Nuggets of Knowledge
Intro
This section serves to capture various pieces of shared knowledge which proved popular on social media
Tweets
October 2022
DFIR Tip: pnputil
Jai Minton @CyberRaiju
Forensics Tip: If you have live access to a system and want to know what's been plugged into it, or what it has been connected to throughout it's life, run the following:
pnputil /enum-devices
pnputil /enum-interfaces
You'll get a wealth of knowledge
Hardening Tip: Blocking USB Rubber Ducky
USB Rubber Ducky's and HID emulators allow pentesters or other determined actors to emulate keystrokes and run malicious commands.
This can be prevented by blocking their associated Vendor and Product IDs from being installed.
The default ducky firmware uses the Atmel corp ID.
Hardening Tip: Block or Detect ISO Mounting
Mountable image files (e.g. .iso/.vhd) present challenges because phishing and fake software installers both use these to host malware inside of them as a form of defense evasion.
These are normally mounted on double click. To protect against this or detect it afterwards🧵👇
Protect: Add 'ProgrammaticAccessOnly' associations for these extensions. This can be done via a command prompt/powershell or via group policy (HT/ @mubix) https://malicious.link/post/2022/blocking-iso-mounting/
Detect: Examine the Windows Event Log for ID '12' within 'Microsoft-Windows-VHDMP-Operational'. PowerShell e.g.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-VHDMP-Operational';ID=12} | FL TimeCreated, Message
HT/ @TheDFIRReport (https://thedfirreport.com/2022/04/25/quantum-ransomware/)
DFIR Tip: Windows Firewall Modification
Defender tip: Many pieces of malware will try and create a rule for the Windows FW. Keep an eye on the below event log
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
2004 - Added
2005 - Modified
2006 - Deleted
Can parse it like so to view unique processes
Windows Tip: Use where.exe to find files
Windows Pentesting/DFIR Tip: It's all too common to see the 'find' command used on Windows and linux, but what is less known and far more useful is 'where.exe' to recursively search.
Use this and find what you're looking for with wildcards natively on Windows.
September 2022
DFIR Tip: Runtime Broker
RuntimeBroker.exe is used to broker permission access from UWP apps.
This is also often injected into by adversarial tools such as Cobalt Strike.
From my knowledge this is always legitimately launched with the '-Embedding' command line. 1/2
Despite this it doesn't provide a lot of context on 'what' UWP application it is servicing; however, like with the above screenshot, if you enable 'Package name' in Task Manager or Process Explorer, this often reveals what UWP application it is servicing. 2/2
COM Class Fun
COM Class Objects are fun
Try this. Create a folder in Windows and name it Test.{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}
By default this is a CLSID reference for the 'Previous Versions Results Folder'. This is now no longer seen as a 'folder' and cant be renamed or deleted.
August 2022
Unique DFIR, RE, and Security Analysis Resources
When it comes to DFIR, Reverse Engineering, and performing security analysis in general, there's a number of useful, hidden gems out there.
Here's some sites which you may, or may not know about, including some of the best in the industry👇
Dotspotter: https://forensicdots.de/dotspotter
Many laser printers and copiers leave a hidden 'Machine Identification Code' on any documents printed which can be used to identify the device which was used to print a document, and potentially give clues to the originator.
MalAPI: https://malapi.io
Created by @mrd0x, this website aims to map Windows APIs to common techniques used by malware. Useful for reverse engineers as this helps to map functions which are used within a binary to possible malicious capability.
URLScan: https://urlscan.io
Created by @heipei, this website provides an easy to use 'sandbox for the web' which allows scanning of websites to determine technologies in use, domain/IP involved, scripts embedded in the page etc. Useful for examining websites and pivoting.
PublicWWW: https://publicwww.com
Originally created as a Source Code Search Engine, PublicWWW doubles as tool to identify compromised domains for when a Google Dork just won't cut it. Useful for identifying other websites which may have been compromised to host malicious JS.
OSINT Techniques: https://osinttechniques.com/osint-tools.html
The name speaks for itself, amalgamating a number of links to various useful tools, @OSINTtechniques has something for professionals of all shapes and sizes.
Malpedia: https://malpedia.caad.fkie.fraunhofer.de
Malpedia is home to an amalgamation of thousands of malware families and links to further reading on them, it also includes mapping of families to actors tracked by the @MISPProject Galaxies making it an invaluable resource for malware analysts.
Objective-See Mac Malware Collection: https://objective-see.org/malware.html
Although not as large as Malpedia, specialising in threats targeting MacOS, Objective-See is one of the best resources to show your friends and family that 'yes MacOS can get a virus, stop thinking otherwise'.
Hijack Libs: https://hijacklibs.net
Created by @Wietze, Hijack Libs provides a curated list of DLL Hijacking candidates including a mapping between DLLs and vulnerable executables. This resource can prove invaluable for attackers and defenders in their pursuit of DLL hijacking.
LOLBAS: https://lolbas-project.github.io
Living Off The Land Binaries and Scripts is a term used for common binaries and scripts which can be abused by an attacker in an intrusion. Primarily maintained by @oddvarmoe and others, LOLBAS remains a valuable community driven repository.
GTFOBins: https://gtfobins.github.io
Created by @norbemi and @cyrus_and, GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems, similar to LOLBAS for those who are aware, but for *Nix systems.
Living Off Trusted Sites (LOTS) Project: https://lots-project.com
Another from @mrd0x, there's a number of popular, legitimate domains that are commonly abused by attackers to remain undetected, this resource helps to shed light on those.
MxToolbox SuperTool: https://mxtoolbox.com/SuperTool.aspx
If you've read this far and don't know about MxToolbox then you may not have had a background troubleshooting a website, SMTP server, or online service. Included because it's always nice to have in your back pocket in a pinch.
@mal_share: https://malshare.com/about.php
Founded by @silascutler, The MalShare Project is a collaborative effort designed to create a malware repository which is community driven and works to build additional tools to benefit the security community. Useful for sourcing samples.
Abuse.ch: https://abuse.ch
Community driven threat intelligence on cyber threats. Everything from malware samples to botnet tracking, malicious JA3 fingerprinting, sites distributing malware, IOCs and a Yara scanner, it is used by public and private sector.
May 2022
DFIR Tip: USB Forensics
Thought I just found something new, turns out it was mentioned last year.
Quote-tweeting for visibility: The following logs are excellent for finding evidence of USB usage on Win10/11.
Microsoft-Windows-Storsvc/Diagnostic (1001)
Microsoft-Windows-Partition/Diagnostic (1006)
March 2022
CyberChef Recipe AES Decrypt
What's one of your favourite #CyberChef operations, or chain of operations, and why?
Mine would be "Register" and "Find / Replace".
The below is an example of using this powerful combo to fully decrypt an AES encrypted configuration file used by STRRAT and label each element.
January 2022
KringleCon 4 JRPG Game
To help combat imposter syndrome, this year for @KringleCon I've created videos showing my failures and success in an edutaining way. I also recreated KringleCon as a JRPG playable game for my write-up. Enjoy!
Game🎮:
https://jaiminton.com/santassecretworkshop/kringlecon2021writeup/
YouTube📺:
https://youtube.com/watch?v=b9Gkrk
December 2021
Finding, Detecting, and Protecting against Log4Shell Vulnerabilities
Regarding CVE-2021-44228 AKA Log4Shell.
https://logging.apache.org/log4j/2.x/security.html
A quick and dirty way to find jar files that have a JndiLookup.class in PowerShell (change drive).
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
1/3
Running the following in PowerShell as Admin on Windows should mitigate the issue for any instances >=2.10
[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS","true","Machine")
2/3
For forensic examiners, it's not known how practical exploitation is, but both Cellebrite BlackLight and Autopsy use components that leverage the vulnerable log4j class.
Elasticsearch for BlackLight (possibly inspector also), and Apache Solr for Autopsy keyword searching.
3/3
August 2021
Performing Contextual Analysis on Network IOCs
Let's talk about static, network-based IOCs and analysis.
Network-based IOCs such as Domains and IPs are both temporal and contextual. If a network sec device has alerted on a static IOC and you cannot ascertain when that IOC was added, or context on why, then it's a waste. 1/15
Let's say your network sec appliance has alerted on a domain because the vendor has categorised it as malicious. Good right? Sure, but it's not great. If it instead said "At xx/xx/xxxx the website hosted on this domain was seen serving an information stealer at Y", then👍2/15
In the above we get context, and a timeframe, both of which may make the IOC useful. Say we then examined network logs and found the URL accessed wasn't serving malware, and that the website had changed after the above date, great! We've performed contextual based analysis. 3/15
What about when there's no context besides a broad statement such as "malicious"? How do you perform analysis? Well it becomes more challenging to cover all bases. You could have access to the process which made the request, this gives context. But then there's unknowns 4/15
Was it a web browser? If so could the IOC be related to an ad network? C2 traffic from an injected process? Malicious script? Malicious browser extension? No context means you need to put in more legwork to cover your bases, it's easy to shrug it off as "ads - web browsing". 5/15
So how can you perform contextual based analysis from a 3rd party with no context? Leverage what you have available. In a previous role I leveraged http://urlscan.io and http://publicwww.com to confirm different hypothesis' and share threat intel. Let me elaborate 6/15
An alert went off from a network security device for a "malicious" domain being looked up, there was no public information on the domain (at least from my OSINT), no telemetry on process which made the request, and no pcaps. What are we looking at? How do we analyse? 7/15
What I had: DNS reqs. Well to be an analyst without information provided to you on a platter you'll need to gather and synthesize data to get context. Looking at DNS reqs from the system around the time of the "malicious" DNS request we can obtain other domains of interest 8/15
Given the DNS request has a subdomain in it we can narrow down enum of subdomains, that's a bonus👍. So we know it was related to www. - badpersondomain (creative I know), now we can scan it sure, but OSINT hasn't shown it hosting malicious payloads, so no risk right? Wrong 9/15
Given this I'm more interested in the other 'legitimate' domains contacted. Why? Website compromises happen all the time. So in this instance I scanned the websites which were of interest using urlscan. Why? This enumerates web technologies and shows embedded scripts. 10/15
Low and behold one of the legitimate websites had made a request for JavaScript hosted on www. - badpersondomain. This was using Magento (you may know where this is going) why is this important? Well Magento has been exploited in the past by 'Magecart' actors, what is this? 11/15
Well, through a number of continuously growing vulnerabilities an actor can compromise vulnerable stores leveraging Magento to plant a 'skimmer' on it, then whenever someone makes a transaction it will send their CC details to the actor, and the consumer would have no idea. 12/15
By examining the JavaScript I was able to infer that it was a CC skimmer active on this website. This is where publicwww comes into play. By searching the domain and URI I was able to find a number of other sites compromised with CC skimmers. At this point we have new intel 13/15
Safe to say the person who had made a purchase on that site was glad to know, the site owner was glad to know, and the new threat intel was useful.
From this you can see how many more steps needed to be taken to fill in the gap and understand why something is "malicious". 14/15
Moral of the story is having temporal and contextual information tied to an indicator is invaluable. It cuts down analysis time, and gives an analyst something they need (context). The more you give back, the better!
Context is key.
This has been my Ted Tweet. 👋
15/15
March 2021
China Chopper Analysis
China Chopper:
Let's take a look at a .NET variant of the webshell, the associated client, how it (and other webshells) can be defeated through .NET Trust Levels hardening, and how it looks from both ends in my lab environment. Not new, but someone may find it interesting.
Webshell:
This component is tiny, and as it isn't compiled it's trivial to create different variants.
Sometimes also referred to as an 'eval' shell this will evaluate whatever argument is sent to it with the specified 'Request.Item' parameter. H/T
https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html
Client:
The Chopper client is packed using "the Ultimate Packer for Executables" (UPX) and is < 1mb, upon unpacking it is still less than 1 mb despite more than tripling in size. The number of imported functions increases drastically upon unpacking.
File Manager:
This causes a POST request to be made to retrieve the directory contents using the Directory Info class. The output is saved to a local cache for ease of future retrieval. There's a number of unique networking elements which can be turned into Snort rules.
Virtual Terminal:
The client has a Virtual Terminal which allows running commands similar to a windows command prompt. This leaves some unique elements upon process startup and the X-Forwarded-For header changes upon the Chopper client starting up to seem inconspicuous.
Hardening:
The only reason this works is because the .NET Trust Levels are almost always set to 'Full'. By dropping this to at least 'High' you can drastically mitigate the power of this (ensure no errors). While you're at it enable 'bytes' logging to track potential exfil.
In addition the web shell will attempt to access a non-existant 'web.config' file in a folder with the same name as the shell. Track these requests! After hardening commands will start to fail as unmanaged code cannot be called.
This extends into the File Manager and trying to run commands through 'GET' requests. So long as your web server doesn't absolutely need 'Full' .NET Trust Levels, it shouldn't be running with them.
If they must, you can always create a Handler Mapping System.Web.HttpNotFoundHandler and restrict POST methods to places ASPX files don't normally reside, or to known webshell locations if they're not required as a mitigation. These handlers are per folder or across all.
Feb 2021
A Poem About Web Compromises
Your systems aren't patched,
your passwords aren't swell,
now watch this hacker,
throw down a web shell.
Potatoes are juicy,
potatoes are great,
in just a few seconds,
they begin to elevate.
Dumping creds,
before you ever knew,
they sit on your web server,
they're DA now too.
December 2020
Spicy Hot Pot
Hi all, long time no tweet.
My latest blog post is now released ✍️
- Takes a look at a persistent browser hijacker ☠️
- Malware leverages kernel drivers which act as a rootkit 🪝
- Manual steps for remediation 🩹
- Yara rules provided👊
Happy Holidays.
November 2020
DFIR Tip: Examine Module Loads
Once you've got a handle on process executions, start taking a look at their module loads (e.g. DLLs from other applications).
In the below example this Lokibot info stealer openly loads DLLs associated with the Windows Credential Vault Client, Firefox DLLs and files from Firefox
DFIR Tip: Analyse .msg Files With 7-Zip
Today I learned -
Based on the Outlook .msg file specs: https://interoperability.blob.core.windows.net/files/MS-OXMSG/%5bMS-OXMSG%5d.pdf you can rip an email apart using 7-Zip to get the attachment and email content in streams without using any other tools.
Demonstrated with one of many spam emails I find myself facepalming at 🤦♂️
DFIR Tip: Hash scheduled tasks from System32 Directory
As admin get the hash of scheduled tasks from System32 dir:
$a=((gci tasks -rec | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}
October 2020
Hunting LNK file execution
What's the difference between running a link to a file, and running the file directly?
Explorer.exe has 5 more calls on the stack during process creation through a link (.lnk) file due to a temporary property being set.
May be useful to hunt for those malicious .lnk files.
Semptember 2020
DFIR Tip: Get hash of Service DLLs
Quick 1-liner to get the location and file hash of Service DLLs. These should only be known Microsoft DLLs as svchost is OS Reserved
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | foreach {filehash $_.ServiceDll}
Downloading Files From The Internet Using File > Open
I believe the reason is because paint implements a "FileDialog Class" used to select a file (File>Open).
This uses FileStreams, which is based off of stream and has TCP/IP support.
So take your pick, almost anything that has File > Open will let you download a file, e.g. Audacity
August 2020
DFIR Tip: Kerberos Ticket Invalidation
Reminder: Kerberos tickets aren't invalidated when you reset a users password or disable their account.
If there's active sessions these can persist beyond the reset unless they're purged from the system or expire.
Extra Reading:
https://cert.europa.eu/static/WhitePapers/CERT-EU_SWP_17-002_Lateral_Movements.pdf
https://docs.microsoft.com/en-us/windows/
April 2020
MITRE ATT&CK Mind Maps
MITRE ATT&CK Mind Maps!
I've mapped the latest MITRE ATT&CK techniques, sub-techniques and IDs to a mind map and made it available.
Freemind (no colour) and XMind formats + PNG download.
Colours mapped to @olafhartong's "The ATT&CK Rainbow of Tactics"
https://github.com/JPMinty/MindMaps/tree/master/MITRE%20ATT%26CK
July 2020
AMSI Debug logging
If you enable AMSI Debug logs, a quick and dirty way to output all of the event log 'content' including scanned strings is below.
((Get-WinEvent -Log 'AMSI/Debug' -Oldest).Properties | select -exp value | ForEach-Object ToString X2 -ea 0) -join ''
Marketing Vs. Phishing URLs
When viewed in plaintext this PayPal phishing email has more 'legitimate' marketing links than phishing links.
With these trackers it's easy to see how people can get confused when performing OSINT.
Phishing emails can be made from marketing emails with 'legitimate' links.
DFIR Tip: Print Screen Shenanigans
When using the prtsc key on Windows, taskhost/taskhostw will attempt to get read access to a non-existent file:
➡️%windir%\System32\SnapShot
By creating a null byte file and auditing access, we can log any time a user has taken a screenshot via this key. Only works for this key.
DFIR Tip: Rundll32 Injection
Let's look back at injecting into rundll32. Another telltale sign may be the version (32 or 64 bit) of rundll32 being injected into.
If your normal processes use 64-bit version (\System32), but then the 32-bit version runs (\SysWoW64) e.g. spawnto_x86, this may be worth flagging
June 2020
Penetration Testing Tip: Explorer.exe LOLBAS
Red Team Tip:
'explorer.exe /root' can be run from the command line - similar to 'cmd.exe /c', only it breaks the process tree and makes its parent a new instance of explorer
For blue team: keep an eye on multiple instances of explorer.
explorer.exe /root,"D:\CyberRaiju.exe"
DFIR Tip: Attributes of Running Processes
When looking at running processes, a number of useful items to examine:
- Name(s)
- Path
- Description
- Signing
- Version
- Company
- Comments
- Language
- Hash
We can get info on all exe/dll running using PowerShell.
gps -module -FileVersionInfo -ea 0 | sort -uniq | FL *name
Hardening Tip: Hardentools
For users who frequently get themselves into strife by clicking links, downloading binaries they shouldn't, or otherwise, Hardentools looks to be very promising.
The golang source files may also help with some artifacts to keep an eye on.
H/T and Source:
https://github.com/securitywithoutborders/hardentools
Vulnerability in Vendor Software
Found a service running as SYSTEM from the public folder. This by default grants permissions to everyone. Makes it trivial to use for privesc and persistence. May want to check, will show MS FW rules also.
reg query HKLM\SYSTEM\CurrentControlSet\services /s /f "C:\Users\Public"
Hardening Tip: Block Interactive Logons for Service Accounts
This may seem rudimentary, but you may want to stop service accounts from being able to logon locally or via RDP, just like you may want to stop users being able to run scheduled tasks under their account, or logging on as a service.
Setup those GPOs.
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job
May 2020
DFIR Tip: 7-Zip Artifacts
7-Zip is by far one of the most ubiquitous free Windows archivers. It also has some nice registry artifacts which may assist in locating evidence of exfil. Such keys include.
CopyHistory
FolderHistory
PathHistory
ArcHistory
reg query HKU\{SID}\Software\7-Zip\ /s /f History
Number of RCE Vulnerabilities Per Day Over 2 Decades
In just over 2 decades, the number of DISCLOSED and ASSIGNED CVEs is up over 136k.
If we look at a breakdown, over 25% are for code execution.
As an industry we're averaging >4 Code Execution vulns a day.
Take that in
Sources:
https://cvedetails.com/vulnerabilities-by-types.php
https://cve.mitre.org/cve/identifiers/index.html
Security Baselining For Windows
And for those very same baselines...
Legacy Blog:
https://blogs.technet.microsoft.com/secguide/
New Blog:
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines
Compliance Toolkit:
https://microsoft.com/en-us/download/details.aspx?id=55319
Looking for tried and true hardening baselines will assist in finding blind spots, and configuration changes to hunt on.
Ursnif/Gozi IE COM Objects for C2
Malware such as Ursnif/Gozi may run invisible Internet Explorer COM Objects to try and make C2 traffic look like web browsing. We should all be using a different browser now, so go and disable it.
Samples:
https://app.any.run/tasks/89b049a8-d5a5-4691-983a-f39a19a2a350/
https://app.any.run/tasks/16db04f0-d10b-48ad-bba3-44627b4c34bb/
https://app.any.run/tasks/dac58492-30b1-4c73-8556-ec3a34c5d178/
DFIR Tip: DHCP Logs for Mac, SSID Analysis
Using DHCP logs you can get the name, SSID and MAC address your Windows device used to connect to a particular Wifi network. In this instance Invoke-Mimikatz was the SSID 😅
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DHCP*'; Id='50067';}|FL TimeCreated,Message
Hardening Tip: Nuke Persistence With GPO Hardening
Practical GPO Mitigations:
I've created persistence under a users context using a startup link, logon script, and run key, yet after a restart none of these work.
This is because as a defender I've also got a policy setup to automatically remove these on startup if they exist
April 2020
DFIR Tip: Cobalt Strike Behavior and Detection
Let's look at the default behavior of Cobalt Strike.
The scripted web delivery is at URI '/a'.
It spawns to rundll32 (which should have a cmd line associated).
We can often get the C2 and UA using only CyberChef.
Samples:
- https://app.any.run/tasks/1f172994-bb8a-4bd6-92a4-45c1a38739db/
- https://app.any.run/tasks/481f7b37-ae14-41aa-a823-eea8a1bed0c9/
March 2020
DFIR Tip: Taskbar Feature Usage
More evidence of binaries running can sometimes be found in Windows 10 based on taskbar metrics.
HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\
Using these you can see the number of times opened apps have been clicked, right clicked. More info below:
Hardening Tip: Block Windows Scripts
If you want to stop a bunch of malicious scripts and don't need the Windows Script Host, simply disable it to prevent use of wscript and cscript.
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
Revisiting my original tweet. Say it with me...
Your files can be hidden.
They can be super-hidden.
They can have system attributes.
They can have double extensions.
Malicious links can point to them.
And user keys take precedence when locking down the scripting engine. 🤪
February 2020
Hardening Tip: Block PowerShell Connections Outbound
For all your non-tech savvy friends, please just block PowerShell outbound via the Firewall, it'll prevent a lot of issues...
netsh advfirewall firewall add rule name="PSPrevent" dir=out action=block program="%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"
October 2019
DFIR Tip: Finding evidence of Macro enabling in Registry
Looking for that Emotet dropper? Not sure what file triggered it? Take a look at this reg key to find documents the user has 'trusted' and whether they ran macros.
\Software\Microsoft\Office\[version]\Word\Security\Trusted Documents\TrustRecords
FF FF FF 7F = Macro Enabled
July 2019
DFIR Tip: Get Hash of All Running Executables
My Powershell 1-liner to show the unique hash of every executable running.
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A
