🦖Day 37 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]Windows[.]Detection[.]ISOMount

Author: @ConorQuinn92

Link: docs.velociraptor.app/exchange/artif…
After Microsoft decided to block Office macros by default, threat actors began pivoting to container files such as .iso, .rar, and .lnk for malware distribution.

This is because TAs can then bypass the "Mark of the Web" (MOTW) restrictions applied to downloaded files.
When downloaded, container files will have the MOTW attribute because they were downloaded from the internet. However, the document inside, such as a macro-enabled spreadsheet, will not.
When the document is extracted from the container, the user will still have to enable macros for the malicious code to automatically execute, but the document will not be considered as coming from the internet.
Aside from macro-enabled documents, threat actors can also use container files to distribute payloads directly. These container files may include files such as the following (which can install a malicious payload):

- LNKs
- DLLs
- EXEs
One way we can look for this type of activity is through identification of ISO mounting.

This artifact searches through the 'Microsoft-Windows-VHDMP-Operational' Windows event log looking for specific event IDs and the .iso file extension to identify ISO mounting.
We can see the following information around an ISO mount event:

- Time of the event
- Computer on which the file was mounted
- User that mounted the file
- Event ID/channel/record ID
- Message
- Event data
- Filename (what file was mounted)
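As an added illustration (not the artifact's own VQL), here is the same filtering logic in Python, run over constructed VHDMP-style records: keep only events from the VHDMP channel with a watched event ID whose mounted file name ends in .iso, and project them onto the fields listed above. The record field names, the event IDs used in the sample, and the extra user-writable-path triage flag are assumptions.

```python
import re

VHDMP_CHANNEL = "Microsoft-Windows-VHDMP-Operational"
# Paths under user-writable folders are a triage hint, not proof of malice.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)


def mk(time, eid, channel, rid, computer, sid, path):
    """One constructed record shaped like a parsed EVTX row; the field names
    are assumptions, not the artifact's own column names."""
    return {"System": {"TimeCreated": {"SystemTime": time}, "EventID": eid,
                       "Channel": channel, "EventRecordID": rid,
                       "Computer": computer, "Security": {"UserID": sid}},
            "EventData": {"VhdFileName": path}}


# Constructed sample log: two ISO mounts, one VHDX mount, and two decoys.
SAMPLE_EVENTS = [
    mk("2022-10-28T14:03:11Z", 1, VHDMP_CHANNEL, 512, "WS-01", "S-1-5-21-1-2-3-1001",
       r"C:\Users\alice\Downloads\AllTheThings.iso"),
    mk("2022-10-28T14:05:40Z", 1, VHDMP_CHANNEL, 513, "WS-01", "S-1-5-21-1-2-3-1001",
       r"C:\Users\alice\Downloads\backup.vhdx"),
    mk("2022-10-28T15:12:02Z", 1, VHDMP_CHANNEL, 514, "WS-02", "S-1-5-21-1-2-3-1002",
       r"D:\images\Win10_22H2.ISO"),  # upper-case extension must still match
    mk("2022-10-28T15:13:00Z", 1, "Other-Channel/Operational", 77, "WS-02",
       "S-1-5-21-1-2-3-1002", r"C:\Temp\other.iso"),  # wrong channel
    mk("2022-10-28T15:14:00Z", 99, VHDMP_CHANNEL, 515, "WS-02",
       "S-1-5-21-1-2-3-1002", r"C:\Temp\other.iso"),  # ID outside watched set
]


def find_iso_mounts(events, event_ids, extensions=(".iso",)):
    """Return VHDMP records with a watched event ID whose mounted file name
    ends in one of `extensions`, projected onto the fields the thread lists.
    The artifact's own event-ID list is not reproduced here; pass your own."""
    wanted = tuple(e.lower() for e in extensions)
    hits = []
    for ev in events:
        s = ev["System"]
        if s["Channel"] != VHDMP_CHANNEL or s["EventID"] not in event_ids:
            continue
        path = ev.get("EventData", {}).get("VhdFileName", "")
        if not path.lower().endswith(wanted):
            continue
        hits.append({"Time": s["TimeCreated"]["SystemTime"],
                     "Computer": s["Computer"], "User": s["Security"]["UserID"],
                     "EventID": s["EventID"], "Channel": s["Channel"],
                     "RecordID": s["EventRecordID"], "Filename": path,
                     "UserWritablePath": bool(USER_WRITABLE.search(path))})
    return hits
```

Passing a broader extension tuple (for example adding .vhd/.vhdx/.img) turns the same function into a general container-mount hunt, while the UserWritablePath flag helps sort mounts from Downloads or Temp ahead of mounts from an admin's image share.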
Here, we can see the contents of the ISO via File Explorer. 👀

- AllTheThingsx64.dll
- document (LNK/shortcut)
In this case, the 'document.lnk' file is executed from the 'AllTheThings.iso'.

The LNK file then executes 'cmd.exe' and rundll32 in order to load and execute 'AllTheThingsx64.dll' from the ISO, which spawns 'calc.exe'. 😜

(The 'Windows[.]Forensics[.]Lnk' artifact can be used to parse the .lnk.)
Why spawn 'calc.exe'? This is a test from Atomic Red Team!

You can try this out by following the instructions here:
github.com/redcanaryco/at…
While the example provided may not have been truly malicious, it illustrates how a TA might use similar tactics/techniques.

An example of real-world usage similar to the above can be found in this research published by Proofpoint discussing Bumblebee:

proofpoint.com/us/blog/threat…
That's it for now! Stay tuned to learn about more artifacts! 🦖

Also, check out the following resources for more information!

MITRE ATT&CK - MOTW Bypass:
attack.mitre.org/techniques/T15…

Obscure WELs:
nasbench.medium.com/finding-forens…

Post-Macro/Containers:
proofpoint.com/us/blog/threat…

#DFIR
