Discover and read the best of Twitter Threads about #dfir

Most recents (24)

Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - github.com/klinix5/Instal…) and managed to create some detections on it.

Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit requires the user to overwrite elevation_service.exe with a compromised one (in this case with InstallerFileTakeOver.exe).
We can monitor this using #Sysmon event ID 11 - File Creation events:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe
Read 14 tweets
1\ #dfirtips #dfir #infosec

Windows Event Logs can be daunting especially if it's a lot. No one can actually sit in front of their computer to check each of those logs one by one thru a manual approach. Here are some of the newest EVTX tools that can really save our lives as IR
2\ #Zircolite can be very useful where you can use your favorite sigma rules to detect bad stuff

github.com/wagga40/Zircol…
3\ #Chainsaw is such a wonderful tool and it's SO FAST! Whatever EVTX logs you have during your engagement, you can literally get a result in a few minutes. Shoutout to @countercept for having this for free to us!

github.com/countercept/ch…
Read 8 tweets
Dealing with a bunch of memory #forensics lately so I just dump fairly new tools that are useful to all #dfir #incidentresponse out there:
MemProcFS - convenient and easy to use
BulkExtractor - extracts everything into a text file and grep it
SuperMem - CS tool for quick triage
Read 4 tweets
1\ Threat actors leave behind traces on disks that end up incriminating them or giving away that they are Russian/Ukranian.

If you ever see RDP events, you should parse out the RDP bitmap cache. It maps out bitmap images of a user's RDP session.

#DFIR
2\ You can find these bitmaps at this location:

> %APPDATALOCAL%\Microsoft\Terminal Server Client\Cache\

I've seen all kinds of weird and interesting stuff in these RDP sessions. You never know, you might find pieces of info that will really help with the investigation.
3\ This is the tool i recommend github.com/ANSSI-FR/bmc-t…
Read 3 tweets
#HuntingTipOfTheDay
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.

Came across this interesting command. What is it doing? 🤔
It certainly seems to be mucking with the event log, given the security parameter, it seems clear it's interested in the Windows security event log.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.
How can we find out more about this tool? The tool name (comrelg.exe) is faked🤥 and the hash didn't lead anywhere and I didn't have a copy of the sample. (set aside pivoting on imphash etc for now🧠)
Read 8 tweets
mshtml.dll was loaded into winword process, when Microsoft MSHTML used? I guess, it will be nice for #threathunting perspective
based on sample: app.any.run/tasks/36c14029…
possible another suspicious loads: ExplorerFrame.dll, ieproxy.dll

#CVE-2021-40444 #DFIR #BlueTeam
...run query on prod enviroment, last 30 days - 0 FPs hists. via (MDATP) @MSThreatProtect
Read 3 tweets
If you want the quickest and easiest way to try out #SecurityOnion, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM! ImageImageImage
Start Setup and choose Import node: ImageImageImageImage
Read 17 tweets
Living off the land #DFIR. Things you can use during incident response when you can't bring your tools or run scripts:
1 - Use Windows Resource Monitor to see active network traffic by process name, remote IP and destination ports
2- Use advanced searches in Windows Explorer and filter by more specific creation/modification dates use Booleans and Wildcards
3- Use modification and creation date in Prefetch folder to get first and last time of execution.
Read 5 tweets
Here is how to hunt/detect 60% (possibly more than 60%) of lateral movement attacks:
On ALL endpoints, look for EID 4624 with LogonType 9 (NewCredentials), and check TargetOutboundUserName field. 1/4
#threathunting #dfir #lateralmovement
Then, check if the TargetOutboundUserName is supposed to be seen on the endpoint. Here is why:
Attackers most likely spawn a new process on the compromised machine with the credentials/tokens they steal. This is done by using "/NETONLY" flag. 2/4
"/NETONLY" flag generates a new logon on the endpoint with the EID 4624 LogonType 9.
LogonType 9 is quite rare in an environment, usually <1% of all logon events. Therefore, it is quite easy to hunt for this event. 3/4
Read 4 tweets
You see a weird openssl command running on one of your Linux systems. Here's how to investigate whether it's a bindshell backdoor operating on the box and hiding traffic inside an encrypted tunnel. Thread. #DFIR
The server and client to run the attack. The reverse bindshell causes openssl to connect back to us and is encrypted so network monitoring is blind to what is going on. Need to look at the host to figure it out.
We log into the host after seeing the weird outbound connection and need to investigate. Run ps -aux and lsof -p <PID> to see the process. Throw in netstat for good measure. We see openssl and /bin/sh -i running that look strange.
Read 12 tweets
Given recent activity, here's a thread on webshells from a behavioral perspective. Based on my experience over the years I can say the following is true:
- The src ip of the attacker will be seen on few webservers
- The uri of the webshell is likely to be rare
#DFIR 1/?
- There will likely be few uri's visited on the webserver from attacker's ip (< 4)
- With every command issued the response bytes will likely be different
- There will be a high percentage of unique byte counts (think response to different commands issued).
#DFIR 2/?
- Attackers generally interact with the webshell for a few hours in a 24 hour period

Here's a search that accomplishes this.

#DFIR 3/?
Read 7 tweets
Thread.
One of the best things about working at @Mandiant is watching seasoned #DFIR pros join the team and then seeing their jaw drop when they see the bad ass tools we have. We get to spend more time analyzing the data than we do collecting and parsing it.
Want to collect authentication records stored locally on every endpoint and build a time bound graph of all network authentications for privileged users? Sure, click here.
Oh, you want to find every shell bag entries for a domain admin across 100,000 endpoints? Sure. Click here.
Read 11 tweets
So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover?

Start here: fireeye.com/blog/threat-re… 🤩

But then what?? Let’s talk about some post-compromise techniques...
Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premise...

We just published more details on what we’ve been finding post-compromise: blogs.microsoft.com/on-the-issues/…
ADFS key material compromise, SAML shenanigans, OAuth keys added...
Within the technical companion blog (msrc-blog.microsoft.com/2020/12/13/cus…) we provide some late stage killchain activity observed many places.

I want to highlight the additional detections pushed to cover these techniques in @MSAzureSentinel (but anyone can use on the UAL for #DFIR) ...
Read 9 tweets
@SandflySecurity was able to spot this malware very quickly and with multiple serious alerts. Let's have a walk-through about what it was up to and de-cloak it. #DFIR #sandflysecurity
Virus total shows very few results. But we saw many serious compromise tactics in use on this Linux system hit with the malware.
The top and ps commands show some odd things. Top is showing 100% of the CPU in use, but no process claiming responsibility. The ps listing shows nothing unusual. Something is hiding. Let's de-cloak it. #DFIR
Read 16 tweets
"Cybersecurity Winter Is Coming"

Let's begin with an oversimplified view of the 2008 housing market crash:

Hedge fund manager John Paulson made a fortune betting against Wall Street's insane belief for an INFINITE annual +14% housing climb
Cybersecurity has enjoyed non-stop growth since the #antivirus industry coalesced in 1988. The Internet bubble's burst didn't even slow us down; in fact, the #antivirus industry saw it as a golden opportunity to prop up then-fledgling trade magazines!
Cybersecurity barely flinched when global markets collapsed in 2008. "The only survivors," we told our bosses, "will be the ones who keep up their cyber guard during their recovery." And they bought it! Hook, line, and sinker!
Read 12 tweets
#Zerologon via @djrevmoon image h/t @ptswarm

> flaw in cryptographic auth Netlogon Remote Protocol
> insecure use of AES-CFB8
> when encrypting msg of all zeroes w all-zero IV, 1 in 256 chance output all zeroes

WP secura.com/pathtoimg.php?…
Test tool github.com/SecuraBV/CVE-2… ImageImageImageImage
Alt exploit #Zerologon by @_dirkjan
dirkjanm.io/a-different-wa…
> NTLM
> jump off CVE-2015-0005 SMB
- weird logic set NetlogonValidationSamInfo4 to 6 nets plain text sessionkey for NTLM auth
> similarly relay to auth to RPC DRSUAPI
> 2 DCs

PoC github.com/dirkjanm/CVE-2…

#respect ImageImageImageImage
Read 4 tweets
#bebaskanravio mas ravio perlu menjelaskan detail device, apps installed, dan timeline bbrp hari terakhir, agar expert diluar sana bisa narrowing possible attack vectornya...

Phising are the easiest way to steal your 2FA keys, social engineering beforehand, MITM etc
Probably ada yang monitoring SMS mas ravio ini, SIM Card providernya apa ?, Android or IOS ?, "Have been registered to another phone", high chances itu sim card swap, according to the clue..

en.wikipedia.org/wiki/SIM_swap_…

#bebaskanravio
cluenya: Mas ravio jelaskan ada panggilan telfon dari nomor2 yang tidak dikenal..

ada orang yg mengetahui data mas ravio, lantas si pelaku (dg SOCENG) menelfon provider untuk convince agar swap number ke sim card baru... its been done already di banyak tempat...
Read 46 tweets
After more than a decade - today is my last day @FireEye.

Taking a job @Mandiant was one of the best decision's I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow
When I started @Mandiant in 2009 the infosec space (it was called information security and not cyber security for starters) was so different from today. It was fairly rare for companies to get breached and when they did there was an amazing amount of stigma associated with that.
I was employee 63 (not because there were 63 active employees but because I was the 63rd employee hired since the inception of the company in ~2005). There were offices in 3 cities (DC, NY, LA) & company split roughly 50/50 between consultants and software devs on MIR
Read 20 tweets
Always nice when a payload has robust documentation.
This one details the exact bypasses implemented.

Version control shows 2016 @Cneelis method replaced with that @_RastaMouse new new.

👉🏽 "Program.cs" #InstallUtil payload with 0 VT detections btw: virustotal.com/gui/file/9193b… ImageImage
@Cneelis @_RastaMouse Uploaded 4 hours ago. (🆕)
0/60 static detections is *sorta* expected - it'd be interesting to see how security tech performs when this is loaded by #InstallUtil - should be caught then.

Anyway, great payload comments! [more pictured] ImageImage
The #InstallUtil payload is contained within a parent archive “PSByPassCLM-master.zip

#DFIR tip: look out for “-master” in your file names & PDB paths. You’re often one last hop away from Githubtribution 😁

👋This one belonged @padovah4ck 2018 project: github.com/padovah4ck/PSB…
Read 4 tweets
We've all received emails with no attachment and assume it's "safe" to open in a mail client (as long as we don't explicitly click on any URLs). Right?

Not so much...
Let's talk about email tracking pixels for a minute and how sales/marketing (as well as real threat actor's) can use them to evaluate the success of an email marketing (or phishing) campaign...or for information gathering before sending a follow-up payload.

#DFIR #APT32
Let's start with the basics of tracking pixels.

I'm not attending @RSAConference - but I get marketing emails like this one. If you use the Outlook client - have you ever noticed the "to help protect your privacy; Outlook prevented automatic download of some pictures."?
Read 11 tweets
BREAKING - To help organizations identify compromised systems with CVE-2019-19781, @FireEye & @Citrix have released a tool that searches for indicators of compromise associated with attacker activity observed by @Mandiant
fireeye.com/blog/products-…
github.com/fireeye/ioc-sc…
@FireEye @citrix @Mandiant The tool looks for both specific indicators of malware
(coinminers, NOTROBIN and more) as well as methodology indicators that should generically identify compromise (e.g. processes spawned by user nobody, files with 644 user permission...etc.)
#DFIR
@FireEye @citrix @Mandiant Lots of late nights and work on the weekend/holiday to get this out. Many thanks to @williballenthin @MadeleyJosh @_bromiley @jkoppen1 @ItsReallyNick for help making it happen.
Read 11 tweets
🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
• ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ 👀
@snort 🐷 #detection tricks (negative distance, exploitation flowbits)
👉🔗 fireeye.com/blog/products-…
#DFIR tips ⤵️ ImageImage
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 😅

As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 🙇🏽‍♂️
Read 6 tweets
So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x)
For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…
So why 1601? According to Microsoft, "The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle...active at the time Windows NT was being designed...it was chosen to make the math come out nicely." Seems fair. (3/x) devblogs.microsoft.com/oldnewthing/20…
Read 15 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!