Tales of Windows detection opportunities for an implant framework

Slides from a fifteen minute lightening talk on detection opportunities for implant framework behaviour on Windows.

Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study

Max Groot & Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. As no … Continue reading Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study →

Top of the Pops: Three common ransomware entry techniques

by Michael Mathews Ransomware has been a concern for everyone over the past several years because of its impact to organisations with the added pressure of extortion and regulatory involvement. However, the question always arises as to how we prevent it. Prevention is better than cure and hindsight is a virtue. This blog post aims … Continue reading Top of the Pops: Three common ransomware entry techniques →

A brief look at Windows telemetry: CIT aka Customer Interaction Tracker

“Customer Interaction Tracker” is one of the telemetry systems that exist within Windows, responsible for tracking interaction with the system and applications. We provide an overview and means to parse as a data source to aid forensic investigations.

Mining data from Cobalt Strike beacons

Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. Today, RIFT is making this extensive beacon dataset publicly available in combination with the open-source release of dissect.cobaltstrike, our Python library for studying and parsing Cobalt Strike … Continue reading Mining data from Cobalt Strike beacons →

Microsoft announces the WMIC command is being retired, Long Live PowerShell

Category: Detection and Threat Hunting What is WMIC? The Windows Management Instrumentation (WMI) Command-Line Utility (WMIC) is a command-line utility that allows users to perform WMI operations from a command prompt. WMI is an interface providing a variety of Windows management functions. Applications and WMI scripts can be deployed to automate administrative tasks on remote … Continue reading Microsoft announces the WMIC command is being retired, Long Live PowerShell →

Machine Learning for Static Analysis of Malware – Expansion of Research Scope

Introduction The work presented in this blog post is that of Ewan Alexander Miles (former UCL MSci student) and explores the expansion of scope for using machine learning models on PE (portable executable) header files to identify and classify malware. It is built on work previously presented by NCC Group, in conjunction with UCL’S Centre … Continue reading Machine Learning for Static Analysis of Malware – Expansion of Research Scope →

Detecting and Hunting for the PetitPotam NTLM Relay Attack

Overview During the week of July 19th, 2021, information security researchers published a proof of concept tool named “PetitPotam” that exploits a flaw in Microsoft Windows Active Directory Certificate Servers with an NTLM relay attack. The flaw allows an attacker to gain administrative privileges of an Active Directory Certificate Server once on the network with … Continue reading Detecting and Hunting for the PetitPotam NTLM Relay Attack →

Detecting and Hunting for the Malicious NetFilter Driver

Category: Detection and Threat Hunting Overview During the week of June 21st, 2021, information security researchers from G Data discovered that a driver for Microsoft Windows named “netfilter.sys” had a backdoor added by a 3rd party that Microsoft then signed as a part of the Microsoft OEM program. The malicious file is installed on a … Continue reading Detecting and Hunting for the Malicious NetFilter Driver →