Dray Agha
Aug 17 · 5 tweets · 2 min read
In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials - using a technique known as NPPSPY

@0gtweet’s NPPSPY was fascinating to dissect and remediate.

Huge thanks to @keydet89 for guidance and wisdom
Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product
IOCs and Behavior
- T1003

- Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
  ◦ For our case: logincontroll

- Unexplained entries in HKLM\SYSTEM\CurrentControlSet\Services\<here>\NetworkProvider
  ◦ For our case: logincontroll

- Unexplained DLLs in folders (very difficult to detect)
  ◦ For our case: C:\windows\system32\lsass.dll

- Files being continually written to (essentially impossible to detect this IMO)
  ◦ For our case: C:\Windows\Temp\tmpCQOF.tmp
If you’re interested in more details, have a lil read of this huntress.com/blog/cleartext…

As always, thank you to our content team, @rachelbishop723 and Lily Teplow
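The two registry locations called out in the thread (the provider list under NetworkProvider\Order and each provider's own Services\<name>\NetworkProvider key) are the part of this technique a defender can enumerate cheaply. The PowerShell below is an added example, not code from the thread or from Huntress: it walks the ProviderOrder list, resolves each provider's ProviderPath DLL, checks its Authenticode signature, and flags any provider that is not in a baseline list or whose DLL is missing or not validly signed. It assumes an elevated prompt on the host under review, and $baselineProviders is a constructed starting list that you should tune to your own Windows build before trusting the verdict.

```powershell
# Audit registered Windows Network Providers for an unexpected credential-capturing DLL.
# Added example, not part of the original thread. Assumptions:
#  - run from an elevated PowerShell prompt on the host under review
#  - $baselineProviders is a constructed list of providers that commonly ship with
#    Windows; tune it to the build you are investigating

$baselineProviders = @('LanmanWorkstation', 'RDPNP', 'webclient', 'P9NP')

# Providers are loaded in the order listed in this comma-separated value.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
$providers = $providerOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$findings = foreach ($name in $providers) {
    # Each provider points at its DLL via Services\<name>\NetworkProvider\ProviderPath.
    $svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $keyExists = Test-Path $svcKey
    $dllPath   = $null
    if ($keyExists) {
        $dllPath = (Get-ItemProperty -Path $svcKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
    }
    $expanded  = if ($dllPath) { [Environment]::ExpandEnvironmentVariables($dllPath) } else { $null }
    $dllOnDisk = [bool]($expanded -and (Test-Path $expanded))

    # A legitimate provider DLL should carry a valid signature; anything else needs a look.
    $sigStatus = 'n/a'
    $signer    = 'n/a'
    if ($dllOnDisk) {
        $sig       = Get-AuthenticodeSignature -FilePath $expanded
        $sigStatus = $sig.Status.ToString()
        $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    }

    $inBaseline = $baselineProviders -contains $name   # case-insensitive by default
    [PSCustomObject]@{
        Provider     = $name
        InBaseline   = $inBaseline
        ServiceKey   = $keyExists
        ProviderPath = $expanded
        DllOnDisk    = $dllOnDisk
        Signature    = $sigStatus
        Signer       = $signer
        Suspicious   = (-not $inBaseline) -or (-not $dllOnDisk) -or ($sigStatus -ne 'Valid')
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Review provider '$($_.Provider)' -> $($_.ProviderPath) (signature: $($_.Signature))"
}
```

In the case described above, the provider name in ProviderOrder (logincontroll) would not match the baseline, and the DLL it points at would fail the signature check, so both conditions fire. The temp file the DLL writes to is the harder artefact, as the thread notes; the provider audit is the place where this technique is registered and therefore the place to look first.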

