Discover and read the best of Twitter Threads about #DFIR

Most recent (22)

Apparently new #DFIR information I just discovered:

Running Defender’s “MpCmdRun.exe -GetFiles” will put files in the Support directory, which contains Cache_filename_dump-xxxx.bin.

This holds a list of 35,000+ entries of recently-seen PE files on the disk. 👀
Oh, it’s not just PE files, it includes MOF and MSI and INF and binary and other file types too. It’s some kind of performance cache for Defender. It’s unclear exactly why it logs something in here.
!!!!! It includes the USN integer for timeline analysis as well. Quite a treat 👀
Note: If -GetFiles doesn’t work for you it may be an older platform version. Find the latest MpCmdRun.exe in C:\ProgramData\Microsoft\Windows Defender\Platform\
Read 4 tweets
More stories from the front. #ManagedDefense and @Mandiant successfully confront adversaries intent on a disruptive outcome. Thwarting intrusions prior to mission complete is what it is all about. That is what winning looks like. #DFIR…
@Mandiant An under mentioned benefit of #ManagedDefense is the timeliness and operationalization of threat information prior to the release of finished intelligence. Seconds, minutes, and hours can be the difference in this environment. Seamless integration is key to gaining an advantage.
@Mandiant In traditional intelligence, this kind of information is considered "actionable intelligence" in that it can be utilized immediately without having gone through a complete intelligence cycle. Often this is the kind of information security operators need.
Read 3 tweets
Poll time, because I'm curious as to your position. Is a non-disclosure agreement a security measure/control? You can elaborate in the comments, and please retweet for greater visibility. #dfir #infosec #threatintel #security
Almost even on answers so far. Let's get more.
These numbers are so close, so this is clearly not a clear-cut issue here. Bumping for more participation.
Read 3 tweets
Let's go step-by-step and do some basic live process forensics for #Linux. Today's contestant is a bindshell backdoor waiting for a connection on Ubuntu. We saw something odd when we ran:

netstat -nalp

#DFIR #threathunting #forensics
netstat -nalp shows a process named "x7" with a PID and a listening port that we don't recognize. #DFIR
First thing we'll do is list out /proc/<PID> to see what is going on. Our PID is 5805:

ls -al /proc/5805

The current working directory is /tmp. The binary was in /tmp, but was deleted. A lot of exploits work out of /tmp and /dev/shm on Linux. This is a major red flag. #DFIR
Read 13 tweets
@Hexacorn @cglyer @HackingDave @DerbyCon This was a technique largely outside of my typical purview - thanks for the context @Hexacorn!

Here are some rules 📏 & in-the-wild history 📆 to share for .url persistence.

Rules:… (CC @cyb3rops)

A quick history on the two kinds of .URL files so far...
@Hexacorn @cglyer @HackingDave @DerbyCon @cyb3rops @QW5kcmV3 The reason for the two rules is the options
URL=file:///<local file>
URL=file://<remote resource URL>

I liked the second one more
As with all Windows scripting techniques, there are no doubt creative launch methods to replace "file://" here that are worth exploring 🤔
@Hexacorn @cglyer @HackingDave @DerbyCon @cyb3rops @QW5kcmV3 Quick history time!
(I didn't undertake a retrohunt, basing this on info at-hand)

🔍URL=file:///<local file>

At some point in ~2017 "local" .url persistence was added to commercial backdoors
Example 2017-05-03 06:07:14 (.iso dropper)…
Read 11 tweets
We're doing a special #StateOfTheHack episode this week with two of the technical experts who worked for months to graduate the activity clusters into #APT41. I'm sure @cglyer will pepper in #DFIR war stories.

If you've read the report (below),
what QUESTIONS do you still have?
I plan to go deeper on #APT41's:
1️⃣ Supply chain compromises (and nuanced attrib)
2️⃣ Linux & Windows MBR bootkits and how they were found 😉
3️⃣ Third party access 🌶️
4️⃣ Legitimate web services use (and their obsession with Steam)
+concurrent ops, overlaps!…
@FireEye 📺 #StateOfTheHack Stream
"Double Dragon: The Spy Who Fragged Me" 🎮
#APT41 with Jackie, Ray, and @cglyer…
Read 9 tweets
Some ideas for "KPI" in Security Operations Centers (Thread).
Most important and first: Don’t create wrong incentives for your analysts, i.e. "time to alert close" pushes your analysts into laxity.
To check for anomalies in your data sources: Top x alarm sources, Least x alarm sources
Read 9 tweets
Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
Read 7 tweets
Someone's trying to backdoor "hexcalc.exe" from GitHub and not doing a great job. Here's a quick exploration of the VT tester's 6 files, the corresponding PDB anomalies, PS1 & Cobalt Strike shellcode, and Yara #hunting rules.

Thread 1/n
The first file tested by the VT account is hexcalc.exe
PDB: D:\codes\WinHexCalc\Release\hexcalc.pdb

This led me to search for the original (shady) project from GitHub:…
and this indeed contains this initial hexcalc.exe

They attempt to backdoor the file 4 different times with PS1 shellcode, uploading all to VT:
PDB: F:\Devel\WinHexCalc-master\Release\hexcalc.pdb
Read 9 tweets
Only about two months later than I originally planned, but here we go. I'll summarise areas we are hiring into in the thread 👇, along with a steer on experience and location where possible (all UK, but happy to make introductions elsewhere).
We have space for a mix of junior and experienced folks in most roles, and there is also a mix of location and partial remote working options depending on the role, so please DM to ask clarification questions or to ask about applying :) A little background on the team:
Cyber Threat Operations is PwC's front-line technical security services group, responsible for a portfolio of blue & red team services to global clients. Blue includes subscription & bespoke #threatintel & research services, short-term & managed endpoint/network threat hunting,
Read 18 tweets
I've got a story to share. Not as exciting as the exploits of @TinkerSec, @HydeNS33k, or @_sn0ww, but a story nonetheless. #DFIR & #BlueTeam in nature. 1/
I worked for a service provider back in the day. And we provided email accounts to customers. 2/
This was back when most places would slap #SquirrelMail or #Horde on top of a #dovecot server. 3/
Read 13 tweets
EMOTET ANALYSTS: Every day, our team sees 5-15 clients' networks wrecked by Emotet. Cleanup/response can take 3d - 3mo depending on IT department skills, tools, and telemetry. We’re creating a “synchronized” removal capability and could use additional perspective. 1/x
We know the core of lateral movement for Emotet, TrickBot, Qakbot, etc. is abuse of elevated creds/tokens, standard local admin passwords, and MS17-010 for poorly maintained networks. With these, payloads are dropped to remote shares via SMB & started via remote services. 2/x
For starters, we could use some perspective to make sure there’s not more we’re missing in regards to lateral movement.

We are aware of email spreading and browser password scraping plugins. However, we like to scope this to stopping local self-propagation of the bot first. 3/x
Read 13 tweets
This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir
88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also "The Rocket Man APT Campaign Returning as Holiday Wiper (Operation Holiday Wiper)" by @alac
05683b9a13910d768b7982d013c31cb9 (U3.conf) is a backdoor that uses the PubNub API (a legit service) for C2 (see @MITREattack's T1102). It's a .NET binary and without its config it doesn't do much in a sandbox. How do you detect network C2 over PubNubApi?
Read 8 tweets
I can hardly recall a security incident I have worked on in which a webshell was not used at some stage, especially the incidents I worked on in our region (the Middle East). A thread about webshells and ideas for hunting them. #threathunting #dfir
A webshell is malware in the form of a script that targets web servers (usually ones reachable from the Internet) and supports a set of operations useful to the attacker, such as: transferring files/data to and from the system, executing commands, creating tunnels, and so on...
Webshells are used in more than one stage of the attack life cycle, such as:
— Initial Foothold: after finding a vulnerability that allows uploading files to a web server, the attacker may use it to upload a webshell to the server, which gives them a foothold from which to continue.
Read 18 tweets
One #DFIR / #INFOSEC thing that is useful to me that I wished I had learned sooner: the art of PDB path pivoting for #threatintel and mal analysis. This is pretty easy, but can be a crazy strong pivot for anyone studying large, tenured threat groups such as many espionage actors.
PDB Path Pivoting Primer

This is a tweet thing about malware PDB paths and their role in the disco, DFIR and/or #threatintel processes, using #KeyBoy as an example.

3/4) What are PDBs?
5) Where/why will I see PDB paths?
6/7) How can I use PDB paths?
8-n) PDB paths and #KeyBoy
What are PDBs?

Program Data Base (PDB) files are used to store debugging info about a program when it is compiled. The PDB stores symbols, addresses, names of resources etc. Malware devs often have to debug their code and end up creating PDBs as a part of their dev process.
Read 15 tweets
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.

Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze 😅

It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.

The talk then gets into additional advanced backdoors with crazier capabilities that were first.

There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube 🤞
Read 4 tweets
I imagine the #sonytruthers playing armchair #DFIR investigators will emerge from wherever they’ve been hiding in order to dispute the #DPRK #indictment. My advice: you were wrong in 2014-2015, and you’d still be wrong today. HT …
Because #attribution is inherently political per @RidT and @BuchananBen, you need more than “hacking” knowledge to assess national policy. Experience w/ #cybersecurity clearly helps, but gov internals, intel agency processes, bureaucracy, trade, diplomacy, LE, are all important.
I think it’s slowly changing, but a failure of #cybersecurity has been to think “soft” areas are much easier than coding, so any leet hacker is inherently qualified to address political science, history, economics, and related topics by virtue of their ability to code in ASM.
Read 4 tweets
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release:…

We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today.
#FIN7 targeted other financial data when they encountered encryption in POS networks. New information today - and certainly helped stack up the charges against Combi Security.

Also @BarryV @stvemillertime first shared SEC filing targeting in March 2017:…
Crime doesn't pay. Unless you worked for Combi Security, in which case it paid a pretty decent wage for Russian/Ukrainian "pen testers" 😄

Sidenote: @FireEye's red team is hiring but their operations *are* authorized and the only payment card hijinks is over who expenses dinner.
Read 8 tweets
Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language: for every rule there are 5 exceptions. My views have evolved over time - from a combo of experience & as monitoring tools have improved
If you catch an attacker early in the attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in the attack lifecycle: malware owned by the primary user of the system or malware in the startup folder
Opposite end of the spectrum - if the attacker has been there for months/years - it will take at the very (and I mean very) least a few days to get a bare minimum handle on infected systems & how they are accessing the environment. The bigger challenge is the client's ability to take "big" remediation steps
Read 8 tweets
I've been thinking about the recent conspiracy theory of "where is the physical DNC server".

Here is a thread on the "missing" DNC server and my experience/advice from conducting similar investigations.
First, some background for my comments. Over the last decade, I've personally led investigations at over 100 organizations & taught dozens of classes for both federal law enforcement and the private sector on incident response and digital forensics.
I've never once physically acquired a server or asked someone to physically acquire a server. Literally the first thing you learn in digital forensics is how to take a forensic image (or in layman's terms a complete copy of a computer).
Read 18 tweets
Reading… today reminded me how I got my start in #DFIR in 2008 investigating FIN1. Let's take a walk down memory lane.
FIN1 (in my experience) has had a few major periods of activity (2007-2009, 2011-2012, and 2014-2015) - each with their own distinct set of TTPs. They've significantly improved their capabilities over the years (even though multiple members have been arrested)
FIN1 in the first period had the following TTPs: 1) didn't use backdoors 2) broke in commonly via SQL Injection 3) uploaded new tools by creating temporary tables and exporting the file via BCP 4) deployed a sniffer named sn.exe to identify systems with track data in memory
Read 9 tweets
Use Sysmon to detect attempts to mess with your event log service and stay on top of red team tactics - #dfir, #EventLog
... and #dfir can surface sysmon-based detections for such in-memory attacks in #AzureSecurityCenter - read how at…
Was asked whether such alerts can be surfaced in the OMS Security & Audit dashboard. 🔥Sure! 🔥Configure Sysmon collection via OMS settings as shown, and see the detection show up in OMS 🎉 !
Read 3 tweets