Up on the @defcon stage with @pwnEIP and @NopResearcher who hosts the @RedTeamVillage_ CTF. Thanks to our friends in @bootplug_ctf for playing with us this weekend! @ctfzup @mmklarz @webhak
We won the @RedTeamVillage_ CTF @defcon 30
EPT pool party @ Garden Of The Gods!
Two in a row! First @OsloBSides, and now we won the @BSidesSF CTF. Thanks for the fun challenges
We had great fun at @OsloBSides yesterday. Thanks for a superb CTF (and afterparty) @bootplug_ctf
See you there!
x.com/OsloBSides/sta…
We won the #cactuscon #ctf last weekend. Thanks for great challenges and awesome prizes. @pwnEIP @offsectraining @hackthebox_eu @PentesterLab @SANSOffensive @zeropointsecltd
Our team member iLoop just won a voucher for @offsectraining's OSEP (PEN-300) course from @RedTeamVillage_'s CTF! Thank you so much for sponsoring RTV CTF at DC29 #DEFCON this year! @pwnEIP
If you run the code, it will remove the ACL for all the services in the serviceHashList list. On reboot, these services will not start.
#sunburst is, as we know, stealthy, and does not reboot the computer; it rather waits for the computer to be rebooted.
#sunburst will iterate over all entries in the registry, and if it finds a match, clear the ACL of that key, and then set the owner to the local Administrator account.
#sunburst does not kill the process of the AV; it rather changes the ownership and permissions of the service entry in HKLM:/System/CurrentControlSet/services
cc @MalwareJake @GossiTheDog @SwiftOnSecurity
The reason it aborts when sysmon is running is probably that sysmon creates an event log if the service is not able to start after a reboot.
raw.githubusercontent.com/ept-team/sunbu…
The assemblyTimeStamps (process list) is used to see if any of these processes are running, if so, the execution aborts.
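The thread above describes the tampering pattern: the DACL of a service key under HKLM\SYSTEM\CurrentControlSet\Services is cleared and the key's owner is switched to the local Administrator account, so the service silently fails to start after the next reboot. The script below is an added audit example written for defenders; it is not code from the thread or from the ept-team repository it links. It walks the Services hive and reports keys whose DACL is empty, whose DACL grants SYSTEM no access, or whose owner is the local Administrator or otherwise outside a small baseline list. The baseline owner list is an assumption for a stock Windows build and should be adjusted to your image. Run it from an elevated PowerShell on the host under review.

```powershell
# Added audit example (not from the thread or the linked ept-team repo).
# Flags service registry keys that show the pattern described above:
# a cleared DACL and/or ownership handed to the local Administrator account.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumed baseline: owners that are normal for service keys on a stock install.
$expectedOwners = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# The thread says ownership is moved to the local Administrator account.
$localAdmin = "$env:COMPUTERNAME\Administrator"

$findings = foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    try {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
    } catch {
        # A key we cannot even read is itself worth a look; report it and move on.
        [pscustomobject]@{
            Service  = $key.PSChildName
            Owner    = '<unreadable>'
            AceCount = $null
            Reason   = "Get-Acl failed: $($_.Exception.Message)"
        }
        continue
    }

    $owner = $acl.Owner
    $rules = @($acl.Access)

    # Does SYSTEM still hold an Allow entry on this key?
    $systemAllowed = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow'
    }

    $reasons = @()
    if ($rules.Count -eq 0) {
        $reasons += 'empty DACL'
    } elseif (-not $systemAllowed) {
        $reasons += 'SYSTEM has no Allow ACE'
    }

    if ($owner -eq $localAdmin) {
        $reasons += 'owned by local Administrator'
    } elseif ($expectedOwners -notcontains $owner) {
        $reasons += "unexpected owner: $owner"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service  = $key.PSChildName
            Owner    = $owner
            AceCount = $rules.Count
            Reason   = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Sort-Object Service | Format-Table -AutoSize
} else {
    Write-Output "No service keys matched the audit criteria under $servicesRoot"
}
```

Because the thread notes that the implant only waits for a reboot rather than forcing one, this check is useful between the tampering and the next restart: a key that is still running as a service but already has an empty DACL or an Administrator owner is the signal to act on, before the service fails to come back up.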