Detection and Threat Hunting
Tales of Windows detection opportunities for an implant framework
Slides from a fifteen minute lightening talk on detection opportunities for implant framework behaviour on Windows.
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Max Groot Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to…
Top of the Pops: Three common ransomware entry techniques
by Michael Mathews Ransomware has been a concern for everyone over the past several years because of its impact to organisations with the added pressure of extortion and regulatory involvement. However, the question always arises as to how we prevent it. Prevention is better than cure and hindsight is a…
A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
“Customer Interaction Tracker” is one of the telemetry systems that exist within Windows, responsible for tracking interaction with the system and applications. We provide an overview and means to parse as a data source to aid forensic investigations.
Mining data from Cobalt Strike beacons
Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. Today, RIFT is making this extensive beacon dataset publicly available in combination with the open-source release of dissect.cobaltstrike, our Python library for…
Microsoft announces the WMIC command is being retired, Long Live PowerShell
Category: Detection and Threat Hunting What is WMIC? The Windows Management Instrumentation (WMI) Command-Line Utility (WMIC) is a command-line utility that allows users to perform WMI operations from a command prompt. WMI is an interface providing a variety of Windows management functions. Applications and WMI scripts can be deployed to…
Machine Learning for Static Analysis of Malware – Expansion of Research Scope
Introduction The work presented in this blog post is that of Ewan Alexander Miles (former UCL MSci student) and explores the expansion of scope for using machine learning models on PE (portable executable) header files to identify and classify malware. It is built on work previously presented by NCC Group,…
Detecting and Hunting for the PetitPotam NTLM Relay Attack
Overview During the week of July 19th, 2021, information security researchers published a proof of concept tool named “PetitPotam” that exploits a flaw in Microsoft Windows Active Directory Certificate Servers with an NTLM relay attack. The flaw allows an attacker to gain administrative privileges of an Active Directory Certificate Server…
Detecting and Hunting for the Malicious NetFilter Driver
Category: Detection and Threat Hunting Overview During the week of June 21st, 2021, information security researchers from G Data discovered that a driver for Microsoft Windows named “netfilter.sys” had a backdoor added by a 3rd party that Microsoft then signed as a part of the Microsoft OEM program. The malicious…