Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Dray Agha Profile picture
@Purp1eW0lf
Aug 16, 2022 13 tweets 7 min read Read on X
Scrolly
Cobalt Strike ain't 💩

Let's chat about how to unravel Cobalt Strike and deny the adversary further access

As ALWAYS, I am showing you data so fresh out the kitchen it hasn't even been cleared by ThreatOps Director @MaxRogers5 👀🧑‍🍳 🧵
Cobalt Strike can often trigger AMSI alerts in Defender. The frustrating thing about AMSI alerts is that they don't tell you what the offending activity WAS.

The alert here was PowerShell based....so let's dig a lil deeper
Go collect C:\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx , and go get my favourite tool - Chainsaw.

Take note your detection time (06:43).

Point chainsaw at your PwSh log, with this time
Cutting through the PowerShell evtx, we're shown the offending bit of PwSh that triggered the alert

It's the threat actor reaching out to a Chinese public IPv4, to download further tooling.
Our nefarious friend wanted to pull their tools down from http://101[.]132[.]112[.]124:88/Horizon

Why don't we help them with that?

Via whatever secure means you care to deploy, let's pull their tools down to our analysis machine
Carve out the big blob base64, and hop over to gchq.github.io/CyberChef

The results are not useful, yet, because we need to unravel some of the trivial obstacles Cobalt Strike has in store for us.

From base64, cyberchef advises us the resulting data is gzip.
So add the gunzip option, and take a look at human readable data.

Though it's readable, we ain't done - notice there are more obfuscating obstacles to waste our time
Extract out the second base64 , and open an additional cyberchef tab

Decoding this layer doesn't produce anything useful because there's an additional obstacle.

Scroll to the bottom of our previous script, which should be in the tab to your left.

Take a note of `xor` line
Copy the number, pop back to your junk data tab, and pick the Xor option in cyberchef

Change it to decimal, and add the number you just copied.
From here, you'll start to have recognisable data!

The MZ header will make some people think mission accomplished. And I guess you can look at the strings to find some IoCs....

But what if we had an additional step that made our lives much easier?
Save the output of our MZ data into a file - I called mine cobalt.exe, because my imagination knows no bounds

Now go and get @DidierStevens's 1768.py, a script aptly named after the boiling point of cobalt the metal.

raw.githubusercontent.com/DidierStevens/…
Simply point 1768.py at your cobalt strike file

The results are huge. We're told incredibly useful information that we can immediately action - for example, let's add the server IP to our firewall deny list
I hope this has demystified any supposed complexities of Cobalt Strike.

It's just a tool. It comes with various obstacles that are a pain in the behind, but trivial to overcome; 161% tryna waste our time.

Thanks to @DidierStevens for the great script
👨‍🍳

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dray Agha

Dray Agha Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Purp1eW0lf

Dray Agha Profile picture
Dec 5, 2022
Think hiring is slowing down??

@HuntressLabs is hiring remote a Threat Operations Analyst 🇬🇧. UK citizenship is non-negotiable

You'll be working with myself, @xorJosh, @PonchoSec, and the rest of the squad!

I have some tips for those applying 🧵

boards.greenhouse.io/huntress/jobs/…
I don't care about about degrees 📜

I barely care about certs.

I care about what your contributions have been to your community.

Do you have a github, a blog, a summary of a CTF you did ? GREAT, put the link in your resume
We're gonna teach you what you need to know in this role👨‍🎓

But I need to know from your resume, covering letter, and interview that you take extreme ownership and accountability for yourself.

Meaning, you're constantly learning and trying to execute high quality, accurate work
Read 7 tweets
Dray Agha Profile picture
Oct 11, 2022
For cyber security investigations, internal silos will make or break your efforts 🧱🧱🧱

I'll show you the power from a LACK of siloing, with a piping hot, fresh @HuntressLabs case @xorJosh and I worked

🧵🧶
What are 'silos'.

@keydet89 educated me on the industry problem where departments cannot easily share findings; a threat intel department doesn't have a way to share findings with DFIR department, for example.

IMO, Silos occur when data & people cannot be circulated easily
We aren't perfect by any means at @HuntressLabs, but it's a testament to our founders, engineers, devs (etc) that our infrastructure sets us up for success.

It's difficult for analysts NOT to share reports and data by default; our infrastructure & culture doesn't foster silos
Read 15 tweets
Dray Agha Profile picture
Sep 29, 2022
Investigating an intrusion? 🕵️🔍

Start with the security solution on the machine. DON'T work hard to timeline the adversaries' activities, work smart👩‍🔬

In a @HuntressLabs case with @nosecurething and Jordan Sexton, we leveraged ESET's data before anything forensically complex🧵 Image
This gave us a tonne of starter info
🟡 Timestamps threat actor operated in

🔴 Directories they liked to operate in, the user account they likely controlled, AND that the threat actor liked to use PwSh

🔵 Registry key they had used for persistence.

This saved us time....⏲️
..as we used these findings to pivot:

🟡 We had date/time anchor points when leveraging other data

🔴 We focused on the user, those directories, and PwSh. Found more malicious activity straight away

🔵 We eradicated persistence and identified their IPv4: 5[.]255[.]103[.]142 ImageImageImage
Read 5 tweets
Dray Agha Profile picture
Sep 8, 2022
I wanted to share some findings about RDP, Network Layer Authentication, LogonTypes and brute forcing 🔭

Recently, we perused some EventID 4625s (login failures) originating from public IPv4s brute forcing...
🧵
I kept finding LogonType 3s (network)

However only RDP was externally exposed on the machine, which usually records LogonType 10....

When this has happened before, I usually just assume its Windows jank and continue with my investigation 🤷‍♂️

But this time, I wanted to know WHY
The wise @DaveKleinatland suggested Network Layer Authentication (NLA) would explain this:

"
NLA takes place before the session is started... without NLA things can be exposed before any sort of authentication.... like domain name, usernames, last logged on user, etc
"
- Dave 🧙‍♂️
Read 10 tweets
Dray Agha Profile picture
Aug 17, 2022
In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials - using a technique known as NPPSPY

@0gtweet’s NPPSPY was fascinating to dissect and remediate.

Huge thanks to @keydet89 for guidance and wisdom
Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product
IOCs and Behavior
- T1003

- Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
◦For our case: logincontroll

- Unexplained entries in HKLM\SYSTEM\CurrentControlSet\Services\<here>\NetworkProvider
◦For our case: logincontroll
Read 5 tweets
Dray Agha Profile picture
May 18, 2022
Inspired by a SANS poster, I wanted to look at a couple of security solutions and see if their logs provided any key insights an analyst could leverage.

sans.org/posters/window… Image
The scenario : if given only product-relevant raw data & logs, would X security solution have data on the host that provides any security value and help with our investigation.

This is a specific use case I know. But it's something I find myself needing every day at work
Our conversation is about a singular machine, and the transparency, ease-of-access, and security-value of the logs and raw data of various security solutions. We’ll be staying in Windows world for this particular thread.

In our scenario, we have no GUI access to the AV
Read 33 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(