A Study on Threat Intelligence Platforms (TIPs)

ENISA has released the first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of TIP users, developers, vendors and the security research community.

The study focuses on identifying the key opportunities and limitations of existing platforms and solutions, since information exchange formats and tools remain central items on the agenda of the cybersecurity community in general, and of incident responders in particular.

The project acknowledges the increasing demand for relevant and ‘context-aware’ security data, as information security management becomes a key component of any modern organisation.

For this project, ENISA engaged leading field experts and reviewed existing tools, practices and the academic literature on TIPs. The report concludes with a series of actionable findings and recommendations so that the current limitations of TIPs can be addressed and overcome.

Continue reading “A Study on Threat Intelligence Platforms (TIPs)”


CrySyS Lab Analysis on NSA’s Territorial Dispute

CrySyS Lab has published a detailed analysis of the NSA’s perspective on the APT landscape. The analysis is based on the Shadow Brokers leak (the “Lost in Translation” leak) and specifically on the module called “Territorial Dispute”. The purpose of this module is to detect the presence of competing state intelligence services on a compromised host. The NSA wanted to secure its own operations, avoid conflicts within the “Five Eyes” group, and gain intelligence on the targets of competing state intelligence services.

See below some interesting points from the analysis by CrySyS Lab:

Continue reading “CrySyS Lab Analysis on NSA’s Territorial Dispute”

There is still life for Offensive PowerShell

It is a fact that security controls and detection capabilities against PowerShell attacks have improved in recent years. But are PowerShell attacks still evolving?

Recently we have read quite a few articles on offensive PowerShell:

  1. Invoke-PSImage. Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing the script either from a file or from the web (when the -Web flag is passed).
  2. The Invoke-Obfuscation Usage Guide :: Part 1. Daniel Bohannon provides insights into the lesser-known features of Invoke-Obfuscation.
  3. The Invoke-Obfuscation Usage Guide :: Part 2. Daniel Bohannon elaborates on what to focus on when using Invoke-Obfuscation for both commands and scripts.
  4. InsecurePowerShell. PowerShell without System.Management.Automation.dll. Ryan Cobb explains how to run PowerShell without the native powershell.exe binary, as well as with a modified version of System.Management.Automation.dll. Really interesting stuff.
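To make the Invoke-PSImage idea concrete, here is an added example (not Invoke-PSImage’s own code, and not its exact pixel encoding): it stores one script byte per pixel by placing the high nibble in the low 4 bits of the red channel and the low nibble in the low 4 bits of the green channel, then reads the bytes back. The function names, the 4-byte length prefix and the random “cover” image are this example’s own assumptions; it relies on .NET System.Drawing being loadable, which holds on Windows PowerShell 5.1 and PowerShell 7 on Windows.

```powershell
# Added example, not code from the Invoke-PSImage project. Minimal pixel
# embedding: high nibble of each script byte -> low 4 bits of R,
# low nibble -> low 4 bits of G, so each channel moves by at most 15/255.
# Assumes .NET System.Drawing can be loaded (Windows PowerShell 5.1 or
# PowerShell 7 on Windows).
Add-Type -AssemblyName System.Drawing

function Hide-ScriptInPng {
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [Parameter(Mandatory)] [string] $OutPath,
        [int] $Width = 64
    )
    $text    = [System.Text.Encoding]::UTF8.GetBytes($ScriptText)
    # 4-byte little-endian length prefix so the decoder knows where the script ends.
    $payload = [byte[]]([System.BitConverter]::GetBytes([int32]$text.Length) + $text)
    $height  = [int][math]::Ceiling($payload.Length / $Width)
    $bmp     = New-Object System.Drawing.Bitmap($Width, $height)
    $rnd     = New-Object System.Random(1)   # deterministic noise standing in for a real cover photo

    for ($i = 0; $i -lt ($Width * $height); $i++) {
        $x = $i % $Width
        $y = [int][math]::Floor($i / $Width)
        $r = $rnd.Next(0, 256); $g = $rnd.Next(0, 256); $b = $rnd.Next(0, 256)
        if ($i -lt $payload.Length) {
            $v = [int]$payload[$i]
            $r = ($r -band 0xF0) -bor ($v -shr 4)     # high nibble into R
            $g = ($g -band 0xF0) -bor ($v -band 0x0F) # low nibble into G
        }
        $bmp.SetPixel($x, $y, [System.Drawing.Color]::FromArgb($r, $g, $b))
    }
    $bmp.Save($OutPath, [System.Drawing.Imaging.ImageFormat]::Png)
    $bmp.Dispose()
}

function Get-ScriptFromPng {
    param([Parameter(Mandatory)] [string] $Path)
    $bmp = [System.Drawing.Bitmap]::FromFile($Path)
    try {
        $w = $bmp.Width
        # Reassemble one byte from the low nibbles of R and G of pixel $i.
        $readByte = {
            param([int] $i)
            $p = $bmp.GetPixel($i % $w, [int][math]::Floor($i / $w))
            [byte]((($p.R -band 0x0F) -shl 4) -bor ($p.G -band 0x0F))
        }
        $lenBytes = [byte[]](0..3 | ForEach-Object { & $readByte $_ })
        $len      = [System.BitConverter]::ToInt32($lenBytes, 0)
        if ($len -le 0 -or $len -gt ($bmp.Width * $bmp.Height - 4)) {
            throw "No embedded script found in $Path"
        }
        $body = [byte[]](4..(3 + $len) | ForEach-Object { & $readByte $_ })
        [System.Text.Encoding]::UTF8.GetString($body)
    }
    finally { $bmp.Dispose() }
}

# Usage: embed a harmless script, then recover it from the PNG.
$png = Join-Path ([System.IO.Path]::GetTempPath()) 'cover.png'
Hide-ScriptInPng -ScriptText 'Write-Output "decoded from pixels"' -OutPath $png
Get-ScriptFromPng -Path $png
```

The decoder stops at returning the text; Invoke-PSImage’s generated one-liner performs the equivalent pixel read inline and hands the result to IEX. That is the detection lesson: the PNG itself is inert and will pass any content filter, so the thing to hunt is a PowerShell command line that loads System.Drawing, walks pixels and invokes the result.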

    PS> Enjoy! 

WMI Persistence Goes Mainstream

This blog post from CrowdStrike provides good information on the persistence mechanisms used by the WannaMine cryptomining worm. According to the post, WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It is notable how quickly cryptomining malware adapts its TTPs and adopts techniques that were until now mostly seen from APT groups.
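A WMI permanent event subscription is always three objects in the root\subscription namespace: an __EventFilter (the WQL trigger), an __EventConsumer (what runs) and a __FilterToConsumerBinding that ties them together. The following added example (not CrowdStrike’s code and not specific to WannaMine) enumerates those triplets so a responder can see every trigger and the command or script attached to it. The function name is this example’s own; it assumes the CIM cmdlets on Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt.

```powershell
# Added example: enumerate WMI permanent event subscriptions (filter +
# consumer + binding), the persistence primitive described in the post.
# Assumes the CIM cmdlets (Windows PowerShell 5.1 / PowerShell 7 on Windows);
# run elevated so subscriptions created by other accounts are visible.
function Get-WmiSubscriptionReport {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    # Filter/Consumer on a binding are object references. The CIM cmdlets expose
    # them as instances carrying the Name key; Get-WmiObject exposes path strings
    # such as \\.\root\subscription:__EventFilter.Name="X". Handle both.
    function Get-RefName($ref) {
        if ($ref -is [string]) {
            if ($ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $ref }
        }
        return $ref.Name
    }

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # What the consumer runs depends on its concrete class.
        $consumerClass = if ($c) { $c.CimClass.CimClassName } else { '(dangling reference)' }
        $action = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '(no command/script payload)' }
        }

        [pscustomobject]@{
            Filter        = $fName
            Query         = if ($f) { $f.Query } else { '(dangling reference)' }
            ConsumerClass = $consumerClass
            Consumer      = $cName
            Action        = $action
        }
    }
}

Get-WmiSubscriptionReport | Format-List
```

Compare the output against a known-good baseline rather than treating any hit as malicious: a stock Windows install already carries a legitimate SCM event-log subscription (an NTEventLogEventConsumer), so the signals are a CommandLineEventConsumer or ActiveScriptEventConsumer you did not create, or a filter whose query fires on a timer or on process start. For continuous monitoring rather than a one-off check, Sysmon records creation of these objects as Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter).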

Continue reading “WMI Persistence Goes Mainstream”

ENISA Report on Tools and Methodologies for CSIRTs and Law Enforcement Collaboration

The European Union Agency for Network and Information Security (ENISA) has recently released its report on Tools and Methodologies to Support Cooperation between CSIRTs and Law Enforcement.

The report aims to support cooperation between CSIRTs, in particular national/governmental CSIRTs, and law enforcement agencies (LEAs) in their fight against cybercrime. It describes the framework and the technical aspects of that cooperation, identifies current shortcomings, and formulates recommendations on the technical aspects that would enhance it.

Continue reading “ENISA Report on Tools and Methodologies for CSIRTs and Law Enforcement Collaboration”

Post Exploitation 101

I read the following tweet by Florian Roth a couple of days ago:

I could not agree more with the reply from Florian. See below a list of resources that help tune detection mechanisms for post-exploitation activity.

  1. Windows enumeration commands 
  2. Windows post exploitation resources
  3. Living off the land
  4. Windows commands abused by the attackers
  5. Post Exploitation using WMIC
  6. Post Exploitation in Windows using dir Command
  7. Post Exploitation on Windows PC
  8. Linux post exploitation
  9. Patterns of behaviour
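The common thread in these resources is that a single whoami or net user is noise, while a burst of different enumeration commands from one parent process in a short window is the post-exploitation pattern worth alerting on. The following added example (this blog’s own illustration, not code from any of the linked resources) implements that idea over process-creation events: it tags each command line with the reconnaissance tool it matches, groups by host and parent image, and raises one alert when enough distinct tools appear inside a sliding window. The event rows are constructed sample data shaped like Sysmon Event ID 1 / Security 4688 fields, the pattern list is a starting set drawn from the commands these resources cover, and the function name and thresholds are assumptions to tune locally.

```powershell
# Added example: detect bursts of reconnaissance commands per parent process.
# Constructed sample events (not real telemetry), shaped like Sysmon EID 1 /
# Security 4688 fields. WS02 is an admin running two commands; WS01 is a
# macro-spawned cmd.exe walking the usual enumeration checklist.
$SampleEvents = @'
Time,Host,ParentImage,Image,CommandLine
2018-03-01T09:58:10,WS02,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe
2018-03-01T09:58:20,WS02,C:\Windows\System32\cmd.exe,C:\Windows\System32\ipconfig.exe,ipconfig /all
2018-03-01T09:59:02,WS02,C:\Windows\System32\cmd.exe,C:\Windows\System32\whoami.exe,whoami
2018-03-01T10:00:01,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c whoami /all
2018-03-01T10:00:04,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c net user /domain
2018-03-01T10:00:09,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c net localgroup administrators
2018-03-01T10:00:15,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c nltest /dclist:corp
2018-03-01T10:00:30,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c systeminfo
2018-03-01T10:00:41,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c tasklist /v
2018-03-01T10:01:03,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c netstat -ano
'@ | ConvertFrom-Csv

# Starting set of enumeration commands; extend from the resources above.
$ReconPatterns = @(
    @{ Name = 'whoami';     Regex = '\bwhoami\b' }
    @{ Name = 'net enum';   Regex = '\bnet1?\s+(user|group|localgroup|view|share)\b' }
    @{ Name = 'nltest';     Regex = '\bnltest\b' }
    @{ Name = 'systeminfo'; Regex = '\bsysteminfo\b' }
    @{ Name = 'ipconfig';   Regex = '\bipconfig\b' }
    @{ Name = 'tasklist';   Regex = '\btasklist\b' }
    @{ Name = 'netstat';    Regex = '\bnetstat\b' }
    @{ Name = 'wmic';       Regex = '\bwmic\b' }
    @{ Name = 'sessions';   Regex = '\b(qwinsta|quser)\b' }
    @{ Name = 'dsquery';    Regex = '\b(dsquery|dsget)\b' }
)

function Find-ReconBursts {
    param(
        [Parameter(Mandatory)] $Events,
        [int] $WindowSeconds = 120,
        [int] $Threshold = 4          # distinct recon tools from one parent inside the window
    )
    # Tag every event with the first recon pattern its command line matches.
    $hits = foreach ($e in $Events) {
        foreach ($p in $ReconPatterns) {
            if ($e.CommandLine -match $p.Regex) {
                [pscustomobject]@{
                    Time    = [datetime]$e.Time
                    Host    = $e.Host
                    Parent  = $e.ParentImage
                    Tool    = $p.Name
                    CmdLine = $e.CommandLine
                }
                break
            }
        }
    }
    # Group by host + parent process and slide a window over the sorted hits.
    $hits | Group-Object Host, Parent | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $win   = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $tools = @($win.Tool | Sort-Object -Unique)
            if ($tools.Count -ge $Threshold) {
                [pscustomobject]@{
                    Host     = $sorted[$i].Host
                    Parent   = $sorted[$i].Parent
                    Start    = $start
                    Tools    = ($tools -join ', ')
                    Commands = ($win.CmdLine -join ' | ')
                }
                break   # one alert per host/parent; the analyst pivots from there
            }
        }
    }
}

Find-ReconBursts -Events $SampleEvents | Format-List
```

On the sample data WS02 never reaches the threshold (two tools) and WS01 produces one alert listing six tools under a WINWORD.EXE parent. Keying the grouping on the parent image is deliberate: the same six commands typed by an administrator from an interactive cmd.exe are routine, whereas an Office process spawning them is the signal, so tune the threshold per parent class rather than globally.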

Enjoy and happy hunting ;)

Red Teaming Tips by Vincent Yiu

Vincent Yiu has tweeted some really useful red teaming tips.

  • Red Tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use UA from software such as Outlook.
  • Red tip #2: If the enemy SOC is using proxy logs for analysis, guess what? It won’t log cookies or POST body content, as they can be sensitive.
  • Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.
  • Red tip #4: Consider using Office Template macros and replacing normal.dot for persistence in VDI environments.
  • Red tip #5: Do a DNS lookup for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start intel on your target.
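Red tip #5 is easy to script. The following added example (this blog’s own, not Vincent’s code) resolves a wordlist of likely internal hostnames under a target domain and reports which ones exist, following CNAME chains to the real host. The function name, the default wordlist beyond the terms in the tip, and the delay between queries are assumptions; it relies on the Resolve-DnsName cmdlet from the DnsClient module (Windows 8 / Server 2012 and later).

```powershell
# Added example for Red tip #5: find which well-known internal hostnames exist
# under a target domain. Assumes Resolve-DnsName (DnsClient module).
function Find-CandidateHosts {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $Words = @('intranet', 'sharepoint', 'wiki', 'nessus', 'cyberark',
                              'vpn', 'owa', 'mail', 'jira', 'confluence', 'jenkins', 'git', 'adfs'),
        [string] $Server,          # optional resolver, e.g. the target's DC, once inside
        [int] $DelayMs = 250       # pace the queries; a burst of NXDOMAINs stands out in DNS logs
    )
    foreach ($w in $Words) {
        $name  = "$w.$Domain"
        $query = @{ Name = $name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        try {
            # An A query returns the CNAME hops as well as the final A records.
            $answers = Resolve-DnsName @query
            foreach ($a in ($answers | Where-Object { $_.Type -in 'A', 'CNAME' })) {
                [pscustomobject]@{
                    Name  = $name
                    Type  = $a.Type
                    Value = if ($a.Type -eq 'CNAME') { $a.NameHost } else { $a.IPAddress }
                }
            }
        }
        catch { }   # NXDOMAIN or timeout: the name does not exist, move on
        Start-Sleep -Milliseconds $DelayMs
    }
}

Find-CandidateHosts -Domain 'corp.example' | Format-Table -AutoSize
```

Run it against the target’s own resolver from a foothold and the results double as a map of the internal estate (vulnerability scanners, password vaults, VPN concentrators). From the defender’s side the same activity is visible: every query lands in DNS server logs and, on the endpoint, in Sysmon Event ID 22, so a client resolving a dozen well-known service names in a row is itself a hunting lead.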

Continue reading “Red Teaming Tips by Vincent Yiu”