Share this page!

inversecos ᐡ ꒳ ᐡ Profile picture
Twitter logo
Oct 13 7 tweets 3 min read
1\ #DFIR: How to investigate insider threats

Sharing the forensic methodology I follow when I'm investigating insiders 😍

This is where an employee sells creds/changes configs/runs malware leading to full DA compromise and then say they didn't do it O_o

inversecos.com/2022/10/how-to…
2\ The questions that I use to guide the analysis and prioritisation of analysis are:

1. How was the device accessed around the suspected behaviour?

2. Where was the user/device when this occurred?

3. Was the insider active on their system?

4. What did the user do?
3\ To answer the first question, I look at SRUM, specifically the App Timeline Provider details.

I pull:
> Execution time of the malicious thingz
> Duration of execution
> User SID

Then, I cross correlate that user info with their corresponding ActivitiesCache.db. #DFIRISS3XY
4\ Now we know the user, we need to address how the logon occurred.

I pull:
> Logon events
> System wake/hibernation times
> Network SSID it was connected to (SRUM + Software reg + evtx)

Generally logon is not remote & the SSID tells you the physical location they did this.
5\ Sometimes the users say they were on the system but not "active" ...*cries in awkward*

My fave artefact for this (amongst several) is AppSwitched under the "Feature Usage" registry key.

This tracks when a user ACTIVELY switches from one app to another in the taskbar.
6\ You might ask how common are insider threats? I would say around 10% of cases I worked in the past year were insider.

I am obviously not an industry white paper :P so I'm not the best source for this. Also i notice an automatic assumption that everything is an external TA..
7\ Lastly, this blog is NOT about the cases where a user just puts files on a usb or uploads it to the cloud when they quit or something.

We do not work those type of cases.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with inversecos ᐡ ꒳ ᐡ

inversecos ᐡ ꒳ ᐡ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @inversecos

inversecos ᐡ ꒳ ᐡ Profile picture
Aug 23
1\ #ThreatHunting: Detecting OAuth Token Theft in Azure / M365

This technique is STILL being abused by Chinese APT groups. This blog covers several methods of detecting this technique😈.

It's also a good reminder to always perform browser forensics ;)

inversecos.com/2022/08/how-to…
2\ METHOD 1: Look for the OAuth redirect consent link in browser history and/or proxy logs.

Take note of the following fields:
- client_id (malicious app id)
- redirect_uri (malicious domain)
- scope (API permissions requested)
3\ Review permissions requested in the scope field (I'll show you where else to find these permissions in the logs).

Take note of these:
- User.Read
- User.ReadWrite
- User.ReadWrite.All
- Mail.ReadWrite
- Calendars.ReadWrite
- Files.ReadWrite
- User.Export.All
Read 6 tweets
inversecos ᐡ ꒳ ᐡ Profile picture
Aug 5
1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of "touch". But you can timestomp without using "touch". 😈

Check out my blog below 👇
inversecos.com/2022/08/detect…
2\ The file "filesystem.db" (enabled by default) tracks:
> fileCreated time
> fileLastAccessed time

Look for discrepancies in the fileCreated time in this DB file vs the times that "stat" show on a file.

There's also a correlating WAL that contains uncommitted data :3
3\ As you can see, this has caught an instance of timestomping where you can observe the creation time is after the access time.

You can query the db using this command:
sqlite3 *filesystem.db .dump | grep <filename>
Read 5 tweets
inversecos ᐡ ꒳ ᐡ Profile picture
Jun 22
1\ #ThreatHunting: How to detect Linux anti-forensics log tampering

Attackers can alter the utmp, wtmp, btmp files to hide malicious logon attempts by:

> Zeroing entries out in hex
> Overwriting the files with a malicious copy

BLOG POST BELOW 👇 UwU
inversecos.com/2022/06/detect…
2\ Method 1: Zeroing entries in hex

This leaves OBVIOUS AF traces. Look for entries with zeros, and datetime defaulting to 1970. You can also review timestamps (covered in thread 4).

I highlighted in purple where you zero out the data in hex.
3\ Method 2: Overwriting the file

Overwrite the entire entry with a "cleaned" version. In this example I removed all lines pertaining to "sansforensics" logging in. Timestamp detection is the best method to discover this technique.
Read 4 tweets
inversecos ᐡ ꒳ ᐡ Profile picture
May 19
1\ #ThreatHunting: How to detect fileless Linux malware

Look for processes in /proc/<PID>/exe where the path shows "(deleted)"

Here are two examples👇
1. BPFDoor deleted binary
2. An attacker abusing memfd_create() to exec their malware in RAM w/o dropping files to disk.
2\ To recover/extract these binaries running in memory - you can copying them out from this location:

/proc/<PID>/exe

Also as an FYI for memfd_create() abuse detection you can hunt for the "memfd: (deleted)" string directly.
3\ You can also review what command line spawned the pid by reviewing:

/proc/<PID>/cmdline

This screenshot shows the cmdline used for the memdf_create() reverse shell. There are a lot of other interesting things you can also review in /proc/PID
Read 4 tweets
inversecos ᐡ ꒳ ᐡ Profile picture
Apr 28
1\ How to detect file timestomping 👀

APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈

Did you also know it's possible to timestomp $FN time?

👇👇 BLOG & TL;DR BELOW 👇👇

bit.ly/3KsX1ua
2\ Most IR analysts are taught to detect timestomping using two methods:

> Compare $FI vs $SI times in the MFT
> Look for 0s in timestamp nanoseconds

These two detections are NOT foolproof - they will catch simple cases. Attackers can set nanoseconds and modify $FN time!
3\ Why should you care?

Most forensic courses teach these 2 detections without introducing more variables. A lot of analysts treat what they are taught as the "bible" without questioning it and when it comes to detecting these anomalies... critical evidence may be missed.
Read 6 tweets
inversecos ᐡ ꒳ ᐡ Profile picture
Apr 6
1\ #DefenceEvasion Technique: Maliciously Modifying Registry Timestamps 👿👀

This technique doesn't log events in the Security.evtx and is almost trivial to perform as a defence evasion technique...

Read my blog for technique + detection:
bit.ly/3r7jfuO

TL;DR 👇👇 ImageImageImage
2\ Why should you care?

During an IR, registry timestamps are important evidence items for timelining & triaging an incident. They answer questions like...

> What files did the TAs open?
> When was a security tool disabled?
> What folders were the TAs looking at?
> etc...
3\ The native API "NtSetInformationKey" specifically allows a TA to overwrite a registry "Last Write" timestamp in an extremely trivial manner.

The param KEY_SET_INFORMATION_CLASS being passed the value KEY_WRITE_TIME_INFORMATION is what performs this.

undocumented.ntinternals.net/UserMode/Undoc… Image
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

Email the whole thread instead of just a link!

Separate emails with commas

:(