In the previous blog Forensic analysis of MITRE ATT&CK Techniques - PART 3 the third phase of the adversary was explained. In that phase an adversary managed to ensure persistence on the system, creating the local account and placed a malicious shortcut in the Startup Folder. Looking at the MITRE ATT&CK framework, the next goal of an adversary is to use techniques to steal credentials like account names and passwords
Social engineering attacks, especially phishing attacks, have come a long way from simple Nigerian prince mails although, this tried and widespread tactic still rakes a lot of money using the most basic of all human drives, greed.
Printing systems are an often overlooked target for attackers looking to establish command and control (C2) channels on a victim’s network. An attacker can abuse the operating system’s printing system to add and remove printers and create and manipulate printing jobs to achieve full C2 communication. We have developed a complete proof of concept of such a solution that we have successfully tested in real-world red teaming exercises. By understanding the approach taken in this specific abuse of printing systems, we can take steps to secure them and prevent them from being exploited by malicious actors.
In the previous blog Forensic analysis of MITRE ATT&CK Techniques - PART 2 the second phase of the adversary was explained. In that phase the adversary managed to run a malicious file on the system using PowerShell and Windows Task Scheduler to execute malicious code. Looking at the MITRE ATT&CK framework, the next goal of the adversary is to ensure persistence on the system.
Diverto SOC team recently received ClearFake malware that was delivered through a drive-by download attack on Mreza Bug, which is one of Croatia’s biggest IT websites. ClearFake is a new malware similar to SocGholish and uses JavaScript injection to present users with fake MSIX Google Chrome updates. After a successful download, the user who starts the update procedure will eventually be infected by Amadey and RedLine stealers. RedLine is directly downloaded and executed, but Amadey infostealer is actually loaded by IDAT loader, which resembles IDAT loader described by Rapid7, but with few differences.
In the previous blog Forensic analysis of MITRE ATT&CK Techniques - PART 1 the first phase of the adversary was explained. In that phase the adversary achieved his goal by obtaining and abusing the credentials of existing local account to gain initial access to the system. Looking at the MITRE ATT&CK framework, the next goal of the adversary is to run malicious code on the system.
Let’s think of a situation where your organization have too few people who work in security or they lack skills to perform advanced analyses usually assigned to Tier 2/3. For example, you have a couple of security analysts who are more than able to perform triage and maybe handle less complicated incidents. Now that’s when hybrid SOC model comes in.
Cyber-attacks have become every day and forensic analysis plays an important role in the investigation of cyber incidents. When a security incident occurs, it is important to perform a forensic analysis to obtain details about the incident.
If you are a macOS security researcher, chances are that at some point you’ll have to perform kernel-level code debugging. While there are many great and helpful blog posts on topic of macOS kernel debugging, the fact is that at this point they are slightly outdated and mostly focused on using virtual machines.
Purple Fox is a malware categorized as a Trojan/Rootkit that has already been described in 2019 by Trend Micro and in 2020 by Proofpoint. Both articles bring interesting insights about attacker's techniques. This article describes techniques used by attackers in May 2020 and July 2020 with significant changes in the Exploitation phase of the Kill Chain (KC), this time using steganographic techniques on PNG files. The focus of this article is in the Exploitation phase. Other KC phases will not be described in detail, but they will be touched briefly. At the end of the article there are tips on hunting techniques and IOC’s specific to Purple Fox, which will hopefully be useful.
Current state of WebAssembly debugging and tracing sets limits in browser on number of lines disassembled during debugging in development tools on both Firefox and Google Chrome based browsers. In case there is larger project than the limit imposed, browser only display disassembly up to the hardcoded limit. If you hit the problem you will identify it by having ;; .... text is truncated due to the size message on the end of the disassembly or just hit the limit without any message. What is the cause and is there any way to bypass it?
Buying IoT devices which communicates wirelessly means it have to store credentials to network it is connecting to. It could be Zigbee network key, wireless WPA key or any other wireless protocol .As an example, we have extracted wireless credentials stored in Broadlink RM Mini which can be easily bought from many gadget web shops on the Internet. Such credentials were extracted simply via standard and simple UART access to the device.
Linux uses dm-crypt in order to provide transparent disk or partition encryption. What are the options in case you need to recover passphrase from such encryption? There are already ready-made tools, but we have also produced and published our own in order to support newer LUKS format/ciphers/hashing.
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials. While this can usually be the way to go, it can pose a huge challenge, as the result can depend on the strength of the storage format of the password and the strength of the password itself. Something often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text. When you have those, there’s no need for cracking at all and it doesn’t depend on password strength/size.