Forensic analysis of MITRE ATT&CK Techniques 4 - Credential Access

In the previous blog post, Forensic analysis of MITRE ATT&CK Techniques - PART 3, the third phase of the adversary's activity was explained. In that phase the adversary managed to ensure persistence on the system by creating a local account and placing a malicious shortcut in the Startup folder. Looking at the MITRE ATT&CK framework, the adversary's next goal is to use techniques that steal credentials such as account names and passwords.

October 08, 2024

Abusing MS Windows printing for C2 communication

Printing systems are an often overlooked target for attackers looking to establish command and control (C2) channels on a victim’s network. An attacker can abuse the operating system’s printing system to add and remove printers and create and manipulate printing jobs to achieve full C2 communication. We have developed a complete proof of concept of such a solution that we have successfully tested in real-world red teaming exercises. By understanding the approach taken in this specific abuse of printing systems, we can take steps to secure them and prevent them from being exploited by malicious actors.

May 03, 2024

ClearFake utilizes fake Chrome updates to deliver Amadey and RedLine stealers

The Diverto SOC team recently received ClearFake malware that was delivered through a drive-by download attack on Mreza Bug, one of Croatia's biggest IT websites. ClearFake is a new malware family similar to SocGholish and uses JavaScript injection to present users with fake MSIX Google Chrome updates. After a successful download, a user who starts the update procedure will eventually be infected with the Amadey and RedLine stealers. RedLine is downloaded and executed directly, whereas the Amadey infostealer is loaded by an IDAT loader that resembles the IDAT loader described by Rapid7, but with a few differences.

September 20, 2023

Introduction to hybrid SOC model

Let's think of a situation where your organization has too few people working in security, or they lack the skills to perform the advanced analyses usually assigned to Tier 2/3. For example, you have a couple of security analysts who are more than able to perform triage and perhaps handle less complicated incidents. That is where the hybrid SOC model comes in.

December 28, 2022

MacOS Two-machine Kernel Debugging

If you are a macOS security researcher, chances are that at some point you will have to perform kernel-level code debugging. While there are many great and helpful blog posts on the topic of macOS kernel debugging, the fact is that at this point they are slightly outdated and mostly focused on using virtual machines.

March 06, 2022

Purple Fox - a comparison of old and new techniques in the Exploitation phase

Purple Fox is malware categorized as a Trojan/Rootkit that was already described in 2019 by Trend Micro and in 2020 by Proofpoint. Both articles offer interesting insights into the attackers' techniques. This article describes the techniques used by the attackers in May 2020 and July 2020, with significant changes in the Exploitation phase of the Kill Chain (KC), this time using steganographic techniques on PNG files. The focus of this article is on the Exploitation phase. Other KC phases will not be described in detail, but they will be touched on briefly. At the end of the article there are tips on hunting techniques and IOCs specific to Purple Fox, which will hopefully be useful.

September 22, 2020

Bypassing browser limits in WebAssembly debugging

The current state of WebAssembly debugging and tracing imposes a limit in the browser on the number of lines disassembled during debugging in the developer tools, on both Firefox and Google Chrome based browsers. If a project is larger than the imposed limit, the browser only displays the disassembly up to that hardcoded limit. You will recognise the problem by the ";; .... text is truncated due to the size" message at the end of the disassembly, or you will simply hit the limit without any message at all. What is the cause, and is there any way to bypass it?

August 15, 2020

Extracting credentials from IoT devices via UART

Buying IoT devices that communicate wirelessly means they have to store credentials for the network they connect to. This could be a Zigbee network key, a wireless WPA key or the key for any other wireless protocol. As an example, we extracted the wireless credentials stored in a Broadlink RM Mini, which can easily be bought from many gadget web shops on the Internet. The credentials were extracted simply via standard UART access to the device.

June 30, 2020

Cracking LUKS/dm-crypt passphrases

Linux uses dm-crypt to provide transparent disk or partition encryption. What are the options if you need to recover a passphrase for such encryption? Ready-made tools already exist, but we have also produced and published our own in order to support the newer LUKS format, ciphers and hashing.

November 18, 2019

Extracting passwords from hiberfil.sys and memory dumps

When in password hunting mode with access to the filesystem of the target, most people would reach for the SAM and/or extract cached credentials. While this can usually be the way to go, it can pose a huge challenge, as the result depends on the strength of the password storage format and the strength of the password itself. Something often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text. When you have those, there is no need for cracking at all, and the result does not depend on password strength or length.

November 05, 2019