CrySyS Lab has provided a great document on its analysis on NSA’s perspective on the APT landscape. The analysis is based on Shadow Brokers leak (“Lost in Translation” leak) and most specifically on the module called “Territorial Dispute“. The purpose of this module is to detect presence of competing state intelligence services. NSA wanted to secure its operations, avoid any conflict between “Five Eyes” group as well as get intelligence on the targets of the competing state intelligence services.
See below some interesting points related to the analysis done by CrySyS Lab:
Continue reading “CrySyS Lab Analysis on NSA’s Territorial Dispute”
It is a fact that security controls and detection capabilities against Powershell attacks have been improved during the last years. However, are Powershell attacks still evolving?
Recently, we have read quite a few articles regarding Offensive Powershell:
Continue reading “There is still life for Offensive PowerShell”
This blog post from CrowdStrike provides some good information related to the persistence mechanisms used by WannaMine cryptomining worm. According to the post, WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It is really interesting that crypto mining malware adapt so quickly their TTPs and use techniques that are mostly used by APT groups.
Continue reading “WMI Persistence Goes Mainstream”
Vincent Yiu has tweeted some really useful red teaming tips.
- Red Tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use UA from software such as Outlook.
- Red tip #2: If the enemy SOC is using proxy logs for analysis. Guess what? It won’t log cookies or POST body content as can be sensitive.
- Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.
- Red tip #4: consider using Office Template macros and replacing normal.dot for persistence in VDI environments.
- Red tip #5: Do a DNS lookup for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start intel on your target.
Continue reading “Red Teaming Tips by Vincent Yiu”
2016 was a year full of interesting presentations and conferences! I took a moment to think about the presentations that helped me better understand the threat landscape, introduced me to new tools and processes, provided inspiration for my team and help me with my daily operations.
The selection of the presentations below is subjective but indicative of the trends regarding the DFIR community during 2016. Moreover, the below sequence is completely random.
I would appreciate any feedback and I would be more than happy to be sent your ones! Enjoy!
Continue reading “My favorite DFIR presentations for 2016”
Some of you may or may not know my weekly newsletter called “Threat Intel Weekend Reads” that started being published in December 2014. What I tried to do today was to go back to all the newsletter editions of 2016 and select my favorite headline articles. During the upcoming days I will try to deep dive once again and provide more insights on DFIR, Threat Intel and Threat Hunting! Any feedback would be more than welcome! Enjoy!
Continue reading “Threat Intel Annual Reads 2016”