I’ve been on multiple IR cases so far and they always show me the same thing: people and process above security products. An organization has two EDRs installed on its machines, but still gets breached. Why? No one is responding to the Christmas tree of alerts 🥴 - Hire people, not products.
The reason I struggle with the term “Cybersecurity expert” is because the profession we’re in is so broad. For example, I don’t hear lawyers calling themselves law experts or something.
Great blog from CrowdStrike on leveraging Windows Defender AV’s MpLog file during DFIR. Before someone claims that they have bypassed Windows Defender, I always suggest they check the MpLog file. It contains lots of useful telemetry.
I've added new chapters to my GitHub repository, which cover Pushlocks, Spinlocks and Callbacks, and also added a new 'Debugging 101' chapter. All hands-on examples, including crash dumps, to show Winternals concepts through the lens of a debugger.
I wrote an article a few months ago about Kerberoasting with OpSec, and I came across someone's work who wrote a tool in C# to enumerate accounts with SPNs while remaining OpSec-aware, based on my blog post.
I came across a blog that covers awesome knowledge in Windows Internals and crash dumps. For those that are interested, I highly recommend checking out @MOV_EDX's blog.
Had a colleague who had never heard of 'Reliability Monitor' before, so I decided to tweet this just in case someone else hasn't heard of it either. It collects and displays information about various system events, errors, warnings, and application failures. Open CMD -> perfmon /rel
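Added example (mine, not from the tweet): Reliability Monitor is a view over the Win32_ReliabilityRecords WMI class, so the same data can be pulled programmatically for triage of a host instead of clicking through perfmon /rel. The function name, the day window and the source-name filter for crash/hang events are my choices; the class and its properties are the documented ones. The class is only populated once the RAC scheduled task has run, so a freshly built box may return nothing.

```powershell
# Added example: query the records behind Reliability Monitor (perfmon /rel) for the last N days.
# Win32_ReliabilityRecords is the documented WMI class; the filters below are this example's own.
function Get-ReliabilityTriage {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $records = Get-CimInstance -ClassName Win32_ReliabilityRecords |
               Where-Object { $_.TimeGenerated -ge $since }

    # Which sources were noisy in the window (updates, driver installs, crashes ...).
    $summary = $records | Group-Object SourceName | Sort-Object Count -Descending |
               Select-Object Count, Name

    # Application crashes/hangs are the first thing an IR analyst wants: a crashing
    # lsass.exe or w3wp.exe in the window is a lead worth pulling the dump for.
    $crashes = $records |
        Where-Object { $_.SourceName -in 'Application Error', 'Application Hang', 'Windows Error Reporting' } |
        Select-Object TimeGenerated, SourceName, EventIdentifier, ProductName,
                      @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }   # first line only

    [pscustomobject]@{ Summary = $summary; Crashes = $crashes }
}

$r = Get-ReliabilityTriage -Days 14
$r.Summary | Format-Table -AutoSize
$r.Crashes | Sort-Object TimeGenerated | Format-Table -AutoSize -Wrap
```

Wrap the function in Invoke-Command when you need it across many hosts; the records are per machine.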
Created a GitHub repo to share some debugging concepts that I believe are important to know for those that are interested in debugging and want to get started. Lots of practical examples, such as interpreting call stacks, deadlocks, Windows APIs, etc.
It's amazing to see that we have things such as Time Travel Debugger (TTD) that allows you to record the execution of a process. Highly recommend Security Researchers to take a look at this...
I was a bit bored, so I decided to work on a blog post this weekend. It covers how to Kerberoast accounts while trying to stay under the radar. I'll explain different OpSec failures as well.
When doing #DFIR and you have found that the threat actor was using AnyDesk, it's also a good idea to look for files such as 'ad.trace' and 'ad_svc.trace'. These trace files are associated with AnyDesk and provide relevant data such as connection events, which can be useful.
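Added example (mine, not from the tweet): a collector for the two trace files named above. It preserves each file (copy plus SHA256) before reading it, then pulls out lines that look like connection activity. The default paths (%ProgramData%\AnyDesk for the service trace, each user's AppData\Roaming\AnyDesk for the per-user trace) match an installed AnyDesk; a portable build keeps its trace next to the executable, so adjust the candidate list for that case. The keyword list is an assumption of mine, not an AnyDesk log specification: it is a first-pass filter, not a parser of the format.

```powershell
# Added example: preserve and grep AnyDesk trace files. Paths are the installed-build defaults;
# the keyword list is this example's assumption about what connection lines contain.
function Get-AnyDeskTraces {
    param(
        [string]$EvidenceDir = "$env:SystemDrive\IR\AnyDesk",
        [string[]]$Keywords  = @('connect', 'session', 'accept', 'client-id', 'relay')
    )
    # ad_svc.trace: service (system-wide) trace. ad.trace: per-user trace.
    $candidates  = @("$env:ProgramData\AnyDesk\ad_svc.trace")
    $candidates += Get-ChildItem 'C:\Users\*\AppData\Roaming\AnyDesk\ad.trace' -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty FullName

    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'   # case-insensitive by default
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

    foreach ($path in $candidates | Where-Object { Test-Path $_ }) {
        $file = Get-Item $path
        # Preserve first: hash, then copy under a hash-prefixed name so per-user copies don't collide.
        $hash = (Get-FileHash $file.FullName -Algorithm SHA256).Hash
        Copy-Item $file.FullName (Join-Path $EvidenceDir ("{0}_{1}" -f $hash.Substring(0, 8), $file.Name)) -Force

        Select-String -Path $file.FullName -Pattern $pattern | ForEach-Object {
            [pscustomobject]@{
                File       = $file.FullName
                SHA256     = $hash
                LastWrite  = $file.LastWriteTimeUtc
                LineNumber = $_.LineNumber
                Line       = $_.Line.Trim()
            }
        }
    }
}

Get-AnyDeskTraces | Export-Csv "$env:SystemDrive\IR\AnyDesk\anydesk_trace_hits.csv" -NoTypeInformation
```

Keep the full copies: once you know which remote IDs matter, you will want to read the surrounding lines in context rather than only the keyword hits.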
I don’t want to go into specifics, but man, Windows Defender AV telemetry is so useful, yet not leveraged to the fullest. Threat Hunters and SOC Analysts often believe it’s just the Microsoft-Windows-Defender/Operational log, but it’s not.
What really helped in my career was working as a System Administrator. I wish I had worked as a Software Engineer as well before making the transition to InfoSec, but having the System Admin knowledge has been super useful. I still leverage that knowledge to help customers!
Did a write-up about analyzing 'SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955' through a memory dump of the w3wp.exe process. I cover different debugging techniques that can be applied to other w3wp.exe dumps as well.
I worked over the weekend on a write-up on how to analyze ProxyShell in a memory dump. The write-up contains different .NET debugging techniques that are applicable to other Exchange CVEs as well, including two memory dumps of w3wp.exe - All WinDbg ofc ;-)
AD is not going away anytime soon. It surprises me sometimes that people don’t see it like this. Dude, you are syncing On-Premises identities to the Cloud, so make sure to secure AD, just like you do with AAD.
I've been working for two months now at Microsoft, and one of the things I can recommend to everyone is: please try to specialize in multiple fields. Do not only focus on one little thing. See things from a wider perspective. This will make you much more valuable.
If you haven't used the AzureADIR PowerShell module (yet), I highly recommend checking it out. It's not just for DFIR folks, but also for people who want to check how their Azure AD tenant is configured.
Ok, wow! - "This first post in the series was designed to inform you that SSO is possible, to domain resources, from an Azure AD joined device WITHOUT requiring Hybrid Azure AD Join."
I did two write-ups about ETW. The first one covers how to capture an ETW trace and includes a case study using the WinInet provider to analyze Cobalt Strike. The second one covers how EDRs use the DotNetRuntime ETW provider.
At one of my previous IR engagements, I saw that the threat actors were using a service account with DA to spread their ransomware via PsExec. The action got blocked on a few systems first because of Exploit Guard. A few hours later, they got ransomwared. 1/2
People really need to let this experience shit go. I've met 18-year-olds who can get the job done at a much higher level than someone with 10 years of experience. Just sharing my opinion that we should not treat the number of years as experience.
Unsolicited advice: Don't limit yourself to only one skillset. I see so many people focusing only on one skillset. Try to expand your scope and learn multiple skillsets. Whether it's Cloud, Red/Blue Teaming, RE, Development, System/Network Admin, etc.
I know it's nearly 2022, but even large organizations are still getting targeted via PTH. If you haven't applied mitigation measures to defend against PTH, it's time to do it now, since you're pretty late!
In this blog, we’ll show you how the Microsoft Detection and Response Team (DART) uses the Kusto Query Language (KQL) to quickly analyze data during incident response investigations.
Nothing to take away for people who study hard, but those SANS courses and certifications are overrated and overpriced imo. If you want to take it, make sure that your company pays for it.
The threat actors didn't even bother to bypass any AV at all. They just went in guns blazing and did their job. What I'm trying to say is: you need to have PEOPLE that can take action on this. Tools don't matter when there are no people. Yes, they had magic boxes in place (:
Correct, but more importantly: how would you figure this out by yourself? Well, let's start using TTD :)... Open CMD as an admin and type in: tttracer.exe whoami.exe
Caring about whoami? Despite common belief, it doesn't use GetUserNameEx() unless you specify /UPN or /FQDN param!
Whoami calls OpenProcessToken() to get process token, then GetTokenInformation() to get SID, and finally LookupAccountSid() to get username.
You have been warned ;)
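Added example (mine, not whoami's code and not from either tweet): the three-call chain described above, reproduced through P/Invoke so you can run it, then record it with tttracer.exe and confirm the same advapi32 calls show up in the trace. TOKEN_QUERY (0x0008) and the TokenUser information class (1) are the winnt.h values; the class name TokenApi and the function name are mine. The "size first, then fill" double call to GetTokenInformation is the standard pattern for variable-length token data, and TOKEN_USER starts with a SID_AND_ATTRIBUTES whose first field is the PSID, which is why a single ReadIntPtr gets the SID.

```powershell
# Added example: OpenProcessToken -> GetTokenInformation(TokenUser) -> LookupAccountSid,
# the chain whoami uses to print DOMAIN\user. Constants are from winnt.h.
$signatures = @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class TokenApi {
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupAccountSid(string system, IntPtr sid, StringBuilder name, ref int nameLen,
                                               StringBuilder domain, ref int domainLen, out int sidType);
}
'@
Add-Type -TypeDefinition $signatures

function Get-TokenUserLikeWhoami {
    $TOKEN_QUERY = 0x0008   # winnt.h
    $TokenUser   = 1        # TOKEN_INFORMATION_CLASS.TokenUser
    $token = [IntPtr]::Zero
    if (-not [TokenApi]::OpenProcessToken([TokenApi]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # First call with a null buffer only reports the size needed (ERROR_INSUFFICIENT_BUFFER).
        $needed = 0
        [void][TokenApi]::GetTokenInformation($token, $TokenUser, [IntPtr]::Zero, 0, [ref]$needed)
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($needed)
        try {
            if (-not [TokenApi]::GetTokenInformation($token, $TokenUser, $buf, $needed, [ref]$needed)) {
                throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            # TOKEN_USER = SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; } -> first field is the SID pointer.
            $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
            $sid    = [Security.Principal.SecurityIdentifier]::new($sidPtr)   # copies the SID for the S-1-5-... string

            $name = [Text.StringBuilder]::new(256); $domain = [Text.StringBuilder]::new(256)
            $nameLen = $name.Capacity; $domainLen = $domain.Capacity; $sidType = 0
            if (-not [TokenApi]::LookupAccountSid($null, $sidPtr, $name, [ref]$nameLen, $domain, [ref]$domainLen, [ref]$sidType)) {
                throw "LookupAccountSid failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            [pscustomobject]@{ Account = "$domain\$name"; SID = $sid.Value; SidType = $sidType }
        } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
    } finally { [void][TokenApi]::CloseHandle($token) }
}

Get-TokenUserLikeWhoami
```

Run it as a script under tttracer.exe (tttracer.exe powershell.exe -File .\whoami-chain.ps1) and search the trace for advapi32!LookupAccountSidW: no GetUserNameExW call appears, matching the quoted observation about whoami without /UPN or /FQDN.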
A few colleagues of mine are on an IR engagement and we can see Sysmon installed on servers… Even if you don’t forward those logs to a centralized SIEM, it would still be great to have Sysmon installed. It helps a lot during IR engagements.
For those that have dealt with Exchange On-Premises compromises where the TA dropped a webshell, but there's no logging whatsoever to find out what commands were run, and the webshell is also gone from disk... but what if it's still in the memory of the w3wp.exe process? :)
During engagements, I frequently use the Sysinternals tools to do initial triage of malware samples. This video is a classic, old one, but still very useful.
Lol, I was doing an AD Security Assessment with a colleague and we discovered Domain Users being granted SeLoadDriverPrivilege via the Default Domain Policy... 😦
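Added example (mine, not from the tweet): the check that would have surfaced the finding above across every GPO rather than just the Default Domain Policy. It pulls each GPO's XML report (GroupPolicy RSAT module) and lists who holds a set of privileges that are equivalent to SYSTEM or local admin, flagging broad groups. SeLoadDriverPrivilege is the one the tweet mentions; the other rights in the default list are my additions of the same kind (loading a driver, debugging, backup/restore and take-ownership all let a member step outside the normal ACL model). The local-name() XPath avoids the q1:/q2: namespace prefixes the report uses.

```powershell
# Added example: audit user-rights assignments in every GPO. Rights and "broad" group lists are
# this example's defaults; edit them to your environment. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-GpoUserRights {
    param(
        [string[]]$Rights = @('SeLoadDriverPrivilege', 'SeDebugPrivilege', 'SeTcbPrivilege',
                              'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'),
        # Principals that should never hold a privilege equivalent to local admin / SYSTEM.
        [string[]]$Broad  = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'Guests')
    )
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        foreach ($ura in $report.SelectNodes("//*[local-name()='UserRightsAssignment']")) {
            $right = $ura.SelectSingleNode("*[local-name()='Name']").InnerText
            if ($Rights -notcontains $right) { continue }
            foreach ($m in $ura.SelectNodes("*[local-name()='Member']")) {
                $nameNode = $m.SelectSingleNode("*[local-name()='Name']")
                $sidNode  = $m.SelectSingleNode("*[local-name()='SID']")   # absent when the SID did not resolve
                $member   = if ($nameNode) { $nameNode.InnerText } else { '<unresolved>' }
                [pscustomobject]@{
                    GPO       = $gpo.DisplayName
                    Right     = $right
                    Member    = $member
                    SID       = if ($sidNode) { $sidNode.InnerText } else { '' }
                    Dangerous = $Broad -contains (($member -split '\\')[-1])   # strip DOMAIN\ prefix
                }
            }
        }
    }
}

$all = Get-GpoUserRights
$all | Where-Object Dangerous | Format-Table GPO, Right, Member -AutoSize
$all | Export-Csv .\gpo_user_rights.csv -NoTypeInformation
```

A grant like the one in the tweet shows up as Dangerous = True on the Default Domain Policy row; the CSV keeps the full picture so you can also spot service accounts that quietly hold SeDebugPrivilege domain-wide.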
If you're an AD Admin and you have On-Premises Exchange servers in your environment, can you run the following command in PowerShell and see if you get any results?
Get-ADOrganizationalUnit -Filter 'Name -like "Microsoft Exchange Protected Groups"'
AD Admins: can someone run this LDAP query and see if he/she gets any results?
([adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))').FindAll()
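Added example (mine, not from the tweet): what the filter above actually asks. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, and 32 (0x20) is the PASSWD_NOTREQD bit of userAccountControl, so the query returns accounts that are allowed to have an empty password regardless of the domain password policy. The function below wraps the same query for any userAccountControl flag, decodes the full flag set of each hit and optionally drops disabled accounts. The enum values are the documented userAccountControl bits; the function and parameter names are mine.

```powershell
# Added example: generalises the tweet's adsisearcher query to any userAccountControl bit and
# decodes the result. 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND.
[Flags()] enum UAC {
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020     # the "32" in the tweet's filter
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000   # AS-REP roastable
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function Find-UacFlag {
    param([UAC]$Flag = [UAC]::PASSWD_NOTREQD, [switch]$EnabledOnly)

    $bit    = [int]$Flag
    $filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$bit)"
    if ($EnabledOnly) { $filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" }   # not ACCOUNTDISABLE
    $filter += ")"

    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000     # paged results, so large domains return everything
    $null = $searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'useraccountcontrol', 'distinguishedname', 'pwdlastset'))

    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            Enabled        = -not ($uac -band [int][UAC]::ACCOUNTDISABLE)
            Flags          = ([UAC]$uac).ToString()
            PwdLastSet     = [datetime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
            DN             = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# Same question as the tweet, restricted to enabled accounts:
Find-UacFlag -Flag PASSWD_NOTREQD -EnabledOnly | Format-Table SamAccountName, Flags, PwdLastSet -AutoSize
# The Kerberos-relevant cousins:
Find-UacFlag -Flag DONT_REQ_PREAUTH -EnabledOnly | Format-Table SamAccountName, DN -AutoSize
```

PASSWD_NOTREQD is usually left behind by provisioning scripts and by accounts created through some management tools; a PwdLastSet of 1601 on a hit means the account has never had a password set at all.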
Quick preview of my ETW write-up on the 'Microsoft-Windows-DotNETRuntime' provider. Here I'm showing how certain EDR vendors use this telemetry to build detections when .NET assemblies are reflectively loaded from byte arrays.
What I would love to see more of is blog posts about how someone implemented a hardening setting that reduced the attack surface of something. I wouldn't even be upset if someone blogged about how to set up LAPS properly. I just feel like these kinds of things are taken for granted.
I got multiple DMs from folks asking me if the DART track at Ignite was recorded. Yes, it was. This talk covers the tools we use, a story timeline of an attack, etc.
For those that decided to go with a third-party AV instead of sticking with Windows Defender: I'm very curious why. Would someone mind sharing his or her experience?
Folks that are using ADCS: please update all servers that run Active Directory Certificate Services and Windows domain controllers that service certificate-based authentication. For more information:
A great thing that I recommend folks in InfoSec do is to learn from different roles, whether it's IR, Red Teaming, SOC, Threat Hunting, etc. Being able to learn from different roles will help you gather different perspectives and come up with new ideas.
I don't like to promote my own site per se, but last week I was working on some Exchange stuff. If you're interested in things like the Exchange Split Permissions Model, Exchange webshells, and some useful artifacts in On-Prem Exchange, check out:
Ransomware incidents often follow a standard playbook that contains similar steps: AD recon with PowerShell - Cobalt Strike - SystemBC - common tools such as AdFind, Mimikatz, PsExec, etc. 1/2
Been on a few IR engagements that involved Qakbot. I've been using the 'Microsoft-Windows-VHDMP' ETW provider to hunt for Qakbot activity across a large number of systems. A %LOCALAPPDATA%\Temp folder that contains a ZIP starting with Temp1_* or some random .ISO file is a good indicator.
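Added example (mine, not from the tweet): a per-host hunt combining the two indicators above. The on-disk check walks every profile's AppData\Local\Temp for Temp1_* entries (what Explorer creates when a user opens a file straight out of a ZIP) and loose .ISO/.IMG files; the event check reads the Microsoft-Windows-VHDMP-Operational log, where the VHDMP provider records image mounts. The tweet does not give the event IDs or message layout, so the mount filter matches on the message text and the window of 30 days is my default; treat both as assumptions to tune on your own data. Run it through Invoke-Command to cover a fleet.

```powershell
# Added example: hunt ISO/ZIP lure indicators on one host. Paths, window and the message-text
# filter on the VHDMP log are this example's assumptions, not values from the tweet.
function Find-IsoLureIndicators {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # 1. On-disk: Temp1_* (ZIP opened in place) and stray disk images under each user's local Temp.
    $files = foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
        $temp = Join-Path $profile.FullName 'AppData\Local\Temp'
        if (-not (Test-Path $temp)) { continue }
        Get-ChildItem $temp -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since -and
                           ($_.Name -like 'Temp1_*' -or $_.Extension -in '.iso', '.img') } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    IsDir     = $_.PSIsContainer
                    LastWrite = $_.LastWriteTime
                    SHA256    = if ($_.PSIsContainer) { '' } else { (Get-FileHash $_.FullName -Algorithm SHA256).Hash }
                }
            }
    }

    # 2. Mount events from the VHDMP provider's operational log (a user double-clicking an ISO surfaces it here).
    $mounts = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-VHDMP-Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\.(iso|img)\b' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; Files = @($files); Mounts = @($mounts) }
}

$r = Find-IsoLureIndicators
$r.Files  | Format-Table Path, IsDir, LastWrite -AutoSize
$r.Mounts | Format-Table -AutoSize -Wrap
```

A hit in both lists for the same user within minutes (ISO written to Temp, then surfaced by VHDMP) is the sequence to pivot on; from there, look for the LNK or script inside the image and the process it spawned.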
When I was a sysadmin, I used to create a fake 'Domain Admin' group with the same description as the real Domain Admins group and added members to it. Some of the admins wanted to feel privileged, so I helped them out a bit. Fun times lol
My goal for 2022 is to deliver one free Windows Internals session. I just want to challenge myself to see if I can share meaningful content with people, and if I have the right skills to be an instructor.
Useful forensic artifacts for those that are into DFIR: 'C:\ProgramData\Microsoft\Windows Defender\Support' - And then files starting with MpLog and MpDetection.
Do companies still give their entire NTDS.DIT away to security firms to allow them to perform password cracking? I have a strong opinion on this, but I'm curious if companies still do this. I have seen this recently…
We're hiring, folks! We are looking for a Forensic Analyst with a strong, experienced security background to join our team delivering Incident Response investigations and point-in-time cybersecurity assessments.