Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Dray Agha Profile picture
@Purp1eW0lf
Feb 19, 2022 13 tweets 7 min read Read on X
Scrolly
Let's quickly look at how Defenders can benefit from tools like Chainsaw, Sigma, docs from KAPE & Velociraptor, and Security Onion 🕵️‍♂️

We'll use real, shady data - fresh out the kitchen 🧑‍🍳

Along the way, I'll share some tips and shortcuts to cut faster through data and logs

🧵
We had an alert for a ScreenConnect session on a DC involving a PowerShell script called 'LAPSToolkit'

This COULD could be for legitimate auditing. But adversaries have been known to use ScreenConnect for their campaigns.

github.com/leoloobeek/LAP…

huntandhackett.com/blog/revil-the…
I don't want to waste anyone's time by highlighting false positives.

So we'd need to dig a bit deeper on the host, and see if any findings can contextualise this activity as legitimate or malicious.

To start, I'd like to pull some data from the machine
But which data? From where exactly? We don't have all the time in the world to take a full forensic image for every alert.

To specify which data, I go to the docs on Velociraptor's implementation of KAPE.

Searching with ctrl+f is my genius technique

github.com/Velocidex/velo…
My even clevererer technique for sourcing specific data on a machine is Google.

Googling: "ScreenConnect dfir", will bring up @_bjmac_ 's excellent blog post on digging deeper on ScreenConnect.

So from Velo and @_bjmac_ we have ideas to further investigate our initial alert.
For this investigation, we'll stick with pulling EVTXs*. But on some occasions we might go and get some forensic artefacts that will offer even MORE context for us.

*The pic below isn't how we pull logs IRL at work, but I do use this script in my homelab

gist.github.com/Purp1eW0lf/e0b…
Now we have some logs extracted, I'll deploy Chainsaw

We see ScreenConnect with EventID 7045, which offers insight into how it was first installed.

We now have a starting point for the first alert : it seems like ScreenConnect was installed, and shady activity followed.
Btw, because I leverage Chainsaw a tonne, I've ended up creating an alias.

This means I only have to type one word in my terminal and it will let rip on the hardcoded directory I always put data in.

github.com/countercept/ch…
It's worth noting how Chainsaw knew to bring this up for us.

Chainsaw leverages Sigma rules, which can pick specific parameters to alert a Defender for.

Using Sigma this way lets Chainsaw carve through our extracted logs with a very clever 'grep'.

github.com/SigmaHQ/sigma/…
Okay now we have a couple of things: our first alert about the PowerShell script, and a potential installation date.

To make these logs go further, I leverage Security Onion - specifically in the more lightweight, performant IMPORT deployment

[docs.securityonion.net/en/2.3/archite…]
Think of Security Onion's Import architecture like a rapid, smart ELK stack.

I use Security Onion a bunch, and have an alias that relies on password-less ssh key auth. It then transfers the EVTXs over to our Onion, and imports and ingests the logs.
Once in ELK, we can best contextualise ScreenConnect's activity, and determine that if the proceeding and subsequent activity around installation could be considered SUS

I'm not going to share more than that - mainly because we went back to our partner on this one👀
And thats all for now! Thanks to all the tool creators.

I recreated the real data so I could share a System.evtx log* and anyone interested can follow along this tweet thread and deploy the tools, as well as drop some un-redacted screenshots:

* mega.nz/file/IqQhFAAD#…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dray Agha

Dray Agha Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Purp1eW0lf

Dray Agha Profile picture
Dec 5, 2022
Think hiring is slowing down??

@HuntressLabs is hiring remote a Threat Operations Analyst 🇬🇧. UK citizenship is non-negotiable

You'll be working with myself, @xorJosh, @PonchoSec, and the rest of the squad!

I have some tips for those applying 🧵

boards.greenhouse.io/huntress/jobs/…
I don't care about about degrees 📜

I barely care about certs.

I care about what your contributions have been to your community.

Do you have a github, a blog, a summary of a CTF you did ? GREAT, put the link in your resume
We're gonna teach you what you need to know in this role👨‍🎓

But I need to know from your resume, covering letter, and interview that you take extreme ownership and accountability for yourself.

Meaning, you're constantly learning and trying to execute high quality, accurate work
Read 7 tweets
Dray Agha Profile picture
Oct 11, 2022
For cyber security investigations, internal silos will make or break your efforts 🧱🧱🧱

I'll show you the power from a LACK of siloing, with a piping hot, fresh @HuntressLabs case @xorJosh and I worked

🧵🧶
What are 'silos'.

@keydet89 educated me on the industry problem where departments cannot easily share findings; a threat intel department doesn't have a way to share findings with DFIR department, for example.

IMO, Silos occur when data & people cannot be circulated easily
We aren't perfect by any means at @HuntressLabs, but it's a testament to our founders, engineers, devs (etc) that our infrastructure sets us up for success.

It's difficult for analysts NOT to share reports and data by default; our infrastructure & culture doesn't foster silos
Read 15 tweets
Dray Agha Profile picture
Sep 29, 2022
Investigating an intrusion? 🕵️🔍

Start with the security solution on the machine. DON'T work hard to timeline the adversaries' activities, work smart👩‍🔬

In a @HuntressLabs case with @nosecurething and Jordan Sexton, we leveraged ESET's data before anything forensically complex🧵 Image
This gave us a tonne of starter info
🟡 Timestamps threat actor operated in

🔴 Directories they liked to operate in, the user account they likely controlled, AND that the threat actor liked to use PwSh

🔵 Registry key they had used for persistence.

This saved us time....⏲️
..as we used these findings to pivot:

🟡 We had date/time anchor points when leveraging other data

🔴 We focused on the user, those directories, and PwSh. Found more malicious activity straight away

🔵 We eradicated persistence and identified their IPv4: 5[.]255[.]103[.]142 ImageImageImage
Read 5 tweets
Dray Agha Profile picture
Sep 8, 2022
I wanted to share some findings about RDP, Network Layer Authentication, LogonTypes and brute forcing 🔭

Recently, we perused some EventID 4625s (login failures) originating from public IPv4s brute forcing...
🧵
I kept finding LogonType 3s (network)

However only RDP was externally exposed on the machine, which usually records LogonType 10....

When this has happened before, I usually just assume its Windows jank and continue with my investigation 🤷‍♂️

But this time, I wanted to know WHY
The wise @DaveKleinatland suggested Network Layer Authentication (NLA) would explain this:

"
NLA takes place before the session is started... without NLA things can be exposed before any sort of authentication.... like domain name, usernames, last logged on user, etc
"
- Dave 🧙‍♂️
Read 10 tweets
Dray Agha Profile picture
Aug 17, 2022
In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials - using a technique known as NPPSPY

@0gtweet’s NPPSPY was fascinating to dissect and remediate.

Huge thanks to @keydet89 for guidance and wisdom
Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product
IOCs and Behavior
- T1003

- Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
◦For our case: logincontroll

- Unexplained entries in HKLM\SYSTEM\CurrentControlSet\Services\<here>\NetworkProvider
◦For our case: logincontroll
Read 5 tweets
Dray Agha Profile picture
Aug 16, 2022
Cobalt Strike ain't 💩

Let's chat about how to unravel Cobalt Strike and deny the adversary further access

As ALWAYS, I am showing you data so fresh out the kitchen it hasn't even been cleared by ThreatOps Director @MaxRogers5 👀🧑‍🍳 🧵
Cobalt Strike can often trigger AMSI alerts in Defender. The frustrating thing about AMSI alerts is that they don't tell you what the offending activity WAS.

The alert here was PowerShell based....so let's dig a lil deeper
Go collect C:\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx , and go get my favourite tool - Chainsaw.

Take note your detection time (06:43).

Point chainsaw at your PwSh log, with this time
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(