Discover and read the best of Twitter Threads about #DFIR

Most recent (24)

After more than a decade - today is my last day @FireEye.

Taking a job @Mandiant was one of the best decisions I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.
I was employee 63 (not because there were 63 active employees but because I was the 63rd employee hired since the inception of the company in ~2005). There were offices in 3 cities (DC, NY, LA) & company split roughly 50/50 between consultants and software devs on MIR
Read 20 tweets
We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right?

Not so much...
Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actors) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.

#DFIR #APT32
Let's start with the basics of tracking pixels.

I'm not attending @RSAConference - but I get marketing emails like this one. If you use the Outlook client - have you ever noticed the "to help protect your privacy; Outlook prevented automatic download of some pictures."?
Read 11 tweets
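The thread above is about remote images that phone home when a mail client renders them. The following is an added illustration (not the thread author's code) of the check an analyst can run on a saved message before rendering it: parse the HTML part, keep only images that load from a remote host, and flag the ones that look like trackers. The message is constructed for the example, and the three heuristics (1x1 dimensions, hidden styling, a per-recipient-looking token in the query string) are assumptions about what trackers usually look like, not an exhaustive detector.

```python
"""Flag remote images in an HTML e-mail that look like tracking pixels.

Added illustration for the thread above; not the author's code. The message
below is constructed, and the heuristics are assumptions, not a full detector.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one legitimate logo, one 1x1 tracker with a recipient
# token, and one hidden pixel with no dimensions at all.
SAMPLE_EML = """\
From: marketing@example.com
To: analyst@example.org
Subject: Join us at the conference
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://cdn.example.com/logo.png" width="200" height="60">
<p>See you there!</p>
<img src="https://track.example.com/open?u=ab12cd34&c=conf2020" width="1" height="1">
<img src="https://pix.example.net/p.gif" style="display:none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    def dim(value):
        m = re.match(r"\s*(\d+)", value)
        return int(m.group(1)) if m else None
    w, h = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _has_token(url):
    # Assumption: a query value of 6+ URL-safe characters is an identifier
    # that ties the image load to one recipient.
    qs = parse_qs(urlparse(url).query)
    return any(re.fullmatch(r"[A-Za-z0-9_-]{6,}", v)
               for values in qs.values() for v in values)


def find_tracking_pixels(raw_eml: str):
    """Return one finding per remote <img> that trips at least one heuristic."""
    msg = message_from_string(raw_eml)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        collector = _ImgCollector()
        collector.feed(body)
        for attrs in collector.imgs:
            src = attrs.get("src", "")
            if not src.lower().startswith(("http://", "https://")):
                continue  # cid:/data: images never leave the mailbox
            reasons = []
            if _is_tiny(attrs):
                reasons.append("1x1")
            if _is_hidden(attrs):
                reasons.append("hidden")
            if _has_token(src):
                reasons.append("token")
            if reasons:
                findings.append({"host": urlparse(src).hostname,
                                 "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EML):
        print(f["host"], f["reasons"])
```

Whatever the heuristics say, the safe default is the one the thread points at: a client that does not fetch remote content (Outlook's "prevented automatic download" behaviour) leaks nothing on open; the scan above is for deciding whether a message is worth rendering at all, and what the sender would learn if it were.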
BREAKING - To help organizations identify compromised systems with CVE-2019-19781, @FireEye & @Citrix have released a tool that searches for indicators of compromise associated with attacker activity observed by @Mandiant
fireeye.com/blog/products-…
github.com/fireeye/ioc-sc…
@FireEye @citrix @Mandiant The tool looks for both specific indicators of malware
(coinminers, NOTROBIN and more) as well as methodology indicators that should generically identify compromise (e.g. processes spawned by user nobody, files with 644 user permission...etc.)
#DFIR
@FireEye @citrix @Mandiant Lots of late nights and work on the weekend/holiday to get this out. Many thanks to @williballenthin @MadeleyJosh @_bromiley @jkoppen1 @ItsReallyNick for help making it happen.
Read 11 tweets
So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x)
For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…
So why 1601? According to Microsoft, "The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle...active at the time Windows NT was being designed...it was chosen to make the math come out nicely." Seems fair. (3/x) devblogs.microsoft.com/oldnewthing/20…
Read 15 tweets
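The FILETIME definition in the thread is enough to write the conversion an analyst ends up needing on every Windows timeline. The following is an added example (not the thread author's code): it converts between FILETIME ticks, UTC datetimes and Unix epoch seconds, and reads the little-endian 8-byte form in which the value sits in on-disk structures. The 1970-01-01 tick constant is the standard one; the 2020 sample value is constructed for the example. Note that Python's datetime only resolves microseconds, so the last 100-ns digit is dropped on the way to a datetime and round trips are exact only for tick counts that are multiples of 10.

```python
"""Windows FILETIME <-> UTC datetime <-> Unix epoch conversions.

Added example for the thread above; not the author's code. Sample values
below are constructed.
"""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000
# Ticks from 1601-01-01 to the Unix epoch (1970-01-01); 11644473600 seconds.
_UNIX_EPOCH_TICKS = 116_444_736_000_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Ticks -> aware UTC datetime (sub-microsecond part is truncated)."""
    if not 0 <= ft < (1 << 64):
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> ticks. Naive datetimes are rejected: timezone
    ambiguity is exactly the kind of error a timeline cannot afford."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; attach a tzinfo first")
    delta = dt.astimezone(timezone.utc) - _EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * _TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_unix(ft: int) -> float:
    """Ticks -> Unix epoch seconds (negative for dates before 1970)."""
    return (ft - _UNIX_EPOCH_TICKS) / _TICKS_PER_SECOND


def filetime_from_raw(raw: bytes) -> int:
    """Decode the 8-byte little-endian form found in MFT attributes,
    registry key headers and similar on-disk structures."""
    if len(raw) != 8:
        raise ValueError("expected exactly 8 bytes")
    return int.from_bytes(raw, "little")


if __name__ == "__main__":
    sample = 132_223_104_000_000_000          # constructed: 2020-01-01 00:00:00 UTC
    print(filetime_to_datetime(sample).isoformat())
    print(filetime_to_unix(sample))
    print(filetime_from_raw(sample.to_bytes(8, "little")) == sample)
```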
Stoked to share these free resources to expand your #infosec and technical skill set.

Each is a career path in its own right, the rabbit hole goes down as far as you follow.

Check these out and make 2020 count! 🎊

#30DaysOfThreads #BlackTechTwitter
#latinxintech
Begin your road into #pentesting with this staple book and free VM to practice hacking into 💻

Metasploit The Penetration Testers Guide : archive.org/details/Metasp… via @internetarchive

offensive-security.com/metasploit-unl…
A requirement for all in #dfir is being able to read and understand network traffic. It’s how our systems communicate!

Practical packet analysis: using Wireshark to solve real-world network problems : Sanders, Chris

archive.org/details/Practi…
Read 9 tweets
A #DFIR analysis series of thoughts:

Individual artifacts (a Registry key or value, a Windows Event Log record, etc.) may be a high fidelity indicator, but lack the context we usually find in artifact clusters. Artifact clusters, or "clusters of clusters", are
what we often refer to as "behaviors", particularly when they are a clear demonstration of "humanness".

During active IR, we have to be aware of artifact or evidence "oxidation", as the elements of the clusters begin to dissolve over time. (2/n)
Log entries and deleted files are overwritten, artifacts are updated, OS and application updates are applied, etc. All of this occurs due to the passage of time as the system continues to operate.

Not grasping the full scope of the artifact clusters, and understanding (3/n)
Read 6 tweets
Apparently new #DFIR information I just discovered:

Running Defender’s “MpCmdRun.exe -GetFiles” will put MpSupportFiles.cab in the Support directory, which contains Cache_filename_dump-xxxx.bin.

This holds a list of 35,000+ entries of recently-seen PE files on the disk. 👀
Oh, it’s not just PE files, it includes MOF and MSI and INF and binary and other file types too. It's some kind of performance cache for Defender. Unclear the exact reasons it logs something in here.
!!!!! It includes the USN integer for timeline analysis as well. Quite a treat 👀
Note: If -GetFiles doesn’t work for you it may be an older platform version. Find the latest MpCmdRun.exe in C:\ProgramData\Microsoft\Windows Defender\Platform\
Read 4 tweets
More stories from the front. #ManagedDefense and @Mandiant successfully confront adversaries intent on a disruptive outcome. Thwarting intrusions prior to mission complete is what it is all about. That is what winning looks like. #DFIR
fireeye.com/blog/threat-re…
@Mandiant An under mentioned benefit of #ManagedDefense is the timeliness and operationalization of threat information prior to the release of finished intelligence. Seconds, minutes, and hours can be the difference in this environment. Seamless integration is key to gaining an advantage.
@Mandiant In traditional intelligence, this kind of information is considered "actionable intelligence" in that it can be utilized immediately without having gone through a complete intelligence cycle. Often this is the kind of information security operators need.
Read 3 tweets
Poll time, because I'm curious as to your position. Is a non-disclosure agreement a security measure/control? You can elaborate in the comments, and please retweet for greater visibility. #dfir #infosec #threatintel #security
Almost even on answers so far. Let's get more.
These numbers are so close, so this is clearly not a clean cut issue here. Bumping for more participation.
Read 3 tweets
Let's go step-by-step and do some basic live process forensics for #Linux. Today's contestant is a bindshell backdoor waiting for a connection on Ubuntu. We saw something odd when we ran:

netstat -nalp

#DFIR #threathunting #forensics
netstat -nalp shows a process named "x7" with a PID and a listening port that we don't recognize. #DFIR
First thing we'll do is list out /proc/<PID> to see what is going on. Our PID is 5805:

ls -al /proc/5805

The current working directory is /tmp. The binary was in /tmp, but was deleted. A lot of exploits work out of /tmp and /dev/shm on Linux. This is a major red flag. #DFIR
Read 13 tweets
@Hexacorn @cglyer @HackingDave @DerbyCon This was a technique largely outside of my typical purview - thanks for the context @Hexacorn!

Here are some rules 📏 & in-the-wild history 📆 to share for .url persistence.

Rules: gist.github.com/itsreallynick/… (CC @cyb3rops)

A quick history on the two kinds of .URL files so far...
@Hexacorn @cglyer @HackingDave @DerbyCon @cyb3rops @QW5kcmV3 The reason for the two rules is the options
URL=file:///<local file>
*and*
URL=file://<remote resource URL>

I liked the second one more
As with all Windows scripting techniques, there are no doubt creative launch methods to replace "file://" here that are worth exploring 🤔
@Hexacorn @cglyer @HackingDave @DerbyCon @cyb3rops @QW5kcmV3 Quick history time!
(I didn't undertake a retrohunt, basing this on info at-hand)

🔍URL=file:///<local file>

At some point in ~2017 "local" .url persistence was added to commercial backdoors
Example 2017-05-03 06:07:14 (.iso dropper) virustotal.com/gui/file/8b9da…
...
Read 11 tweets
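The thread distinguishes two .url persistence variants by the shape of the URL= line. The following is an added example (not the author's rules, and not the linked gist): it parses an InternetShortcut file and classifies it as local (file:/// with no host), remote (file:// with a host, i.e. a UNC target) or an ordinary web shortcut. The three sample files are constructed; the 203.0.113.10 host is a documentation address, not an observed indicator. It assumes the file is well-formed INI text, which is what configparser requires.

```python
"""Classify .url (InternetShortcut) files by their URL=file:// form.

Added example for the thread above; not the author's rules. Sample files
are constructed for the example.
"""
import configparser
from urllib.parse import unquote, urlparse

# Constructed samples: a normal web shortcut, the "local" variant and the
# "remote" variant from the thread.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/\r\n",
    "local.url": ("[InternetShortcut]\r\n"
                  "URL=file:///C:/Users/Public/update.exe\r\n"
                  "IconIndex=1\r\n"),
    "remote.url": ("[InternetShortcut]\r\n"
                   "URL=file://203.0.113.10/share/loader.hta\r\n"),
}


def classify_url_file(text: str) -> dict:
    """Return {'url', 'kind', 'target'} for one .url file's contents."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep "URL" as written
    cp.read_string(text)
    url = cp.get("InternetShortcut", "URL", fallback="")
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return {"url": url, "kind": "not-file", "target": None}
    if parsed.netloc:
        # file://host/share/path -> \\host\share\path (remote resource)
        target = "\\\\" + parsed.netloc + unquote(parsed.path).replace("/", "\\")
        return {"url": url, "kind": "remote", "target": target}
    # file:///C:/path -> C:\path (local file)
    target = unquote(parsed.path).lstrip("/").replace("/", "\\")
    return {"url": url, "kind": "local", "target": target}


def flag_persistence(files: dict) -> list:
    """Names of the files whose shortcut points at a file:// target,
    the shapes the thread associates with .url persistence."""
    return [name for name, text in files.items()
            if classify_url_file(text)["kind"] in ("local", "remote")]


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_url_file(text))
    print("flagged:", flag_persistence(SAMPLES))
```

In a hunt this classifier would run over every .url under the per-user and all-users Startup folders; the remote variant is the one worth prioritising, since the target can be swapped server-side without touching the host again.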
We're doing a special #StateOfTheHack episode this week with two of the technical experts who worked for months to graduate the activity clusters into #APT41. I'm sure @cglyer will pepper in #DFIR war stories.

If you've read the report (below),
what QUESTIONS do you still have?
I plan to go deeper on #APT41's:
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!
content.fireeye.com/apt-41/rpt-apt…
@FireEye 📺 #StateOfTheHack Stream
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer
pscp.tv/FireEye/1vAGRW…
Read 9 tweets
Some ideas for „KPI“ in Security Operation Centers (Thread).
Most important and first: Don’t create wrong incentives for your analysts, i.e. „time to alert close“ pushes your analysts into laxity.
To check for anomalies in your data sources: Top x alarm sources, Least x alarm sources
Read 9 tweets
We have a new intern at work who I'm training up on how to be an expert threat hunter, which has prompted me to do a little thread here on one important component of how to do threat hunting right.
The topic of today's rambling twitter thread is:
Paranoia.
Paranoia is just a thing for spies, dictators, and conspiracy theorists though, right, Hexa? Yes. But also it's a thing for anyone whose job it is to recognize patterns left by a malicious hand.
One of the most famous paranoids who I like to use as an example when I talk about this topic is a guy named James Angleton. A man who @NatSecGeek and I squabble over on an almost daily basis.
Read 15 tweets
Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
Read 7 tweets
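Both Linux threads above (the /proc/<PID> triage of the "x7" bindshell, and the cp /proc/<PID>/exe recovery) rest on the same kernel fact: an unlinked executable stays readable for as long as a process maps it. The following is an added example (not the author's code) that reproduces the sleep-as-"x" setup from Python and then does the two things the threads describe: read the cwd, exe link and cmdline an analyst would check, and copy the deleted binary back out of /proc and hash-compare it with the original. It assumes Linux with /proc mounted and a sleep binary on PATH.

```python
"""Live /proc triage and recovery of a deleted executable on Linux.

Added example for the two Linux threads above; not the author's code.
Assumes Linux with /proc and a `sleep` binary available.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_process(pid: int) -> dict:
    """The checks from the first thread: where does it run, what is it,
    and is the backing file still on disk?"""
    base = f"/proc/{pid}"
    exe_link = os.readlink(f"{base}/exe")    # gets " (deleted)" once unlinked
    cwd = os.readlink(f"{base}/cwd")
    with open(f"{base}/cmdline", "rb") as f:
        argv = f.read().split(b"\0")[:-1]
    return {
        "exe": exe_link,
        "deleted": exe_link.endswith(" (deleted)"),
        "cwd": cwd,
        "argv": [a.decode(errors="replace") for a in argv],
        # the red flag from the thread: running out of /tmp or /dev/shm
        "suspicious_dir": cwd.startswith(("/tmp", "/dev/shm")),
    }


def recover_exe(pid: int, dest: str) -> str:
    """cp /proc/<PID>/exe <dest>; returns the SHA-256 of what came out."""
    with open(f"/proc/{pid}/exe", "rb") as src, open(dest, "wb") as out:
        shutil.copyfileobj(src, out)
    return _sha256(dest)


def demo() -> dict:
    """Stage sleep as "x", run it, delete it, inspect and recover it."""
    sleep_bin = shutil.which("sleep") or "/bin/sleep"
    workdir = tempfile.mkdtemp(prefix="procdemo-")
    staged = os.path.join(workdir, "x")
    shutil.copy2(sleep_bin, staged)
    original_hash = _sha256(staged)
    proc = subprocess.Popen([staged, "3600"], cwd=workdir)
    try:
        os.unlink(staged)                     # binary is now gone from disk
        info = inspect_process(proc.pid)
        recovered = os.path.join(workdir, "recovered_bin")
        info["hash_matches"] = recover_exe(proc.pid, recovered) == original_hash
        return info
    finally:
        proc.kill()
        proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind on a real box: the copy only works while the process is alive, so collect before killing, and /proc/<PID>/exe is the file that was exec'd, not a memory dump, so anything the malware unpacked or patched in place after start is only visible in /proc/<PID>/maps and /proc/<PID>/mem.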
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
0433aeff0ed2cdf5776856f2c37be975
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project from Github: github.com/azlan/WinHexCa…
and this indeed contains this initial hexcalc.exe

2/n
They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
ae73fe66415edbfd5669ab567793536b
d7c7c9ef1c1725f497ef5feaa654fc2e
7feaa6255459dcba370252e8905a9a4a
ddc442bd5e5d157011ae79c48ee2189a
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
3/n
Read 9 tweets
Only about two months later than I originally planned, but here we go. I'll summarise areas we are hiring into in the thread 👇, along with a steer on experience and location where possible (all UK, but happy to make introductions elsewhere).
We have space for a mix of junior and experienced folks in most roles, and there is also a mix of location and partial remote working options depending on the role, so please DM to ask clarification questions or to ask about applying :) A little background on the team:
Cyber Threat Operations is PwC's front-line technical security services group, responsible for a portfolio of blue & red team services to global clients. Blue includes subscription & bespoke #threatintel & research services, short-term & managed endpoint/network threat hunting,
Read 18 tweets
I've got a story to share. Not as exciting as the exploits of @TinkerSec, @HydeNS33k, or @_sn0ww, but a story nonetheless. #DFIR & #BlueTeam in nature. 1/
I worked for a service provider back in the day. And we provided email accounts to customers. 2/
This was back when most places would slap #SquirrelMail or #Horde on top of a #dovecot server. 3/
Read 13 tweets
EMOTET ANALYSTS: Every day, our team sees 5-15 clients' networks wrecked by Emotet. Cleanup/response can take 3d - 3mo depending on IT department skills, tools, and telemetry. We’re creating a “synchronized” removal capability and could use additional perspective. 1/x
We know the core of lateral movement for Emotet, TrickBot, Qakbot, etc. is abuse of elevated creds/tokens, standard local admin passwords, and MS17-010 for poorly maintained networks. With these, payloads are dropped to remote shares via SMB & started via remote services. 2/x
For starters, we could use some perspective to make sure there’s not more we’re missing in regards to lateral movement.

We are aware of email spreading and browser password scraping plugins. However, we like to scope this to stopping local self-propagation of the bot first. 3/x
Read 13 tweets
This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir
88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also 홀리데이 와이퍼(Operation Holiday Wiper)로 귀환한 로켓맨 APT 캠페인 by @alac blog.alyac.co.kr/2089
05683b9a13910d768b7982d013c31cb9 (U3.conf) is a backdoor that uses the PubNub API (a legit service) for C2 (see @MITREattack's T1102). It's a .NET binary and without its config it doesn't do much in a sandbox. How do you detect network C2 over the PubNub API?
Read 8 tweets
I can hardly remember a security incident I have worked on in which a webshell was not used at some stage, especially the incidents I worked in our region (the Middle East). A thread about webshells and ideas for hunting them. #threathunting #dfir
A webshell is malware in the form of a script that targets web servers (usually ones reachable from the Internet) and supports a set of operations useful to the attacker, such as: moving files/data to and from the system, executing commands, building tunnels, and so on...
Webshells are used in more than one stage of the attack life cycle, for example:
— Initial Foothold: after finding a vulnerability that allows uploading files to a web server, the attacker may use it to upload a webshell to the server, which gives them a foothold to continue from.
Read 18 tweets
One #DFIR / #INFOSEC thing that is useful to me that I wished I had learned sooner: the art of PDB path pivoting for #threatintel and mal analysis. This is pretty easy, but can be a crazy strong pivot for anyone studying large, tenured threat groups such as many espionage actors.
PDB Path Pivoting Primer

This is a tweet thing about malware PDB paths and their role in the disco, DFIR and/or #threatintel processes, using #KeyBoy as an example.

3/4) What are PDBs?
5) Where/why will I see PDB paths?
6/7) How can I use PDBs paths?
8-n) PDB paths and #KeyBoy
What are PDBs?

Program Data Base (PDB) files are used to store debugging info about a program when it is compiled. The PDB stores symbols, addresses, names of resources etc. Malware devs often have to debug their code and end up creating PDBs as a part of their dev process.
Read 15 tweets
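The PDB primer above and the hexcalc.exe thread earlier on this page both turn on the same artifact: the CodeView "RSDS" debug record a Microsoft linker embeds in a PE, which carries a GUID, an age and the build machine's PDB path. The following is an added example (not either author's code) of the quick way most analysts get at it: scan the raw bytes for the RSDS signature and parse the record behind it, then split the path into the pieces worth pivoting on and build the symbol-server key the GUID and age form. The sample blob is constructed; its GUID is made up, and the path in it is the one the hexcalc thread reports. Scanning raw bytes can hit noise, so a proper PE parser walking the debug directory is the rigorous route; this one just rejects records whose path is not printable ASCII.

```python
"""Extract CodeView (RSDS) PDB records from PE bytes and derive pivot keys.

Added example for the PDB primer and the hexcalc thread; not the authors'
code. SAMPLE_BLOB is constructed: the GUID is made up, the path is the one
quoted in the hexcalc thread.
"""
import re
import struct
import uuid

# "RSDS" + 16-byte GUID + 4-byte little-endian age + NUL-terminated path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)

_BUILD_NOISE = {"release", "debug", "x64", "x86", "bin", "obj", "output"}

_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")   # made up
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"RSDS" + _GUID.bytes_le + struct.pack("<I", 2)
    + b"D:\\codes\\WinHexCalc\\Release\\hexcalc.pdb\x00"
    + b"\xff" * 16
)


def parse_rsds_records(data: bytes) -> list:
    """Every plausible RSDS record in a blob, in file order."""
    records = []
    for m in RSDS_RE.finditer(data):
        try:
            path = m.group(3).decode("ascii")
        except UnicodeDecodeError:
            continue                         # binary noise, not a path
        if not path.isprintable():
            continue
        records.append({
            "offset": m.start(),
            "guid": str(uuid.UUID(bytes_le=m.group(1))),
            "age": struct.unpack("<I", m.group(2))[0],
            "pdb_path": path,
        })
    return records


def symbol_key(guid: str, age: int) -> str:
    """The <GUID><age> directory name a symbol server uses for this PDB."""
    return f"{uuid.UUID(guid).hex.upper()}{age:X}"


def pivot_keys(pdb_path: str) -> dict:
    """Split a PDB path into the parts that survive across builds and
    are therefore useful for pivoting: drive, user name, project
    directory (skipping build-configuration folders) and file name."""
    parts = [p for p in re.split(r"[\\/]", pdb_path) if p]
    project = next((p for p in reversed(parts[:-1])
                    if p.lower() not in _BUILD_NOISE), None)
    user = next((parts[i + 1] for i, p in enumerate(parts[:-1])
                 if p.lower() == "users"), None)
    return {
        "drive": parts[0] if re.fullmatch(r"[A-Za-z]:", parts[0]) else None,
        "user": user,
        "project": project,
        "filename": parts[-1],
    }


if __name__ == "__main__":
    for rec in parse_rsds_records(SAMPLE_BLOB):
        print(rec)
        print(symbol_key(rec["guid"], rec["age"]))
        print(pivot_keys(rec["pdb_path"]))
```

The project and user components are the pivots the primer is about: they are set by the developer's environment rather than by the build, so they tend to recur across samples even when every hash changes. The symbol-server key is a different kind of pivot, since it changes with every link; it mostly matters when a matching PDB turns up on its own.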
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.

Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze 😅

#FireEyeSummit
It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.

The talk then gets into additional advanced backdoors with crazier capabilities that were first.

There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube 🤞
Read 4 tweets