Just released 🎉: Wasabi Wallet users are being targeted by a fake Wasabi Wallet MSI installer. Upon installing and running the trojanised client, it drops a Java Archive that acts as a malware downloader.
Let's reverse engineer this.
Enjoy!
Red Team Tip:
'explorer.exe /root' can be run from the command line, similar to 'cmd.exe /c', only it breaks the process tree and makes the parent a new instance of explorer.
For blue team: keep an eye on multiple instances of explorer.
explorer.exe /root,"D:\CyberRaiju.exe"
When it comes to DFIR, reverse engineering, and performing security analysis in general, there are a number of useful hidden gems out there. Here are some sites which you may or may not know about, including some of the best in the industry👇
Regarding CVE-2021-44228 AKA Log4Shell.
A quick and dirty way to find jar files that contain a JndiLookup.class using PowerShell (change the drive as needed).
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
1/3
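The one-liner above string-searches the raw bytes of every jar. The following added example (not from the original tweet) opens each jar as the zip archive it is, so the class name is matched exactly, and reads the log4j manifest to report the version alongside it. Assumptions are labelled in the comments: the `Implementation-Version` manifest field and the `.war`/`.ear` extensions are mine, not the tweet's.

```powershell
# Added example: inspect jar archives via System.IO.Compression rather than
# select-string over raw bytes. Assumes Windows PowerShell 5.1 or later.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-JarForJndiLookup {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    } catch {
        return [pscustomobject]@{ Path = $Path; HasJndiLookup = $null; Log4jVersion = $null; Error = $_.Exception.Message }
    }
    try {
        # Exact match on the entry name, so unrelated files that merely contain the string are not flagged.
        $jndi = $zip.Entries | Where-Object { $_.FullName -like '*/JndiLookup.class' }

        # Assumption: a log4j-core jar built by the standard build carries
        # 'Implementation-Version' in META-INF/MANIFEST.MF.
        $version = $null
        $manifest = $zip.Entries | Where-Object { $_.FullName -eq 'META-INF/MANIFEST.MF' }
        if ($manifest) {
            $reader = New-Object System.IO.StreamReader($manifest.Open())
            $text = $reader.ReadToEnd()
            $reader.Dispose()
            if ($text -match 'Implementation-Version:\s*(\S+)') { $version = $Matches[1] }
        }
        [pscustomobject]@{ Path = $Path; HasJndiLookup = [bool]$jndi; Log4jVersion = $version; Error = $null }
    } finally {
        $zip.Dispose()
    }
}

function Find-Log4jJndiLookup {
    # Assumption: .war and .ear are worth including because they are zip containers too.
    param([string]$Root = 'C:\')
    Get-ChildItem -Path $Root -Recurse -Force -Include *.jar,*.war,*.ear -ErrorAction SilentlyContinue |
        ForEach-Object { Test-JarForJndiLookup -Path $_.FullName } |
        Where-Object { $_.HasJndiLookup }
}

Find-Log4jJndiLookup -Root 'C:\' | Format-Table -AutoSize
```

Jars nested inside a war or ear are not opened by this function; it only inspects the outer archive, so a hit on a war means the class is at its top level.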
I've been compiling a Windows #cheatsheet of common commands and areas of interest for #DFIR, including common tool-sets (more information to come). This can be found below; any comments or feedback are always welcome.
No SIEM? Sick of manually sifting through Windows event logs? Just want to know who has logged in remotely? Let's use some PowerShell to assist with that.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='10'} | FL TimeCreated,Message
You're welcome. 🛡️
Forensics Tip: If you have live access to a system and want to know what's been plugged into it, or what it has been connected to throughout its life, run the following:
pnputil /enum-devices
pnputil /enum-interfaces
You'll get a wealth of knowledge.
It took me almost 3 years, but I finally restructured the Practical Malware Analysis section of my site. This is now broken up into more digestible sections, and I've also revamped the MITRE ATT&CK tests to come with appropriate categories and tagging.
My Powershell 1-liner to show the unique hash of every executable running.
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A
Looking for that Emotet dropper? Not sure which file triggered it? Take a look at this registry key to find documents the user has 'trusted' and whether they ran macros.
\Software\Microsoft\Office\[version]\Word\Security\Trusted Documents\TrustRecords
FF FF FF 7F = Macro Enabled
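Added example, not part of the original tweet: a decoder for the TrustRecords values. Each value name is the document path and the data is a binary record; the assumptions used here (labelled in the code) are that the first 8 bytes are a FILETIME of when the document was trusted and the last 4 bytes hold the FF FF FF 7F flag from the tweet. The registry walk covers every loaded user hive and every Office application, not only Word.

```powershell
# Added example: decode Office TrustRecords entries.
function ConvertFrom-TrustRecord {
    param([string]$DocumentName, [byte[]]$Data)
    if (-not $Data -or $Data.Length -lt 24) { return $null }
    # Assumption: bytes 0-7 are a little-endian FILETIME (time the document was trusted).
    $fileTime = [BitConverter]::ToInt64($Data, 0)
    # Assumption: the last 4 bytes are 0x7FFFFFFF (FF FF FF 7F on disk) when macros were enabled.
    $flag = [BitConverter]::ToUInt32($Data, $Data.Length - 4)
    [pscustomobject]@{
        Document     = $DocumentName
        TrustedUtc   = [DateTime]::FromFileTimeUtc($fileTime)
        MacroEnabled = ($flag -eq 0x7FFFFFFF)
    }
}

function Get-TrustedDocuments {
    # Walks HKU so it works on a live host or with hives loaded from an image;
    # the wildcard after Office\* catches Word, Excel, PowerPoint, etc.
    $pattern = 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords'
    Get-Item -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $sid = ($key.Name -split '\\')[1]
        foreach ($name in $key.GetValueNames()) {
            $rec = ConvertFrom-TrustRecord -DocumentName $name -Data ([byte[]]$key.GetValue($name))
            if ($rec) { $rec | Add-Member -NotePropertyName SID -NotePropertyValue $sid -PassThru }
        }
    }
}

# Constructed sample record: FILETIME for 2021-12-01 10:00:00 UTC, 12 bytes of padding, then FF FF FF 7F.
[byte[]]$sample = [BitConverter]::GetBytes([DateTime]::new(2021, 12, 1, 10, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()) +
                  @(0) * 12 + @(0xFF, 0xFF, 0xFF, 0x7F)
ConvertFrom-TrustRecord -DocumentName '%USERPROFILE%/Downloads/invoice.docm' -Data $sample

# Live host: every trusted document, oldest first.
Get-TrustedDocuments | Sort-Object TrustedUtc | Format-Table SID, TrustedUtc, MacroEnabled, Document -AutoSize
```

The constructed sample decodes to a TrustedUtc of 2021-12-01 10:00:00 and MacroEnabled of True; on a real host, the entry whose timestamp sits just before the first malicious child process of winword.exe is usually the dropper you are after.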
Quick 1-liner to get the location and file hash of service DLLs. These should only be known Microsoft DLLs, as svchost is OS reserved.
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | foreach {filehash $_.ServiceDll}
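The one-liner above gives you a hash to look up; the added example below (mine, not the tweet's) extends it with the Authenticode signer of each ServiceDll so that anything that is unsigned, invalidly signed, or not signed by Microsoft floats to the top without a hash lookup. It reads both the service key and its subkeys, as the original wildcard does.

```powershell
# Added example: audit every ServiceDll for hash and signature. Run as Administrator.
function Get-ServiceDllAudit {
    $paths = 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*',
             'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.ServiceDll } |
        ForEach-Object {
            # Service name is the first path segment after ...\Services\
            $svc = (($_.PSPath -replace '^.*\\Services\\', '') -split '\\')[0]
            $dll = [Environment]::ExpandEnvironmentVariables($_.ServiceDll)
            $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $dll -Algorithm SHA256 -ErrorAction SilentlyContinue
            $signer = $sig.SignerCertificate.Subject
            [pscustomobject]@{
                Service         = $svc
                ServiceDll      = $dll
                SHA256          = $hash.Hash
                SignatureStatus = $sig.Status
                Signer          = $signer
                # Catalog-signed Windows DLLs report Valid with a Microsoft subject; anything else deserves a look.
                Suspicious      = -not ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')
            }
        }
}

Get-ServiceDllAudit | Where-Object Suspicious | Format-Table Service, ServiceDll, SHA256, SignatureStatus -AutoSize
```

A missing file (the DLL path no longer exists) also lands in the Suspicious set because the signature status is not Valid, which is itself worth noting: a service pointing at a DLL that is not there is a search-order hijack waiting to happen.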
MITRE ATT&CK Mind Maps!
I've mapped the latest MITRE ATT&CK techniques, sub-techniques and IDs to a mind map and made it available.
Freemind (no colour) and XMind formats + PNG download.
Colours mapped to @olafhartong's "The ATT&CK Rainbow of Tactics".
Forensics Tip: NTFS by default doesn't track the last time a file was accessed. If you want to keep a record of this, you'll need to set the NtfsDisableLastAccessUpdate value to 0. The below will help.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f
Reminder: Kerberos tickets aren't invalidated when you reset a user's password or disable their account. If there are active sessions, these can persist beyond the reset unless they're purged from the system or expire.
Extra Reading:
Some RDP keys to keep an eye on:
Enable RDP/Multiple User Sessions:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
- fDenyTSConnections
- fSingleSessionPerUser
Change of Port Number:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- PortNumber
Remote Procedure Calls (RPC) are extremely common for lateral movement. If you're looking into hardening and have no need for remote access to the Service Control Manager, it can be disabled with the key below. This stops PsExec and similar tools.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1
Some easy ways of finding running processes which import network functions. You may find an injected process this way.
Windows Socket API: e.g. TCP/IP
》tasklist /m WSock32.dll
》tasklist /m Ws2_32.dll
Windows Internet API: e.g. HTTP, FTP, NTP.
》tasklist /m Wininet.dll
7-Zip is by far one of the most ubiquitous free Windows archivers. It also has some nice registry artifacts which may assist in locating evidence of exfiltration. Such keys include:
CopyHistory
FolderHistory
PathHistory
ArcHistory
reg query HKU\{SID}\Software\7-Zip\ /s /f History
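The reg query above finds the keys but prints their data as a hex blob. This added example (not from the tweet) decodes the four history values into the paths they hold. Assumption, labelled in the code: each value is a REG_BINARY of UTF-16LE strings, each terminated by a null character, which is how 7-Zip writes them.

```powershell
# Added example: decode 7-Zip history values into readable paths.
function ConvertFrom-7ZipHistory {
    param([byte[]]$Data)
    if (-not $Data) { return @() }
    # Assumption: UTF-16LE strings separated by a null character.
    [System.Text.Encoding]::Unicode.GetString($Data).Split([char]0) | Where-Object { $_ }
}

function Get-7ZipHistory {
    # The history values live in subkeys (Compression, Extraction, FM) under each user's 7-Zip key.
    $names = 'ArcHistory', 'PathHistory', 'FolderHistory', 'CopyHistory'
    $keys = Get-Item -Path 'REGISTRY::HKU\*\Software\7-Zip', 'REGISTRY::HKU\*\Software\7-Zip\*' -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        $sid = ($key.Name -split '\\')[1]
        foreach ($name in $names) {
            $raw = $key.GetValue($name)
            if ($raw -is [byte[]]) {
                foreach ($entry in ConvertFrom-7ZipHistory -Data $raw) {
                    [pscustomobject]@{ SID = $sid; Key = $key.PSChildName; History = $name; Entry = $entry }
                }
            }
        }
    }
}

# Constructed sample: two paths encoded the way 7-Zip stores them.
[byte[]]$sample = [System.Text.Encoding]::Unicode.GetBytes("D:\staging\docs.7z`0C:\Users\Public\archive.zip`0")
ConvertFrom-7ZipHistory -Data $sample

# Live host or mounted hives.
Get-7ZipHistory | Format-Table -AutoSize
```

ArcHistory is the list of archives the user created or opened, PathHistory the extraction targets, and FolderHistory/CopyHistory the file manager's navigation and copy destinations, so an archive name in ArcHistory with a removable drive letter in CopyHistory tells a fairly complete story on its own.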
Want to know whether a user opened a Word document?
Try querying the "pick up where you left off" registry keys.
Just load in the hives and use some PowerShell, or check your own with HKCU rather than HKU\*.
gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"
A PowerShell 1-liner using Windows Jump Lists to find files opened. Very rough, so mileage will vary.
$Files=$(cat C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations\*.*Destinations-ms);$Files.Split("``")|Select-String "Storage" | findstr -v "1SPSU"|findstr -v "?"
Let's use MITRE ATT&CK™ as a learning tool.
I threw together MITRE ATT&CK Wheel of Fortune. This is a spreadsheet which uses NO macros and helps select an ATT&CK method to learn, and track your progress.
#MentoringMonday
This can be downloaded below:
For all your non-tech-savvy friends, please just block PowerShell outbound via the firewall; it'll prevent a lot of issues...
netsh advfirewall firewall add rule name="PSPrevent" dir=out action=block program="%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"
My Powershell 1-liner to show the hash of some DLLs loaded by processes (1/2).
$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea ig|? FileName -NotLike "C:\Windows\SYSTEM32\*"){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A
For those using Sysmon or MITRE in their analysis, I'm going to point you in the direction of @nader_shalabi and the excellent tools he's created for working with these.
This includes Sysmon View and ATT&CK™ View as shown below.
Over a couple of months I spent time learning about game hacking concepts and putting these into practice to complete the challenges of Pwn Adventure 3: Pwnie Island ().
The write-up is now available, enjoy:
Knowing what is normal will help you to find abnormal.
Example: all of the below processes require an assembly or a specified DLL on the command line (take note of extensions) when invoked:
regsvcs
regasm
rundll32
regsvr32
Yet this doesn't happen if they're just being used to inject or hollow into.
10th Chapter (Kernel Debugging) of Practical Malware Analysis (No Starch Press) complete. Just about hit the half way mark of this write-up.
Write-ups take significantly longer than just reading content, but if it helps someone learn, then it's worth it.
My analysis on a recent Remcos RAT sample is now available. This is wrapped in 4 layers of reflectively loaded code. I step through unraveling this to get the final Remcos RAT payload and showcase how it all establishes persistence on the system.
Enjoy!
Practical GPO Mitigations:
I've created persistence under a user's context using a startup link, logon script, and run key, yet after a restart none of these work.
This is because, as a defender, I've also got a policy set up to automatically remove these on startup if they exist.
China Chopper:
Let's take a look at a .NET variant of the webshell, the associated client, how it (and other webshells) can be defeated through .NET Trust Levels hardening, and how it looks from both ends in my lab environment. Not new, but someone may find it interesting.
1/9
Let's look at the default behavior of Cobalt Strike.
The scripted web delivery is at URI '/a'.
It spawns to rundll32 (which should have a cmd line associated).
We can often get the C2 and UA using only CyberChef.
Samples:
-
-
A few years dated, but I know how you all love lists so here's 411 Windows Security Event IDs complete with their summary and security messages, direct from Microsoft.
If you want to create a shadow copy in Windows 7 via cmd (there's no vssadmin create option), you can do so with the below, run with SYSTEM privileges. This is what happens when a System Restore Point is created.
%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation
When using the PrtSc key on Windows, taskhost/taskhostw will attempt to get read access to a non-existent file:
➡️%windir%\System32\SnapShot
By creating a zero-byte file there and auditing access to it, we can log any time a user has taken a screenshot via this key. This only works for this key.
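The tip above describes the technique; the added example below (mine, not the tweet's) implements it end to end: create the decoy file, put an audit ACE on it, enable the File System audit subcategory, and then pull the resulting object-access events with the user and process that touched it. It assumes the path from the tweet and that Security events 4656/4663 carry the SubjectUserName, ObjectName and ProcessName fields.

```powershell
# Added example: audit read attempts on %windir%\System32\SnapShot. Run as Administrator.
$script:SnapShotPath = Join-Path $env:windir 'System32\SnapShot'

function Enable-ScreenshotAudit {
    param([string]$Path = $script:SnapShotPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -ItemType File -Force | Out-Null   # zero-byte decoy file
    }
    $acl = Get-Acl -LiteralPath $Path -Audit
    # Audit successful and failed read attempts by anyone.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Read', 'Success,Failure')
    $acl.SetAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Object access auditing must be on for the SACL to produce events.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
}

function Get-ScreenshotEvents {
    param([string]$Path = $script:SnapShotPath, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -eq $Path) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
            }
        }
    }
}

Enable-ScreenshotAudit
Get-ScreenshotEvents | Format-Table -AutoSize
```

Expect the Process column to show taskhostw.exe (or taskhost.exe on older builds); a different process reading the same path is a reason to look closer, since it means something other than the Snipping path is probing System32.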
Just a reminder: Event ID 24 (RDP disconnect) from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational will still give you the source IP which made the initial connection. So even if someone covers their tracks, you may be able to nab them on the way out.
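This added example (not from the tweets) serves both the Security 4624 query earlier on this page and the Event ID 24 reminder here. The earlier hashtable filter `Data='10'` matches any event field equal to 10; the XPath below pins the match to LogonType. The LocalSessionManager events (21 logon, 24 disconnect, 25 reconnect) are parsed from their UserData block, and the two sources are merged into one timeline keyed on user and source address. Assumed field names: TargetUserName, TargetDomainName, IpAddress in 4624, and User, Address, SessionID in the LSM events.

```powershell
# Added example: build a remote-logon timeline from two event sources.
function Get-RdpLogonEvents {
    param([int]$Days = 7)
    $ms = [long]$Days * 24 * 60 * 60 * 1000
    # Only 4624 events whose LogonType field is exactly 10 (RemoteInteractive).
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = '4624 LogonType 10'
            User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source = $d.IpAddress
            Session = $d.TargetLogonId
        }
    }
}

function Get-RdpSessionEvents {
    param([int]$Days = 7)
    $kinds = @{ 21 = 'Logon'; 24 = 'Disconnect'; 25 = 'Reconnect' }
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 24, 25
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # These events carry their fields under UserData/EventXML rather than EventData.
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = "$($_.Id) $($kinds[[int]$_.Id])"
            User    = $u.User
            Source  = $u.Address
            Session = $u.SessionID
        }
    }
}

@(Get-RdpLogonEvents) + @(Get-RdpSessionEvents) | Sort-Object Time | Format-Table -AutoSize
```

A disconnect (24) whose Source does not match any preceding 4624 or 21 from the same address is the case the tweet is describing: the logon evidence was cleared, but the disconnect still names the client.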
🔥 Free MITRE ATT&CK mind maps!🧠
These are based off of the latest Enterprise v14 matrix which was released a couple of weeks ago.
All are freely available on my Github, with lower quality versions available on my site.
Enjoy!
Chapter 18 (Packers and Unpacking) of PMA complete. This covers off on automated / manual methods of unpacking, the Unpacking Stub, repairing the Import Table, the Tail Jump, and how you can find the Original Entry Point (OEP) of malware which use packers
Malware such as Ursnif/Gozi may run invisible Internet Explorer COM Objects to try and make C2 traffic look like web browsing. We should all be using a different browser now, so go and disable it.
Samples:
Found a service running as SYSTEM from the Public folder. This by default grants permissions to everyone. It makes it trivial to use for privesc and persistence. You may want to check; this will also show Microsoft firewall rules.
reg query HKLM\SYSTEM\CurrentControlSet\services /s /f "C:\Users\Public"
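Grepping for C:\Users\Public catches one location. The added example below (mine, not from the tweet) generalises the check: it resolves every service's binary from its PathName, including unquoted paths with spaces, and tests whether Everyone, Users, Authenticated Users or INTERACTIVE hold write rights on the file or its directory. The list of weak identities is my assumption of what counts as low-privilege.

```powershell
# Added example: find services whose binary or containing folder is writable by low-privilege users.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    # Unquoted path: grow the candidate word by word until it names an existing file.
    $parts = $p -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

# Assumption: these identities represent "anyone on the box".
$script:WeakIdentities = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$script:WriteRights = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'

function Test-WeakWriteAcl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $script:WeakIdentities -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $script:WriteRights) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-WeakServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath -PathName $_.PathName
        if ($bin) {
            [pscustomobject]@{
                Service      = $_.Name
                RunAs        = $_.StartName
                Binary       = $bin
                FileWritable = Test-WeakWriteAcl -Path $bin
                DirWritable  = Test-WeakWriteAcl -Path (Split-Path -Path $bin -Parent)
            }
        }
    } | Where-Object { $_.FileWritable -or $_.DirWritable }
}

Get-WeakServiceBinaries | Format-Table -AutoSize
```

Anything returned with RunAs of LocalSystem is the case from the tweet; the fix is to move the binary under Program Files (or tighten the ACL) rather than to leave it in a world-writable folder.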
USB Rubber Duckies and HID emulators allow pentesters or other determined actors to emulate keystrokes and run malicious commands. This can be prevented by blocking their associated Vendor and Product IDs from being installed. The default Ducky firmware uses the Atmel Corp vendor ID.
Created a copy of the MsMpEng.exe (Windows Defender Antimalware Service), renamed it to 'Invoke-Mimikatz', and Windows Defender is now a "Trojan". Defender doesn't like seeing Invoke-Mimikatz in a command line. Even the signed Defender executable isn't safe. Beware the #mimikatz.
A small video to help analysts extract relevant information from a PowerShell based Cobalt Strike stager using CyberChef, and then go more in-depth using a Python script.
Just released 🎉: A look at Scheduled Tasks, and how malware such as Tarrask hides these from being seen, even through tooling such as Autoruns. Included is a link to some PowerShell scripts designed to find hidden tasks using this technique. Enjoy!
This may seem rudimentary, but you may want to stop service accounts from being able to logon locally or via RDP, just like you may want to stop users being able to run scheduled tasks under their account, or logging on as a service.
Setup those GPOs.
Keep an eye on the below. When UseLogonCredential is set to 1, WDigest keeps credentials in memory. This is often modified by malware to allow credential harvesting.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
Let's talk about static, network-based IOCs and analysis.
Network-based IOCs such as Domains and IPs are both temporal and contextual. If a network sec device has alerted on a static IOC and you cannot ascertain when that IOC was added, or context on why, then it's a waste. 1/15
MITRE ATT&CK™ T1171 - LLMNR/NBT-NS Poisoning and Relay
- Can steal Net-NTLM hashes and relay them to dump NTLM hashes
- Look for service installations
This example uses responder and smbrelayx to dump hashes from a remote machine using a Net-NTLM hash
dismhost
dccw
credwiz
consent
computerdefaults
CompMgmtLauncher
clipup
cliconfg
BitlockerWizardElev
You may want to keep an eye on child processes of these binaries.
More details on common known methods and current patching status can be found:
Brief update, given the popularity: the Windows #DFIR and #IncidentResponse #Cheatsheet has been updated, including additional header highlighting for readability, and will no doubt continue to grow. This is now on a custom domain with a redirect set up.
MITRE ATT&CK™ T1028 - Windows Remote Management
- Post exploitation tactic useful for Lateral Movement
- Look out for child processes of wsmprovhost and evidence of service enabling.
Below I use PowerShell to run commands on a remote machine through WinRM
More evidence of binaries running can sometimes be found in Windows 10 based on taskbar metrics.
HKU\*\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\
Using these you can see the number of times opened apps have been clicked or right-clicked. More info below:
When looking at running processes, a number of useful items to examine:
- Name(s)
- Path
- Description
- Signing
- Version
- Company
- Comments
- Language
- Hash
We can get info on all exe/dll running using PowerShell.
gps -module -FileVersionInfo -ea 0 | sort -uniq | FL *name
MITRE ATT&CK™ T1191 - CMSTP
- Another Windows Utility which can be abused to evade detection.
- Look for suspicious CMSTP processes
This example uses a fake picture (inf) file to execute our malicious DLL and spawn calc as a way of avoiding detection.
Just released 🎉: Malware analysis of IDAT (Hijack) Loader, its injection from IDAT (PNG file) streams, and how it uses Process Doppelganging
This covers both dynamic and static analysis techniques which can be used to unravel the final payload
Enjoy!
For a different artifact gathering tool, take a look at 'Meta-Blue' by newhandle.
It implements concurrent PowerShell remoting sessions to pull artifacts in csv format from remote hosts. Also incorporates a number of elements from the DFIR Cheat Sheet.
More for Lateral Movement -> Evidence removal.
mstsc
net
runas
netsh
wmiprvse (children)
wsmprovhost (children)
psexesvc (children)
winrm
winrs
win
shadow
esentutl
vssadmin
del
wevtutil
taskkill
klist
ftp
Hopefully that list helps as a start.
For more:
MITRE ATT&CK™ T1179 - Hooking
- Capture API calls
- Used by rootkits, malware, and AV software
In this example we create a keyboard hook to log keystrokes, and use a custom DLL to log any calls to the Windows Socket 2 API.
H/T
Chapter 19 of PMA Write-up complete: Shellcode Analysis
This covers off on debugging and disassembling shellcode, some nuances on Position-Independent Code (PIC), Identifying Execution Locations, Manual Symbol Resolution/Imports, encoding and NOP Sleds.
MITRE ATT&CK V7.0 (July 2020) Mind Map now available with minor changes including new sub-techniques added since the V7.0 beta.
The update can be found (So long as Github isn't down):
Changelog:
Defender tip: Many pieces of malware will try to create a rule for the Windows firewall. Keep an eye on the below event log.
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
2004 - Added
2005 - Modified
2006 - Deleted
Can parse it like so to view unique processes
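Added example, not from the tweet, of the parsing the line above alludes to: pull 2004/2005/2006 from the firewall log, extract the rule name, the application the rule applies to and the process that made the change, then group on that pair so a process that keeps writing rules stands out. Assumed field names in the event data: RuleName, ApplicationPath, Direction, Action, ModifyingUser and ModifyingApplication.

```powershell
# Added example: summarise Windows Firewall rule changes from the event log.
function Get-FirewallRuleChanges {
    param([int]$Days = 7)
    $kinds = @{ 2004 = 'Added'; 2005 = 'Modified'; 2006 = 'Deleted' }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004, 2005, 2006
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Change        = $kinds[[int]$_.Id]
            Rule          = $d.RuleName
            Application   = $d.ApplicationPath
            Direction     = $d.Direction     # numeric code as logged (1 = in, 2 = out)
            Action        = $d.Action        # numeric code as logged (2 = block, 3 = allow)
            ModifyingApp  = $d.ModifyingApplication
            ModifyingUser = $d.ModifyingUser
        }
    }
}

# Unique (application, modifying process) pairs, most frequent first.
Get-FirewallRuleChanges |
    Group-Object -Property Application, ModifyingApp |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Normal change sources are mpssvc via netsh/PowerShell/the firewall MMC, installers, and group policy; a ModifyingApp living under a user profile or Temp, or a rule whose Application is the same path that created it, is the pattern the tip is pointing at.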
I've just made my @KringleCon #Holidayhack Challenge Write-up public.
Or for those who want the direct PDF:
This is 150 picture-filled pages detailing every challenge and how they can be solved.
Enjoy, hope you learn something.
I've been doing a poor job with updates, but Chapters 14 and 15 of Practical Malware Analysis (No Starch Press) write-up now complete. No new page layout yet, sorry😅.
14: Malware-Focussed Network Signatures
15: Anti-Disassembly
Hi all, long time no tweet.
My latest blog post is now released ✍️
- Takes a look at a persistent browser hijacker ☠️
- Malware leverages kernel drivers which act as a rootkit 🪝
- Manual steps for remediation 🩹
- Yara rules provided👊
Happy Holidays.
Just released 🎉: What starts as an ISO file, ends in a RAT. Join me in diving into some ISO file forensics via the Windows Event Log, and how the configuration of a RAT that gets loaded into memory can be decrypted using CyberChef.
Enjoy!
If you enable AMSI Debug logs, a quick and dirty way to output all of the event log 'content' including scanned strings is below.
((Get-WinEvent -Log 'AMSI/Debug' -Oldest).Properties | select -exp value | ForEach-Object ToString X2 -ea 0) -join ''
Analysis of MITRE ATT&CK™ T1197 - BITS Jobs.
- Bypasses Autoruns Detection
- Event ID 64 is useful
- Revealed on hosts using: bitsadmin /list /allusers /verbose
In my example below whenever the bitsadmin job copies a file I pop calc, even after a reboot.
Some extra process execution/command lines to monitor for hands-on adversary situational awareness/recon.
tasklist
ver
ipconfig
systeminfo
netstat
whoami
nbtstat
set
qprocess
nslookup
net
type
dir
echo
dsquery
quser
Just released 🎉: I discuss the basics of DLL Side-Loading and DLL Search Order Hijacking, and then compare a legitimate and malicious DLL which is loaded by a legitimate piece of AV software. This is the first part to more in-depth analysis of IDAT Loader
MITRE ATT&CK™ T1183 - Image File Execution Options
- Can launch payload whenever a process is run or closed
- Look for suspicious WerFault child processes and IFEO reg keys.
This example uses 3 registry keys to spawn our payload whenever mspaint closes.
Windows Pentesting/DFIR Tip: It's all too common to see the 'find' command used on Windows and Linux, but what is less known and far more useful is 'where.exe' to recursively search. Use this to find what you're looking for with wildcards, natively on Windows.
Running the following in PowerShell as Admin on Windows should mitigate the issue for any instances >=2.10
[Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS","true","Machine")
2/3
Let's look back at injecting into rundll32. Another telltale sign may be the version (32 or 64 bit) of rundll32 being injected into.
If your normal processes use 64-bit version (\System32), but then the 32-bit version runs (\SysWoW64) e.g. spawnto_x86, this may be worth flagging
Mountable image files (e.g. .iso/.vhd) present challenges because phishing and fake software installers both use these to host malware inside of them as a form of defense evasion. These are normally mounted on double click. To protect against this or detect it afterwards🧵👇
Happy to be proven wrong, or get some examples of false positives, but when you migrate a standard Meterpreter Reverse TCP Shell into a new process (tested x86), it loads the Winsocket DLL with a lowercase name and uppercase extension, different to normal applications which vary.
In addition to event logs, a number of other artifacts can provide valuable information, such as registry keys. In this blog, we discuss a new registry artifact called “FeatureUsage,” found in builds of Windows 10 version 1903 and later. via
@CyberRaiju
Part 2 of my STRRAT Malware write-up is now available:
Learn how to decrypt the STRRAT configuration file, gather context on how it is being used, persistence involved, extract Host and Network IOCs, and I've now made a decrypter for the config available.
To help combat imposter syndrome, this year for @KringleCon I've created videos showing my failures and success in an edutaining way. I also recreated KringleCon as a JRPG playable game for my write-up. Enjoy!
Game🎮:
YouTube📺:
MITRE ATT&CK™ T1113 - Screen Capture
- See what your victim sees
- Monitor Admin tools or API usage if possible
Below I show 3 methods of taking a screen capture remotely on Windows. PowerShell, 3rd party binaries, and inbuilt in Meterpreter.
Final result: Approx 80% of the Lab environment and 90% of the exam environment compromised.👨💻
Today I received my confirmation.
Officially OSCP certified!🎉
Now I can return to Twitter after a bit of a hiatus for some more research and tech related tweets.
✌️
So as it currently stands:
➡️25 root/system shells.
➡️All networks unlocked.
🥳
It's nice to be able to look at how these were popped including the different techniques used, and know that each of them have ways to detect, prevent, or respond.
Onward and upward.
As admin, get the hash of scheduled task binaries from the System32 directory:
$a=((gci "$env:windir\System32\Tasks" -rec | Select-String "<Command>" | select -exp Line).replace("<Command>","").replace("</Command>","").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}
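The one-liner above treats the task files as text. The added example below (mine, not the tweet's) parses them as the XML they are, so every Exec action is captured with its arguments and hashed, and it also covers the Tarrask behaviour described earlier on this page: a task whose SD value has been deleted from the TaskCache\Tree registry key is not shown by schtasks or Autoruns but still has an Id value there, so the second function lists exactly those. Both the Tasks folder layout and the Tree key value names (Id, SD) are assumptions based on how the Task Scheduler stores tasks.

```powershell
# Added example: hash scheduled task actions and find tasks hidden by a deleted security descriptor. Run as Administrator.
function Get-ScheduledTaskActions {
    $root = Join-Path $env:windir 'System32\Tasks'
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) } catch { return }
        foreach ($exec in $xml.Task.Actions.Exec) {
            if (-not $exec.Command) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables(($exec.Command -replace '"', '').Trim())
            # Commands given without a path (e.g. cmd.exe) are resolved through PATH before hashing.
            $resolved = if (Test-Path -LiteralPath $cmd -PathType Leaf) { $cmd } else { (Get-Command $cmd -ErrorAction SilentlyContinue).Source }
            $hash = if ($resolved) { (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash }
            [pscustomobject]@{
                Task      = $file.FullName.Substring($root.Length)
                Command   = $cmd
                Arguments = $exec.Arguments
                SHA256    = $hash
            }
        }
    }
}

function Find-TasksMissingSD {
    # Assumption: every real task under TaskCache\Tree has an Id value; Tarrask-style hiding deletes its SD value.
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    Get-ChildItem -Path $tree -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'Id' -and $_.Property -notcontains 'SD' } |
        ForEach-Object {
            [pscustomobject]@{
                TaskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
                Id       = $_.GetValue('Id')
            }
        }
}

Get-ScheduledTaskActions | Sort-Object SHA256 -Unique | Format-Table Task, Command, SHA256 -AutoSize
Find-TasksMissingSD | Format-Table -AutoSize
```

A task that appears in Find-TasksMissingSD but has no matching file under System32\Tasks, or whose Command hash is absent from your known-good set, is the combination to escalate.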
MalAPI:
Created by @mrd0x, this website aims to map Windows APIs to common techniques used by malware. Useful for reverse engineers as this helps to map functions which are used within a binary to possible malicious capability.
Chapter 20 of PMA Write-up complete: C++ Analysis
Covers off on OOP, some nuances on how it appears disassembled, the 'this' pointer, inheritance, overloading/mangling, virtual/non-virtual functions (Polymorphism), vtables, and exception handler objects.
Using DHCP logs you can get the name, SSID and MAC address your Windows device used to connect to a particular Wi-Fi network. In this instance Invoke-Mimikatz was the SSID 😅
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DHCP*'; Id='50067';}|FL TimeCreated,Message
Chapter 21 of PMA Write-up complete: 64-bit malware
This is the final installment currently planned in my PMA Write-up series, with some extra content on Yara already being included. A big thanks to @mikesiko, Andrew Honig and @nostarch.
1/7
Although there's a known workaround, you may want to keep an eye on the below registry key to help detect privesc by misuse of Kerberos Ticket Granting Tickets. Modification should be a rarity.
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v allowtgtsessionkey
Delete something by accident? Never looked into Shadow Copies? In addition to VSCMount, you can also interact with these using a command prompt. Just find the Shadow Copy Volume and symlink.
vssadmin list shadows
mklink /d shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
For tunneling, view connections listening on localhost which also have a connection to a remote address. In this example I have tunneled RDP connections. Our process is connected to a C2, and we can see via '::1' that we have an active RDP connection. Event logs give us the remote host from network address '::'.
What's the difference between running a link to a file, and running the file directly?
Explorer.exe has 5 more calls on the stack during process creation through a link (.lnk) file due to a temporary property being set.
May be useful to hunt for those malicious .lnk files.
If you're not across MSIX installers you need to be! The @Huntress SOC hunting operations are seeing this malicious sample which has been active for 2 weeks and has near 0 on VT.
Masquerading as Calendly, Bitwarden, Vmware, TradingView, Notion, and Asana.
MITRE ATT&CK™ T1088 - Bypass UAC
- Lots of methods documented
- Look for suspicious parent processes
This example uses a reg key to make EventViewer spawn a payload with elevated privileges. We can see this activity in Splunk.
I quite like process trees (as opposed to lists) which show parent child relationships. As such I forked a PowerShell module from @raboof and made some minor adjustments to add support for file hashes, signing certs, command line execution. May be useful.
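An added example, not the forked module itself, that builds the same kind of tree from scratch: processes from Win32_Process are linked by ParentProcessId, each node shows its command line, SHA256 and Authenticode signer, and the walk tolerates PID reuse (a parent PID that now belongs to a newer process) and orphans without looping. The indentation-as-tree output format is my choice.

```powershell
# Added example: a process tree with hash, signer and command line per node.
$script:BinaryInfoCache = @{}

function Get-BinaryInfo {
    param([string]$Path)
    if (-not $Path) { return @{ Hash = $null; Signature = $null } }
    if (-not $script:BinaryInfoCache.ContainsKey($Path)) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
        $script:BinaryInfoCache[$Path] = @{ Hash = $hash; Signature = "$($sig.Status): $($sig.SignerCertificate.Subject)" }
    }
    $script:BinaryInfoCache[$Path]
}

function Add-ProcessBranch {
    param($Proc, [hashtable]$Children, [int]$Depth, [System.Collections.Generic.List[object]]$Out, [hashtable]$Seen)
    if ($Seen.ContainsKey($Proc.ProcessId)) { return }   # guards against PID-reuse cycles
    $Seen[$Proc.ProcessId] = $true
    $info = Get-BinaryInfo -Path $Proc.ExecutablePath
    $Out.Add([pscustomobject]@{
        Tree        = ('  ' * $Depth) + $Proc.Name
        PID         = $Proc.ProcessId
        PPID        = $Proc.ParentProcessId
        CommandLine = $Proc.CommandLine
        SHA256      = $info.Hash
        Signature   = $info.Signature
    })
    foreach ($child in ($Children[$Proc.ProcessId] | Sort-Object ProcessId)) {
        Add-ProcessBranch -Proc $child -Children $Children -Depth ($Depth + 1) -Out $Out -Seen $Seen
    }
}

function Get-ProcessTree {
    $procs = Get-CimInstance Win32_Process
    $ids = @{}; foreach ($p in $procs) { $ids[$p.ProcessId] = $true }
    $children = @{}
    foreach ($p in $procs) {
        if (-not $children.ContainsKey($p.ParentProcessId)) { $children[$p.ParentProcessId] = @() }
        $children[$p.ParentProcessId] += $p
    }
    $out = New-Object System.Collections.Generic.List[object]
    $seen = @{}
    # Roots: parent is gone (PID reuse or exited) or the process is its own parent (System, Idle).
    $roots = $procs | Where-Object { -not $ids.ContainsKey($_.ParentProcessId) -or $_.ProcessId -eq $_.ParentProcessId }
    foreach ($r in ($roots | Sort-Object ProcessId)) { Add-ProcessBranch -Proc $r -Children $children -Depth 0 -Out $out -Seen $seen }
    # Anything still unvisited sits in a reuse cycle; emit it as a root so nothing is silently dropped.
    foreach ($p in $procs) { if (-not $seen.ContainsKey($p.ProcessId)) { Add-ProcessBranch -Proc $p -Children $children -Depth 0 -Out $out -Seen $seen } }
    $out
}

Get-ProcessTree | Format-Table Tree, PID, PPID, Signature, CommandLine -AutoSize
```

Exporting the result with Export-Csv keeps the Tree column's indentation, so a tree captured at triage time can be diffed against one taken later, which is where the hash and signer columns earn their keep: an identically named child under the same parent with a different hash is the thing a flat list would hide.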
Today I learned -
Based on the Outlook .msg file specs: you can rip an email apart using 7-Zip to get the attachment and email content in streams without using any other tools.
Demonstrated with one of many spam emails I find myself facepalming at 🤦♂️
For those looking at different #Security #Certifications, this is a nice way of presenting a lot of information by SinecureLife. Just don't forget the benefit of a home lab and hands-on experience...