#invpath — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #invpath, aggregated by home.social.
-
Absent specific leads, broad scenarios like this can overwhelm many analysts. Having dozens of paths you could take is often as daunting as having no apparent paths to take.
In a scenario like this, it’s helpful to understand common attacker goals. While attackers accomplish goals differently, we can predict some common actions and devise an investigation plan from that.
When attackers access a system, they are likely to do at least one of these:
1. Execute malware that creates a persistence mechanism
2. Pillage the system for useful user information
3. Steal additional credentials
4. Scan the network for other lateral movement targets
Each of those actions ties to useful evidence, and even though the attacker's actions might take different forms, they often manifest across a predictable and common set of evidence sources.
Usually, you let the evidence you’ve found lead you to the evidence you’ve yet to find… but sometimes you have to make educated guesses based on what is most likely, hoping that a more specific lead reveals itself.
If you have these broad categories of common attacker activity, you can have evidence sources you rely on to help prove those things. Ideally, start with a combo of the most likely + easiest to prove/disprove.
Analysts tend to fall back on things they are most comfortable with. What are you most comfortable with of the four things I listed above? Now, what are you least comfortable with? That’s your opportunity for growth.
A lot of this scenario is about human behavior. What evidence sources on your hosts are most useful for characterizing that behavior and finding things outside the norm? How do you access and manipulate them? That’s something to think about… 🚀 #InvPath #DFIR #SOCAnalyst
-
I think more folks struggled with this scenario than others, perhaps because it’s less common, and folks don’t quite understand how drivers might be used maliciously.
Because HW.sys is generally a benign driver, a good place to start is by checking out the LOLDrivers project... There’s a great entry for this file here: https://lnkd.in/eRuGSw3S. You’ll see that this file has been associated with vulnerabilities, and some malicious samples are provided.
Ultimately, malicious drivers are all about the execution of the attacker's code. That’s particularly impactful because of how those drivers are loaded and the level of system access they might have.
From an investigation perspective, it’s likely quicker to prove that the file is benign by comparing it to known good hashes or samples across the environment or other environments. It’s also useful to treat the investigation as one where you’re looking for potential execution of unwanted code, keeping in mind that there might be some track covering or anti-forensics going on. That means verifying findings with multiple data sources where possible.
What would your workflow look like to verify whether a driver is legitimate, should you encounter a similar finding as the one in this scenario? That’s something to think about… 🚀 #InvPath #DFIR #SOCAnalyst
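An added example, not code from either post, of the hash-comparison step described above: it triages a constructed driver inventory against a known-good hash set, a known-vulnerable set (left as an empty placeholder to be filled from a catalogue such as LOLDrivers), and environment-wide prevalence. The hostnames, paths and hashes are constructed, and the load-path check is an assumption added here.

```python
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a driver image as a hex digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: hashes of made-up bytes, not real HW.sys hashes.
BENIGN_HW_SYS = sha256_hex(b"constructed benign HW.sys image")
TAMPERED_HW_SYS = sha256_hex(b"constructed tampered HW.sys image")

# Constructed inventory: host -> {driver path: SHA-256 observed on that host}.
INVENTORY = {
    "ws01": {r"C:\Windows\System32\drivers\HW.sys": BENIGN_HW_SYS},
    "ws02": {r"C:\Windows\System32\drivers\HW.sys": BENIGN_HW_SYS},
    "ws03": {r"C:\Windows\System32\drivers\HW.sys": BENIGN_HW_SYS},
    "ws04": {r"C:\Users\Public\HW.sys": TAMPERED_HW_SYS},
}

# Placeholder reference sets: populate KNOWN_GOOD from a vendor reference copy
# and KNOWN_BAD from a vulnerable/malicious driver catalogue.
KNOWN_GOOD = {BENIGN_HW_SYS}
KNOWN_BAD = set()

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"  # assumed expected location


def triage_drivers(inventory, known_good, known_bad, rare_threshold=1):
    """Return (host, path, hash, reasons) for every driver copy worth a look."""
    # How many hosts carry each hash; a one-off is a lead, a fleet-wide copy is not.
    prevalence = Counter(h for drivers in inventory.values() for h in drivers.values())
    findings = []
    for host, drivers in inventory.items():
        for path, digest in drivers.items():
            reasons = []
            if digest in known_bad:
                reasons.append("hash matches known vulnerable/malicious driver")
            if digest not in known_good:
                reasons.append("hash not in known-good set")
            if prevalence[digest] <= rare_threshold:
                reasons.append(f"rare in environment (seen on {prevalence[digest]} host)")
            if not path.lower().startswith(SYSTEM_DRIVER_DIR):
                reasons.append("loaded from outside the system drivers directory")
            if reasons:
                findings.append((host, path, digest, reasons))
    return findings


if __name__ == "__main__":
    for host, path, digest, reasons in triage_drivers(INVENTORY, KNOWN_GOOD, KNOWN_BAD):
        print(host, path, digest[:12], "; ".join(reasons))
```

A hit from one reason alone is only a lead; the post's point about anti-forensics means each finding should still be corroborated against a second data source (load events, signature state, or a copy pulled from another environment).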