Share this page!

Maybe Scrolly?
Dray Agha Profile picture
Twitter logo
Feb 19 13 tweets 7 min read
Let's quickly look at how Defenders can benefit from tools like Chainsaw, Sigma, docs from KAPE & Velociraptor, and Security Onion 🕵️‍♂️

We'll use real, shady data - fresh out the kitchen 🧑‍🍳

Along the way, I'll share some tips and shortcuts to cut faster through data and logs

🧵
We had an alert for a ScreenConnect session on a DC involving a PowerShell script called 'LAPSToolkit'

This COULD could be for legitimate auditing. But adversaries have been known to use ScreenConnect for their campaigns.

github.com/leoloobeek/LAP…

huntandhackett.com/blog/revil-the…
I don't want to waste anyone's time by highlighting false positives.

So we'd need to dig a bit deeper on the host, and see if any findings can contextualise this activity as legitimate or malicious.

To start, I'd like to pull some data from the machine
But which data? From where exactly? We don't have all the time in the world to take a full forensic image for every alert.

To specify which data, I go to the docs on Velociraptor's implementation of KAPE.

Searching with ctrl+f is my genius technique

github.com/Velocidex/velo…
My even clevererer technique for sourcing specific data on a machine is Google.

Googling: "ScreenConnect dfir", will bring up @_bjmac_ 's excellent blog post on digging deeper on ScreenConnect.

So from Velo and @_bjmac_ we have ideas to further investigate our initial alert.
For this investigation, we'll stick with pulling EVTXs*. But on some occasions we might go and get some forensic artefacts that will offer even MORE context for us.

*The pic below isn't how we pull logs IRL at work, but I do use this script in my homelab

gist.github.com/Purp1eW0lf/e0b…
Now we have some logs extracted, I'll deploy Chainsaw

We see ScreenConnect with EventID 7045, which offers insight into how it was first installed.

We now have a starting point for the first alert : it seems like ScreenConnect was installed, and shady activity followed.
Btw, because I leverage Chainsaw a tonne, I've ended up creating an alias.

This means I only have to type one word in my terminal and it will let rip on the hardcoded directory I always put data in.

github.com/countercept/ch…
It's worth noting how Chainsaw knew to bring this up for us.

Chainsaw leverages Sigma rules, which can pick specific parameters to alert a Defender for.

Using Sigma this way lets Chainsaw carve through our extracted logs with a very clever 'grep'.

github.com/SigmaHQ/sigma/…
Okay now we have a couple of things: our first alert about the PowerShell script, and a potential installation date.

To make these logs go further, I leverage Security Onion - specifically in the more lightweight, performant IMPORT deployment

[docs.securityonion.net/en/2.3/archite…]
Think of Security Onion's Import architecture like a rapid, smart ELK stack.

I use Security Onion a bunch, and have an alias that relies on password-less ssh key auth. It then transfers the EVTXs over to our Onion, and imports and ingests the logs.
Once in ELK, we can best contextualise ScreenConnect's activity, and determine that if the proceeding and subsequent activity around installation could be considered SUS

I'm not going to share more than that - mainly because we went back to our partner on this one👀
And thats all for now! Thanks to all the tool creators.

I recreated the real data so I could share a System.evtx log* and anyone interested can follow along this tweet thread and deploy the tools, as well as drop some un-redacted screenshots:

* mega.nz/file/IqQhFAAD#…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dray Agha

Dray Agha Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Purp1eW0lf

Dray Agha Profile picture
Feb 13
This is a cool bit of offensive Nim from @WhyDee86

Let's unravel this from a Defenders point of view 🧵

We'll start with some basic reverse engineering analysis, and then move into monitoring this from an ELK stack

TLDR: A decent SIEM setup will catch this.
Let's start off by compiling it.

We'll then analyse it like we don't know the source code, and we're investigating malware on a machine.

If your compile fails, you'll likely need to download winim library.

[Winim github.com/khchen/winim#i…]
First, let's throw StringSifter at the EXE.

What catches my eye are the ranked strings to do with NIM as well as the AMSI DLL reference.

From a basic strings, I'd already be sus of an unknown EXE like this on a host.

[StringSifter github.com/mandiant/strin…]
Read 15 tweets
Dray Agha Profile picture
Feb 7
This is awesome, thank you @x86matthew.

I wanted to share a blue team perspective on monitoring and hunting for this kind of LNK -> EXE bamboozling

We'll use the example PoC if that's alright with you 🧵
Let's execute the PoC of the .LNK, which brings a pop up.

@x86matthew was kind enough to create a non-malicious PoC. But of course an adversary will not be so kind.

So let's take a look at our logs: Image
Let's assume we're rolling with SysMon.

We get an Event 11 for a strange tmp*.exe being created. This of course could be called something different if re-engineered by an adversary IRL.

But for now let's focus on this tmp*.exe Image
Read 8 tweets
Dray Agha Profile picture
Nov 22, 2021
This article contains DFIR techniques I've used IRL, in investigations where the event logs can't be used.

The real hard work has been done by the articles' referenced tool creators and educators
@davisrichardg / @13CubedDFIR
@scudette / @velocidex
@EricRZimmerman
🧵
1/6
The first technique in the article discusses how to retrieve the PowerShell history for every user account via the 'ConsoleHost_History file' (typically enabled on Windows 10 endpoints)
2/6
The second leverages @EricRZimmerman's PECmd tool to examine Prefetch, an application caching system that we can use to evidence execution
3/6
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Like this author's thread?

Get emails when @Purp1eW0lf has new unrolls!

Check out other threads from @Purp1eW0lf!

Read all threads by @Purp1eW0lf

:(