Discover and read the best of Twitter Threads about #dfir

Most recents (24)

In this Mega thread, you will find 10 FREE online courses with a certificate of completion from :

1 - ISC ²
2 - Cisco Academy
3 - Fortinet
4 - EC-Council
5 - AWS

#CyberSecurity #Cisco #AWS #dfir #infosec #infosecurity #threats #Python #100DaysOfHacking
1⃣ Free Cybersecurity Training

- Information Security Awareness
- The Evolution of Cybersecurity
- NSE 2 Cloud Security
- NSE 2 Endpoint Security
- NSE 2 Threat Intelligence
- NSE 2 Security Information & Event Management
- Security Operations &
🖇️
training.fortinet.com
2⃣ Introduction to Dark Web, Anonymity, and Cryptocurrency

Learn to access Dark Web, and Tor Browser and know about Bitcoin cryptocurrency

🖇️
codered.eccouncil.org/course/introdu…
Read 12 tweets
#Qakbot Infection New TTPs 🚨

[+] Deliver ISO (T1204.002)
[+] DLL Search Order Hijacking (T1574.001)🔥
[+] Regsvr32 (T1218.010)
[+] Process Hollowing (T1055.012)
[+] Discovery (TA0007)
[+] Credentials from Web Browsers (T1555.003)
[+] Data from Local System (T1005)
#Qakbot C2 server:
IP: 92.27.86[.]48
Port: 2222

Additional C2 IP:
23.111.114[.]52
#Qakbot initial exec flow #DFIR:
ISO > LNK > cmd.exe /c control.exe > e:\control.exe > regsvr32.exe msoffice32.dll > Injection
Read 4 tweets
#Qakbot New TTPs IMG File Infection

[+] IMG File instead of ISO 🔥
[+] VBS Script (ShellExecute) instead of LNK 🔥
[+] .tmp (DLL loader) exec via Regsvr32.exe
[+] Process Injection
[+] Discovery commands
[+] C2 connection

#DFIR exec flow: img > vbs > tmp > injection
Thank you @pr0xylife for sharing the sample:

bazaar.abuse.ch/sample/ac7c130…
#Qakbot C2 server:

IP: 70.121.198[.]103
Port: 2078
Artifact: POST /t5 HTTP/1.1

Additional C2 IPs:
200.93.14[.]206
174.115.87[.]57
102.157.73[.]215
98.30.233[.]14
94.70.37[.]145
82.31.37[.]241
172.90.139[.]138
Read 4 tweets
🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
Read 22 tweets
🦖Day 37 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]Windows[.]Detection[.]ISOMount

Author: @ConorQuinn92

Link: docs.velociraptor.app/exchange/artif…
After Microsoft decided to block Office macros by default, threat actors began pivoting to a usage of container files such as .iso, .rar, and .lnk files for malware distribution.

This is because TAs can then bypass the "Mark of the web" restrictions for downloaded files.
When downloaded, container files will have the MOTW attribute because they were downloaded from the internet. However, the document inside, such as a macro-enabled spreadsheet, will not.
Read 12 tweets
🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS[.]System[.]QuarantineEvents

Link: docs.velociraptor.app/artifact_refer… Image
This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID
On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com[.]apple.quarantine'.

This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt). Image
Read 9 tweets
1\ #DFIR: Chrome Forensics - How to Recover CLEARED History

If a user just cleared their browser history, you can still recover everything they were just looking at from the session files:

%appdata%\Local\Google\Chrome\User Data\Default\Sessions

inversecos.com/2022/10/recove…
2\ In some instances (more on this) the session and tab files inside that folder show the webkit/chrome date for when the session was exited.

This allowed me to put together a full timeline of what this naughty boy was doing *BONK*
3\ Historically, evidence of cleared history was in the Favicons file, but this is INCONSISTENT. Specifically under the table named "icon_mapping".

%appdata%\Local\Google\Chrome\User Data\Default\Favicons
Read 7 tweets
1\ #DFIR: How to investigate insider threats

Sharing the forensic methodology I follow when I'm investigating insiders 😍

This is where an employee sells creds/changes configs/runs malware leading to full DA compromise and then say they didn't do it O_o

inversecos.com/2022/10/how-to…
2\ The questions that I use to guide the analysis and prioritisation of analysis are:

1. How was the device accessed around the suspected behaviour?

2. Where was the user/device when this occurred?

3. Was the insider active on their system?

4. What did the user do?
3\ To answer the first question, I look at SRUM, specifically the App Timeline Provider details.

I pull:
> Execution time of the malicious thingz
> Duration of execution
> User SID

Then, I cross correlate that user info with their corresponding ActivitiesCache.db. #DFIRISS3XY
Read 7 tweets
🦖Day 14 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: 'Windows[.]Detection[.]BinaryRename'

Author: @mgreen27

Link: docs.velociraptor.app/exchange/artif… Image
This artifact will detect renamed binaries commonly abused by adversaries.

Renaming binaries is a defense evasion technique used to bypass brittle process name and path-based detections. It is used by many actors/groups, including from commodity malware and nation states.
Here, we can see 'cmd.exe' was renamed in an attempt to appear as a legitimate instance of 'lsass.exe': Image
Read 6 tweets
🧵 I started with the Pelican 1510 travel case. I bought this one at a surplus store near me for much cheaper than a new one. #DFIR #Forensics
It had the foam already cut out for the most part but I customized a few spots.
As for what is in it, I have numerous USB drives with all sorts of Mac and PC forensic software on them like FTK, portable apps, volatility, screen captures, every variant of Paladin, mouse jigglers, extra blank USB drives, etc. All organized and labeled.
Read 11 tweets
I wanted to share some findings about RDP, Network Layer Authentication, LogonTypes and brute forcing 🔭

Recently, we perused some EventID 4625s (login failures) originating from public IPv4s brute forcing...
🧵
I kept finding LogonType 3s (network)

However only RDP was externally exposed on the machine, which usually records LogonType 10....

When this has happened before, I usually just assume its Windows jank and continue with my investigation 🤷‍♂️

But this time, I wanted to know WHY
The wise @DaveKleinatland suggested Network Layer Authentication (NLA) would explain this:

"
NLA takes place before the session is started... without NLA things can be exposed before any sort of authentication.... like domain name, usernames, last logged on user, etc
"
- Dave 🧙‍♂️
Read 10 tweets
🔔I published a new script to parse the log of #AppLocker🔒 , which I called Get-AppLockerEventlog.ps1

It compiles all the useful data needed in #threathunting and #DFIR

You can find the script and the documentation here:
👉github.com/RomaissaAdjail…
2/ Also, You can save the output as a CSV.
3/ It comes with 04 cases (block, all, allow, audit)
Read 3 tweets
1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of "touch". But you can timestomp without using "touch". 😈

Check out my blog below 👇
inversecos.com/2022/08/detect…
2\ The file "filesystem.db" (enabled by default) tracks:
> fileCreated time
> fileLastAccessed time

Look for discrepancies in the fileCreated time in this DB file vs the times that "stat" show on a file.

There's also a correlating WAL that contains uncommitted data :3
3\ As you can see, this has caught an instance of timestomping where you can observe the creation time is after the access time.

You can query the db using this command:
sqlite3 *filesystem.db .dump | grep <filename>
Read 5 tweets
1/ Windows Error Reporting (WER) can provide investigators with a wealth of data including:
• SHA1 hashes of crashed processes
• Snapshot of process trees at time of crash
• Loaded modules of crash
• Process minidumps
#DFIR #Threathunting
See 🧵 for new #Velociraptor artefact
2/ WER files are found in the following locations which include a range of information to typically address an application crash, however we can use it for investigation!

C:/Users/*/AppData/Local/Microsoft/Windows/WER
C:/ProgramData/Microsoft/Windows/WER
3/ The "Report.wer" file includes binary information and binary path. In Windows 10 and above the field "TaskAppId" contain the SHA1 hash of the process (similar to Amcache).
Read 9 tweets
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awsome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
Read 8 tweets
#ThreatHunting:

1/ When examing AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)?

"powershell.exe" -windowstyle hidden

#CyberSecurity #dfir
2/ @Malwarebytes has found out that the Colibri malware on Windows 10 systems (and up) drops a file called Get-Variable.exe in the path %APPDATA%\Local\Microsoft\WindowsApps.
3/ "It so happens that Get-Variable is a valid PowerShell cmdlet which is used to retrieve the value of a variable in the current console. Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell
Read 7 tweets
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec #threatintel

1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec #ttp
3⃣ - Mitre ATT&CK Matrix is became one of the references to classify and categorize attackers' TTPs! ☠️ #cybersecurity
Read 8 tweets
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory.
1/8

#CyberSecurity #dfir
The computer names are relatively unique, and one quickly finds a GitHub repository with corresponding exploit code.

The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
2/8

github.com/WazeHell/sam-t…
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD.
3/8
Read 8 tweets
Quick 5 minute on quickly analyzing Linux exes...even if you don't know how to do malware analysis. Hopefully this is helpful to someone.

Got a log4j hit on a Tomcat honeypot I set up. Used cyberchef and it decodes to download malware (1/8)

#dfir
After dl'ing it on an analysis system (a mac), my first step is to run file to see what we are dealing with. I always run file - it saves steps and gives valuable info.

A Linux ELF executable, so can't just cat it out to see its contents. (2/8)
Next I ran strings. I love strings. It almost always gives you some hints. Note that I limited it to 6 chars and above to reduce random strings shown (-n 6).

Strings indicate this is UPX packed. (3/8)
Read 8 tweets
A thread on the (suspected) Okta compromise from an incident response perspective 🧵

#okta #LAPSUS$ #dfir #incidentresponse
1. Collect and preserve all Okta logs, focus on the Okta System Log as it's the main audit trail for Okta activities
Need more info on this log check (developer.okta.com/docs/reference…)
2. Search your audit log for suspicious activity focus on your superuser/admin Okta accounts as they pose the largest risk
Read 21 tweets
SRUM is maybe one of the best Windows digital forensic artefacts, if you’re willing to roll your sleeves up.

You can get proof of execution and execution runtime, as well as proof of network communication and the bytes sent and received

Let's take a look in this #DFIR thread🧵
Since Win8, System Resource Usage Monitor (SRUM) monitors a bunch!

What we’re most interested in is its detailed record of programs and network activity.

SRUM has a LONG memory compared to some of the other more ephemeral artefacts📜
To put SRUM to forensic work, grab its .DAT file

C:\Windows\System32\sru\SRUDB.dat

To gain extra contextual data, we're advised to also collect the SOFTWARE hive.

I didn't do that however, because I am a bad person 😞 Image
Read 16 tweets
1\ How to detect what command line spawned a process with no EDR/AV? 👀 #DFIR

If you have a memory sample, this is how you can figure out what cmd spawned the processes by using volshell and memory forensics.

STEP BY STEP GUIDE BELOW

👇 👇 👇 👇 

#MemoryForensics
2\ Each process in Windows is represented by an "EPROCESS" structure.

These EPROCESS blocks are joined in a doubly linked list structure. The flink (forward link) tells you the next process running and blink (backwards link) tells you the previous process.
3\ When you see a list of processes on a live system, often times this is gathered by walking this doubly-linked structure of EPROCESS blocks.

Of course malware can unlink a process in this doubly linked list to hide from detection :P
Read 13 tweets
#DFIR thoughts 💭
Expectations from paid multipurpose #DFIR tools (#4n6 focused):
🔂 Ingest multiple images at the same time or sequentially in a automated fashion. If the GUI doesn't allow it provide for a way to script it. Terminal / CMD line at a minimum.
1/
🪵 Support well know data sources natively in a report they gives context. Ex. If the field is called 'abcd' but the data in it is a Last Modified Timestamp call it as such in the report. For context tie the item to a particular app, service, or function if known.
2/
🖼 Provide general purpose viewers for well known file types. Bonus if there is a way to pick and choose keys and values for custom report generation.
3/
Read 9 tweets
1\ How to prove malicious macro was enabled & clicked? 👀 #DFIR

HKEY_LOCAL_MACHINE\USERDAT\Software\Microsoft\Office\<VERS>\<PROGRAM>\Security\Trusted Documents\TrustRecords

Look ONLY for values where last four bytes are "FF FF FF 7F".

These files had macros enabled

👇👇👇
2\ In light of the recent Emotet campaigns, make sure you check INetCache Outlook folder as it stores the attachments that were opened in Outlook.

If AV quarantines the file this wont exist.

C:\Users\<name>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<Folder>\
3\ Next check the macro settings for that user as this user had macros set to auto enabled (VBAWarnings=1)

NTUSERDAT\Software\Microsoft\Office\<vers>\<program>\Security

Disable all macros w/o notification : 2, 4
Disable all macros except signed macros: 3
Enable all macros: 1
Read 7 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!