FOR508
GitHub - SigmaHQ/sigma: Generic Signature Format for SIEM Systems
Generic Signature Format for SIEM Systems. Contribute to SigmaHQ/sigma development by creating an account on GitHub.
GitHub - orlikoski/Skadi: Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux
Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux - GitHub - orlikoski/Skadi: Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux
GitHub - ctxis/CAPE: Malware Configuration And Payload Extraction
Malware Configuration And Payload Extraction. Contribute to ctxis/CAPE development by creating an account on GitHub.
GitHub - AndrewRathbun/VanillaWindowsReference: A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to create your own known good hash sets!
A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use the...
GitHub - hasherezade/hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). - GitHub - hasherezade/hollows_hunter: ...
Revealed: Stuxnet “beta’s” devious alternate attack on Iran nuke program
Version 0.5 shows cyberweapon development began two years earlier than thought.
Unit42 pulling back the curtains on encodedcommand powershell attacks
Operation Ghost: The Dukes aren’t back – they never left | WeLiveSecurity
ESET research shows how The Dukes, the APT group suspected of breaching the DNC, has been busy compromising government targets while staying under the radar for years.
Some thoughts about Windows Userland Rootkits
Rootkits are tools and techniques used to hide malicious modules from system monitoring. Usually these techniques involve kernel modifications, but (especially on Windows systems) they also appear in user-mode context, still able to hide their processes, injected modules, registry keys, files, windows, handles, etc. User-mode rootkits are not as stealthy as kernel-mode ones, but because they are simpler to implement they are much more widespread: that is why it is good to know how they work.

The Protection Rings

Protection rings are mechanisms to protect data and functionality from faults and malicious behaviour. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged to least privileged: on most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

[Figure: protection rings diagram. Attribution: Hertzsprung at English Wikipedia]

Userland rootkits run on Ring 3, where user applications run; since this is where every untrustworthy program runs, operating systems give this layer the least privilege, which makes detection much easier using techniques based on heuristics, signatures and anomaly detection. However, this does not mean that userland rootkits are simple to detect: the main goal of a rootkit is hiding itself and retaining the administrator privileges it needs to function. Rootkits do need elevated privileges, but they are not the tools that give the attacker administrator privileges: before a userland rootkit enters the system, the attacker has already breached the system, performed privilege escalation and finally installed the rootkit, which retains the elevated privilege.
IAT Hooking and Inline Hooking

Userland rootkits use hooking techniques in order to hide themselves, usually IAT hooking and inline hooking. The Import Address Table (IAT) is comprised of function pointers and is used to get the addresses of functions when the DLLs are loaded. Applications are usually designed so that API calls do not use direct hardcoded addresses but rather go through a function pointer.

https://www.youtube.com/watch?v=-R0EKFzoEeg

IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, inline hooking modifies the API function itself: the general idea is to redirect a legitimate function to another, so that the malware can perform processing before and/or after the function does its own.

https://www.youtube.com/watch?v=9efJ8_ukxlY

The hooks are placed by directly modifying code within the target function, usually by overwriting the first few bytes with a jump: this redirects execution before the function does any processing.

Hooking Detection

The most used technique for hunting userland rootkits is (obviously) hooking detection: hooking is the main vehicle used by userland rootkits to hide their presence on a system, so it seems only natural that looking for system hooks could itself be used to identify the presence of a rootkit on a system.

https://www.youtube.com/watch?v=CWZ-dShnBFA

A lot of standard antimalware solutions already support this kind of protection; however, sometimes a specific tool that lets the analyst deep-dive into a process' hooks, like GMER or HookExplorer, can be useful.

References and further readings
Protection Ring
GMER Homepage
HookExplorer repository on GitHub
IAT-Hooking-Revisited
What are the methods to find hooked functions and APIs? - Information Security Stack Exchange
Ten process injection techniques: A technical survey of common and trending process injection techniques
Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. Process injection improves stealth, and some techniques also achieve persistence. Although there are numerous process injection techniques, in this blog I present ten techniques seen in the wild that run malware code on behalf of another process.
GitHub - d30sa1/RootKits-List-Download: This is the list of all rootkits found so far on github and other sites.
This is the list of all rootkits found so far on github and other sites. - GitHub - d30sa1/RootKits-List-Download: This is the list of all rootkits found so far on github and other sites.
Windows DLL Injection Basics
By Brad Antoniewicz. DLL Injection is one of those things I've always sort of knew about but never actually implemented. Probably be...
Introducing SuperMem: A Free Incident Response Tool | CrowdStrike
Learn why we created SuperMem, an open-source Windows memory processing script that helps investigators quickly process memory samples in their investigations.
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software [Sikorski, Michael, Honig, Andrew] on Amazon.com. FREE shipping on qualifying offers. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory [Hale Ligh, Michael, Case, Andrew, Levy, Jamie, Walters, AAron] on Amazon.com. FREE shipping on qualifying offers. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Analyzing and detecting web shells
Of the various pieces of malware I've analyzed, I still find web shells to be the most fascinating. While this is not a new topic, I've been…
GitHub - csababarta/memory-baseliner: Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images
Memory Baseliner is a script that can compare two windows memory images or perform frequency of occurrence / data stacking analysis on multiple such images - GitHub - csababarta/memory-baseliner: M...
Mission Guides and Documentation
F-Response is an easy to use, vendor neutral, patented software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tool(s) of choice. F-Response is not another analysis tool.
Introducing KAPE!
(From the manual, which is included, and you should read...) What is KAPE? Kroll Artifact Parser and Extractor (KAPE) is primarily a tri...
GitHub - EricZimmerman/KapeFiles: This repository serves as a place for community created Targets and Modules for use with KAPE.
This repository serves as a place for community created Targets and Modules for use with KAPE. - GitHub - EricZimmerman/KapeFiles: This repository serves as a place for community created Targets a...
Welcome :: Velociraptor - Digging deeper!
Velociraptor Training :: Velociraptor - Digging deeper!
GitHub - TheBinitGhimire/Web-Shells: Some of the best web shells that you might need!
Some of the best web shells that you might need! Contribute to TheBinitGhimire/Web-Shells development by creating an account on GitHub.
Tech Tuesday Workshop Cobalt Strike Detection via Log Analysis | SANS Institute
Tech Tuesday Workshop Cobalt Strike Detection via Log Analysis
wevtutil
Reference article for wevtutil, which lets you retrieve information about event logs and publishers.
Windows Security Log Encyclopedia
Jessica Payne on Twitter
When reading reports about fantastically clever and innovative malware, it’s easy to lose sight of the fact a lot of it got installed by attackers with Domain Admin. Don’t forget that the last stage wizardry often is preceded by 90% of the attack you can detect and mitigate. — Jessica Payne (@jepayneMSFT) May 9, 2019
GitHub - SwiftOnSecurity/sysmon-config: Sysmon configuration file template with default high-quality event tracing
Sysmon configuration file template with default high-quality event tracing - GitHub - SwiftOnSecurity/sysmon-config: Sysmon configuration file template with default high-quality event tracing
GitHub - BSI-Bund/RdpCacheStitcher: RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. - GitHub - BSI-Bund/RdpCacheStitcher: RdpCacheStitcher is a tool that supports f...