#knowledgedrop — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #knowledgedrop, aggregated by home.social.

  1. #dfir #knowledgedrop

    Interesting observation:

    Hard-coded RAM relocations (i.e. not ASLR) are actually way less common in modern-day (64-bit) programs than you think. Most jumps etc. are relative and not hard-coded, e.g. in the .reloc table.

    I ran some velo tests and only one program on my standard Windows 10 installation with browsers had hard coded relocations: velociraptor itself.

    #RAM #memory #relocation #velociraptor

    PS: before someone complains: yes, 32-bit programs have Base of Data relocations, but that's for backwards compatibility, if I'm correctly informed.

  2. Apparently, Microsoft broke the API a bit when retiring some of its parts

    techcommunity.microsoft.com/bl

    The Microsoft Extractor Suite broke.

    ➡️ Workaround:

    You can get up to 50.000 events via the Azure Web Portal. So filter for a username or a small timeframe.

    ⚠️ Note: you cannot download everything via the Web Portal; after 50.000 events it'll just stop.

    #DFIR #Azure #Cloud #knowledgedrop

  3. Interesting defense against attacks:

    Move your SSH authorized_keys to a different location and set the rights to 0444. Then an attacker needs root rights to place an SSH backdoor.

    isc.sans.edu/diary/31986

    #DFIR #knowledgedrop #hardening

  4. #DFIR #threatintel #Knowledgedrop

    Attackers are still actively exploiting firewall "../" vulnerabilities. Be aware and patch your firewalls!

  5. Most organizations do not have multi-factor authentication (MFA) enabled for their Azure service principals.

    Why?

    You need a special license for every single application you want to enable MFA for.

    #cloud #azure #knowledgedrop #pentesting

  6. Watch out with your Azure Automation Account / Runbooks.

    • they often include hard-coded credentials
    • their output is not protected, so attackers can see your results
    • they can use Shared Resources (i.e. credentials or certificates)
    • Hybrid Worker and Azure Arc allow access to your on-premise infrastructure

    Dangerous stuff if not managed correctly!

    #cloud #azure #knowledgedrop #dfir #pentesting #privilegeescalation

  7. How to reconstruct OneDrive?

    OneDriveExplorer (by @Beercow) can reconstruct OneDrive from <UserCid>.dat or SQLite databases etc.

    Check it out:
    github.com/Beercow/OneDriveExp

    #DFIR #artifact #azure #onedrive #knowledgedrop

  8. Today a pentester asked me if attackers really use brute force.

    Yes, they do, especially in cloud environments. That's why multi-factor authentication (MFA) is so important there.

    #knowledgedrop #purpleteam #cloud

  9. I hear very often that the cloud is secure because Multi Factor Authentication (MFA) is enabled, so all accounts are secure.

    What about the service accounts and the (break glass) global administrator account?

    Or in Azure: do you have a conditional access policy that excludes accounts from MFA?

    What about MFA phishing with evilginx?

    => Apply a defense-in-depth strategy also in cloud environments.

    #DFIR #knowledgedrop #cloud #mfa #multifactorauthentication

  10. How to filter zeek logs:

    cat conn.log | zeek-cut <columns> | column -t | less -S

    (column and less display the columns aligned and readable)

    #DFIR #knowledgedrop #NIDS #zeek

  15. I encountered some third party firewall logs recently. Timestamps were in Linux format and requests in hexdump. We knew the IP range of the attackers and that they uploaded a webshell.

    grep is an awesome tool for that. Looking for successful (code 200) uploads (POST requests) from IP:

    grep -e "666.666.666.... POST 200" firewall.log > attack.txt

    To find the script I searched for the longest request since most legitimate requests were rather short. Word count can give us that with -L:

    cat attack.txt | wc -L
    1337

    And let's extract that longest line with grep:

    grep -E "^.{1337}$" attack.txt

    Hex requests could then be parsed easily with CyberChef's From Hex.

    Hope that helps someone! Adjust to your needs. :blobsmile:

    #dfir #knowledgedrop #firewall #bash
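    The same triage as a small script, added here as an example and not part of the post: it filters successful POSTs from a constructed attacker range, picks the longest request (the grep / wc -L step) and decodes the hex column (the CyberChef step). The log format, the sample lines and the 203.0.113.0/24 attacker range are assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log (not real data). Assumed format, mirroring the post:
# <epoch seconds> <client ip> <method> <status> <hex-encoded request>
# The request column is produced with .hex() here only so the sample is guaranteed well-formed.
def _rec(ts, ip, method, status, request):
    return f"{ts} {ip} {method} {status} {request.encode().hex()}"

SAMPLE_LOG = "\n".join([
    _rec(1700000001, "203.0.113.7", "GET", 200, "/index.html"),
    _rec(1700000002, "203.0.113.7", "POST", 200, "/login"),
    _rec(1700000003, "198.51.100.9", "POST", 200, "/upload.php?file=report.pdf"),  # not attacker range
    _rec(1700000004, "203.0.113.8", "POST", 200, "/upload.php?file=shell.php&dir=/var/www/html/images/"),
    _rec(1700000005, "203.0.113.8", "POST", 403, "/admin"),  # blocked, so not a successful upload
])
LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\d{3}) ([0-9a-fA-F]+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:  # skip malformed / truncated lines instead of aborting the whole run
        return None
    ts, ip, method, status, hexreq = m.groups()
    return {"ts": int(ts), "ip": ip, "method": method, "status": int(status), "hex": hexreq}

def successful_posts_from(log_text, attacker_net):
    # Equivalent of grep '<attacker ip> POST 200': POST with status 200 from the attacker range
    net = ipaddress.ip_network(attacker_net)
    recs = (parse_line(ln) for ln in log_text.splitlines())
    return [r for r in recs if r and r["method"] == "POST" and r["status"] == 200
            and ipaddress.ip_address(r["ip"]) in net]

def longest_request(records):
    # Equivalent of wc -L plus grep '^.{N}$': the record with the longest request column
    return max(records, key=lambda r: len(r["hex"]), default=None)

def decode_request(rec):
    # Equivalent of CyberChef's 'From Hex'; undecodable bytes are replaced rather than raising
    return bytes.fromhex(rec["hex"]).decode("utf-8", errors="replace")

def triage(log_text, attacker_net):
    # Return (UTC timestamp, source IP, decoded request) of the likely upload, or None
    rec = longest_request(successful_posts_from(log_text, attacker_net))
    if rec is None:
        return None
    when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat()
    return when, rec["ip"], decode_request(rec)
```

    Unlike the one-liners, the script keeps the epoch timestamp and converts it to UTC, so the hit can be placed on the timeline directly.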

  16. I noticed today that a lot of people are struggling with antivirus alerts, specifically Microsoft Defender:

    1) try to understand the alarm itself and at which point in the attack this would happen: phishing email = early, credential access (especially admin credentials) or suspicious C2 IPs = middle, ransomware/data upload = late.

    2) what should be the attacker's previous and next step then? (just look at 1 again: early/middle/late)

    3) can you see this previous/next step in the logs? Look especially for evidence of execution. Attackers want to "do" something. Executables, scripts, PowerShell, command line, services, scheduled tasks?

    If you cannot see any previous or any next steps, ask yourself if you're blind (are your logs empty? Timeframe not available?) or if there really aren't any. If there aren't any, it's likely a false positive. If there are, escalate.

    Happy hunting!

    #DFIR #knowledgedrop #microsoftdefender #antivirus

  17. Velociraptor tempfile is gone when your SELECT query terminates.

    That means if you start with a LET tmp = SELECT ... and continue in your main query, the tempfile is already gone at your main query!

    Took me a while today to figure this out...

    #dfir #knowledgedrop #velociraptor

  18. If using Kubernetes on Azure (AKS), the following logs exist:

    • activity logs (enabled by default)
    • resource logs (disabled by default)
    • AKS logs (disabled by default)
    • container insights (disabled by default)

    Remember to turn on your logs :blobwink:

    #DFIR #knowledgedrop #cloud #azure #aks #kubernetes #k8s

  19. #DFIR #knowledgedrop #azure #m365

    I noticed recently that M365/Azure Personal licenses ("Px"), in contrast to Enterprise ("Ex") licenses, do not seem to include all logs. E.g. Azure SignIn Logs only exist for 7 days, not 90/180 days.

    So when combining an M365 Business with a small Azure license, there are hardly any logs.

  20. #dfir #knowledgedrop

    The most important logfiles in #azure are:

    ENABLED by default:

    1) Tenant Logs: Sign-In Logs & Audit Logs
    2) Subscription Logs: Activity Logs
    3) Security Logs (Risky Users)

    DISABLED by default:

    4) Resource Logs
    5) Diagnostic Logs: Operating System Logs
    6) Diagnostic Logs: Application Logs

    #m365 also has:

    7) Unified Audit Log (UAL) - enabled by default
    8) (specialized logs for applications like Exchange, SharePoint, etc. - an extract is also in UAL)

  21. #dfir #knowledgedrop

    If you need to acquire #azure / #m365 logs, be aware that the webUI only allows extracting a small amount.

    If you want to extract all the logs, have a look at github.com/invictus-ir/Microso

    You need "global reader" permissions and watch out with conditional access policies - they can block your access and result in really weird error messages (e.g. that the module does not exist).

    Most important logs are (usually) SignIn logs and UAL.

  22. #dfir #knowledgedrop

    #psexec can be detected by .key files:

    "Starting with PsExec v2.30 [...], anytime a PsExec command is executed, a .key file gets written to the file system and will be recorded in the USN Journal on the target system. It will follow this naming convention: PSEXEC-[Source Hostname]-[8 Unique Characters].key and will be located at the C:\Windows directory." [1]

    [1] aboutdfir.com/the-key-to-ident
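    A small detector for the naming convention quoted above, added here as an example and not part of the post or of the cited article: it runs over a constructed USN journal extract, matches PSEXEC-[Source Hostname]-[8 Unique Characters].key only under C:\Windows, counts one hit per FILE_CREATE and lists the source hostnames. The extract format, the sample records and the assumption that the 8 characters are alphanumeric are mine.

```python
import re
from collections import Counter

# Assumption (the post does not say): the 8 "unique characters" are alphanumeric. The hostname
# may itself contain hyphens, so the greedy group leaves exactly the last 8 characters for the id.
KEY_RE = re.compile(r"^PSEXEC-(?P<host>.+)-(?P<id>[A-Za-z0-9]{8})\.key$", re.IGNORECASE)

# Constructed USN journal extract (not real data), one record per line:
# <timestamp>|<parent path, already resolved>|<file name>|<reason flags...>
SAMPLE_USN = """\
2024-03-01 09:15:02|C:\\Windows|PSEXEC-WS-ADMIN01-a1b2c3d4.key|FILE_CREATE
2024-03-01 09:15:02|C:\\Windows|PSEXESVC.exe|FILE_CREATE
2024-03-01 09:15:03|C:\\Windows|PSEXEC-WS-ADMIN01-a1b2c3d4.key|FILE_DELETE|CLOSE
2024-03-01 11:40:10|C:\\Users\\bob\\Downloads|PSEXEC-notes.key|FILE_CREATE
2024-03-02 02:03:44|C:\\Windows|PSEXEC-SRV-BUILD7-Zz9Yy8Xx.key|FILE_CREATE
2024-03-02 02:03:45|C:\\Windows|report.txt|DATA_EXTEND
"""

def parse_usn_line(line):
    parts = line.strip().split("|")
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "parent": parts[1], "name": parts[2], "reasons": set(parts[3:])}

def psexec_key_hits(usn_text):
    """One hit per PsExec execution: the FILE_CREATE of PSEXEC-<host>-<8 chars>.key in C:\\Windows."""
    hits = []
    for line in usn_text.splitlines():
        rec = parse_usn_line(line)
        if rec is None:
            continue
        m = KEY_RE.match(rec["name"])
        # The name alone is not enough: the post ties the artifact to C:\Windows, so a look-alike
        # elsewhere (a user's downloads) is ignored. The later FILE_DELETE of the same file is the
        # cleanup of the same execution, so only creations are counted.
        in_windows = rec["parent"].rstrip("\\").lower() == "c:\\windows"
        if not m or not in_windows or "FILE_CREATE" not in rec["reasons"]:
            continue
        hits.append({"ts": rec["ts"], "source_host": m.group("host"), "id": m.group("id")})
    return hits

def sources_by_count(hits):
    """Which machines ran PsExec against this host: the pivot list for the next acquisition."""
    return Counter(h["source_host"] for h in hits)
```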

  26. #Windows #activedirectory #dfir #knowledgedrop

    I learned today that depending how you access your network shares, it triggers different protocols:

    \\IP => NTLM

    \\servername => NTLM

    \\FQDN => Kerberos

    PS: for everyone who doesn't know Windows protocols: NTLM is less secure and an easier target for attackers.

  27. #knowledgedrop #dfir

    I compared a few sources for #cloud use cases this week and all of them mentioned these two #mitre techniques:

    T1078.004 Cloud Accounts

    T1530 Data from Cloud Storage

    These seem to be the main ways for attackers to breach clouds. Compromise an account or find data in a bucket etc.

  28. #dfir #knowledgedrop

    How to spot active #cobaltstrike activity?

    1) 7-letter binaries often in Temp-folder (find with e.g. MFT, journal)

    2) rundll.exe starting weird programs (find with e.g. #velociraptor pslist, #volatility pslist/pstree)

    3) named pipes activity (find with e.g. velociraptor handles())

    4) Powershell commands with base64 code (find in ps history, e.g. velociraptor psreadline)

    Good luck!

  29. #DFIR #knowledgedrop

    How to analyze an #email with #forensics

    1) Extract email safely: extract-msg --save-header

    2) Check from/received (gateway)

    3) Check IP reputation

    4) Check SPF/DMARC/DKIM with github.com/sthierolf/network-a

    5) Check IP/domain actually belongs to the sender!