With this post we are getting near the end of this series on memory analysis with Vshot and Remnux. In this post we cover some of the plugins used to detect the most targeted and stealthy attacks you can find out there today. More often than in previous years, I am coming across more…
Category: APT
Network Threat Hunting Books
Here are the best books I have ever read on network threat hunting and security monitoring. At the time I read them, these books helped me get back on my feet after a long time without firing up Wireshark and looking at a nice packet capture. I recommend them as they…
Memory Forensics with Vshot and Remnux (rogue process identification, 2)
We start this post where we left the first one: we now move into the analysis phase, having parsed the memory dump with Volatility and the Vshot script included in Remnux. The current script version, 4.01, runs 44 plugins against the memory dump. Let’s have a quick look at the plugins…
Memory Forensics with Vshot and Remnux (1)
This is a series of posts in which I quickly explain some basic theory of memory forensics and how to hunt your attacker once they have been identified inside your network. I also want to ease the burden of extracting information from your endpoint memory dump with the Vshot script, which…
Paper: Wave your false flags! Deception tactics muddying attribution in targeted attacks
This is an 11-page white paper that goes through the current challenges researchers face when attributing cyber attacks. It covers the current techniques, such as: timestamps; strings, debug information and metadata; malware families and code reuse; and the threat infrastructure used. It also presents some of the most advanced APTs and their potential origin and the techniques believed…
Hunting down Threat Infrastructure (2, with PassiveTotal)
It’s been a while since I wrote the first post on threat infrastructure, and I believe it will be beneficial to go through it first if you have not already done so. It sets the context for understanding the issues we are trying to solve here. The first post explained how attackers…
Lateral Movement Artefacts
This is a very good and extensive list of lateral movement artefacts by Patrick Olsen. His blog in general is also a very good place to find DFIR resources. http://sysforensics.org/2014/01/lateral-movement/
The top 10 Windows log event IDs used to catch hackers
A very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of Windows event IDs for detecting them. Another must-read: “The top 10 windows logs event id's used v1.0” by Michael Gough.
Detecting Lateral Movement in APTs by Japan CERT
I am not going to add much to this one; I know it is not very original, but you should go straight to the presentation. It is worth your time if you want to understand lateral movement, with examples based on Windows event IDs and the Kerberos KDC vulnerability. https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf
Intrusion Detection with Windows Event IDs
This paper is the best I have ever read on how to build IOCs from Windows event IDs. I highly recommend reading it: it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance detection in your core network, this is the document! http://tinyurl.com/zpggnfq
The Project Sauron APT
Key takeaways:
- DNS keeps being an important protocol for exfiltration.
- Process injection and in-memory persistence, with no file trace on disk.
- Living-off-the-land techniques to move laterally.
- They thwarted the attribution process by never using the same threat infrastructure twice.
Paper: The-ProjectSauron-APT_research_KL.pdf
Hunting down Threat Infrastructure (1)
In this two-article series, I explain how to spot anomalous activity in the proxy and DNS queries leaving your network. I also explain how to recognise suspicious threat infrastructure, which elements you need to pay attention to, how this infrastructure behaves, what the challenges are for the defender and…
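The DNS-exfiltration takeaway from the Project Sauron write-up and the DNS-query hunting theme of this series can be illustrated with a small scorer. The following is an added example, not code from any of the posts or from the Kaspersky paper: it runs a few well-known heuristics (leftmost-label length, label entropy, record type, number of distinct names seen under one registered domain) over a constructed DNS query log. The log format (client, query type, name), the thresholds and the naive "last two labels" notion of registered domain are all assumptions made for the example; a real hunt would use the public suffix list and tune the thresholds against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample log, one query per line: <client> <qtype> <qname>.
# Not taken from any real capture. The long hex labels under
# exfil-test.invalid stand in for chunked data leaving over TXT lookups.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4d5a90000300000004000000ffff0000b8.exfil-test.invalid
10.0.0.7 TXT 5468697320697320746865206c6173742063.exfil-test.invalid
10.0.0.7 TXT 0e1fba0e00b409cd21b8014ccd21546869.exfil-test.invalid
10.0.0.7 TXT 732070726f6772616d2063616e6e6f7420.exfil-test.invalid
10.0.0.9 A cdn.example.com
"""

# Assumed thresholds; tune against your own traffic baseline.
LONG_LABEL = 30          # leftmost label length considered suspicious
HIGH_ENTROPY = 3.0       # bits per character; hex/base32 payloads sit well above plain words
MANY_NAMES = 4           # distinct names under one registered domain in the window
SUSPICIOUS_QTYPES = {"TXT", "NULL"}  # record types commonly abused for tunnelling


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Naive registered domain: the last two labels. Real code should use the PSL."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the assumed '<client> <qtype> <qname>' format; skips malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, name = parts
        records.append((client, qtype.upper(), name.lower()))
    return records


def score_query(name, qtype, distinct_names):
    """Return the list of heuristics that fire for one query."""
    reasons = []
    leftmost = name.rstrip(".").split(".")[0]
    if len(leftmost) >= LONG_LABEL:
        reasons.append("long_label")
    if shannon_entropy(leftmost) >= HIGH_ENTROPY:
        reasons.append("high_entropy")
    if qtype in SUSPICIOUS_QTYPES:
        reasons.append("qtype_" + qtype.lower())
    if distinct_names >= MANY_NAMES:
        reasons.append("many_unique_names")
    return reasons


def hunt(text, min_reasons=2):
    """Group queries by (client, registered domain) and keep those where at least
    min_reasons heuristics fired for some query; returns {(client, domain): [reasons]}."""
    records = parse_log(text)
    names_per_domain = defaultdict(set)
    for _, _, name in records:
        names_per_domain[registered_domain(name)].add(name)
    findings = defaultdict(set)
    for client, qtype, name in records:
        dom = registered_domain(name)
        reasons = score_query(name, qtype, len(names_per_domain[dom]))
        if len(reasons) >= min_reasons:
            findings[(client, dom)].update(reasons)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (client, dom), reasons in hunt(SAMPLE_LOG).items():
        print(f"{client} -> {dom}: {', '.join(reasons)}")
```

Requiring two independent heuristics before flagging a client keeps ordinary long CDN hostnames (long but single, and usually A/AAAA) out of the list, while chunked data pushed through TXT lookups trips the length, record-type and distinct-name checks at once. The entropy check on hex-encoded text is weak on its own, since hex of ASCII rarely exceeds about 3.3 bits per character, which is why it is only one vote.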