We start this post where we left the first one, we are moving now into the analysis phase once we have parsed the memory dump with Volatility and the Vshot script included in Remnux. The current script version 4.01 is running 44 plugins against the memory dump. Let’s have a quick look at the plugins…
Category: APT
Memory Forensics with Vshot and Remnux (1)
This is a series of posts in which I am going to quickly explain some basic theory around memory forensics and how to hunt your attacker once he has been identified inside your network. I am also going to alleviate the burden of extracting information from your endpoint memory dump with the Vshot script which…
Paper: Wave your false flags! Deception tactics muddying attribution in targeted attacks
This is an 11 page white paper that goes through the current challenges faced by researchers to attribute cyber attacks. It goes through the current techniques such as, Timestamps Strings, debug and metadata Malware families, code reuse Threat infrastructure used It also present some of the most advance APT’s and their potential origin and techniques believed…
Hunting down Threat Infrastructure (2, with PassiveTotal)
It’s been a while since I wrote the first post on Threat infrastructure and I believe it will be beneficial for you to first go through it, if you have not done it yet. This will set the context to understand the issues we are trying to solve here. The first post explained how attackers…
Lateral Movement Artefacts
This is a very good and extensive list of lateral movement artefacts by Patrick Olsen. His blog in general is also very good to find DFIR resources. http://sysforensics.org/2014/01/lateral-movement/
The top 10 windows logs event’s used to catch hackers
Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of the windows event id’s for their detection. Another must read. The top 10 windows logs event id's used v1.0 from Michael Gough
Detecting Lateral Movement in APT’S by Japan CERT
I am not going to add much to this article, I know is not very original but you should go straight into the presentation. It is worth your time if you are looking to understand lateral movement, examples with windows event id’s and Kerberos KDC vulnerability. https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf
Intrusion Detection with Windows Event ID’s
This paper is the best I have ever read on how to build IOC’s with Windows Event ID’s. I highly recommend you to read it, it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance your detection in your core network this is the document! http://tinyurl.com/zpggnfq
The Project Sauron APT
Key takeaways, DNS keeps being an important protocol for exfiltration Process Injection, Memory Persistence, no file trace in disk Living of the land techniques to move laterally They thwarted the attribution process not using twice the same threat infrastructure https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf
Hunting down Threat Infrastructure (1)
In this two article series, I am going to explain how to spot anomalous activity in proxies and DNS queries coming out of your network. Additionally, I am also explaining how to recognize suspicious threat infrastructure, what elements you need to pay attention to, how this infrastructure behaves, what are the challenges for the defender and…
Security Monitoring and attack detection planning guide
Today, I had some time to read the “The security Monitoring and Attack Detection Planning Guide” by Microsoft. I have read different documents in the last couple of months aimed at security monitoring in the Microsoft endpoint however this document it is completely up to date and can help organizations to understand the requirements they…
Cyber Threat Hunting (2): Getting Ready
In my previous post I went through the basics of hunting and its benefits for the organization and for analysts. To continue the journey, today I am going to cover the preparations you need to do before you go out there and hunt. We are covering preparations and locations to hunt. As you need some…
