Today, @ateixei and I are releasing the EDR Telemetry project. This project aims to compare and evaluate the telemetry of various EDR products.
✅Introductory blog post:
✅GitHub Repo:
✅Comparison Table:
I usually make short-form satirical videos for fun, but never share them with the world. This time tho, I thought I'd make one for the infosec community. Some might even find it educational 😅
If you're in #infosec and you feel a little down this week, this video is for you💙.
@CrowdStrike placed an ad in the Super Bowl.
We're not up to date with the current Threat Actor lore with them, but it appears as if one of the individuals in the commercial is the infamous Scattered Spider (the tall one with the curly blonde hair)
This is a pretty nice graphic explaining how Kerberos Auth takes place.
Useful to have as a reference when you have to explain and visualize attacks such as Pass The Ticket, Kerberoasting and AS-REP Roasting.
Credit: @0xNarek 🙏🙏
I updated the EDR telemetry project with corrected telemetry and new additions! See below the changes and upcoming EDRs:
✅ Corrected Trend Micro Telemetry
✅ Corrected ESET Telemetry
🌟 Added Qualys EDR
🎯New Additions Coming Up:
🔜 Sophos EDR
🔜 Cortex EDR
Vendors are
I created a #CyberChef recipe to ease the extraction of URLs from the Word documents (.doc & .docm) that download #Emotet. It is not completely foolproof, but it worked 99% of the time for me.
Regarding the xz backdoored binary, see the one-liner below to check the version you have installed.
**I wouldn’t suggest folks run the malicious binary with the -v option🫠🫣
# prints the embedded version string of every xz binary on PATH without executing it
for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" || echo "no version string found in $xz_p"; done
A quick note about xz-utils backdoor:
1 - luckily, this was caught early.
2 - most run xz-utils 5.2/5.4. 5.6 is bad.
3 - quick check: `xz -V`
4 - Thanks to people who paid attention
Last week, @TheDFIRReport received a MS-themed phishing email with an HTML attachment. The email made a significant effort to appear legitimate.
When we open the file, the code renders into what appears to be an HTML page mirroring the official MS account login page.
1/🧵
🚨Threat Actors are currently using PSMapexec. You should get familiar with it!
The screenshot below is from a VERY recent intrusion that started from a WS_FTP server exploitation. They used PSMapexec A LOT during this intrusion. Full details on a future report...
This is likely my last #CyberChef recipe of the year. I created it to de-obfuscate the VBS that is dropped by the new #dridex xls initial payloads with the option to extract the URLs straight away.
🎉Happy holidays 🎉
🚀Major Update: EDR Telemetry Project🚀
I updated the EDR Telemetry Project to make the table accessible for color vision deficiencies, map all sub-categories to Mitre ATT&CK and more. (Read below👇)
Many thanks to all who contributed to this major update! Here are some…
New post in the threat hunting series, this time focusing on threat emulation for #threat_hunting.
✅ Setting goals
✅ Steps of the threat emulation
✅ Finding unique indicators
✅ Building queries for threat hunting
✅ Eliminate False Positives
& more...
I started a #Threat_hunting series. In this first post, I cover the basics, including:
✅ What is threat hunting
✅ Demystifying common misconceptions
✅ What are some of the goals & metrics
✅ What are some basic attributes that make up a threat hunter
Fortinet did it again. Do they hire 2 year olds to code their software? I don’t get it… The gift that keeps on giving.
CVE-2024-21762
Workaround : disable SSL VPN 🤦♂️
As a defender, I read reports to stay up to date with recent threats reported by others in the industry. It also helps me generate ideas for future research, threat hunting, detection, or a deeper dive into TA's infra.
This is what I am looking for when I read them🧵
1/11
New post in the threat hunting series, this time comparing #threat_hunting to #detection_engineering.
‣ Detection Engineering VS Threat Hunting
✅Differences and similarities
✅Contributions to the security program
✅Multiple examples
& more...
#BruteRatel is difficult to detect without having access to WinAPI, NTAPI, and Syscalls, as everything is done in memory. This hurts our efforts to hunt across behaviors upon executing the BRC4 payload.
Although all hope is not lost, there are some good indicators in the wires🧵👇
I observed an interesting technique from the operators behind an #IcedID infection the other day. They opened a file explorer window using the cmd:
➡️explorer.exe shell:mycomputerfolder
They then captured a screenshot of the infected host. It looked like this👇
1/
🚨I'm starting a new initiative where I share DFIR-related artifacts along with a short blog for context. My goal is to help ppl, especially newcomers, learn from real attacks.
More info in the resources below:
Repo:
First blog:
Want to hunt for #QakBot C2 and you only have network telemetry and not a tool to detect malicious traffic? No worries, look for:
Connections to high ports with urls that end in “/t5”. This indicator has been stable for a long time.
➡️Regex - (http|https).*\:[0-9]{2,5}\/t5
The never-dying #Emotet is back, and aside from our report on it, I feel like there needs to be a further explanation of the ongoing efforts to stop it. Enjoy the video and our new report 🙃
The third post in the threat hunting series is out!
‣ The Threat Hunting Process
✅ The two threat hunting models
✅ Six step threat hunting process
✅ Examples that explain the process
✅ Diagrams & images for illustration
Feedback is welcome 🙂
🎯Detecting/Hunting PsMapExec Default Values (Two of the most commonly seen methods)
1️⃣SMB Method: Service Creation
- EIDs 7045(System) and 4697(Security)
- Service name regex: 'Service_[a-z]{16}'
- Service File name: PowerShell command execution
The PowerShell script that will…
Malicious OneNote files have been doing the rounds for more than a couple of weeks now, and it just occurred to me that I never shared my hunting rule.
Here is a sigma rule I created that could turn into a detection rule with very few or no FPs.
🔍Behind the Scenes: The Daily Grind of Threat Hunter
I turned a Twitter thread into a blog post on the topic of threat hunting.
This is a real-world example of how I approach threat hunting step-by-step 🕵️♂️
#ThreatHunting
👉 Blogpost here:
I created a @TheDFIRReport Assistant GPT that answers questions related to our reports. It will also tailor the responses based on the user’s expertise level!
Let me know if any issues or if you want to see anything specific and I’ll train it further 🙂
The recent EDR debates are silly.
EDRs have to satisfy thousands of customers with their rulesets and sometimes they might miss things from being too conservative with an event that comes close to normal sys admin activity.
EDRs are no end game. Make sure you find one that:
🌟Incredible first week for the EDR-Telemetry project! Blown away by the contributions & support!🙌
➡️Multiple EDR vendors in the pipeline (Cybereason,Trellix &more)
➡️Introducing Telemetry-Generation Tool (@nasbench 🙏) -
🧵⤵️
Fresh changes! What is happening at #Microsoft, did the beast wake up and bump security up the priority list for this month? 😅
ASR rule will be in "configured" state by default to block credential stealing from LSASS! 😲🥳
Before we further gather the data sources and telemetry for each EDR product, would people find something like this useful? (poll on thread below 👇)
**This is an example table with some of the most useful data sources. It's for demo purposes. They can be expanded later on.
I think it's time to get to the bottom of each EDR's telemetry. This is one way to push them to improve their products based on what security teams need!
Watch this space; this is happening...👇🔜
One of the takeaways from the #ContiLeaks is that TAs monitor all #infosec-related things. They then adapt and improve their ops accordingly.
We always thought this was the case, but now we have proof. Their chats are full of related mentions…
They watch us too...👀
I’m aiming to work on the EDR Telemetry project this weekend. Sorry to folks who’ve been waiting for updates on PRs etc.; it’s been a busy year already.
What’s coming 🔜:
➡️ Cortex EDR
➡️ Symantec SES
➡️ Sophos EDR
➡️HarfangLab EDR
New blog: Understanding Red to Be Better at Blue: Navigating New CrackMapExec Updates
✅Keeping up with the red team
✅Breaking down CME’s new key features
✅From code to behavioural hunting & detections
✅Illustrations with examples
The countless hours spent researching, digging through logs, analyzing malware and writing reports are all worth it when you see comments like this (screenshots👇). Thank you all!
We’re all keeping humble and planning for 2022 with more APTs and actionable reports 😊
Newly discovered #ProxyNotShell exploitation method that bypasses current mitigations.
POC is already leaked. Might cause some trouble this holiday season 😕
We keep developing the EDR Telemetry project to make it more accurate and add more features with the help of the community.
Project Page:
EDR Telemetry Table:
Some notable updates:
1⃣Introduced a new value (🎚️Via…
I created #TeleTracker, a repo to help researchers track Telegram-based C2 comms used by malware authors🚨
🔗 Check it out:
✨Features:
- Send messages to the channel 😈
- Delete all messages from the channel 🤭
- Collect info from bot channels and the…
I don’t even know where to start… Fireeye endpoint terminated using Process Explorer, Bing search looking for Mimikatz, the two month response time? Oh boy, so many things to unravel here 😂 Very nice thread and juicy info 👇
New documents for the Okta breach: I have obtained copies of the Mandiant report detailing the embarrassing Sitel/SYKES breach timeline and the methodology of the LAPSUS$ group. 1/N
Second post in the threat hunting series.
‣ What Makes a Good Threat Hunter
✅ What does a threat hunter do
✅ Core competencies of a threat hunter
✅ Can threat hunting be automated
✅ Plenty of resources to get you started
Hope this helps people 😊
This article is a great overview of what #ThreatHunting is and what it is NOT. It goes through a good example of a successful threat hunt and has lots of tips on what you'll need to be successful.
It's a must-read if you're interested in threat hunting👇
I love Sigma; it's amazing for sharing detection rules. However, I thought that it could also be used to share #ThreatHunting query logic.
I've created a section in my GitHub repo to start sharing TH-focused sigma rules. They may have a wider scope as opposed to DE rules...👇
Want to find the use of SharpHound/BloodHound in your environment? Look for file creation & deletion (via cmdline) that follows the below naming schema:
yyyyMMddhhmmss_<name>.zip
➡️ FileName regex - 202[0-9]{11}\_.*\.zip
➡️ File deletion regex - .*del\s+202[0-9]{11}\_.*\.zip.*
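Added example (my own code, not from the post above): the two regexes quoted there applied in Python to constructed file-creation and process-creation events, pairing each matching archive creation with a later command-line deletion of the same archive on the same host. The event tuple layout and the one-hour pairing window are assumptions.

```python
import re
from collections import defaultdict

# The two hunting regexes from the post (IGNORECASE added: Windows paths are case-insensitive).
ZIP_CREATE_RE = re.compile(r"202[0-9]{11}_.*\.zip", re.IGNORECASE)
ZIP_DELETE_RE = re.compile(r".*del\s+202[0-9]{11}_.*\.zip.*", re.IGNORECASE)
# Pulls the yyyyMMddhhmmss_<name>.zip file name out of a path or command line for pairing.
ZIP_NAME_RE = re.compile(r"(202[0-9]{11}_[^\\\s]+\.zip)", re.IGNORECASE)

# Constructed sample telemetry, not real events: (epoch seconds, host, event type, payload).
# file_create payload is the full path; proc_create payload is the command line.
SAMPLE_EVENTS = [
    (1000, "WS01", "file_create", r"C:\Users\bob\Downloads\20230512093015_BloodHound.zip"),
    (1300, "WS01", "proc_create", r"cmd.exe /c del 20230512093015_BloodHound.zip"),
    (2000, "WS02", "file_create", r"C:\Temp\20240101120000_report.zip"),  # never deleted
    (2100, "WS02", "proc_create", r"cmd.exe /c dir C:\Temp"),
    (3000, "WS03", "proc_create", r"cmd.exe /c del backup_2023.zip"),  # wrong naming schema
    (5000, "WS04", "file_create", r"C:\Temp\20230601080000_loot.zip"),
    (5000 + 7200, "WS04", "proc_create", r"cmd.exe /c del 20230601080000_loot.zip"),  # too late
]


def _zip_name(payload):
    """Lower-cased yyyyMMddhhmmss_<name>.zip file name found in payload, or None."""
    m = ZIP_NAME_RE.search(payload)
    return m.group(1).lower() if m else None


def hunt_sharphound_zips(events, window=3600):
    """Return create/delete pairs for yyyyMMddhhmmss_<name>.zip files on the same host
    where the command-line delete follows the creation within `window` seconds."""
    created = defaultdict(dict)  # host -> zip name -> creation time
    hits = []
    for ts, host, etype, payload in sorted(events, key=lambda e: e[0]):
        if etype == "file_create" and ZIP_CREATE_RE.search(payload):
            name = _zip_name(payload)
            if name:
                created[host][name] = ts
        elif etype == "proc_create" and ZIP_DELETE_RE.search(payload):
            name = _zip_name(payload)
            t0 = created[host].get(name) if name else None
            if t0 is not None and 0 <= ts - t0 <= window:
                hits.append({"host": host, "zip": name, "created": t0, "deleted": ts})
    return hits


if __name__ == "__main__":
    for hit in hunt_sharphound_zips(SAMPLE_EVENTS):
        print(hit)
```

Creations without a later delete (WS02) and deletes outside the window (WS04) are left out so the hunt surfaces the collect-then-clean-up pattern rather than every zip file.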
So funny how #BumbleBee is back and is using some fancy execution for the first stage, but then it's like, screw it, let's name the next stage payload 0.exe and have it beacon out every minute to the below sus .life domains(see at the bottom👇)...
TTPs observed:
1️⃣ Initial
Malware sometimes copies Windows binaries out of System32 (See recent #DarkGate copying curl.exe & renaming)
🎯You can hunt or detect this by using the below regex
➡️(copy|copy-item|cp)\s+c:\\windows\\system32\\[a-zA-Z0-9_\-]{1,50}\.exe\s+(c:\\.*\\)?[a-zA-Z0-9_\-]{1,50}\.exe
This is such a nice illustration explaining what threat hunting is from the @HuntressLabs team!
I've written blogs about threat hunting trying to describe what that is, and how to do it, but it all comes down to these simple explanations. Well done! 👏
This is a very interesting technique! I created two sigma rules to hunt/detect this activity. The registry rule might be more future-proof.
- Process Creation Sigma 🔗
- Registry Set Rule Sigma🔗
- MS documentation here 🔗…
🚨Our DFIR labs are here! Investigate real intrusions by sifting through an abundance of logs. Follow along with our public reports or challenge yourself with our private intrusion cases!
You can use these labs to improve your skills in:
✅Detection Engineering
✅Threat Hunting
🎉 Announcing DFIR Labs! 🎉
Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help.
1/2
Well, the clip was unexpectedly well received. So happy that this made people's day. I think the message is clear: people want more of this, and people should get more of this 😄
Thanks to everyone for the nice words! Y'all have a great sense of humour! Until the next one...
IcedID using OneNote payloads is on🔥this week. Here is a peek at what comes after the initial access based on these campaigns…
➡️Beacon loaded using PSH
💡Screenshot 1
➡️RDP via Cobalt Strike reverse proxy
💡Found & exfiled files
➡Attempted Invoke-Nightmare
💡Screenshot 2
Many security teams scrutinize inbound connections, but they tend to overlook traffic leaving the network. Here are a couple of things I consider when #Threat_hunting for ExMatter or similar tools: 🧵👇
1⃣Create your baseline:
It is difficult to find anomalous activity if...
🔺 New sample of #ExMatter (.NET/Confuser/64-bit) exfiltration tool commonly associated with #BlackCat, the binary connects to IP 64.227.80.81 AS14061 DIGITALOCEAN-ASN (as usual :D) port 22.
PDB: "Z:\vm1\sync\sync\sync\bin\Debug\Confused\sync_enc.pdb"
+ They added the
🎯Some additional info on #DarkGate initial infection:
1️⃣ LNK Execution
- Initial entry point via LNK file
2️⃣ Download Phase
- Uses a renamed Curl to fetch AutoIT.exe & .au3 script and then executes the .au3 script.
🌐 From: 5.188.87.58:2351
🤖 User-agent: curl
I am not one to chase after certs, especially at this point in my career, especially when there are so many cheap or free resources to learn from nowadays.
Having said that, these are the TOP 3 certs I found most valuable:
🥇OSCP
🥈CCNA
🥉Comptia Sec+
What's yours?
Ever wondered how threat actors build and test their malware⁉️ What are some of their struggles with modern AV while testing⁉️
📸Here are some screenshots that peek behind the curtain and answer some of these burning questions 😂
Context - Threat actor infected themselves with…
I don't care what the haters say; I managed to create some good detections and hunts for the activity reported by @BlackBerrySpark. See the Sigma detection rule below. This is just one of many:
New blog post based on a recent intrusion I observed with #Ursnif as the initial infection!
Topics include:
✅ Detection opportunities
✅ TAs clipboard data
✅ Post-exploitation
and more!
The artifacts for this case:
The blog:
To all researchers out there, this is how NOT to disclose a vulnerability 🧵
I’m talking about #CVE_2022_29072. The author wanted it all, fame and money (selling for a fee as per discussion with the dev).
SOAPHound is already advertised on some notorious TG channels. 🔔This technique is currently not detected by most EDR vendors!🚨
Huge thanks to @falconforceteam for uncovering this method and for providing us with detailed ways of detecting the technique. I created two SIGMA
SOAPHound is out for walkies!
SOAPHound is a #BloodHound collector to enumerate AD over SOAP instead of LDAP directly.
Proud of Nikos for all his hard work!
Blog:
Tool repo:
Detections:
1/x
For the past couple of weeks, #IcedID has been hitting hard, with post-exploitation activities beginning within ~1 hour from the initial infection.
Here are some TTPs and IOCs from these post-exploitation activities that will keep defenders ready.
🧵👇
Related to the 3CX supply chain compromise, here is some preliminary information:
➡️Downloading the MSI installer from the official website serves you with the malicious, weaponized version of the application
💡If you have the application installed,
I can't stress enough how important LDAP signing is, and hopefully, this tool will push many orgs to implement it.
🛡 Detection 🛡 :
I've put together a Sigma rule to detect suspicious activity attributed to the use of this tool.
With every report, we aim to provide many details to help defenders detect & hunt for the techniques that TAs use. We try to highlight the TTPs and not just the tool.
Let's take a look at our latest report and break down some of these opportunities:🧵👇
A major reason threat hunters feel pressure to perform is due to poor metrics imposed by management. From my experience, this often leads to a loss of motivation and drains one's creativity.
Focusing on the right metrics can set proper expectations. I'm working on a write-up
Threat hunting & detection engineering are wonderful & can be really rewarding. Don’t lose motivation if you’re not always finding bad!
Identifying visibility gaps, creating or tuning detection logic, & working to close these gaps are great TH goals (& can be just as fun!)
Second report on #CobaltStrike is out after months of research, emulation and detailed writing.
Focusing on network traffic, the aim was to help ppl understand these attacks and give them some FREE tools to battle against some of the most evasive techniques.
Hope you like it!
Cobalt Strike, a Defender's Guide - Part 2
➡️In this report we talk about domain fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/S, RITA & more.
Big shout-out to @Kostastsale for helping put this together!
Very interesting responses from folks. The common sentiment was that this is at least sus and needs further investigation. A lot of folks also went straight to describing it as malicious.
🎯Here is some more info and the steps I took to investigate this:
1️⃣Retrieving
Calling all whoami experts, do you think the below command is part of a malicious execution? Non-whoami experts are welcome to vote too btw 😅
"cmd.exe" /d /c "C:\Users\<user>\AppData\Roaming\cmk.exe /d /c whoami"
➡️Context:
- cmk.exe is a renamed cmd.exe binary
A ton of #IcedID recently. I wanted to share a few "easy" wins and investigation tips for it. 🧵
➡️Execution/Discovery
I shared this in the past, but it's worth sharing again. Looking for commands like net, nltest, systeminfo, ipconfig within seconds of each other should be a🚩
@Ledtech3
@DanielGallagher
1) Threats go undetected when you don’t know where to look
2) Threats can blend into the environment and you won’t see them if you haven’t established a baseline of what’s normal
3) You gotta turn on the lights first to stand a chance of finding the threats (logs)...
So many...😀
Here are some initial TTPs from a #GuLoader infection I observed:
1⃣Downloads .bin encrypted payload(2nd stage) from google drive 👀
🚨hxxps[://]drive[.]google[.]com/uc?export=download&id=165dR-jkeWwH1QAK3MesE3SkyuL9notjN
2⃣Attempts to move the malware under C:\Program Files…
I added a new sigma rule for detecting LAPS credential dumping. The detection is based on EIDs 4662 and 4624.
Thanks to @mega_spl0it, who wrote a great article on that topic.
Here we go again... Another vulnerability that will keep us busy for quite some time.
I put together a #sigma rule that yields great results in detecting the execution via msdt that is spawned by office apps.
➡️ Office app
➡️➡️ msdt.exe - cmdline...
This report on Cobalt Strike should serve as a guide to help defenders protect their networks. We have gathered all techniques & relevant detections in one writeup with some additional information to help our community.
This is only a start with many more to come.
#CobaltStrike
This is just so useful! When I see this cheat sheet, I wonder how many of these attacks I can:
🦄 Emulate to test current defences
🎯 Create threat hunts from the generated telemetry
🔍 Create detections
🔂 Repeat
Threat actors have started leveraging a new RMM platform called Action1. This RMM has useful features. Let's take a look at what these are and how they use them🧵:
👀Console visibility:
➡️Missing Updates view
➡️Apps installed
➡️Detail info about the OS & Hardware of the host
Cmd obfuscation is not easy to combat. However, we can look at the parent-child process relationship.
In this case, the process tree should raise some flags…
🚨Explorer.exe -> PowerShell.exe -> Mshta.exe
🎯If you don’t have detection for that, you can create a hunt for it.
1/ Zip file contains the LNK.
LNK uses PowerShell to execute mshta.exe.
It executes the hta from the URL present inside the LNK file.
💡Using this \W*\\\2\\\msh*e instead of mentioning mshta.exe, to evade detection
The responses from this poll show how much people want a telemetry comparison like this one.
@ateixei and I got to work and are close to releasing version 1 of this project.
The project will be available on GitHub. Below is what people should expect at this early stage of the…
Looking for suspicious execution of binaries or scripts via "Alternate Data Streams"? I use the below regex against the command line to search for this activity in process execution events:
▪️REGEX
➡️\.[a-z]{2,5}:[a-z0-9\-_]{1,8}\.[a-z]{1,5}(\s+|$)
#Threat_Hunting
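Added example (my own code, not from either post): the ADS regex above and the System32-copy regex from the #DarkGate post earlier, run in Python over constructed process-creation command lines. It also shows one caveat a hunter should know: a closing quote right after the stream name defeats the (\s+|$) anchor in the ADS regex unless quotes are stripped first. IGNORECASE and the sample lines are assumptions.

```python
import re

# The two command-line hunting regexes quoted in the posts; IGNORECASE is my addition,
# because Windows paths and cmd built-ins are case-insensitive.
ADS_RE = re.compile(r"\.[a-z]{2,5}:[a-z0-9\-_]{1,8}\.[a-z]{1,5}(\s+|$)", re.IGNORECASE)
SYS32_COPY_RE = re.compile(
    r"(copy|copy-item|cp)\s+c:\\windows\\system32\\[a-zA-Z0-9_\-]{1,50}\.exe\s+"
    r"(c:\\.*\\)?[a-zA-Z0-9_\-]{1,50}\.exe",
    re.IGNORECASE,
)

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"wscript.exe C:\Users\bob\Downloads\invoice.txt:payload.vbs",
    r'mshta.exe "C:\Users\Public\readme.txt:update.hta"',  # quoted ADS path
    r"cmd.exe /c copy c:\windows\system32\curl.exe c:\users\public\au3.exe",
    r"powershell.exe Copy-Item C:\Windows\System32\curl.exe C:\ProgramData\update.exe",
    r"chrome.exe --url=https://example.com:8443/path",  # host:port, not a stream
    r"cmd.exe /c copy c:\windows\system32\drivers\etc\hosts c:\temp\hosts",  # not an .exe
]


def normalize(cmdline):
    """Drop quotes and collapse whitespace. A closing quote right after the stream name
    would otherwise stop the ADS regex's (\\s+|$) anchor from matching."""
    return " ".join(cmdline.replace('"', " ").split())


def classify(cmdline):
    """Return the hunting tags that fire on one command line (empty list if none)."""
    text = normalize(cmdline)
    tags = []
    if ADS_RE.search(text):
        tags.append("ads_exec")
    if SYS32_COPY_RE.search(text):
        tags.append("sys32_copy")
    return tags


def hunt_cmdlines(cmdlines):
    """Map each command line that fires at least one tag to its tags."""
    return {c: classify(c) for c in cmdlines if classify(c)}


if __name__ == "__main__":
    for cmd, tags in hunt_cmdlines(SAMPLE_CMDLINES).items():
        print(tags, cmd)
```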
I have created the first #Sigma #ThreatHunting focused rule. It has a different approach to DE rules with an added hypothesis field.
I explain the approach to the hunt in detail so everyone can use or modify it.
Execution of scripts inside archives:
🎯 New blog post out - "Threat Hunting Metrics: The Good, The Bad and The Ugly"
Metrics that...
✅ You should be using(& examples)
✅ You should avoid
❌ Can kill your team's spirit
Special thanks to @onfvp for assisting with the review of this post!🙏
🔔Yearly reminder‼️
Gartner receives part of their funding from participating vendors. Apart from that corrupted approach, Gartner is not transparent about their research methodology, they would never show their data to back up any of their claims, and they have perceived biases
Quick, everyone do this for python in Excel to be prepared:
reg add HKCU\software\policies\microsoft\office\16.0\excel\security /v PythonFunctionWarnings /t REG_DWORD /d 0 /f
😈
As a blue teamer, I just love reading red team blogs like this one. Getting detection ideas and picking up new methods.
This particular one, has proposed detections at the end 💙 🙏
This is one of the reasons I like reading and listening to @7MinSec 🔥