Introduction to hybrid SOC model

Let’s think of a situation where your organization has too few people working in security, or they lack the skills to perform the advanced analyses usually assigned to Tier 2/3. For example, you have a couple of security analysts who are more than able to perform triage and maybe handle less complicated incidents. That’s when the hybrid SOC model comes in.

December 28, 2022

macOS Two-machine Kernel Debugging

If you are a macOS security researcher, chances are that at some point you’ll have to perform kernel-level code debugging. While there are many great and helpful blog posts on the topic of macOS kernel debugging, the fact is that at this point they are slightly outdated and mostly focused on using virtual machines.

March 06, 2022

Purple Fox - a comparison of old and new techniques in the Exploitation phase

Purple Fox is malware categorized as a Trojan/Rootkit that was already described in 2019 by Trend Micro and in 2020 by Proofpoint. Both articles bring interesting insights into the attackers' techniques. This article describes techniques used by the attackers in May 2020 and July 2020, with significant changes in the Exploitation phase of the Kill Chain (KC), this time using steganographic techniques on PNG files. The focus of this article is on the Exploitation phase. Other KC phases will not be described in detail, but they will be touched on briefly. At the end of the article there are tips on hunting techniques and IOCs specific to Purple Fox, which will hopefully be useful.

September 22, 2020

Bypassing browser limits in WebAssembly debugging

The current state of WebAssembly debugging and tracing imposes a browser-side limit on the number of lines disassembled during debugging in the developer tools of both Firefox and Google Chrome-based browsers. If a project is larger than the imposed limit, the browser only displays the disassembly up to that hardcoded limit. You can recognize the problem by the ";; .... text is truncated due to the size" message at the end of the disassembly, or you may simply hit the limit without any message at all. What is the cause, and is there any way to bypass it?

August 15, 2020

Extracting credentials from IoT devices via UART

Buying IoT devices that communicate wirelessly means they have to store credentials for the network they connect to. This could be a Zigbee network key, a wireless WPA key, or the key of any other wireless protocol. As an example, we have extracted the wireless credentials stored in a Broadlink RM Mini, which can be easily bought from many gadget web shops on the Internet. The credentials were extracted simply via standard UART access to the device.

June 30, 2020

Cracking LUKS/dm-crypt passphrases

Linux uses dm-crypt to provide transparent disk or partition encryption. What are the options if you need to recover the passphrase for such encryption? There are already ready-made tools, but we have also produced and published our own in order to support the newer LUKS format, ciphers and hashing.

November 18, 2019

Extracting passwords from hiberfil.sys and memory dumps

When in password hunting mode with access to the target's filesystem, most people would reach for the SAM and/or extract cached credentials. While this can usually be the way to go, it can pose a huge challenge, as the result depends on the strength of the password storage format and the strength of the password itself. Something often overlooked is hiberfil.sys and/or virtual machine snapshots or memory dumps, as they usually contain passwords in plain text. When you have those, there’s no need for cracking at all, and the result doesn’t depend on password strength or length.

November 05, 2019