Share this page!

Maybe Scrolly?
Dray Agha Profile picture
Twitter logo
Mar 9 19 tweets 10 min read
As a security investigator, what are your thoughts when you see this result in your SIEM? 🚨

Bad, right?

Let’s discuss how we can conclude something is a false positive, and what we can do with that information🧵
When drafting some internal docs the other morning, I wanted a screenshot of an Elastic search.

Without intending to start any drama, I searched for a string associated with Impacket's lateral movement tools :

*\\\\127.0.0.1\\ADMIN*

github.com/SecureAuthCorp…
I expected some internal test data, or even results from previously identified activity.

So you can imagine my surprise when I saw results that were from a handful of hours ago
Evidence of lateral movement?! In front of my very eyes!!

So I honed in the host machine in question. The aim here was to contextualise the activity, and identify what other facets of the adversarial campaign were visible

But the results were complicated....
@HuskyHacksMK later commented on this with the exact mix of emotions I was feeling.
An executable - nddc.exe - was directly associated with this lateral movement-like activity.

Instead of MORE malicious evidence, the existing 'malicious' evidence was brought into question.

For comparison, I have included what Impacket's WMIExec would look like in the SIEM
My next step was to go the host itself. Initially, I was going to reverse engineer the executable under the assumption it was malicious.

But something felt 'off' about treating it like malware.

It seemed too legit in it's directory placement
Some like to turn to Google straight away. This is a valid approach

Before I go down search tunnels, I let the 'data speak'. This means I do not impose a hypothesis or conclusion but let the evidence guide me.

Google will add context, but it will not let YOUR data speak. 📢
Instead, I leveraged global prevalence as @MaxRogers5 would advise.

If a significant number of machines display the same behaviour, this is an informative finding.

And we got back fascinating results: other machines in other domains are also displaying this behaviour, uniformly
Drilling down further on a machine, we can see that this weird NDDC.exe activity also has a ‘beaconing’ pattern, which suggests it is scheduled with precise regularity
Once I've saturated the raw data and it can't tell me any more, I turn to google to fill in the gaps.

My initial searches were just to ascertain what NDDC is.

I find out its Network Detective Data Collector, a Kaseya-related tool.

This by itself doesn't absolve the activity.
Reading the docs justifies why Network Detective (nddc.exe) behaves this way with SMB shares during a network audit.

It doesn't really explain HOW though.

rapidfiretools.com/nd/RapidFire_N…
The hypothesis and objectives you start with in an investigation may morph as time goes on 🥼⏳

Our investigation changed from focusing on activity that looked like Impacket's WMIexec to focusing on Network Detective's auditing practices.
Others had run malware analysis on nddc.exe, but no one had yet documented this false positive.

Remember I mentioned how I don't turn to Google first?
This isn't to flex.

It's just that I know for obscure and weird shit, Google won't help me as much as the raw data will.
Network Detective's activity was a false positive; similar to Impacket’s lateral movement but not malicious

Lets document and share our novel findings about this false positive.

@mttaggart's WTFBins is an excellent resource we can contribute to: wtfbins.wtf
Contributing was frictionless and the response from @mttaggart and @HuskyHacksMK was great!
And the end result of our investigation was to contribute to an awesome, growing repo of false positive behaviours.
The efforts of our investigation on Network Detective mean the infosec community may not have to go to these lengths next time.

Instead, they can benefit from our findings! 🤝

This is what it's all about: contributing back to the community that we all borrow tools and tips from
In conclusion, we pulled on a suspicious thread that we ultimately unraveled as legitimate (but weird), and shared our findings with our peers via WTFbins.

I hope this thread proves useful!

I can't wait to see @mttaggart's WTFbins grow!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dray Agha

Dray Agha Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Purp1eW0lf

Dray Agha Profile picture
Feb 28
Let’s have a chat about web browser investigations

We’ll look at Chrome, Edge, Firefox, and Safari’s data. And investigate if a user has downloaded anything from a dubious, malicious source.

Along the way, we'll drop tips on formatting the data so it's easier to look at.

🧵
We’re not concerned if other members of our org are looking at eBay or cat memes during work hours.

If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.

We're focusing on downloads and their corresponding URLs.
According to this graph I didn’t fact check, Chrome and Safari dominate the game.

Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too. Image
Read 19 tweets
Dray Agha Profile picture
Feb 19
Let's quickly look at how Defenders can benefit from tools like Chainsaw, Sigma, docs from KAPE & Velociraptor, and Security Onion 🕵️‍♂️

We'll use real, shady data - fresh out the kitchen 🧑‍🍳

Along the way, I'll share some tips and shortcuts to cut faster through data and logs

🧵
We had an alert for a ScreenConnect session on a DC involving a PowerShell script called 'LAPSToolkit'

This COULD could be for legitimate auditing. But adversaries have been known to use ScreenConnect for their campaigns.

github.com/leoloobeek/LAP…

huntandhackett.com/blog/revil-the…
I don't want to waste anyone's time by highlighting false positives.

So we'd need to dig a bit deeper on the host, and see if any findings can contextualise this activity as legitimate or malicious.

To start, I'd like to pull some data from the machine
Read 13 tweets
Dray Agha Profile picture
Feb 13
This is a cool bit of offensive Nim from @WhyDee86

Let's unravel this from a Defenders point of view 🧵

We'll start with some basic reverse engineering analysis, and then move into monitoring this from an ELK stack

TLDR: A decent SIEM setup will catch this.
Let's start off by compiling it.

We'll then analyse it like we don't know the source code, and we're investigating malware on a machine.

If your compile fails, you'll likely need to download winim library.

[Winim github.com/khchen/winim#i…]
First, let's throw StringSifter at the EXE.

What catches my eye are the ranked strings to do with NIM as well as the AMSI DLL reference.

From a basic strings, I'd already be sus of an unknown EXE like this on a host.

[StringSifter github.com/mandiant/strin…]
Read 15 tweets
Dray Agha Profile picture
Feb 7
This is awesome, thank you @x86matthew.

I wanted to share a blue team perspective on monitoring and hunting for this kind of LNK -> EXE bamboozling

We'll use the example PoC if that's alright with you 🧵
Let's execute the PoC of the .LNK, which brings a pop up.

@x86matthew was kind enough to create a non-malicious PoC. But of course an adversary will not be so kind.

So let's take a look at our logs: Image
Let's assume we're rolling with SysMon.

We get an Event 11 for a strange tmp*.exe being created. This of course could be called something different if re-engineered by an adversary IRL.

But for now let's focus on this tmp*.exe Image
Read 8 tweets
Dray Agha Profile picture
Nov 22, 2021
This article contains DFIR techniques I've used IRL, in investigations where the event logs can't be used.

The real hard work has been done by the articles' referenced tool creators and educators
@davisrichardg / @13CubedDFIR
@scudette / @velocidex
@EricRZimmerman
🧵
1/6
The first technique in the article discusses how to retrieve the PowerShell history for every user account via the 'ConsoleHost_History file' (typically enabled on Windows 10 endpoints)
2/6
The second leverages @EricRZimmerman's PECmd tool to examine Prefetch, an application caching system that we can use to evidence execution
3/6
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @Purp1eW0lf has new unrolls!

Check out other threads from @Purp1eW0lf!

Read all threads by @Purp1eW0lf

:(