You are browsing the archive for Random ideas.

Trivial Anti-BlueTeam trick #2

February 2, 2019 in Random ideas, Silly

This is a silly idea for hiding stuff on a Windows system. A bit similar to the one I described here, but even more lame 🙂

The Documents and Settings folder is a legacy location where Windows used to store users’ files. It has been replaced by the Users folder looong time ago (in Vista, year ~2006), and no one really writes or even uses a software that relies on this location anymore. And on newer versions of Windows it’s just a junction:

c:\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users

So, we can simply delete the junction, and re-create the folder as a real directory. Since everyone ‘knows’ that this directory is mapped to c:\Users, we could place legitimately looking files there and potentially fool some junior analysts.

Don’t stress about a bit of stress testing #2

January 25, 2019 in Anti-*, EDR, Random ideas

Yesterday I tested 100K Run keys, today I test 100K Sysmon rules.

Sysmon is visibly struggling:

The CPU goes high, and the logs are not being added. I let it ran for a couple of minutes, but this state has not changed. No idea if it just takes that long to ingest so many rules? So… not sure if Sysmon has any upper limits for the number of rules, but I guess we can assume it is not 100K, but less. Why? I tried 1K, 10K, and 25K of identical rules and for these numbers sysmon worked pretty well. Once sysmon digested the rules the logs started appearing almost immediately.

Update:

It looks like 100K is definitely a killer number. After ~20 minutes the program bailed out stating that there is not enough memory:

The test was not very methodical, I used a bit of a naughty rule that was testing a presence of a long substring within a string representing an image of each created process. Assuming that sysmon has to test 1K, 10K, 25K, 100K rules on each process, it should affect the processing speed.

It’s obviously not a biggie, because one needs to modify config to disrupt the processing so much, but it is good to know that too many rules may not be a very healthy idea. Still, since a typical config won’t cross 1-5K rules it should work for you like a charm…