https://chw41.github.io/tags/techtalks/Recent content in Techtalks on chw㉿world:~$Hugozh-twWed, 19 Nov 2025 00:00:00 +0000https://chw41.github.io/b1og/cybersec-2025-%E8%87%BA%E7%81%A3%E8%B3%87%E5%AE%89%E5%A4%A7%E6%9C%83-operations-security-opsec--%E7%B4%85%E9%9A%8A%E4%B8%8D%E8%A2%AB%E6%8A%93%E5%88%B0%E7%9A%84%E7%A7%98%E5%AF%86-steven-meow/Wed, 19 Nov 2025 00:00:00 +0000https://chw41.github.io/b1og/cybersec-2025-%E8%87%BA%E7%81%A3%E8%B3%87%E5%AE%89%E5%A4%A7%E6%9C%83-operations-security-opsec--%E7%B4%85%E9%9A%8A%E4%B8%8D%E8%A2%AB%E6%8A%93%E5%88%B0%E7%9A%84%E7%A7%98%E5%AF%86-steven-meow/<h1 id="cybersec-2025-臺灣資安大會-operations-security-opsec--紅隊不被抓到的秘密-steven-meow"> CYBERSEC 2025 臺灣資安大會 「Operations Security (OPSEC) — 紅隊不被抓到的秘密！」 (Steven Meow) </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#cybersec-2025-臺灣資安大會-operations-security-opsec--紅隊不被抓到的秘密-steven-meow">CYBERSEC 2025 臺灣資安大會 「Operations Security (OPSEC) — 紅隊不被抓到的秘密！」 (Steven Meow)</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#conference-info">Conference Info</a></li> <li><a href="#presentation-technical-content">Presentation Technical Content</a> <ul> <li><a href="#introduction">Introduction</a> <ul> <li><a href="#edr--antivirus-偵測">EDR / Antivirus 偵測</a></li> </ul> </li> <li><a href="#case-study">Case Study</a> <ul> <li><a href="#ioc-indicator-of-compromise">IoC: Indicator of Compromise</a></li> <li><a href="#--appitobexe">- appitob.exe</a></li> <li><a href="#--zasys">- za.sys</a></li> <li><a href="#--svcexe">- svc.exe</a></li> <li><a href="#--beacon_x64exe">- beacon_x64.exe</a></li> </ul> </li> <li><a href="#edr-killer--byovd-attack">EDR Killer – BYOVD Attack</a> <ul> <li><a href="#byovd">BYOVD</a></li> <li><a href="#lol-drivers">LoL Drivers</a></li> <li><a href="#weaponize-projectterminator">Weaponize Project：Terminator</a></li> </ul> </li> <li><a href="#c2-network-hiding--lol-c2">C2 Network Hiding – LoL C2</a> <ul> <li><a href="#--tunnel-based-c2">- Tunnel-Based C2</a></li> <li><a href="#--cloud-based-c2">- Cloud Based C2</a></li> <li><a href="#--legitimate-software-as-c2">- Legitimate Software as C2</a></li> <li><a href="#-how-to-detect-https-host">🔵 How to detect HTTPS Host</a></li> </ul> </li> <li><a href="#static--dynamic-bypass">Static / Dynamic Bypass</a> <ul> <li><a href="#static-obfuscate">Static Obfuscate</a></li> <li><a href="#dynamic-obfuscate">Dynamic Obfuscate</a></li> </ul> </li> <li><a href="#conclusion">Conclusion</a> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/devcore-conference-2024-%E7%89%86%E3%81%AE%E8%AA%BF%E6%9F%A5%E8%87%B4-waf-%E5%89%8D%E7%9A%84%E4%BD%A0-mico/Mon, 17 Nov 2025 00:00:00 +0000https://chw41.github.io/b1og/devcore-conference-2024-%E7%89%86%E3%81%AE%E8%AA%BF%E6%9F%A5%E8%87%B4-waf-%E5%89%8D%E7%9A%84%E4%BD%A0-mico/<h1 id="devcore-conference-2024-牆の調查致-waf-前的你-mico"> DEVCORE CONFERENCE 2024 「牆の調查：致 WAF 前的你」 (Mico) </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#devcore-conference-2024-牆の調查致-waf-前的你-mico">DEVCORE CONFERENCE 2024 「牆の調查：致 WAF 前的你」 (Mico)</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#conference-info">Conference Info</a></li> <li><a href="#presentation-technical-content">Presentation Technical Content</a> <ul> <li><a href="#http-request">HTTP Request</a></li> <li><a href="#boundary-可以簡化">boundary 可以簡化</a></li> <li><a href="#waf-處理流程">WAF 處理流程</a> <ul> <li><a href="#請求進入">請求進入</a></li> <li><a href="#預處理">預處理</a></li> <li><a href="#解析">解析</a></li> <li><a href="#稽核輸入">稽核輸入</a></li> <li><a href="#轉送後端">轉送後端</a></li> </ul> </li> <li><a href="#夢回-2009-繞-waf">夢回 2009 繞 WAF</a> <ul> <li><a href="#2009-案例-i">2009 案例 I</a></li> <li><a href="#2009-案例-ii">2009 案例 II</a></li> <li><a href="#2009-案例-iii">2009 案例 III</a></li> </ul> </li> <li><a href="#waf-繞過技巧">WAF 繞過技巧</a></li> <li><a href="#近兩年實戰案例">近兩年實戰案例</a> <ul> <li><a href="#繞過案例-一-boundary-mutation---任意讀檔">繞過案例 (一): Boundary Mutation - 任意讀檔</a></li> <li><a href="#繞過案例-二-content-type-confusion---sqli">繞過案例 (二): Content-Type Confusion - SQLi</a></li> <li><a href="#繞過案例-三-form-header-confusion--content-type-confusion---file-upload">繞過案例 (三): Form Header Confusion &amp; Content-Type Confusion - File upload</a></li> </ul> </li> <li><a href="#總結">總結</a> <ul> <li><a href="#致紅隊">致紅隊</a></li> <li><a href="#致藍隊">致藍隊</a></li> </ul> </li> </ul> </li> <li><a href="#personal-reflections">Personal Reflections</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>https://chw41.github.io/b1og/cybersec-2024-%E8%87%BA%E7%81%A3%E8%B3%87%E5%AE%89%E5%A4%A7%E6%9C%83-ad-%E5%B7%B2%E7%B6%93%E9%98%B2%E4%B8%8D%E5%AE%8C%E4%BA%86%E6%80%8E%E9%BA%BC%E9%82%84%E6%9C%89%E5%80%8B-azure-adsteven-meow/Mon, 10 Feb 2025 00:00:00 +0000https://chw41.github.io/b1og/cybersec-2024-%E8%87%BA%E7%81%A3%E8%B3%87%E5%AE%89%E5%A4%A7%E6%9C%83-ad-%E5%B7%B2%E7%B6%93%E9%98%B2%E4%B8%8D%E5%AE%8C%E4%BA%86%E6%80%8E%E9%BA%BC%E9%82%84%E6%9C%89%E5%80%8B-azure-adsteven-meow/<h1 id="cybersec-2024-臺灣資安大會-ad-已經防不完了怎麼還有個-azure-adsteven-meow"> CYBERSEC 2024 臺灣資安大會 「AD 已經防不完了，怎麼還有個 Azure AD？」(Steven Meow) </h1><h1 id="table-of-contents"> Table of Contents </h1><nav class="chw-toc"> <details open> <nav id="TableOfContents"> <ul> <li><a href="#cybersec-2024-臺灣資安大會-ad-已經防不完了怎麼還有個-azure-adsteven-meow">CYBERSEC 2024 臺灣資安大會 「AD 已經防不完了，怎麼還有個 Azure AD？」(Steven Meow)</a></li> <li><a href="#table-of-contents">Table of Contents</a></li> <li><a href="#conference-info">Conference Info</a></li> <li><a href="#presentation-technical-content">Presentation Technical Content</a> <ul> <li><a href="#introduction-to-aad">Introduction to AAD</a> <ul> <li><a href="#azure-role-based-access-control-rbac">Azure Role-Based Access Control (RBAC)</a></li> <li><a href="#azure-attribute-based-access-control-abac">Azure Attribute-Based Access Control (ABAC)</a></li> <li><a href="#azure--aad-常用工具"><strong>Azure / AAD 常用工具</strong></a></li> </ul> </li> <li><a href="#enumeration">Enumeration</a> <ul> <li><a href="#tenant">Tenant</a></li> <li><a href="#brute-force--password-spraying">Brute-Force / Password Spraying</a></li> <li><a href="#authenticated-enumeration">Authenticated Enumeration</a></li> <li><a href="#enumerate-tools">Enumerate Tools</a></li> </ul> </li> <li><a href="#exploitation">Exploitation</a> <ul> <li><a href="#consent-and-permission">Consent and Permission</a></li> <li><a href="#managed-identityapp-service-account">Managed Identity(APP Service Account)</a></li> </ul> </li> <li><a href="#lateral-movement">Lateral Movement</a> <ul> <li><a href="#azure-automation-account">Azure Automation Account</a></li> <li><a href="#vm-instance-run-command">VM Instance run command</a></li> <li><a href="#microsoft-intune-endpoint-manager-deploy-script">Microsoft Intune (Endpoint Manager) Deploy Script</a></li> </ul> </li> <li><a href="#exfiltration--persistent">Exfiltration &amp; Persistent</a></li> <li><a href="#cloud--on-premise">Cloud ←→ On Premise</a> <ul> <li><a href="#on-premise-to-cloud---pass-the-cookie-mimikatz">On-Premise to Cloud - Pass the Cookie: Mimikatz</a></li> <li><a href="#on-premise-to-cloud---pass-the-prt-mimikatz">On-Premise to Cloud - Pass the PRT: Mimikatz</a></li> <li><a href="#hybrid-identity">Hybrid Identity</a></li> </ul> </li> </ul> </li> <li><a href="#summary">Summary</a> <ul> <li> <ul> <li></li> </ul> </li> </ul> </li> </ul> </nav> </details> </nav><p>[TOC]</p>