Discover and read the best of Twitter Threads about #DFIR

Most recents (24)

For everyone who responded to this #DFIR question below. I gathered all your feedback and put it into a repository which can be found below. I'll continue to update with everything related. #DigitalForensics #AntiForensics…
I will add what we already cover in our anti-forensics course already
JFYI, if you check my past publications, you'll notice I've covered so many of what have been mentioned here back in 2015/2016 ... but I want to see if I'm missing anything new and it turned out YES, there is one/two that I did now know. Thank you all for sharing, appreciate it.
Read 5 tweets
During my last #DFIR training for 2022; I did many new video recording. Some have already been added to the #CCDFA course, while others will be added very soon. The course "currently" has 55+ hands-on labs, 50+ videos, and over 40 Q&As.

Why am I saying this? 1/3
Because @cyber5w and @hexordia are both running a 30% discount on all #DFIR courses and training which ends tomorrow! Therefore, I highly recommend you take advantage of this discount and register for the #CCDFA course. 2/3…
Check the syllabus below & you'll be surprised with what is covered in each section. Also, this is the only #DFIR course that we currently have that covers disks, volumes, and file system forensics (FAT+NTFS) #EOM…
Read 4 tweets
1/ #Azure In a recent case, the TA was able to compromise the user despite MFA (MFA fatigue).

After logging in, the attacker registered another mobile number as "Alternate Mobile Phone Call".

In the audit logs, we see this event within "Authentication Methods":

2/ The audit logs are a goldmine for finding suspicious behavior in an Azure tenant.

If we filter by "Core Directory", "UserManagement" and "Update user" ..
3/ .. we also see the ModifiedProperties (the modifications done by the attacker).

Notice, the primary Phone Number is a Swiss mobile phone (+41), and the attacker added a number from the United Arab Emirates (+971).

Suspicious? You bet!
Read 4 tweets
#DFIR Android 13 is keeping track of when apps are launched and from where in the database “SimpleStorage” found in USERDATA/data/ The table storing the info is “EchoAppLaunchMetrcisEvents” /1
Columns of importance: timestampMillis, packageName, and launchLocationId. First two are self explanatory. The third provides what its name suggest: from where an app was launched. There are several numerical values in the column. /2
Observed values so far are:
1 - Home Screen
2 - Suggested Apps (bottom of Home Screen - New in Android 12)
4 - App Drawer
7 - Suggested Apps (top of App Drawer)
8 - Search (top of App Drawer or QuickSearchBox)
12 - Recent Apps/Multi-tasking
1000 - Notification
Read 4 tweets
In this Mega thread, you will find 10 FREE online courses with a certificate of completion from :

1 - ISC ²
2 - Cisco Academy
3 - Fortinet
4 - EC-Council
5 - AWS

#CyberSecurity #Cisco #AWS #dfir #infosec #infosecurity #threats #Python #100DaysOfHacking
1⃣ Free Cybersecurity Training

- Information Security Awareness
- The Evolution of Cybersecurity
- NSE 2 Cloud Security
- NSE 2 Endpoint Security
- NSE 2 Threat Intelligence
- NSE 2 Security Information & Event Management
- Security Operations &
2⃣ Introduction to Dark Web, Anonymity, and Cryptocurrency

Learn to access Dark Web, and Tor Browser and know about Bitcoin cryptocurrency

Read 12 tweets
At #IWCON2022, we have 15+ amazing #cybersecurity speakers from around the world 🌍

To share unique methods and findings with y’all 😍🙌

Get ready with your questions. Our experts will answer you live 🔥

Book your ticket:

Meet our speakers 🧵👇 Image
#1 Gabrielle Hempel @gabsmashh, #security engineer @Netwitness 🥳

Her topic: #Threat hunting in #cloud environments 🌩️

Time: 17th Dec, 7:30 pm IST

Want to attend this talk? 😍

Book your ticket here:

#cloudhunting #threathunting Image
#2 Luke Stephens @hakluke, founder of @haksecio 🔥

His topic: How I used #recon techniques to identify a prolific #scammer 👊

Time: 17th Dec, 6:30 pm IST ❤️

Don't wanna miss it?

Register today:

#infosec #hacking #hackingthehacker Image
Read 18 tweets
#IWCON2022 — The much-awaited virtual #Infosec conference is happening in a month 😍🙌

We have expert talks covering NINE major #security verticals🔥🔥

Join us & learn new skills before 2022 ends: 👊

Here are the session topics 🧵👇 Image
#1 Cloud Security:

1. #Threat #hunting in cloud environments by @gabsmashh (#security engineer @Netwitness)

2. #Hacking #cloud: for fun and profit by Dhiyaneshwaran B (#AppSec #researcher at @pdiscoveryio)
#2 Bug Bounty:

1. My approach to accessing #admin panels by @hunter0x7 (admin pwner)

2. Reading #RFCs for #hacking by @securinti (head of #hackers @intigriti)
Read 12 tweets
#Qakbot Infection New TTPs 🚨

[+] Deliver ISO (T1204.002)
[+] DLL Search Order Hijacking (T1574.001)🔥
[+] Regsvr32 (T1218.010)
[+] Process Hollowing (T1055.012)
[+] Discovery (TA0007)
[+] Credentials from Web Browsers (T1555.003)
[+] Data from Local System (T1005)
#Qakbot C2 server:
IP: 92.27.86[.]48
Port: 2222

Additional C2 IP:
#Qakbot initial exec flow #DFIR:
ISO > LNK > cmd.exe /c control.exe > e:\control.exe > regsvr32.exe msoffice32.dll > Injection
Read 4 tweets
#Qakbot New TTPs IMG File Infection

[+] IMG File instead of ISO 🔥
[+] VBS Script (ShellExecute) instead of LNK 🔥
[+] .tmp (DLL loader) exec via Regsvr32.exe
[+] Process Injection
[+] Discovery commands
[+] C2 connection

#DFIR exec flow: img > vbs > tmp > injection
Thank you @pr0xylife for sharing the sample:…
#Qakbot C2 server:

IP: 70.121.198[.]103
Port: 2078
Artifact: POST /t5 HTTP/1.1

Additional C2 IPs:
Read 4 tweets
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

#Malware #RE
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
Read 22 tweets
🦖Day 37 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]Windows[.]Detection[.]ISOMount

Author: @ConorQuinn92

After Microsoft decided to block Office macros by default, threat actors began pivoting to a usage of container files such as .iso, .rar, and .lnk files for malware distribution.

This is because TAs can then bypass the "Mark of the web" restrictions for downloaded files.
When downloaded, container files will have the MOTW attribute because they were downloaded from the internet. However, the document inside, such as a macro-enabled spreadsheet, will not.
Read 12 tweets
🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS[.]System[.]QuarantineEvents

Link:… Image
This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- Origin
- Agent Name/Bundle
- User
- Event UUID
On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com[.]apple.quarantine'.

This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt). Image
Read 9 tweets
1\ #DFIR: Chrome Forensics - How to Recover CLEARED History

If a user just cleared their browser history, you can still recover everything they were just looking at from the session files:

%appdata%\Local\Google\Chrome\User Data\Default\Sessions…
2\ In some instances (more on this) the session and tab files inside that folder show the webkit/chrome date for when the session was exited.

This allowed me to put together a full timeline of what this naughty boy was doing *BONK*
3\ Historically, evidence of cleared history was in the Favicons file, but this is INCONSISTENT. Specifically under the table named "icon_mapping".

%appdata%\Local\Google\Chrome\User Data\Default\Favicons
Read 7 tweets
1\ #DFIR: How to investigate insider threats

Sharing the forensic methodology I follow when I'm investigating insiders 😍

This is where an employee sells creds/changes configs/runs malware leading to full DA compromise and then say they didn't do it O_o…
2\ The questions that I use to guide the analysis and prioritisation of analysis are:

1. How was the device accessed around the suspected behaviour?

2. Where was the user/device when this occurred?

3. Was the insider active on their system?

4. What did the user do?
3\ To answer the first question, I look at SRUM, specifically the App Timeline Provider details.

I pull:
> Execution time of the malicious thingz
> Duration of execution
> User SID

Then, I cross correlate that user info with their corresponding ActivitiesCache.db. #DFIRISS3XY
Read 7 tweets
🦖Day 14 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: 'Windows[.]Detection[.]BinaryRename'

Author: @mgreen27

Link:… Image
This artifact will detect renamed binaries commonly abused by adversaries.

Renaming binaries is a defense evasion technique used to bypass brittle process name and path-based detections. It is used by many actors/groups, including from commodity malware and nation states.
Here, we can see 'cmd.exe' was renamed in an attempt to appear as a legitimate instance of 'lsass.exe': Image
Read 6 tweets
I wanted to share some findings about RDP, Network Layer Authentication, LogonTypes and brute forcing 🔭

Recently, we perused some EventID 4625s (login failures) originating from public IPv4s brute forcing...
I kept finding LogonType 3s (network)

However only RDP was externally exposed on the machine, which usually records LogonType 10....

When this has happened before, I usually just assume its Windows jank and continue with my investigation 🤷‍♂️

But this time, I wanted to know WHY
The wise @DaveKleinatland suggested Network Layer Authentication (NLA) would explain this:

NLA takes place before the session is started... without NLA things can be exposed before any sort of authentication.... like domain name, usernames, last logged on user, etc
- Dave 🧙‍♂️
Read 10 tweets
🔔I published a new script to parse the log of #AppLocker🔒 , which I called Get-AppLockerEventlog.ps1

It compiles all the useful data needed in #threathunting and #DFIR

You can find the script and the documentation here:
2/ Also, You can save the output as a CSV.
3/ It comes with 04 cases (block, all, allow, audit)
Read 3 tweets
1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of "touch". But you can timestomp without using "touch". 😈

Check out my blog below 👇…
2\ The file "filesystem.db" (enabled by default) tracks:
> fileCreated time
> fileLastAccessed time

Look for discrepancies in the fileCreated time in this DB file vs the times that "stat" show on a file.

There's also a correlating WAL that contains uncommitted data :3
3\ As you can see, this has caught an instance of timestomping where you can observe the creation time is after the access time.

You can query the db using this command:
sqlite3 *filesystem.db .dump | grep <filename>
Read 5 tweets
1/ Windows Error Reporting (WER) can provide investigators with a wealth of data including:
• SHA1 hashes of crashed processes
• Snapshot of process trees at time of crash
• Loaded modules of crash
• Process minidumps
#DFIR #Threathunting
See 🧵 for new #Velociraptor artefact
2/ WER files are found in the following locations which include a range of information to typically address an application crash, however we can use it for investigation!

3/ The "Report.wer" file includes binary information and binary path. In Windows 10 and above the field "TaskAppId" contain the SHA1 hash of the process (similar to Amcache).
Read 9 tweets
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR… by @reprise_99. Awsome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
Read 8 tweets

1/ When examing AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)?

"powershell.exe" -windowstyle hidden

#CyberSecurity #dfir
2/ @Malwarebytes has found out that the Colibri malware on Windows 10 systems (and up) drops a file called Get-Variable.exe in the path %APPDATA%\Local\Microsoft\WindowsApps.
3/ "It so happens that Get-Variable is a valid PowerShell cmdlet which is used to retrieve the value of a variable in the current console. Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell
Read 7 tweets
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec #threatintel

1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec #ttp
3⃣ - Mitre ATT&CK Matrix is became one of the references to classify and categorize attackers' TTPs! ☠️ #cybersecurity
Read 8 tweets
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory.

#CyberSecurity #dfir
The computer names are relatively unique, and one quickly finds a GitHub repository with corresponding exploit code.

The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD.
Read 8 tweets
Quick 5 minute on quickly analyzing Linux exes...even if you don't know how to do malware analysis. Hopefully this is helpful to someone.

Got a log4j hit on a Tomcat honeypot I set up. Used cyberchef and it decodes to download malware (1/8)

After dl'ing it on an analysis system (a mac), my first step is to run file to see what we are dealing with. I always run file - it saves steps and gives valuable info.

A Linux ELF executable, so can't just cat it out to see its contents. (2/8)
Next I ran strings. I love strings. It almost always gives you some hints. Note that I limited it to 6 chars and above to reduce random strings shown (-n 6).

Strings indicate this is UPX packed. (3/8)
Read 8 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!