January was an interesting moth for CTI practitioners! I took some time and collected the major articles and presentations that I read and watched during January 2019.
I hope you enjoy it. Continue reading “Threat Intel Reads – January 2019”
Category: dfir
My Top 20 CTI/DFIR Talks for 2018
Another year has passed and lots of good CTI/DFIR stuff have been presented! I took some time to watch again some of my favourite talks within 2018 and list my favourite 20 ones. The list provided below has a CTI focus, however some of the most representative talks related to blue team/red team as well as ICS have been selected. I hope you enjoy it! Continue reading “My Top 20 CTI/DFIR Talks for 2018”
CrowdStrike’s 2018 Mid-Year Review
During the past week CrowdStrike published its 2018 Mid-Year Review call “Observation from the front lines of threat hunting“. This report provides insights, trends and details on today’s most sophisticated cyber attacks observed by CrowdStrike Falcon OverWatch team.
Some interesting points of the report include:
Anti-Virus Log Analysis Cheat Sheet (v1.5)
Florian Roth published the new version of Anti-Virus Log Analysis Cheat Sheet (version 1.5). I highly recommend to implement monitoring of the events included in this cheat sheet. To my mind, this is the easiest and quickest win and AV logs are one of the first things I hunt whenever I go to a new environment.
The new version has information on :
Continue reading “Anti-Virus Log Analysis Cheat Sheet (v1.5)”
GhostPack: C# Offensive Framework
This is a game changer for red teaming and offensive security. The guys from SpecterOps have just published GhostPack. This represents the transition from Offensive PowerShell frameworks to C# frameworks. This was much expected as blue teams are catching up on PowerShell detection/prevention controls. Moreover, red teams need “offense in depth” having different variations of their toolset based on the engagement needs.
GhostPack is a collection various C# implementations of previous PowerShell functionality, and includes six separate toolsets being released:
CrySyS Lab Analysis on NSA’s Territorial Dispute
CrySyS Lab has provided a great document on its analysis on NSA’s perspective on the APT landscape. The analysis is based on Shadow Brokers leak (“Lost in Translation” leak) and most specifically on the module called “Territorial Dispute“. The purpose of this module is to detect presence of competing state intelligence services. NSA wanted to secure its operations, avoid any conflict between “Five Eyes” group as well as get intelligence on the targets of the competing state intelligence services.
See below some interesting points related to the analysis done by CrySyS Lab:
Continue reading “CrySyS Lab Analysis on NSA’s Territorial Dispute”
There is still life for Offensive PowerShell
It is a fact that security controls and detection capabilities against Powershell attacks have been improved during the last years. However, are Powershell attacks still evolving?
Recently, we have read quite a few articles regarding Offensive Powershell:
Continue reading “There is still life for Offensive PowerShell”
WMI Persistence Goes Mainstream
This blog post from CrowdStrike provides some good information related to the persistence mechanisms used by WannaMine cryptomining worm. According to the post, WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It is really interesting that crypto mining malware adapt so quickly their TTPs and use techniques that are mostly used by APT groups.
Post Exploitation 101
I read the following tweet by Florian Roth a couple of days ago:
People frequently ask me about process hollowing/doppelgänging, spectre/meltdown, skeleton keys & attack vectors involving liquid nitrogen.
Recently I replied:
Would you notice someone running “whoami” on one of your servers? https://t.co/Y4e8YaFdtt— Florian Roth (@cyb3rops) January 27, 2018
I could not agree more with the reply from Florian. See below a list of resources that help tuning detection mechanisms for post exploitation activities.
- Windows enumeration commands
- Windows post exploitation resources
- Living off the land
- Windows commands abused by the attackers
- Post Exploitation using WMIC
- Post Exploitation in Windows using dir Command
- Post Exploitation on Windows PC
- Linux post exploitation
- Patterns of behaviour
Enjoy and happy hunting ;)
Red Teaming Tips by Vincent Yiu
Vincent Yiu has tweeted some really useful red teaming tips.
- Red Tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use UA from software such as Outlook.
- Red tip #2: If the enemy SOC is using proxy logs for analysis. Guess what? It won’t log cookies or POST body content as can be sensitive.
- Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.
- Red tip #4: consider using Office Template macros and replacing normal.dot for persistence in VDI environments.
- Red tip #5: Do a DNS lookup for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start intel on your target.
Tilting at windmills 