There is still life for Offensive PowerShell

It is a fact that security controls and detection capabilities against Powershell attacks have been improved during the last years. However, are Powershell attacks still evolving?

Recently, we have read quite a few articles regarding Offensive Powershell:

  1. Invoke-PSImage .  Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file of from the web (when the -Web flag is passed). 
  2. The Invoke-Obfuscation Usage Guide :: Part 1 . Daniel Bohannon provides insights on the lesser-known features of Invoke-Obfuscation. 
  3. The Invoke-Obfuscation Usage Guide :: Part 2 . Daniel Bohannon  elaborates on what to focus  when using Invoke-Obfuscation for both commands and script.
  4. InsecurePowerShell . PowerShell without System.Management.Automation.dll . Ryan Cobb explains how to use the PowerShell without powershell.exe native windows binary as well as with a modified version of System.Management.Automation.dll ! Really interesting stuff.  

    PS> Enjoy! 

Advertisements

WMI Persistence Goes Mainstream

This blog post from CrowdStrike provides some good information related to the persistence mechanisms used by WannaMine cryptomining worm. According to the post, WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It is really interesting that crypto mining malware adapt so quickly their TTPs and use techniques that are mostly used by APT groups.

Continue reading “WMI Persistence Goes Mainstream”

Post Exploitation 101

I read the following tweet by Florian Roth a couple of days ago:

I could not agree more with the reply from Florian. See below a list of resources that help tuning detection mechanisms for post exploitation activities.

  1. Windows enumeration commands 
  2. Windows post exploitation resources
  3. Living off the land
  4. Windows commands abused by the attackers
  5. Post Exploitation using WMIC
  6. Post Exploitation in Windows using dir Command
  7. Post Exploitation on Windows PC
  8. Linux post exploitation
  9. Patterns of behaviour

Enjoy and happy hunting ;)

My favorite DFIR presentations for 2016

 

2016 was a year full of interesting presentations and conferences! I took a moment to think about the presentations that helped me better understand the threat landscape, introduced me to new tools and processes, provided inspiration for my team and help me with my daily operations.

The selection of the presentations below is subjective but  indicative of the trends regarding the DFIR community during 2016. Moreover, the below sequence is completely random.

I would appreciate any feedback and I would be more than happy to be sent your ones! Enjoy!

Continue reading “My favorite DFIR presentations for 2016”

Threat Intel Annual Reads 2016

Some of you may or may not know my weekly newsletter called “Threat Intel Weekend Reads” that started being published in December 2014. What I tried to do today was to go back to all the newsletter editions of 2016 and select my favorite headline articles. During the upcoming days I will try to deep dive once again and provide more insights on DFIR, Threat Intel and Threat Hunting!  Any feedback would be more than welcome! Enjoy!

Continue reading “Threat Intel Annual Reads 2016”