Managed Detection & Response

Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 

Max Groot Ruud van Luijk TL;DR A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to…

Detecting anomalous Vectored Exception Handlers on Windows

We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous

Detecting Karakurt – an extortion focused threat actor

NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt.  During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.

Log4Shell: Reconnaissance and post exploitation network detection

Note: This blogpost will be live-updated with new information. NCC Group’s RIFT is intending to publish PCAPs of different exploitation methods in the near future – last updated December 15th at 17:30 UTC tl;dr In the wake of the CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832 (a.k.a. Log4Shell) vulnerability publication, NCC Group’s RIFT immediately…

Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm

tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. This model utilizes the Half-Space-Trees algorithm and provides our security operations teams (SOC) with the opportunity to detect suspicious behavior, in real-time, even when network traffic is encrypted.  The prevalence of encrypted traffic As a…

Cracking RDP NLA Supplied Credentials for Threat Intelligence

In this post, we discuss our work in cracking the hashed passwords being sent over NLA connections to ascertain those supplied by threat actors.

Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments

NCC Group is offering a new fully Managed Detection and Response (MDR) service for our customers in Azure. This blog post gives a behind the scenes view of some of the automated processes involved in setting up new environments and managing custom analytics for each customer, including details about our…

Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes

tl:dr Incremental Learning is an extremely useful machine learning paradigm for deriving insight into cyber security datasets. This post provides a simple example involving JA3 hashes showing how some of the foundational algorithms that enable incremental learning techniques can be applied to novelty detection (the first time something has happened)…

Detecting Rclone – An Effective Tool for Exfiltration

NCC Group CIRT has responded to a large number of ransomware cases where frequently the open source tool Rclone being used for data exfiltration. We provide some techniques for detection.

Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads

We prototyped a Windows Installer Package Canary to help detect certain first stage trade craft. The ultimate goal being to alert for those threat actors targeting security products through uninstallation.

Deception Engineering: exploring the use of Windows Service Canaries against ransomware

We prototyped a Windows Service Canary to help detect and respond to certain pre-ransomware trade craft. The ultimate goal being to alert and minimize the impact of ransomware deployments.

RIFT: Analysing a Lazarus Shellcode Execution Method

NCC Group's Research and Intelligence Fusion Team analyze a recent shellcode execution method used by Lazarus Group

Abusing cloud services to fly under the radar

tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals.…

Building an RDP Credential Catcher for Threat Intelligence

We wanted to build a mechanism to capture all the passwords used (successful or not) against RDP to ascertain potential sources of credential theft and if they are organisation specific. This post provides the background on an approach and the steps to build such a system.

Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs

Liam Stevenson, Associate Director of Technical Services within NCC Group's Managed Detection & Response division, shows how to derive significant cost efficiencies in SIEM platform consumption with smart log ingestion utilizing pre-processing data pipelines and modern cloud services. Doing so significantly reduces data volumes to the SIEM without loosing the…

TA505: A Brief History Of Their Time

Threat Intel Analyst: Antonis Terefos (@Tera0017)Data Scientist: Anne Postma (@A_Postma) 1. Introduction TA505 is a sophisticated and innovative threat actor, with plenty of cybercrime experience, that engages in targeted attacks across multiple sectors and geographies for financial gain. Over time, TA505 evolved from a lesser partner to a mature, self-subsisting…

Tool – Windows Executable Memory Page Delta Reporter

One true constant (until someone schools me) is that threat actors need executable memory of some kind to operate from for their endpoint implant even if fleeting. Given this we've released an open source Microsoft Windows Service that aims to facilitate detection of anomalous executable memory

Extending a Thinkst Canary to become an interactive honeypot

In this post we explore how to use the extensible nature of Thinkst Canary to build a high interaction honeypot.

Machine learning from idea to reality: a PowerShell case study

Detecting both ‘offensive’ and obfuscated PowerShell scripts in Splunk using Windows Event Log 4104 This blog provides a ‘look behind the scenes’ at the RIFT Data Science team and describes the process of moving from the need or an idea for research towards models that can be used in practice.…

Experiments in Extending Thinkst Canary – Part 1

The Thinkst Canary is best described as a digital tripwire for physical and virtual environments. It sits there waiting for a threat actor to tip you off they are mooching around your environment. What is less appreciated however is it is extensible with custom user modules. This post is the…

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox), Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow’s threat…

In-depth analysis of the new Team9 malware family

Publicly discovered in late April 2020, the Team9 malware family (also known as ‘Bazar’) appears to be a new malware being developed by the group behind Trickbot. Even though the development of the malware appears to be recent, the developers have already developed two components with rich functionality. The purpose…

Practical Machine Learning for Random (Filename) Detection

There is much hyperbole around machine learning and artificial intelligence in Managed Detection & Response. We detail when to apply and what reasonable results can be achieved on a specific real-world problem.