FOR508

GitHub - AndrewRathbun/VanillaWindowsReference: A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use the...
·github.com·
GitHub - hasherezade/hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). - GitHub - hasherezade/hollows_hunter: ...
·github.com·
Some thoughts about Windows Userland Rootkits
Rootkits are tools and techniques used to hide malicious modules from system monitoring. Usually these techniques involve kernel modifications, but (especially on Windows systems) they also appear in the user-mode context, still able to hide their processes, injected modules, registry keys, files, windows, handles, etc. User-mode rootkits are not as stealthy as kernel-mode ones, but because they are simpler to implement they are far more widespread: that is why it is good to know how they work.

The Protection Rings

Protection rings are mechanisms to protect data and functionality from faults and malicious behaviour. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged to least privileged: on most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

[Figure: protection rings. Attribution: Hertzsprung at English Wikipedia]

Userland rootkits run on Ring 3, where user applications run. Since this is where every untrustworthy program runs, operating systems give this layer the least privilege, which makes detection much easier using techniques based on heuristics, signatures and anomaly detection. However, this does not mean that userland rootkits are simple to detect: the main goal of a rootkit is to hide itself and to retain the administrator privileges it needs to function. Rootkits do need elevated privileges, but they are not the tools that provide the attacker with administrator privileges: by the time a userland rootkit enters the system, the attacker has already breached the system, performed privilege escalation and finally installed the rootkit, which retains the elevated privilege.

IAT Hooking and Inline Hooking

Userland rootkits use hooking techniques in order to hide themselves, usually IAT hooking and inline hooking. The Import Address Table (IAT) is comprised of function pointers and is used to resolve the addresses of functions when DLLs are loaded. Applications are usually designed so that API calls do not use direct hardcoded addresses but rather go through a function pointer.

https://www.youtube.com/watch?v=-R0EKFzoEeg

IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, inline hooking modifies the API function itself: the general idea is to redirect a legitimate function to another, so that the malware can perform processing before and/or after the function does its own.

https://www.youtube.com/watch?v=9efJ8_ukxlY

The hooks are placed by directly modifying code within the target function, usually by overwriting the first few bytes with a jump: this allows execution to be redirected before the function does any processing.

Hooking Detection

The most used technique for hunting userland rootkits is (obviously) hooking detection: hooking is the main vehicle used by userland rootkits to hide their presence on a system, so it seems only natural that looking for system hooks could itself be used to identify the presence of a rootkit on a system.

https://www.youtube.com/watch?v=CWZ-dShnBFA

Many standard antimalware solutions already support this kind of protection; however, a specific tool that lets the analyst deep-dive into a process' hooks, like GMER or HookExplorer, can sometimes be useful.

References and further readings
Protection Ring
GMER Homepage
HookExplorer repository on GitHub
IAT-Hooking-Revisited
What are the methods to find hooked functions and APIs? - Information Security Stack Exchange
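As an added example (not code from the article or from GMER/HookExplorer), the two checks the article describes, an IAT pointer-range check and an inline-prologue comparison, written in Python over a constructed process snapshot. The module ranges, import pointers and prologue bytes are sample values; in practice the module map, IAT and on-disk bytes would be read from a live process or a memory image.

```python
import struct

# Constructed module map: name -> (base, size) of the clean on-disk image.
MODULES = {
    "kernel32.dll": (0x7FF800000000, 0x000B0000),
    "ntdll.dll":    (0x7FF800200000, 0x001F0000),
}

def module_for(addr):
    """Return the module whose range contains addr, or None if unbacked."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def check_iat(iat):
    """IAT check: each (dll, func) pointer should land inside its own DLL.
    Export forwarders (kernel32 -> kernelbase) legitimately cross modules,
    so a finding is a lead to review, not proof of a hook."""
    findings = []
    for (dll, func), ptr in iat.items():
        owner = module_for(ptr)
        if owner != dll:
            findings.append((f"{dll}!{func}", ptr, owner or "unbacked memory"))
    return findings

def check_inline(func_addr, disk_bytes, mem_bytes):
    """Inline check: compare the in-memory prologue with the on-disk copy.
    Returns None if identical, else (kind, jump_target_or_None)."""
    if mem_bytes[:len(disk_bytes)] == disk_bytes:
        return None
    if mem_bytes[0] == 0xE9:                        # JMP rel32: E9 <disp32>
        rel = struct.unpack_from("<i", mem_bytes, 1)[0]
        return ("jmp_rel32", func_addr + 5 + rel)   # target = next insn + disp
    if mem_bytes[:2] == b"\xFF\x25":                # JMP [rip+disp32]
        return ("jmp_indirect", None)
    return ("patched", None)                        # some other overwrite

# Constructed snapshot: a clean import, an import redirected to heap memory,
# and an NtQuerySystemInformation prologue overwritten with a JMP rel32.
SAMPLE_IAT = {
    ("kernel32.dll", "CreateFileW"): 0x7FF800012340,
    ("ntdll.dll", "NtQuerySystemInformation"): 0x1F0C0001000,
}
NTQSI_ADDR = 0x7FF800201000
NTQSI_DISK = b"\x4C\x8B\xD1\xB8"                    # mov r10,rcx ; mov eax,imm32
NTQSI_MEM = b"\xE9\x00\x10\x00\x00\x90"             # jmp +0x1000 ; nop

def scan():
    return {"iat": check_iat(SAMPLE_IAT),
            "inline": check_inline(NTQSI_ADDR, NTQSI_DISK, NTQSI_MEM)}
```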
·andreafortuna.org·
Ten process injection techniques: A technical survey of common and trending process injection techniques
Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. Process injection improves stealth, and some techniques also achieve persistence. Although there are numerous process injection techniques, in this blog I present ten techniques seen in the wild that run malware code on behalf of another process.
·elastic.co·
Windows DLL Injection Basics
By Brad Antoniewicz. DLL Injection is one of those things I've always sort of knew about but never actually implemented. Probably be...
·blog.opensecurityresearch.com·
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory [Hale Ligh, Michael, Case, Andrew, Levy, Jamie, Walters, AAron] on Amazon.com. FREE shipping on qualifying offers. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
·amazon.com·
Analyzing and detecting web shells
Of the various pieces of malware I've analyzed, I still find web shells to be the most fascinating. While this is not a new topic, I've been…
·tstillz.medium.com·
GitHub - csababarta/memory-baseliner: Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images
Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images - GitHub - csababarta/memory-baseliner: M...
·github.com·
Mission Guides and Documentation
F-Response is an easy to use, vendor neutral, patented software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. F-Response is not another analysis tool.
·f-response.com·
Introducing KAPE!
(From the manual, which is included, and you should read...) What is KAPE? Kroll Artifact Parser and Extractor (KAPE) is primarily a tri...
·binaryforay.blogspot.com·
wevtutil
Reference article for wevtutil, which lets you retrieve information about event logs and publishers.
·docs.microsoft.com·
Jessica Payne on Twitter
When reading reports about fantastically clever and innovative malware, it’s easy to lose sight of the fact a lot of it got installed by attackers with Domain Admin. Don’t forget that the last stage wizardry often is preceded by 90% of the attack you can detect and mitigate.— Jessica Payne (@jepayneMSFT) May 9, 2019
·twitter.com·
GitHub - BSI-Bund/RdpCacheStitcher: RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. - GitHub - BSI-Bund/RdpCacheStitcher: RdpCacheStitcher is a tool that supports f...
·github.com·