The average system administrator uses remote administration tools to enable them to tend to systems across their network. There are a variety of these tools available and one of them is Teamviewer. During an incident, there are several logs and artifacts of interest that are vital. Each log provides some
Parsing Bitvise Logs for Analysis
The use of the Secure Shell Protocol (SSH) in a network can provide significant capabilities. It specifically enables a person to connect to a system via an encrypted shell, authenticate, and interact with a system. For this to happen, however, systems acting as clients need to have an SSH client,
Retrieving Files You’ve Uploaded to Microsoft Teams
The use of Cloud infrastructure has substantially grown over the years. As people become more comfortable with the technology, it will certainly continue to grow. With that comfort comes an overabundance of, and reliance on, the platforms in the Cloud. While this could be great for users and organizations,
SRUM DB… Enhancing Forensics!
A common task within Incident Response and Digital Forensics (DFIR) is to identify any evidence of execution of something. That evidence helps to paint a story as to what took place on the machine and possibly highlight other pertinent things that may be unknown. Most commonly, this evidence can be
Reducing SMBv3 Vulnerability Attack Surface
This week has been very interesting with Microsoft unintentionally disclosing a remote code execution vulnerability in SMB v3. This particularly affects the data compression feature within the 1903 and 1909 versions of Windows 10 and Server 2019. This left defenders everywhere in a frantic state while malicious actors worked overtime
Validating the Presence of an Item across multiple computers
All too often an interesting item is discovered on a system and everyone wants to know if the item exists on any other system. This could be a daunting task but this can be accomplished using PowerShell. With the location and name of the file in hand, the following can
Parsing IIS Logs
The Windows variant of a web server is called Internet Information Services (IIS). The feature comes as part of Windows Server builds but isn’t enabled by default. If you manage an IIS server, logs write to c:\inetpub\logs by default and, without a tool or capability, aren’t necessarily the easiest to read. With
Reducing the Attack Surface for BlueKeep
It’s been a few months since the BlueKeep vulnerability was brought to light. This discovery shouldn’t be taken lightly as it allows a malicious user to gain unauthenticated access and the ability to perform remote code execution on Windows systems. The documentation on the vulnerability depicts that the following operating
Invoke-Fail2Ban
Anyone who has a system that is accessible on the Internet has likely had their fair share of brute force attempts. Utilizing something like Fail2ban is great because it blocks those types of attacks, providing some level of security. The downfall of Fail2ban is that it was developed for *nix
Finding Services Tied to Processes
When looking at a process list, you will undoubtedly see a number of svchost processes. The overall number of them really depends on the system and what services are running. Each svchost has at least one service running within it. If you are seeking a better understanding of which service
Fileless Malware Storage: Group Policy Objects- 4 of 4
Up to this point, we’ve discussed using the Registry, Active Directory, and Event Logs for storing stagers in Windows. In our last installment of this series, we will discuss the use of Group Policy Objects to achieve the same goal. Group Policy is designed to be a hierarchical infrastructure to
Fileless Malware Storage: Event Logs– 3 of 4
Up to this point, we’ve touched on using Active Directory and the Registry to store code for later use. To add on to the topic, we can also use Event Logs. The effectiveness of this technique is based on the environment in which one looks to use it. I say
Fileless Malware Storage: Active Directory– 2 of 4
In my last post, I spoke on the use of the Registry to store malicious code to call upon at a later time. In this post, I’ll discuss using Active Directory to store code. Essentially, Active Directory is a hierarchical structure that stores information about objects on the network, particularly
Fileless Malware Storage: Registry – 1 of 4
Malware delivery methods have changed over the years and in some cases, repeated themselves. Within the last couple of years, fileless malware has become prevalent and more widely seen. How this malware is stored on disk varies. Frankly speaking, anywhere that can store data, be it hex or ASCII, serves
Don’t Forget about Domain Trusts
I recently was talking to an organization about their security posture and mostly everything I recommended to them, they had already implemented, and then some. The audits I conducted for them seconded what they were saying. I must say, I was thoroughly impressed. There was, however, one gray area that
Hidden Gems in McAfee ePO Audit Logs
There is no shortage of organizations these days running McAfee’s ePolicy Orchestrator in an effort to combat maliciousness. Much like any endpoint security platform, it has its strengths and weaknesses. One of the great features of the application is that it contains an audit log containing authentication information to include
Finding Reflective DLL Injections
DLL injections that originate from a malicious DLL written to disk are commonly detected by any decent AV product. Detecting reflective DLL injection, however, is not as straightforward. Malware injected directly into a process using reflective DLL injection typically will not exist on disk. A co-worker of mine developed
Hunting Self-signed Certificates
Self-signed certificates could be indicative of malicious behavior on a system and being able to identify them is a key task in responding to an incident. Having self-signed certificates in an environment isn’t always a bad thing but not being able to identify them and their purpose is! Nonetheless, taking
Hashes of All Running Processes
A great starting point for anyone analyzing a system is the running processes. Taking the time to not only retrieve the command line execution of the process but also the parent process will enable you to find outliers. Taking it a step further, retrieving the hashes of the binary of
PowerShell Cheat Sheet
I recall when I started out in PowerShell coming from Python. Some aspects of the language I was able to pick up on rather quickly while other aspects took some time. I found myself writing down notes until I was able to remember them on my own. Reminiscing on that
Find Malicious Versions of CCleaner
In light of the recent discovery about the malicious versions of CCleaner and the millions affected, it felt like a great time to write some PowerShell scripts that enable a person to identify if the malicious versions of CCleaner are on a system and if so, provides a method to
Determining WinRM connections to a Machine
PSRemoting is an awesome feature in Microsoft Windows that serves as an SSH-like function. In Server 2012 and newer, it is enabled by default. You will, however, need to enable the feature on any client system you’d want to use it on. Some organizations feel having the service enabled throughout
Base64 with PowerShell
All too often I find myself on a Windows system and need to either encode or decode base64. Rather than using an online service, installing a program, or going to a *nix based system, I took to PowerShell. In PowerShell, we can use .NET to accomplish this. Encoding: $Text2Encode =
Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)
Are you responding to an incident? Are you trying to hash particular portions of the disk for comparison with known good hashes? Are you questioning whether or not to trust the binaries on the possibly compromised system disk in order to get said hashes? Well have no fear, Microsoft
Get Registry Hives and Keys Remotely
Talking with a buddy of mine, the conversation about retrieving Registry Hives and Keys remotely came up. He initially was looking for something he could use and eventually sided with an open-source program on the web. I, myself, tested said program as well and it for the most part did
Finding Passwords in Text Files with PowerShell
Using PowerShell, we can look in text files for strings that fit the criteria for passwords and return the potential password, file path, and line number. The criteria being searched use regular expressions and look for at least four characters but no more than 15 with at least
Mass Import of McAfee Firewall Domains to block
As of late, I’ve been experimenting more and more with the McAfee HIPS Firewall with the McAfee ePO. So far, I think it is decent. It is at least stateful, so that’s a plus. The firewall has a feature to block domains and using the GUI, you can only add
Sinkhole Domains Using DNS with the help of PowerShell
Thanks to Jason Fossen, there was no need to create a PowerShell script to input domains to sink. He had already created one called Sinkhole-DNS.ps1 (located here). One of the options in the script is to read in a file with domains listed. I like to frequent www.malwaredomains.com for my
Blocking DNS Tunneling at the Host
There was a time when, at an alarming rate, malware would use some unique port that wasn’t used by other services. The port was usually some ephemeral port. These days, though, malware is seen more and more using ports commonly open outbound on a
BlueSpectrum, an IOC framework written in PowerShell
The code can be found on my github at https://github.com/wiredpulse/BlueSpectrum. It was written to work with version 2 and newer. The idea behind this is to use what is available rather than always relying on a plethora of tools.
Under The Wire!
Under The Wire, the PowerShell gaming server, is now web based and can be accessed at www.underthewire.tech. On there, you will find directions to access our servers using your own instance of PowerShell. To date, we have two games that are live with another in production.
Parsing Registry files with RegRipper
The registry of a system contains a lot of good data that can be used for forensic analysis. Parsing that data from dead box forensics (bit image) using RegRipper (rip.pl) will provide you with a lot of useful information. RegRipper is an automated HIVE parser that can parse the forensic contents
No Need to Unzip, Just Use Zcat or Zgrep
There will be times when you may encounter a zipped file and want to quickly parse it without having to unzip it. When the time comes, zcat and zgrep will be your savior. The usage of both is very straightforward, but there are man pages for both for further reading.
Analyzing Various Memory Capture Formats
In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference. FTK Imager – outputs to .mem – can be analyzed in Volatility (vol.py -f --profile=). VMware (.vmem) – .vmem and .vmsm
Application Whitelisting with Applocker
If you are a part of defending an infrastructure, then you know defense-in-depth is the name of the game. The more detection systems that can be employed to detect anomalies or malicious actions, the better chance you stand to have a safe network. One of many ways to aid in
Network Grep for the Folks Who Love to Grep!
Network grep (ngrep) is a great program that allows you to search and filter network packets rather quickly. There is some resemblance to the well-known Linux grep program. Ngrep can analyze live traffic or saved pcaps. The man pages for ngrep are rather straightforward. Ngrep currently recognizes IPv4/6, TCP,
Extracting Data with Bulk Extractor
When it comes to forensics, styles and methodologies may vary from person to person (or organization). Some methods take longer than others and results may vary. One tool/technique that I lean on time and time again is Bulk Extractor. Bulk Extractor is a program that enables you to
Analyzing Memory in the Wonderful World of Redline
Redline is one of a few memory capture/analyzer programs that I keep in my toolkit. The software only needs to be installed on the system on which you will analyze the data, and from there you configure the options you want to include
Installing/Managing Linux Packages in an Offline Environment
A few good cheat sheets for installing/managing packages in an offline environment.
Another Layer of Defense… Microsoft Baseline Security Analyzer (MBSA)
Once installed, you can use the program via the GUI or command line. If utilizing the GUI, it is very straightforward as there are only three options available (scan a computer, scan multiple computers, and view existing security reports). At the conclusion of a scan, a report will be produced
Linux Secure Copy (SCP)
SCP is a must for quick transfer of files in native environments. In order to interact with a Windows machine, an SSH server is needed on the system, but you may be able to get around that by specifying a different port. Below are a few examples of how it
Search Exchange 2010 Mailboxes
NOTE: The user you run the script with must have the “Discovery Management” RBAC Role. This script will search all mailboxes for email with attachments named “document1” and “document2” regardless of the file extension. The script will then copy the email message to the “admin.mailbox” mailbox in a folder called
Under the Wire v2
I just posted v2 of Under the Wire, which contains an additional 5 levels to Century. V2 can be found at the link on the right-hand side of the screen or here. This release will be the last one containing Century and the next variation that the team and I
Traffic Generators
These tools will generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it. • Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write
Unzip a file that is zipped many times
This script is used for unzipping zipped files inside of a zipped file. The zipped files are password protected. I developed this because it seems like in every capture-the-flag I do, there is a scenario where this could be used. This Bash script can be found in my script
PowerShell Web Server for Raw Text Transmission
This script will create a temporary web server on the local system and will listen on the host IP and specified port. You will then be able to post some raw data that will be accessible on the network. When running the script you will be asked what port to
PowerShell Web Server for File Transmission
This script will deploy a temporary web server on the local system and will listen on the port of your choice. Once it is listening, you will be able to transfer .txt and .html files from the directory from which the script is run (not where it is located). The web server
PowerShell Network Connection Monitor Script
This script displays the current TCP/IP connections for a local or remote system, including the PID, process name, port, and its current running state (listening, established, etc.). If the port is not yet established, the port number is shown as an asterisk (*). It will also take the initial
PowerShell Remote Process Termination
Ever remotely executed a program on another system but the process failed to exit, which left it as an active process on the user’s system? No matter the cause or what your purpose on the system is, that is never a good thing. We can quickly fix the issue
Disconnect… Making the Internet Safer and More Private One Connection at a Time
Have you ever been browsing the web for a good or service and noticed that a totally unrelated site suggests the very same or similar items you were previously searching for? What about browsing the web and it taking forever to load a page? Did you know that some websites
Detecting Alternate Data Streams with PowerShell and DOS
Alternate Data Streams (ADS) are nothing new and there are a few ways to detect them within an NTFS filesystem. My tools of choice for detecting an ADS are LADS (List Alternate Data Streams) by Frank Heyne or Sysinternals’ Streams… both of which work rather well. My issue though is
WMI on Linux
WMI is a great way to query Windows systems without being so intrusive. As of late, I have been dealing with it more and more. Typically, I use a Windows system to query another Windows system, but the lack of speed inherent in the Windows OS always has me searching
Under the Wire… Windows Shell War Gaming
My boss and I had a conversation a few months ago regarding Over the Wire, a Linux war gaming server. The conversation revolved around how it was a great tool for those trying to build strength in Linux. From that conversation, we had a thought of why there wasn’t a
Pushpin… Taking Reconnaissance to Another Level
If you are on the offensive side, part of your strategy encompasses reconnaissance at some point. If you are on the defensive side, there is still reconnaissance to be done in order to see what is available about you. Well, a great tool to add to your tool bag is
Shipping Windows logs to Logstash via Nxlog
In order to correlate the logs of your system, you are either going to have to manually upload them to your correlation system or set up an automated way. Nxlog is one of a few agents that will enable automated shipping of logs. I particularly like it because it is light
ELK, the free alternative to Splunk
Installation of ELK is not too bad. There are a few guides online that walk through the process, but you will be hard pressed to find one that covers it all the way through. Some great links to help with this endeavor are: https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-ubuntu-14-04 https://www.ddreier.com/setting-up-elasticsearch-kibana-and-logstash/ Installing ELK (CentOS) This is
ELK stack, what is that?
In a previous post I did a comparison of ELK and Splunk. I will take a few minutes here to explain what ELK is. The ELK stack (Elasticsearch, Logstash, Kibana) is simply amazing. Each program making up ELK brings its own uniqueness and is a vital part of making the
Bare Monkey (Volatility)
I’ve been working on Bare Monkey for a few months now. Bare Monkey inputs a Windows memory capture and runs it against all Volatility plugins and outputs them to a text file. Afterwards, it deletes the generated files that are empty and then compresses the files left. It also creates
Splunk vs. ELK Stack
When conversing about log collection and correlation on an Enterprise level, Splunk almost always comes up in the conversation. While I am an avid Splunk fan, outside of the free version, it can be a little expensive. ELK (Elasticsearch, Logstash, and Kibana) is very comparable to Splunk, in my opinion.
Converting a DD image into a VM – pt. 2
This is part 2 of the tutorial to convert a DD image into a VM. The below instruction picks up from the position that one already got a DD image and has it unzipped and uncompressed. To finish the task, please read on. 1. Copy the target_image from your linux
Converting a DD image into a VM – pt. 1
A good buddy of mine introduced me to LiveView, which creates virtual machines from DD images. There were a number of other programs out there that can do the same thing but didn’t seem as smooth as LiveView is. One may be wondering what the need is for
Skittle Grinder (Linux Log Collection)
Skittle Grinder is the de facto way of getting the “kitchen sink” from a Linux system. Its development stemmed from a gap we faced in the forensics realm, but it could be used for baselining, auditing, or whatever you see fit. Skittle Grinder checks for rootkits, creates a tarball of
Collaboration with Elog
Elog is a great program used for collaboration in a LAN or WAN environment. It’s very simple to use and easily customizable. This program is ideal for sharing notes or analyzing data and ensuring everyone else knows what is going on. There is an email function as well and the
Splitting up a Large VM for Easier Transmission
Here is the scenario: you have a VM that you want to transfer to another system over the Internet. The VM, in its entirety, is too big to transfer as is. So what do we do? Well, we could convert the .vmx into an .ova and then split it into
Renaming a Linux NIC interface
You may be wondering why this is even a topic of discussion. Well, certain Linux distros such as CentOS come with the main interface as eth0. For me, it’s not as big of a deal. The concern comes in when I am developing baselines and distributing them back into the
Memory Capture with FTK Imager
I previously wrote about using DumpIt for Windows memory captures. If all you need from a system is to capture memory, it fits the bill rather well. There have been some times where it’s given me some issues grabbing memory over 8GB. Nonetheless, what if you need to do more?
The One Page Linux Manual
For those trying to learn Linux, it can be a daunting task. There is a plethora of resources online and built into the OS. For those just looking for something “light” and tangible, I recommend the one page Linux manual. It fits the bill for the most part (although
Wait, did something change? Don’t know, use Regshot
1. Download the program from http://sourceforge.net/projects/regshot/. 2. Right-click the program and run it as administrator. 3. The below screen should appear. From there we have the option of comparing logs in plain TXT or HTML. We can also choose folders to scan as well.
Creating a share on Linux and accessing via Windows
There are many times when there is data on a Linux system that needs to be moved to another system like Windows. Well, the question is how do you do that? The method that I have found to be the easiest is to use Samba. Below are the steps to
To broadcast a SSID or not to broadcast a SSID, that is the question
For some, wireless security and securing one’s home network can mean a number of things. Some people feel that disabling the broadcast of their SSID gives them that extra layer of security. Depending on the context of the conversation at that time, I can somewhat see their perspective. From my
Jump Bag Stuff
Wifi-Pineapple – https://hakshop.myshopify.com/products/wifi-pineapple?variant=81044992 PWN Plug – https://www.pwnieexpress.com/product/pwn-plug-elite/ Read-Only Flash Drive – http://www.kanguru.com/storage-accessories/flash-blu2.shtml SmartSniff – http://www.nirsoft.net/utils/smsniff.html
Parse and Extract PST and OST Mailboxes
Libpff is a powerful mail examination tool. The tool will allow you to examine and extract data without having to attach the PST to Outlook and has the ability to view emails that are encrypted. In my example below, I will be using the tool via the SANS SIFT workstation
Parsing Metadata with ExifTool
It’s one thing to have a piece of data but it’s another thing to be able to get the metadata about said data. ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool/) is a tool that will allow just that. It’s command-line based, but there is a GUI version as well called pyExifTool (https://hvdwolf.github.io/pyExifToolGUI/). The tool
Windows Memory Capture using DumpIt
One of the simplest tools for capturing memory from a Windows system is DumpIt. The program is very portable and saves the capture to wherever the program is run from. Most people will run it from a flash drive, but depending on your company’s security policy that may not be
Memory Capture via Hibernation File
If you are having a hard time getting a memory capture using commercial tools, have no fear, Microsoft to the rescue! Starting with Win2K, each version of Windows has supported OS hibernation. When you put a system into hibernation, it creates a hiberfil.sys file on the root of the filesystem
Display Credentials For All Previous Wireless Networks Connected To
I was at a friend’s house and needed to connect my laptop to his network. My friend was reluctant to give me the password to his network and decided to type it in himself. In his mind, he was just doing his part to provide some security to his home network,
Great Sites for Cyber related Videos
http://securitytube.net/ http://irongeek.com
Determining what profile to use when analyzing Windows memory in Volatility
No need to guess or experiment with different profiles, let Volatility figure that out for you. In testing, this worked with all formats that Volatility supports. If you were the one to do the memory dump or if the file was labeled OS information, this wouldn’t be a concern or
Forensics Posters
Anybody getting into forensics knows it’s like putting on a pair of glasses and seeing things in a whole new light. Part of being able to identify bad or evil is being able to identify normal. In my opinion, SANS did a pretty good job depicting some common things to
Building a profile for Volatility
After capturing Linux memory using LiME (or your program of choice), we can analyze it using Volatility. In order to do so, you will need to build a profile for Volatility to use. The profile is based on the kernel/version of the system in which the memory capture was done
Linux Memory Capture with LiME
When doing forensics, grabbing a capture of the live memory is vital. There are a few different programs out there to accomplish the task but in my testing, I felt LiME was the best choice. It wasn’t intrusive at all on the system and was pretty straightforward. Once I compiled