Pepe Berba has created a nice overview of linux persistence techniques as a map: https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
Linux persistence techniques as a map
Git for Windows - Git uses certificate from internal PKI
If you first want to git clone a repository from an internal Git server on a Windows system, and that server presents a certificate issued by an internal PKI, you'll receive the error: SSL certificate problem: self signed certificate in certificate chain
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk> git clone https://git.domain.tld/ansible-playbooks/carbonblack-threatfeeds.git
Cloning into 'carbonblack-threatfeeds'...
fatal: unable to access 'https://git.domain.tld/ansible-playbooks/carbonblack-threatfeeds.git/': SSL certificate problem: self signed certificate in certificate chain
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk>
Check your Windows Git settings with git config -l. The attribute http.sslcainfo points to the CA certificate bundle file that Git uses as its certificate authority store.
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk> git config -l
diff.astextplain.textconv=astextplain
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
http.sslbackend=openssl
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
core.autocrlf=true
core.fscache=true
core.symlinks=false
pull.rebase=false
credential.helper=manager-core
credential.https://dev.azure.com.usehttppath=true
init.defaultbranch=master
user.email=flo@some.mail
user.name=flo
core.editor="C:\Users\flo\AppData\Local\Programs\Microsoft VS Code\Code.exe" --wait
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk>
So append your CA certificate to the file "C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt". Then it works:
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk> git clone https://git.domain.tld/ansible-playbooks/carbonblack-threatfeeds.git
Cloning into 'carbonblack-threatfeeds'...
remote: Enumerating objects: 104, done.
remote: Counting objects: 100% (104/104), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 104 (delta 50), reused 93 (delta 40), pack-reused 0
Receiving objects: 100% (104/104), 20.03 KiB | 2.86 MiB/s, done.
Resolving deltas: 100% (50/50), done.
PS C:\Users\flo\Splunk>
PS C:\Users\flo\Splunk>
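The append step above is easy to get wrong by hand (a half-pasted PEM block, or the same certificate added on every run). The following Python script is an added example, not part of the original post: it locates the bundle through git config --get http.sslcainfo (falling back to the path shown above), fingerprints every certificate block in the bundle and in the file you pass in, and appends only the ones that are not already there. The file name internal-ca.pem and the two tiny PEM blocks in the test are constructed placeholders, not real certificates.

```python
"""Append an internal CA certificate to Git's CA bundle, idempotently.

Usage: python append_ca.py internal-ca.pem   (added example, not the post's code)
"""
import base64
import binascii
import hashlib
import re
import subprocess
import sys
from pathlib import Path

# One PEM certificate block; group(1) is the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Path from the post, used only when git is not installed or http.sslcainfo is unset.
DEFAULT_BUNDLE = Path("C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt")


def bundle_path_from_git():
    """Return the path in git's http.sslcainfo setting, or None if git is missing or it is unset."""
    try:
        proc = subprocess.run(
            ["git", "config", "--get", "http.sslcainfo"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    value = proc.stdout.strip()
    return Path(value) if proc.returncode == 0 and value else None


def parse_pem(text):
    """Return [(sha256_fingerprint, block_text)] for every certificate block in text.

    The fingerprint is SHA-256 over the DER bytes (the same value
    'openssl x509 -fingerprint -sha256' prints), so it does not depend on
    line wrapping or on the descriptive comments that the Git bundle contains.
    """
    certs = []
    for m in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM block is not valid base64") from exc
        if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        certs.append((hashlib.sha256(der).hexdigest(), m.group(0)))
    return certs


def append_ca_cert(bundle_path, cert_path):
    """Append each certificate from cert_path to bundle_path unless it is already present.

    Returns the number of certificates appended, so running it twice adds nothing.
    """
    bundle = Path(bundle_path)
    new_certs = parse_pem(Path(cert_path).read_text(encoding="utf-8"))
    if not new_certs:
        raise ValueError(f"no PEM certificate found in {cert_path}")
    existing = set()
    if bundle.exists():
        existing = {fp for fp, _ in parse_pem(bundle.read_text(encoding="utf-8"))}
    appended = 0
    # newline="\n" keeps the bundle in the LF form OpenSSL expects even on Windows.
    with bundle.open("a", encoding="utf-8", newline="\n") as fh:
        for fp, block in new_certs:
            if fp in existing:
                continue
            fh.write("\n" + block + "\n")  # leading newline in case the bundle lacks one
            existing.add(fp)
            appended += 1
    return appended


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: append_ca.py <internal-ca.pem>")
    target = bundle_path_from_git() or DEFAULT_BUNDLE
    count = append_ca_cert(target, sys.argv[1])
    print(f"appended {count} certificate(s) to {target}")
```

One caveat worth knowing before editing that file: it ships with Git for Windows and is replaced on every Git upgrade, so the internal CA disappears again. Two more durable options are to keep the internal CA in a separate bundle and point http.sslCAInfo at it (git config --global http.sslCAInfo <path>), or to set http.sslBackend to schannel so Git validates against the Windows certificate store, where an internal root is usually already deployed.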