Share this page!

Maybe Scrolly?
Dray Agha Profile picture
Twitter logo
Aug 16 13 tweets 7 min read
Cobalt Strike ain't 💩

Let's chat about how to unravel Cobalt Strike and deny the adversary further access

As ALWAYS, I am showing you data so fresh out the kitchen it hasn't even been cleared by ThreatOps Director @MaxRogers5 👀🧑‍🍳 🧵
Cobalt Strike can often trigger AMSI alerts in Defender. The frustrating thing about AMSI alerts is that they don't tell you what the offending activity WAS.

The alert here was PowerShell based....so let's dig a lil deeper
Go collect C:\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx , and go get my favourite tool - Chainsaw.

Take note your detection time (06:43).

Point chainsaw at your PwSh log, with this time
Cutting through the PowerShell evtx, we're shown the offending bit of PwSh that triggered the alert

It's the threat actor reaching out to a Chinese public IPv4, to download further tooling.
Our nefarious friend wanted to pull their tools down from http://101[.]132[.]112[.]124:88/Horizon

Why don't we help them with that?

Via whatever secure means you care to deploy, let's pull their tools down to our analysis machine
Carve out the big blob base64, and hop over to gchq.github.io/CyberChef

The results are not useful, yet, because we need to unravel some of the trivial obstacles Cobalt Strike has in store for us.

From base64, cyberchef advises us the resulting data is gzip.
So add the gunzip option, and take a look at human readable data.

Though it's readable, we ain't done - notice there are more obfuscating obstacles to waste our time
Extract out the second base64 , and open an additional cyberchef tab

Decoding this layer doesn't produce anything useful because there's an additional obstacle.

Scroll to the bottom of our previous script, which should be in the tab to your left.

Take a note of `xor` line
Copy the number, pop back to your junk data tab, and pick the Xor option in cyberchef

Change it to decimal, and add the number you just copied.
From here, you'll start to have recognisable data!

The MZ header will make some people think mission accomplished. And I guess you can look at the strings to find some IoCs....

But what if we had an additional step that made our lives much easier?
Save the output of our MZ data into a file - I called mine cobalt.exe, because my imagination knows no bounds

Now go and get @DidierStevens's 1768.py, a script aptly named after the boiling point of cobalt the metal.

raw.githubusercontent.com/DidierStevens/…
Simply point 1768.py at your cobalt strike file

The results are huge. We're told incredibly useful information that we can immediately action - for example, let's add the server IP to our firewall deny list
I hope this has demystified any supposed complexities of Cobalt Strike.

It's just a tool. It comes with various obstacles that are a pain in the behind, but trivial to overcome; 161% tryna waste our time.

Thanks to @DidierStevens for the great script
👨‍🍳

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Dray Agha

Dray Agha Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Purp1eW0lf

Dray Agha Profile picture
Aug 17
In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials - using a technique known as NPPSPY

@0gtweet’s NPPSPY was fascinating to dissect and remediate.

Huge thanks to @keydet89 for guidance and wisdom Image
Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product Image
IOCs and Behavior
- T1003

- Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
◦For our case: logincontroll

- Unexplained entries in HKLM\SYSTEM\CurrentControlSet\Services\<here>\NetworkProvider
◦For our case: logincontroll
Read 5 tweets
Dray Agha Profile picture
May 18
Inspired by a SANS poster, I wanted to look at a couple of security solutions and see if their logs provided any key insights an analyst could leverage.

sans.org/posters/window… Image
The scenario : if given only product-relevant raw data & logs, would X security solution have data on the host that provides any security value and help with our investigation.

This is a specific use case I know. But it's something I find myself needing every day at work
Our conversation is about a singular machine, and the transparency, ease-of-access, and security-value of the logs and raw data of various security solutions. We’ll be staying in Windows world for this particular thread.

In our scenario, we have no GUI access to the AV
Read 33 tweets
Dray Agha Profile picture
Mar 17
SRUM is maybe one of the best Windows digital forensic artefacts, if you’re willing to roll your sleeves up.

You can get proof of execution and execution runtime, as well as proof of network communication and the bytes sent and received

Let's take a look in this #DFIR thread🧵
Since Win8, System Resource Usage Monitor (SRUM) monitors a bunch!

What we’re most interested in is its detailed record of programs and network activity.

SRUM has a LONG memory compared to some of the other more ephemeral artefacts📜
To put SRUM to forensic work, grab its .DAT file

C:\Windows\System32\sru\SRUDB.dat

To gain extra contextual data, we're advised to also collect the SOFTWARE hive.

I didn't do that however, because I am a bad person 😞 Image
Read 16 tweets
Dray Agha Profile picture
Mar 9
As a security investigator, what are your thoughts when you see this result in your SIEM? 🚨

Bad, right?

Let’s discuss how we can conclude something is a false positive, and what we can do with that information🧵
When drafting some internal docs the other morning, I wanted a screenshot of an Elastic search.

Without intending to start any drama, I searched for a string associated with Impacket's lateral movement tools :

*\\\\127.0.0.1\\ADMIN*

github.com/SecureAuthCorp…
I expected some internal test data, or even results from previously identified activity.

So you can imagine my surprise when I saw results that were from a handful of hours ago
Read 19 tweets
Dray Agha Profile picture
Feb 28
Let’s have a chat about web browser investigations

We’ll look at Chrome, Edge, Firefox, and Safari’s data. And investigate if a user has downloaded anything from a dubious, malicious source.

Along the way, we'll drop tips on formatting the data so it's easier to look at.

🧵
We’re not concerned if other members of our org are looking at eBay or cat memes during work hours.

If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.

We're focusing on downloads and their corresponding URLs.
According to this graph I didn’t fact check, Chrome and Safari dominate the game.

Investigating Edge is similar to Chrome, so we’ll look at that too. And Firefox is 4th place, so we'll take a look here too. Image
Read 19 tweets
Dray Agha Profile picture
Feb 19
Let's quickly look at how Defenders can benefit from tools like Chainsaw, Sigma, docs from KAPE & Velociraptor, and Security Onion 🕵️‍♂️

We'll use real, shady data - fresh out the kitchen 🧑‍🍳

Along the way, I'll share some tips and shortcuts to cut faster through data and logs

🧵
We had an alert for a ScreenConnect session on a DC involving a PowerShell script called 'LAPSToolkit'

This COULD could be for legitimate auditing. But adversaries have been known to use ScreenConnect for their campaigns.

github.com/leoloobeek/LAP…

huntandhackett.com/blog/revil-the…
I don't want to waste anyone's time by highlighting false positives.

So we'd need to dig a bit deeper on the host, and see if any findings can contextualise this activity as legitimate or malicious.

To start, I'd like to pull some data from the machine
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(