1/ I am taking a little break but couldn't resist checking out my favourite open-source projects for any updates. Doing so, I thought it would be useful to share my top 10 projects that anyone in the #infosec field should know about. Here they are 🧵:
2/ 📊 HELK (buff.ly/3BHn9iR): The Hunting ELK (HELK) project provides an analytics and threat hunting platform for security teams to identify and respond to threats in their environment. Just load your logs and start hunting! #HELK #ThreatHunting
3/ 🔍 Sigma (buff.ly/3q12WOC): Sigma enables infosec peeps to create rules for SIEM systems for detecting and responding to security incidents. It also allows us to share our rules in a non-vendor-specific format! Free detections anyone!?! #Sigma #SIEM
4/ 🤖 Caldera (buff.ly/3pTdLGe): Caldera is an automated adversary emulation system that performs post-compromise adversarial behaviour within networks, giving blue teams realistic attack scenarios for training and response planning. #Caldera #AdversaryEmulation
5/ 🛡️ DetectionLab (buff.ly/2EsdykJ): Although not actively maintained, DetectionLab can still be used to automate the setup of a small network for simulating real-world attack scenarios and to test blue team detection capabilities. #DetectionLab #NetworkSecurity
6/ 💥 Atomic Red Team (buff.ly/3u6iiSC): A library of tests mapped to the MITRE ATT&CK® framework, allowing security teams to quickly, portably, and reproducibly test their environments against known attack techniques. #AtomicRedTeam #MITREATTACK
7/ 🚗 LOLDrivers (buff.ly/3pTPpMx): This project compiles vulnerable, malicious, and known malicious Windows drivers in one repository, helping security teams understand and defend against Living Off The Land attacks. #LOLDrivers #WindowsSecurity
8/ 📚 LOLBAS (buff.ly/3MBO4TG): The LOLBAS project aims to document every binary, script, and library that can be used for #LivingOffTheLand techniques, providing valuable knowledge for blue teams to better detect and defend against such attacks. #LOLBAS
9/ 🛡️ UnProtect Project (buff.ly/3WhZnDU): UnProtect focuses on classifying evasion techniques to better understand and analyze malware, aiding blue teams in strengthening their detection capabilities against such techniques. #UnProtect #MalwareAnalysis
10/ 📚 MSTICpy (buff.ly/34wem2P): A powerful library for investigations & hunting in Jupyter Notebooks. Features include querying logs, Threat Intel enrichment, advanced analysis & interactive visualizations. #JupyterNotebooks
11/ 📊 EDR-Telemetry (buff.ly/41L5tOe): Shameless plug of a project of mine that compares & evaluates the telemetry of various EDR products, helping security teams choose the right #EDR solution for their orgs and enhance their telemetry visibility. #EndpointSecurity
12/ 🎯 These are my top 10 most valuable blue team projects. Some of the ones I mentioned are new, and others have been around for some time.
Regardless, they taught me a lot, and I am grateful to anyone who has contributed to these projects!
/end I will also be making a list of the top 10 tools soon. Be sure to check them out and contribute to the open-source community! #InfoSec #GitHub
Many security teams scrutinize inbound connections, but they tend to overlook traffic leaving the network. Here are a couple of things I consider when #Threat_hunting for ExMatter or similar tools: 🧵👇
1⃣ Create your baseline:
It is difficult to find anomalous activity if you don't know what normal looks like.
🔹Gather historical network data of outbound connections. The longer the baseline, the better the results.
2⃣ Initial Analysis
🔹Query for outbound connections towards protocols that are used for transferring files and data over a network, e.g. SSH, FTP, TELNET, SFTP etc.
🔹Filter out expected traffic with the help of your baseline.
🔹Check out the most & least frequent conn occurrences
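The two steps above, worked as an added example that is not from the thread: a small Python hunt over a constructed Zeek-style outbound connection log and a constructed baseline. The port-to-protocol mapping, the CSV columns and the bytes-sent-per-destination ranking are my assumptions; the thread ranks by connection count only.

```python
import csv
import io
from collections import Counter, defaultdict

# Protocols the thread names for moving files, keyed by default port
# (assumption: SFTP is counted together with SSH on 22).
FILE_TRANSFER_PORTS = {21: "FTP", 22: "SSH/SFTP", 23: "TELNET"}

# Constructed outbound connection log (Zeek-like fields, made-up addresses).
CONN_LOG = """ts,src_ip,dst_ip,dst_port,orig_bytes
1,10.0.0.5,203.0.113.10,22,1200
2,10.0.0.5,203.0.113.10,22,900
3,10.0.0.7,203.0.113.10,22,1500
4,10.0.0.9,198.51.100.20,21,52000000
5,10.0.0.9,198.51.100.20,21,61000000
6,10.0.0.11,203.0.113.50,443,3000
7,10.0.0.12,192.0.2.77,23,4000
"""

# Constructed baseline: (port, destination) pairs seen in the historical data.
BASELINE = {(22, "203.0.113.10")}


def parse_conn_log(text):
    """Parse the CSV log into dicts with typed port and byte fields."""
    return [{"src": r["src_ip"], "dst": r["dst_ip"],
             "port": int(r["dst_port"]), "bytes": int(r["orig_bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def hunt_outbound(records, baseline):
    """Step 2 of the thread: keep file-transfer ports, drop baselined pairs,
    then rank what remains by connection count. Bytes sent per destination
    is added here because exfiltration shows up as volume, not just count."""
    unexpected = [r for r in records
                  if r["port"] in FILE_TRANSFER_PORTS
                  and (r["port"], r["dst"]) not in baseline]
    counts = Counter((r["port"], r["dst"]) for r in unexpected)
    sent = defaultdict(int)
    for r in unexpected:
        sent[(r["port"], r["dst"])] += r["bytes"]
    ranked = counts.most_common()
    return {"unexpected": unexpected,
            "most_frequent": ranked[0][0] if ranked else None,
            "least_frequent": ranked[-1][0] if ranked else None,
            "bytes_sent": dict(sent)}
```

On the sample data the baselined SSH destination drops out entirely, and the FTP destination stands out on both count and volume even though it is only two connections.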
Threat actors have started leveraging a new RMM platform called Action1. This RMM has useful features. Let's take a look at what these are and how they use them🧵:
👀Console visibility:
➡️Missing Updates view
➡️Apps installed
➡️Detail info about the OS & Hardware of the host
Using Action1, they are seen executing commands, scripts and binaries. To do that, they must first create a "policy" or an "app". The name of those will show up in the command line during execution:
⚙️App Deployment:
➡️action1_agent.exe -> <binary running as system>
⚙️Command/Script execution:
➡️action1_agent.exe -> powershell.exe/cmd.exe
💡The action1_agent.exe cmdline contains the name of the policy set by the TAs (see screenshot for details).
💡Command/Script will run with SYSTEM privs
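Added example, not the author's code: how the two process patterns above look in Sysmon-style process-creation telemetry and how to pull them out. The agent install path, the field names and the policy/app token shown in the parent command line are constructed assumptions; the real command-line format is in the thread's screenshot, which is not reproduced here, so the code surfaces the whole parent command line for the analyst.

```python
import ntpath

RMM_AGENT = "action1_agent.exe"
INTERPRETERS = {"powershell.exe", "cmd.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style fields). The
# agent path and the policy/app token in the parent command line are assumptions.
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Action1\action1_agent.exe",
     "parent_cmdline": r'"C:\Program Files\Action1\action1_agent.exe" <constructed-policy-name>',
     "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\Windows\Temp\setup.exe",
     "parent_image": r"C:\Program Files\Action1\action1_agent.exe",
     "parent_cmdline": r'"C:\Program Files\Action1\action1_agent.exe" <constructed-app-name>',
     "user": r"NT AUTHORITY\SYSTEM"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe",
     "user": r"CORP\alice"},
]


def classify(event):
    """Return which Action1 pattern from the thread an event matches, or None."""
    if ntpath.basename(event["parent_image"]).lower() != RMM_AGENT:
        return None
    child = ntpath.basename(event["image"]).lower()
    return "command_or_script" if child in INTERPRETERS else "app_deployment"


def hunt_action1(events):
    """Collect agent-spawned processes with the context an analyst needs:
    the parent command line (carries the policy/app name) and the user."""
    hits = []
    for e in events:
        kind = classify(e)
        if kind is None:
            continue
        hits.append({
            "kind": kind,
            "child": ntpath.basename(e["image"]).lower(),
            "runs_as_system": e["user"].upper().endswith("\\SYSTEM"),
            "parent_cmdline": e["parent_cmdline"],
        })
    return hits


if __name__ == "__main__":
    for h in hunt_action1(EVENTS):
        print(h)
```

A sanctioned Action1 deployment produces exactly the same parent/child pairs, so hits are triaged on whether the RMM is approved in the environment and whether the policy or app name is one the IT team actually created.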
1/x For the past couple of weeks, #IcedID has been hitting hard, with post-exploitation activities beginning within ~1 hour from the initial infection.
Here are some TTPs and IOCs from these post-exploitation activities that will keep defenders ready.
🧵👇
2/x 🎯TTPs
➡️IcedID use of VNC
💡Over port 8080
➡️Multiple Cobalt Strike DLLs on disk
💡Overused directories: "C:\Windows\Tasks" & "%user%\AppData\Local\Temp"
➡️Heavy use of PowerShell
💡Downloading payloads, exec PowerShell Cobalt Strike Loaders & other processes
3/x ➡️Used multiple privilege escalation methods
💡zerologon, Invoke-Kerberoast, Invoke-EnvBypass
➡️Reverse proxy via Cobalt Strike and then RDPing into the network
➡️Invoke-BloodHound & Invoke-ShareFinder for network and open-shares discovery
#BruteRatel is difficult to detect without having access to WinAPI, NTAPI, and Syscalls as everything is done in memory. This hurts our efforts to hunt across behaviors upon executing the BRC4 payload.
Although all hope is not lost, there are some good indicators in the wires 🧵👇
Looking into the unencrypted network traffic, there are some indicators we can hunt for and create detections based on the default BRC4 profile:
➡️Multiple POST requests against certain destinations
➡️All responses (apart from initial check-in) have 0 content with 200 status👇
➡️Base64 encoded body and encrypted upon deobfuscation
➡️Default user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
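Added example (not from the thread): scoring HTTP transactions per source/destination pair against the four default-profile indicators listed above, run over constructed transactions with made-up addresses and bodies. The record fields, the POST threshold and tolerating one non-empty response for the initial check-in are my assumptions about how the proxy or Zeek http log is shaped.

```python
import base64
import binascii
import re
from collections import defaultdict

# Default user-agent quoted in the thread.
DEFAULT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def tx(src, dst, status, resp_len, body, ua=DEFAULT_UA):
    """Build one constructed POST transaction record (assumed log shape)."""
    return {"src": src, "dst": dst, "method": "POST", "status": status,
            "resp_len": resp_len, "body": body, "user_agent": ua}


# Constructed traffic: the first pair mimics the pattern in the thread
# (first response carries data, the rest are empty 200s), the second is
# ordinary JSON API traffic from an unrelated client.
TRANSACTIONS = [
    tx("10.0.0.5", "198.51.100.33", 200, 512, "aGVsbG8gd29ybGQ="),  # check-in
    tx("10.0.0.5", "198.51.100.33", 200, 0, "Zm9vYmFy"),
    tx("10.0.0.5", "198.51.100.33", 200, 0, "YWJjZA=="),
    tx("10.0.0.5", "198.51.100.33", 200, 0, "dGVzdA=="),
    tx("10.0.0.8", "203.0.113.9", 200, 120, '{"id": 1}', "python-requests/2.31"),
    tx("10.0.0.8", "203.0.113.9", 200, 130, '{"id": 2}', "python-requests/2.31"),
    tx("10.0.0.8", "203.0.113.9", 200, 125, '{"id": 3}', "python-requests/2.31"),
]


def looks_base64(body):
    """Non-empty, base64 alphabet only, length a multiple of 4, decodes cleanly."""
    if not body or len(body) % 4 or not B64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except binascii.Error:
        return False


def score_hosts(transactions, min_posts=3):
    """Group POSTs per (src, dst) and flag pairs that show all four indicators;
    one non-empty response is tolerated for the initial check-in."""
    groups = defaultdict(list)
    for t in transactions:
        if t["method"] == "POST":
            groups[(t["src"], t["dst"])].append(t)
    hits = []
    for (src, dst), posts in groups.items():
        if len(posts) < min_posts:
            continue
        empty_200 = sum(p["status"] == 200 and p["resp_len"] == 0 for p in posts)
        all_b64 = all(looks_base64(p["body"]) for p in posts)
        ua_match = all(p["user_agent"] == DEFAULT_UA for p in posts)
        if empty_200 >= len(posts) - 1 and all_b64 and ua_match:
            hits.append({"src": src, "dst": dst, "posts": len(posts)})
    return hits
```

The user-agent string is the weakest of the four signals since it is a real Chrome build string, so the grouping keys on the response and body shape and treats the UA as confirmation rather than the trigger.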
As a defender, I read reports to stay up to date with recent threats reported by others in the industry. It also helps me generate ideas for future research, threat hunting, detection, or a deeper dive into TA's infra.
This is what I am looking for when I read them🧵
1/11
I'll use a couple of good report examples and one not-so-good one from this week's awesome collection of reports from thisweekin4n6.com.
🔥Useful reports🔥
- Bitter APT adds Bangladesh to their targets (@TalosSecurity)
- Cozy Smuggled Into The Box (@cluster25_io)
2/11
The above reports are jam-packed with tactical and operationally actionable threat intelligence. They both provide a solid description of the threat actor's activities as well as how the intrusion unfolded. Finally, they feature detections in the form of Yara/Sigma rules.
3/11
Last week, @TheDFIRReport received an MS-themed phishing email with an HTML attachment. The email made a significant effort to appear legitimate.
When we open the file, the code renders into what appears to be an HTML page mirroring the official MS account login page.
1/🧵
Looking into the code of the HTML file, we notice a couple of layers of obfuscation. Without much effort, we decoded the content. The script element contains URL and Base64 encoded code that will be executed by the browser. 2/
When the user opens the HTML file, the browser will initiate a GET request to alufohaicement[.]com/monochrome.js containing the victim's and attacker's email addresses passed as base64 encoded parameters to a PHP script configured by the attacker. 3/