the thumbnail looks like its from a movie, great work John!

it's fun to see how this thing works after speding two days patching all my exchange servers. Thanks.

whole, gigantic powershell script, as a big ol’ format string? that’s neat

This is such an excellent primer for this sort of work, and you make it so entertaining! Looking forward to binging all your videos over the next couple of days :)

Title Contains: Post Exploitation Me: Oh Yeah, This is gonna be good

I want to thank you John because you took me to another stage in the cyber world

I thoroughly enjoyed the premiere + live chat replay feature here, as well as the content itself obviously. Keep up the good work my dude, im already recommending your channel to my friends!!!

Thank you John !! Once again, I had fun and learned as much as I could (only some but that's in the right direction). You're awesome !

This is interesting stuff. We've had so many interesting (& super dangerous) exploits and vulnerabilities in last few years. At 22:30 , it's a trick to add timestamps into URL. That's probably easiest way to make sure responses are not cached at any point. Of course it could be just lazy coding and used for monitoring purposes. But little bit later John downloaded the payload (or w/e it turned out be) without the timestamp in URL. I'd always recommend to download payloads with exact same syntax. It's way too easy for malware developer to try to mislead here. If they had some nasty next stage, they could make it look like just like a boring and usual looking malware. And misleading the analysis is absolutely part of the game.

Your videos are great! I'm glad I found your channel. You have great information in a lot of topics I cover at work.

This high of production quality and you were able to put this out the same day you were prodding around. I appreciate the work you're doing, its extremely informative so thank you.

I wasn't feeling good at all today. This video revamped me and bumped me up. Thanks John for not being just educational. But, entertaining and fun to watch too. Sending love and hoping ur having a great day

Thanks John. As a newbie, this was great. Love how you broke it up and explain this so much!!!!

I don't know how you do it but whenever I watch one of your videos about malware analysis the time simply passes so quickly. Very entertaining thank you!

Been a software dev for a long time. Never seen this type of analysis done before... and watching this was absolutely fascinating.

I never commented on youtube videos before, but, I really want to thank you John Hammond for all the good work you're doing. You are F awesome and please keep it up. BTW, you are my favorite cyber-related KZfaqr!

Thank you for your efforts and time, I really appreciate it.

I'm absolutely Stoked for the NahamCon CTF!!!!

Best instructor I have come across. New subscriber here! Thank you good sir!

Excellent work John, love your work mate!

Thanks for bringing awareness to such hacks. Right after the video, i checked the last few customers that still has on-premises exchange, and 75% of them were affected. We could mitigate the risk and apply fixes before anything worse happened. Thanks for this John Hammond.

You’re a good guy. Don’t let the others bring you down just because you’re compiling open source information and sharing it in a logical and comprehensive manner. Though I consider myself a home brewed IT craptastistic person, I appreciate the information given every time you put up a video.

Great content John. Education and humour smashed. Big thumbs up for this one. Thanx

Amazing work, thank you for sharing

Addicted to this content. How can I watch this whole video without any break? Inner me : You found new love !

It's been a pleasure, John!

Nice, You helped me a lot to understand the Threat!

Wonderful as always, great video!

i love all these type of videos, can't wait for more such that solarwinds or more of this helps!

Great reversing. Subscribed

Finishing up my final year in cybersecurity in college and videos like these make me so much more intrigued about this field, and that much more excited and motivated to learn more. Thank you for all the hard work you put into these!

Thank you, this is very helpful!

Thanks John, learnt a lot.

Great Video!!! Can't wait for more.

T`han`ks for making the video! Good stuff down the rabbit hole. UGH, Empire is scary.

Great video, thanks for sharing this!

How John doesn't have millions of followers is beside me. Thank you for all this info John. Being 45 I missed the boat in the early 2000's but a year in Im hooked. Thanks to YOU David Bombal and Network Chuck you guys have helped this construction old guy immensely

You're doing a great job Hammond

This was awesome man thanks!

John, you make it very entertaining even though it makes my brain ache!

Great video & I'm installing my fax machine again ;-)

Thanks for doing this. Very interesting.

Also the powershell explosion + guy fawkes mask was hilarious :D

Thank you, learned alot

As someone who knows next to nothing on malware analysis I had a funny feeling mimikatz would turn up haha. I have learnt so much from these exploration videos only knowing intro level programing and just learning cyber security, it was awesome to see the obsfucation techniques and layers built into this and connected so many dots for me. Awesome video.

Thank you John Very intresting

This is professional evilness thanks for showing us this John this is very interesting to me! Big like

Great work man!!!

Hopefully no one tries to salem witch trial you for mis speaking because you are human after all.. I'm happy you are sharing public info for education. If someone gets upset about it then they must have ill intentions with that information. Keep up the great work!

interesting. Thanks for sharing!

can you do a longer deep dive into this sort of stuff in the future this is just magic and easy to digest

Great Analysis

Cool thumbnail, cool video, cool person, could not asked for more :D

great content, as usual !

At around 20:54 the $dt is used to ensure cdn caching is bypassed. So the code on the cdn is static, but as soon as it is changed, the client is supposed to request a new copy.

Bro, just want you to know, you are awesome!

Now I just like your content before watching! Its that good!!

Man that was fun and I love the recon of it

I'm watching this as I going through our exchange server logs looking for backdoors :D a nice coincidance

Love it !!!

Crazy Thumbnail John!!

Thank u! This has been a fun one. Unfortunately not out of the water yet. 🥶

Thumbnail looks 🔥

Thank you John. As always you are very helpful and I appreciate you going through the reverse engineering process. See you on the next one! --Sage

Most GREAT channel between others

Got mind blown by that huge Powershell script made only for building an fstring piece by piece. Insane stuff!

these videos are so fun!

Thanks!

John looks intimidating in this thumbnail

Man, around 45:00 min in you weren't even exaggerating about that being an epiphany 😂 What a cool obfuscation technique!

Hey I signed up for a CTF randomly on CTFtime, and was pleasantly surprised to see it was one you created! Lol, I'm looking forward to it!

"I know this is really painful on 'human being' eyeballs" John just confirmed he is a robot.

OMG, that puzzle script is so cool

video looks great

That is some next level PS scripting! Thanks for the video, John. I really enjoyed it.

I like what ya’ did with the thumbnail

Thanks for the good laugh when you copy and paste that big file! :) I would have done the same thing haha

You have the coolest tech glasses 👓

Us application security folks know about "format string vulnerabilities" from our C application experience, but this one is interestingly different and yet also suggests that name. :)

great, had fun

this is what my org got hit by- i really appreciate the analysis!

Im never going to move up from my current position because....my current job has nothing to do with this subject. I am literally addicted to this madness that John keeps on about. I literally cannot quit doing it. Lol .. and so i will integrate this with my ongoing studies (beer drinking) as well as continue to try to keep up.

Welldone

i'm not a programmer - but i love your videos!

Perfect, as it should be xD

Not sure if it was mentioned...but the hig versus low would have shown up in the web logs and help identify instances with higher permissions (Administrator) versus lower permissions (non-Administrator).

Seems like an easy way to get around this set of scripts in particular would be to have your environment variable something non-standard.

This 1Hr of video teaches more than what I have learnt in past 25 years of my life. Truly appreciate the knowledge you shared and for free.

The natural etc. strings are the join types in SQL, presumably part of SQLite

your videos are great

Quick one: The long dot separated number strings at 1:04:50 such as "1.3.6.1.5.5.7.3.2" or "1.3.6.1.4.1.311.20.2.2" are SNMP MIB OIDs (en.wikipedia.org/wiki/Object_identifier).

Creating shellcode in a piece of malware that base64 encodes to McBAD is next level. Bravo to that 👏 👏

The image in the photo makes John look like some secret agent

This'll be fun

as a computer profesional i love these videos please keep doing the good work you are do.

That was cool to watch , thx. Respect. And what about the ecp/y.js and webshell (aspx) files ?

Hi, cool thumbnail!

ThankYou Jon for this detailed Video. Do you also help us with some video to fix the issue?

Serious John thumbnail exists. Mom come pick me up I am scared

thanks.