Share this page!

inversecos Profile picture
Twitter logo
Feb 17 7 tweets 2 min read
1\ How to prove malicious macro was enabled & clicked? 👀 #DFIR

HKEY_LOCAL_MACHINE\USERDAT\Software\Microsoft\Office\<VERS>\<PROGRAM>\Security\Trusted Documents\TrustRecords

Look ONLY for values where last four bytes are "FF FF FF 7F".

These files had macros enabled

👇👇👇
2\ In light of the recent Emotet campaigns, make sure you check INetCache Outlook folder as it stores the attachments that were opened in Outlook.

If AV quarantines the file this wont exist.

C:\Users\<name>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<Folder>\
3\ Next check the macro settings for that user as this user had macros set to auto enabled (VBAWarnings=1)

NTUSERDAT\Software\Microsoft\Office\<vers>\<program>\Security

Disable all macros w/o notification : 2, 4
Disable all macros except signed macros: 3
Enable all macros: 1
4\ Next step is to check recent files viewed/visited... you can look at:

> NTUSER.DAT artefacts
> LNK / Jmplists
> Microsoft Recent Files (C:\Users\<usr>\appdata\roaming\Microsoft\office\Recent)
6\ You can look for the OST/PST files but usually the INetCache covers this. You can look for this here

%UserProfile%\appdata\local\microsoft\outlook\
6\ In terms of execution of word/excel/outlook ... just look at the usual execution artefacts. You can do this using Prefetch, Shimcache (amcache likely not too relevant if this is user workstation) etc.

And also Security.evtx Event ID 4688 <3
7\ This is awesome, hopefully they extend this to more than just Excel!
bleepingcomputer.com/news/microsoft….

Happy hunting!! x

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with inversecos

inversecos Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @inversecos

inversecos Profile picture
Jan 31
1\ #MalwareAnalysis: Detecting Process Hollowing
The first pattern to look for are any calls to create processes in a suspended state:

> CreateProcessA
"dwCreationFlags" set 0x04 CREATE_SUSPENDED

Purpose is to disguise malicious code in a legit exe by replacing the contents.
2\ Following the process being started in a suspended state... (usually svchost.exe but who's counting). Then there are API calls to native/non native APIs:

> ZwUnmapviewofsection
> virtualallocex
> writeprocessmemory
> setthreadcontext
> NTgetcontextthread
> ntreadvirtualmemory
3\ Other ones:
> NTResumethread
> NTwritevirtualmemory
> ntsetcontextthread

The logic is to look for signs of processes being started in suspended state - then the process being hollowed, replaced with "malicious" contents and resuming of execution.
Read 4 tweets
inversecos Profile picture
Oct 21, 2021
1\ #MobileForensics Tip: Did you know iOS, by default, tracks all locations that you visit to build a map of your life.

Artefacts:
> cache.sqlite
> cloud.sqlite
> local.sqlite

Tracked by IoS:
> When you arrived
> When you left
> Long/Lat

😝Photo is a parsed local.sqlite file
2\ In your iPhone the local.sqlite will render like this - as you can see I went to a grocery store 13 times. I was in lockdown don’t judge me.
3\ You can parse these using DB browser for sqlite - there are field names including longitude, latitude and also tracks when you arrived / left so it understands your dwell time. There are also fields pertaining to vehicle events i.e. you parked your car.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Like this author's thread?

Get emails when @inversecos has new unrolls!

Check out other threads from @inversecos!

Read all threads by @inversecos

:(