisco | previously @nextronsystems | @sigma_hq & @magicswordio maintainer | Eternal Learner
HAL
Born September 8
Joined August 2011
  • How did we as a society look at the regex syntax and say, yep, that looks good, use this for pattern matching...
  • Honest threat actors be like 👀
  • Since everyone patches systems based on what infosec Twitter is currently hyping, we should do a weekly hype for old vulnerabilities and pretend that they are new; then maybe people will care.
  • "Svchost.exe" Mind Map covering its cmdline options, logs and "normal" behavior. Link: github.com/nasbench/MindM… #Detection #BlueTeam #Windows
  • Here is a stupid way to persist on a machine using Windows Terminal profiles.
    1. Modify the "settings.json" located in %localappdata% and add a custom profile that contains your payload.
    2. Change the "defaultProfile" value and put your GUID.
    3. Add the value "startOnUserLogin": true
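An audit for the pattern in the post above, written as an added example here and not code from the author: it parses settings.json, reports whether "startOnUserLogin" is set, which profile is the default and what command line it runs, and lists profiles whose command line does not look like a stock shell. The settings.json path is the packaged (Store) build's location and is an assumption; the stock-profile regex is a heuristic of this script to tune against your own baseline.

```powershell
# Added example (not code from the original post): audit Windows Terminal's
# settings.json for the persistence pattern described above. The path below is
# the packaged (Store) build's location and is an assumption; unpackaged builds
# keep settings.json elsewhere.
$settingsPath = Join-Path $env:LOCALAPPDATA `
    'Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'

function Get-WtProfileList {
    param([Parameter(Mandatory)]$Config)
    # "profiles" is either a bare array or an object with "defaults" and "list"
    if ($Config.profiles -is [System.Array]) { return @($Config.profiles) }
    return @($Config.profiles.list)
}

function Test-WtPersistence {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No settings.json at $Path"
        return
    }
    # settings.json may carry full-line // comments (JSONC). Windows PowerShell 5.1's
    # ConvertFrom-Json rejects them, so strip those lines before parsing.
    $raw = (Get-Content -Path $Path -Raw) -replace '(?m)^\s*//.*$', ''
    $cfg = $raw | ConvertFrom-Json

    $profiles   = Get-WtProfileList -Config $cfg
    $defaultPrf = $profiles | Where-Object { $_.guid -eq $cfg.defaultProfile } | Select-Object -First 1

    # Heuristic allow-list for command lines of stock profiles; anything else is reported.
    # This pattern is an assumption of the script; -match is case-insensitive by default.
    $stock = '^((%SystemRoot%|C:\\Windows)\\System32\\(cmd\.exe|WindowsPowerShell\\v1\.0\\powershell\.exe)|wsl\.exe|pwsh\.exe)'
    $odd = $profiles |
        Where-Object { $_.commandline -and $_.commandline -notmatch $stock } |
        ForEach-Object { [pscustomobject]@{ Name = $_.name; Guid = $_.guid; Commandline = $_.commandline } }

    [pscustomobject]@{
        StartOnUserLogin   = [bool]$cfg.startOnUserLogin
        DefaultProfileGuid = $cfg.defaultProfile
        DefaultProfileName = $defaultPrf.name
        DefaultCommandline = $defaultPrf.commandline
        # Both conditions together are the pattern from the post: a payload profile
        # made the default and Terminal started at logon.
        LogonRunsDefault   = ([bool]$cfg.startOnUserLogin) -and ($null -ne $defaultPrf)
        NonStockProfiles   = @($odd)
    }
}

Test-WtPersistence -Path $settingsPath | Format-List
```

Profiles that come from a dynamic source (WSL distributions, Visual Studio shells) have no "commandline" and are skipped, so the interesting rows are hand-written profiles whose command line points at a user-writable location while "LogonRunsDefault" is true.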
  • Demystifying the ‘SVCHOST.EXE’ Process and Its Command Line Options #windows #internals #malware
  • If you have Symantec SEP installed you can use the "Symantec.SSHelper" COM object to launch processes and download arbitrary files. The "User-Agent: Symantec Agent" can be used to identify requests made by "HIDownloadURLFile".
  • In addition to the documented "-e/--exec" flag in #lolbas for the "wsl.exe" binary (lolbas-project.github.io/lolbas/OtherMS…), we can also use the "--system" flag to run Linux (as root) or Windows commands: wsl --system [Command]
  • A quick DFIR tip for the weekend. Now that Notepad on Win 11 saves its state and can open tabs, it means history is saved somewhere :) Well, that somewhere is in %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState. A new location to monitor and
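A triage script for the TabState folder named in the post, added here as an example and not code from the author: it lists the state files newest first and pulls printable UTF-16LE runs out of each one, decoding at both byte alignments so a string starting at an odd offset is not missed. The minimum run length and the character class are choices of this script, not a parser of the file format.

```powershell
# Added example (not code from the original post): quick triage of the Notepad
# TabState folder named above. The tab text inside the files is UTF-16LE, so
# each file is decoded at both byte offsets and printable runs are kept.
# MinLength and the regex are assumptions of this script, not a format parser.
$tabStatePath = Join-Path $env:LOCALAPPDATA `
    'Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState'

function Get-Utf16Runs {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$MinLength = 6
    )
    $runs = foreach ($offset in 0, 1) {
        # A UTF-16LE string may start at an odd byte offset; decode both alignments.
        if ($Bytes.Length -le $offset) { continue }
        $text = [System.Text.Encoding]::Unicode.GetString($Bytes, $offset, $Bytes.Length - $offset)
        [regex]::Matches($text, "[\p{L}\p{N}\p{P}\p{S} ]{$MinLength,}") | ForEach-Object { $_.Value }
    }
    @($runs | Select-Object -Unique)
}

function Get-NotepadTabState {
    param([string]$Path = $tabStatePath)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No TabState folder at $Path (needs the Windows 11 Store Notepad)"
        return
    }
    Get-ChildItem -Path $Path -File -Recurse |
        Sort-Object -Property LastWriteTimeUtc -Descending |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            [pscustomobject]@{
                File         = $_.Name
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc
                Strings      = Get-Utf16Runs -Bytes $bytes
            }
        }
}

Get-NotepadTabState | Format-List
```

Copy the folder off the host first when doing this on a live machine; reading the files in place while Notepad is open updates their access times and can race with Notepad rewriting them.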
  • Windows Services (Creation) Mind Map covering service creation and detection methods. Link: github.com/nasbench/MindM… #Detection #BlueTeam #Windows #Services
  • By creating the key "telnet.exe" in the "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" registry and setting the "Default" key to any executable, we can call it by running the command: rundll32.exe url.dll,TelnetProtocolHandler
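Two checks for the trick in the post, added here as an example and not code from the author: one reads the App Paths entry for telnet.exe (the HKLM key from the post, plus the WOW6432Node view and the HKCU App Paths key, which Windows also honours, so a non-admin can plant the same entry) and flags a target outside System32; the other matches process-creation command lines for the rundll32 launch, allowing for "url" without the .dll suffix and spaces around the comma. The sample command lines are constructed for this example, and "a stock install has no telnet.exe App Paths entry" is an assumption to verify against your own baseline.

```powershell
# Added example (not code from the original post): look for an App Paths entry
# for telnet.exe (assumed absent on a stock install; verify against a baseline)
# and match process command lines for rundll32 url.dll,TelnetProtocolHandler.
# The sample command lines at the bottom are constructed for this example.
$appPathsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\telnet.exe',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\telnet.exe',
    # App Paths under HKCU are honoured as well, so no admin rights are needed to plant one
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\telnet.exe'
)

function Get-TelnetAppPath {
    foreach ($key in $appPathsKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $target = (Get-ItemProperty -Path $key).'(default)'
        [pscustomobject]@{
            Key             = $key
            Target          = $target
            # the real client, when installed, lives in System32; anything else is the hijack
            OutsideSystem32 = -not ($target -match '^(%SystemRoot%|C:\\Windows)\\System32\\telnet\.exe$')
        }
    }
}

function Find-TelnetHandlerLaunch {
    param([Parameter(Mandatory)][string[]]$CommandLines)
    # rundll32 accepts "url" without ".dll" and tolerates whitespace around the comma
    $CommandLines | Where-Object { $_ -match 'rundll32(\.exe)?.*\burl(\.dll)?\s*,\s*TelnetProtocolHandler' }
}

# Constructed process-creation command lines (Sysmon event 1 / Security 4688 style)
$sampleCommandLines = @(
    'rundll32.exe url.dll,TelnetProtocolHandler',
    '"C:\Windows\System32\rundll32.exe" url,TelnetProtocolHandler 10.0.0.5',
    'rundll32.exe url.dll,FileProtocolHandler C:\Users\Public\report.pdf',
    'powershell.exe -nop -c "Get-Date"'
)

Get-TelnetAppPath | Format-Table -AutoSize
# Returns the first two sample lines; FileProtocolHandler and the PowerShell line do not match
Find-TelnetHandlerLaunch -CommandLines $sampleCommandLines
```

The registry check is the higher-fidelity signal: rundll32 with url.dll is common on workstations, whereas a telnet.exe App Paths entry pointing anywhere but System32 has no benign explanation.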
  • whoami /all
    ipconfig /all
    systeminfo
    net group "Domain Admins" /domain