UVWATAUAVAWH – Meet The Pushy String | Hexacorn
Book 3
Cracking Assembly — Function Prolog and Epilog in x64
Microsoft Public Symbol Server - Windows drivers
Default Windows processes quick reference
Memory analysis with Volatility analyst reference
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware | Mandiant
GitHub - orlikoski/CyLR: CyLR - Live Response Collection Tool
CyLR - Live Response Collection Tool. Contribute to orlikoski/CyLR development by creating an account on GitHub.
Dissect
1768 K
According to Wikipedia, 1768 Kelvin is the melting point of the metal cobalt. This tool decodes and dumps the configuration of Cobalt Strike beacons. You can find a sample beacon here. 1768_v0_0_3.…
Use KAPE to collect data remotely and globally
If you have been following along with the amazing utility that KAPE is then you are aware that it is a game changer to the forensics c...
FS_FindEvil · ufrisk/MemProcFS Wiki
The Memory Process File System. Contribute to ufrisk/MemProcFS development by creating an account on GitHub.
How to Detect and Prevent impacket's Wmiexec | CrowdStrike
This blog deep dives into wmiexec usage seen from multiple incident response investigations, and describes indicators to help defenders detect wmiexec.
Memory forensics: a fun hands-on introduction
A walkthrough for a practical workshop whose aim is to introduce enthusiasts to the world of memory forensics.
GitHub - AndrewRathbun/VanillaWindowsReference: A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use the...
GitHub - hasherezade/hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). - GitHub - hasherezade/hollows_hunter: ...
Revealed: Stuxnet “beta’s” devious alternate attack on Iran nuke program
Version 0.5 shows cyberweapon development began two years earlier than thought.
Unit42 pulling back the curtains on encodedcommand powershell attacks
Operation Ghost: The Dukes aren’t back – they never left | WeLiveSecurity
ESET research shows how The Dukes, the APT group suspected of breaching the DNC, has been busy compromising government targets while staying under the radar for years.
Some thoughts about Windows Userland Rootkits
Rootkits are tools and techniques used to hide malicious modules from system monitoring. Usually these techniques involve kernel modifications, but (especially on Windows systems) they also appear in user-mode context, still able to hide their processes, injected modules, registry keys, files, windows, handles, etc. User-mode rootkits are not as stealthy as kernel-mode ones, but because they are simpler to implement they are much more widespread: that is why it is good to know how they work.

The Protection Rings
Protection rings are mechanisms to protect data and functionality from faults and malicious behaviour. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged to least privileged: on most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. (Attribution: Hertzsprung at English Wikipedia)

Userland rootkits run in Ring 3, where user applications run. Since this is where every untrustworthy program runs, operating systems give this layer the least privilege, which makes detection much easier using heuristic, signature and anomaly-detection techniques. However, this does not mean that userland rootkits are simple to detect: the main goal of a rootkit is to hide itself and to sustain the administrator privileges it needs in order to function. Rootkits do need elevated privileges, but they are not the tools that provide the attacker with administrator privileges: before a userland rootkit enters the system, the attacker has already breached the system, performed privilege escalation and finally installed the rootkit, which retains the elevated privilege.

IAT Hooking and Inline Hooking
Userland rootkits use hooking techniques in order to hide themselves, usually IAT hooking and inline hooking. The Import Address Table (IAT) is comprised of function pointers and is used to get the addresses of functions when DLLs are loaded. Applications are usually designed so that API calls do not use direct hardcoded addresses but rather work through a function pointer. https://www.youtube.com/watch?v=-R0EKFzoEeg

IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, inline hooking modifies the API function itself: the general idea is to redirect a legitimate function to another one, so that the malware can perform processing before and/or after the function does its own. https://www.youtube.com/watch?v=9efJ8_ukxlY The hooks are placed by directly modifying code within the target function, usually by overwriting its first few bytes with a jump: this allows execution to be redirected before the function does any processing.

Hooking Detection
The most used technique for hunting userland rootkits is (obviously) hooking detection: hooking is the main vehicle used by userland rootkits to hide their presence on a system, so it seems only natural that looking for system hooks could itself be used to identify the presence of a rootkit on a system. https://www.youtube.com/watch?v=CWZ-dShnBFA Many standard antimalware solutions already support this kind of protection; however, a specific tool that lets the analyst deep-dive into a process' hooks, such as GMER or HookExplorer, can sometimes be useful.

References and further readings
Protection Ring
GMER Homepage
HookExplorer repository on GitHub
IAT-Hooking-Revisited
What are the methods to find hooked functions and APIs? - Information Security Stack Exchange
Ten process injection techniques: A technical survey of common and trending process injection techniques
Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. Process injection improves stealth, and some techniques also achieve persistence. Although there are numerous process injection techniques, in this blog I present ten techniques seen in the wild that run malware code on behalf of another process.
GitHub - d30sa1/RootKits-List-Download: This is the list of all rootkits found so far on github and other sites.
This is the list of all rootkits found so far on GitHub and other sites. - GitHub - d30sa1/RootKits-List-Download
Windows DLL Injection Basics
By Brad Antoniewicz. DLL Injection is one of those things I've always sort of known about but never actually implemented. Probably be...
Introducing SuperMem: A Free Incident Response Tool | CrowdStrike
Learn why we created SuperMem, an open-source Windows memory processing script that helps investigators quickly process memory samples in their investigations.
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software [Sikorski, Michael, Honig, Andrew] on Amazon.com.
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory [Hale Ligh, Michael, Case, Andrew, Levy, Jamie, Walters, AAron] on Amazon.com.
Analyzing and detecting web shells
Of the various pieces of malware I’ve analyzed, I still find web shells to be the most fascinating. While this is not a new topic, I’ve been…
GitHub - csababarta/memory-baseliner: Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images
Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images - GitHub - csababarta/memory-baseliner: M...
Mission Guides and Documentation
F-Response is an easy to use, vendor neutral, patented software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. F-Response is not another analysis tool.
Introducing KAPE!
(From the manual, which is included, and you should read...) What is KAPE? Kroll Artifact Parser and Extractor (KAPE) is primarily a tri...
GitHub - EricZimmerman/KapeFiles: This repository serves as a place for community created Targets and Modules for use with KAPE.
This repository serves as a place for community created Targets and Modules for use with KAPE. - GitHub - EricZimmerman/KapeFiles: This repository serves as a place for community created Targets a...