Introduction A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp. Source: Sysctl ...| Posts on dfir.ch
Introduction Extended attributes (EAs) are a powerful and sometimes overlooked feature of macOS’s file system, storing additional metadata about files beyond what standard attributes like file name, size, and permissions allow. While these attributes are invisible in typical file interactions, they play a critical role in various macOS features and workflows. Inspecting Extended Attributes macOS provides several tools for working with extended attributes. These include: The ls command (the ...
This is the second part of a two-part series about Active Directory security. Read the first part here. To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments. We indicate how many of the 250 domains checked were affected by the finding (Affected Domains: N/250). PingCastle is a popular tool for auditing the security of Active Directory environments, pinpointing vulnerabilities, ...
Introduction A customer contacted us due to a high-severity ransomware alert in Windows Defender for Endpoint (Figure 1). Figure 1: Suspicious network traffic detected including Ransomware Clicking on one of the alerts does not reveal additional details besides the IP address (Figure 2). Figure 2: Process Tree After further clicks, we end up at the explanation in Figure 3, which doesn’t inspire confidence. What exactly is happening here, and which process on the host is responsible for thes...
Introduction In the realm of IT infrastructure, Active Directory (AD) serves as a crucial backbone, enabling organizations to manage users, devices, and resources efficiently. However, given its central role, it also presents a significant security target, and maintaining its integrity is paramount. Misconfigurations and overlooked security gaps in AD can expose an organization to critical vulnerabilities, leading to potential breaches, data theft, and system downtime. To gain insight into co...
Introduction The purpose of the update.py script is to deploy a backdoor to the following path: /usr/lib/python3.6/site-packages/system.pth. The backdoor, written in Python, starts by an import and its main content is stored as a base64 encoded blob. The .pth extension is used to append additional paths to a Python module. Starting with the release of Python 3.5, lines in .pth files beginning with the text “import” followed by a space or a tab, are executed as described in the official do...
Introduction setfacl is a command-line utility in Linux/Unix systems used to set Access Control Lists (ACLs) on files and directories. ACLs provide a more flexible permission mechanism than the traditional owner-group-other model. They allow for the assignment of specific permissions to individual users or groups beyond what the basic file system permissions support. setfacl [options] [permissions] file/directory Options: -m: Modify or add an ACL entry. -x: Remove an ACL entry. -b: Remove all...
Introduction "After installing the payload, the shell script inst.sh runs a backdoor binary that matches the target device’s architecture. The backdoor is a shell script compiled using an open-source project called Shell Script Compiler (shc), and enables the threat actors to perform subsequent malicious activities and deploy additional tools on affected systems." Source: IoT devices and Linux-based systems targeted by OpenSSH trojan campaign, Microsoft Threat Intelligence In this blog post,...
Introduction “In REPTILE version 2.0, the original developer of REPTILE altered how the Kernel-level component is loaded, switching from using insmod to a custom launcher. The launcher Mandiant observed UNC3886 use throughout their operations, based on the custom launcher, was updated with a new function to daemonize a process.” — Mandiant, Cloaked and Covert: Uncovering UNC3886 Espionage Operations, 2024. This analysis will examine how the Reptile rootkit loader bypasses the standard L...
Introduction bedevil (bdvl), according to the GitHub page, is an LD_PRELOAD rootkit. Therefore, this rootkit runs in userland. The group Muddled Libra used bedevil to target VMware vCenter servers, according to Palo Alto’s Unit42 Blog, 2024. The rootkit comes with a nifty feature called Dynamic Linker Patching: Upon installation, the rootkit will patch the dynamic linker libraries. Before anything, the rootkit will search for a valid ld.so on the system to patch.
Introduction This week wasn’t the first time we’ve investigated a case where a customer reported suspicious accounts that couldn’t be linked to any employees. In this case, two domain admin users were found on the affected network, but neither is employed by the company. Both accounts had logged into nearly every device within the organization, which understandably caused concern among those responsible, prompting them to ask us to investigate further.
Introduction Over the last three years, various cyber security companies wrote about TeamTNT TTPs, notably about the use of tmate as their tool of choice for backdooring Linux servers after a compromise: TeamTNT: Cryptomining Explosion (Intezer, 2021) Attackers Abusing Various Remote Control Tools (ASEC, 2022) TeamTNT Reemerged with New Aggressive Cloud Campaign (Aqua, 2023) In this short blog post, we examine the traces left behind from a tmate installation and some hints on where to find tr...
This course aims to provide a comprehensive understanding of the architecture of modern EDRs and their underlying Antivirus (AV) systems. It delves deeply into the complexity of modern EDRs, their structure, including the components responsible for real-time monitoring, data collection, and threat analysis. [..] 50% of the course will be dedicated to hands-on labs showing how to translate the theory principles into practice. Labs are designed to provide flexibility in terms of complexity and ...
Introduction Azure flow logs are a feature in Azure that allows you to capture and analyze network traffic to and from virtual network interfaces (NICs) in Azure. Specifically, flow logs provide granular data about IP traffic flowing through a Network Security Group (NSG). Azure automatically creates a network security group (NSG) when you create a virtual machine: $vmname-nsg. This data includes information on the source and destination IP addresses, ports, and protocols, as well as traffic ...
Introduction PowerShell’s Script Block Logging is a security feature that records and logs the contents of all scripts and commands executed within PowerShell. This includes both legitimate administrative scripts and potentially malicious commands. When enabled, Script Block Logging generates detailed logs stored in the Windows Event Log under Microsoft-Windows-PowerShell/Operational. I have previously tweeted several times about PowerShell and why monitoring the executed PowerShell scripts...
Introduction To improve my rusty reverse-engineering skills, I’m going to analyze various malware samples that have come up in our incident response cases in loose succession. The first sample belongs to the Fenix botnet (sample here). In this post, we analyze a sophisticated malware infection chain that begins with a user downloading a ZIP file from a Dropbox link and culminates in the execution of a malicious shellcode. First Stage The infection chain begins when the user downloads a ZIP ...
Introduction User @karol_paciorek recently tweeted about an open directory containing malware, depicted in Figure 1. You can find the original post here: Figure 1: opendir: 216.9.224[.]58:5555 Along with the MS_calendar.lnk file mentioned in the tweet from @karol_paciorek, there are additional files publicly available on that server: LNK Analysis We will examine the LNK file schedule.lnk (MD5: 62d5389d43931237e9d3d1aa77c87483), located in the same directory as the MS_calendar.lnk file. To ana...
Introduction Last month, I stumbled upon a blog post from Trustwave titled Search & Spoof: Abuse of Windows Search to Redirect to Malware. Figure 1: Search & Spoof: Abuse of Windows Search to Redirect to Malware (Source: Trustwave) Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a sophisticated understanding of system vulnerabilities and user behaviors.
Introduction A tainted kernel in Linux refers to a kernel that has been marked with one or more flags indicating that it is in a state that might affect its stability or functionality. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. Source: elastic Here are the main reasons a kernel might become tainted (list might not be exhaus...
Introduction The kernel.modules_disabled parameter is a security feature in the Linux kernel that prevents the loading and unloading of kernel modules. This setting is particularly useful for hardening a system against certain types of attacks, such as attempts to load malicious kernel modules (think rootkits) or manipulate the system at a low level. Mandiant recently published a blog post where they found, among other toolings used by the attackers, REPTILE. REPTILE is an open-source Linux r...
This blog post outlines a method for monitoring changes to files and directories in Linux using path units. Administrators and defenders can be notified of modifications by creating a new path unit, which watches for changes to files and directories and links it to a service unit that executes a script when changes are detected. This setup might be particularly useful for detecting unauthorized access in environments where installing EDR solutions is not feasible.
This blog post discusses how to enhance PHP security using the disable_functions directive, which prevents specific PHP functions from being executed. We further explore webshell detection techniques, highlighting the challenges of identifying webshells using Yara rules, proposing alternatives like manual analysis, frequency analysis of web server logs, and utilizing tools like Velociraptor and UAC along the way. Introduction The disable_functions directive in PHP is a security feature that a...
Introduction A customer contacted us because they intend to use SimpleLAPS-GUI in their company. However, multiple AV vendors flag the precompiled binary (SimpleLapsGui.exe) as malicious (see here). According to the FAQ on the GitHub repository from SimpleLAPS-GUI: Does the exe version contain viruses? It is reported on “virustotal.com”. No it doesn’t. This happens because of the AutoIT v3 executable used as wrapper. You can download the PowerShell version instead. (Please note that th...
Zsh Sessions In a previous blog post (Today I Learned - Zsh History Timestamps), we discussed how Zsh records commands entered in the shell along with a timestamp, provided that the session remains open. This is useful for live response scenarios if we still have access to the session and can run commands like fc -lf or fc -li 100. However, Zsh also utilizes the .zsh_sessions directory, located at the root level of the user’s home directory.
Introduction While working my way through the excellent “Linux Attack, Detection and Live Forensics” course from Defensive Security, I read the following line: If you are looking for a simple way how to hide your process from the process list, then the bind mount operation is the answer. In order not to violate any copyright, I googled around and found the following gist from Timb-machine, where the same commands of the course are reflected:
Introduction Fox_threatintel tweeted recently about an open directory on 91.215.85.18:9380/. I downloaded all the files from this directory and stumbled upon a ‘cleaner’ script, which we will examine in this short blog post. The original script is available on VirusTotal. Figure 1: Tweet from Fox_threatintel Find installed software First, the script defines an array ($uninstallKeys), holding two registry keys: $uninstallKeys = @( "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"...
Zsh Timestamps In Zsh, which serves as the default shell for Kali, Gentoo, and macOS (replacing Bash in macOS Catalina), among others, the shell session retains the command history with timestamps in memory. Throughout the session, each executed command is logged in the history along with a timestamp denoting its execution time. To view the command history on a live system, we can execute one of the following commands, which not only display the history but also include the timestamps adjacen...
Insider Threat? We were contacted by a company that regularly sends emails to customers promoting new services and discounts. An Excel is uploaded to a web server, where a job processes the file to create an email per customer, taking the email addresses from the uploaded Excel file. For a significant period of time, the company has been struggling with a serious issue - its competitors are reaching out to the same customers they intend to contact in the upcoming mailing, often a day or two e...
Introduction A client contacted us following an alert triggered by their Network Detection and Response sensor (NDR), which flagged suspicious network behavior originating from a server within their internal network. The detected activity resembled a port scan, suggesting that the server might have been compromised and was possibly being exploited by an attacker for initial reconnaissance. What added to the concern was the specific choice of ports scanned during the activity.
Introduction On a recent incident response case, a customer contacted us regarding their EDR detecting a crypto miner on a Linux endpoint. The identified malicious file, named 41hs1z, is accessible on VirusTotal. The folders and paths associated with each execution of the crypto miner may differ; however, here are some paths we encountered: /backup/files/excel/41hs1z /backup/files/xml/dotnet115/BeID/41hs1z /backup/files/xml/dotnet115/layouts/defaults/41hs1z Upon analysis, we discovered that t...
Introduction In a recent investigation conducted by my colleague, Giuseppe Paternicola, it was discovered that the initial entry point that ultimately led to the deployment of the Abyss ransomware was a compromised SonicWall Secure Mobile Access (SonicWall SMA) device. The threat actor exploited CVE-2021-20039 to gain access (Authenticated Command Injection). Subsequent analysis of the SonicWall revealed that the attacker had placed two files on the device, as illustrated in Figure 1.
Introduction A huge thanks to the Invictus-IR team for proofreading this blog post 🙏 Recently, I posted a tweet regarding an unpatched TeamCity server that an attacker exploited to deploy a CoinMiner. In response to my tweet, the X (former Twitter) user, the cybersecurity doge, shared another story they investigated: An attacker obtained access to an administrator Azure environment user. Once logged on the tenant he created a resource group, and built 3 different batch accounts inside.
How it started Figure 1: An unhandled exception occurred in w3wp.exe The customer contacted us regarding sporadic crashes of the IIS worker process (w3wp.exe). Before engaging an Incident Response company, the customer attempted to resolve the issue by repeatedly restoring the websites from backup. Moreover, they set up an entirely new server and migrated the affected sites to it, only to encounter the same outcomes (crashing the w3wp process). Additionally, the client passed on the following...
Background A customer contacted us reporting that an attacker had deleted several AWS S3 buckets (before allegedly downloading the data). Subsequently, the attacker left a ransom note (depicted below, sensitive information has been redacted). In this blog, we examine a recovery binary left behind by the attackers after deleting the buckets and show that the binary is nothing more than a red herring to increase the pressure on the victim.
Introduction Craig Rowland, Founder and CEO of Sandfly Security, delivered a presentation titled Evasive Linux Malware at the Oslo Cold Incident Response Conference last year (Slides here, Presentation here), dissecting the notorious BPFDoor malware. In this post, we will analyze the BPFDoor backdoor only with the Linux utility strace, trying to get as much information as possible about the malware by tracing the executed syscalls from the binary. Swift assessments of malware samples like the...
Introduction Recorded Future writes in their Adversary Infrastructure Report 2023: The top 5 malware families we detected this year are AsyncRAT, Quasar RAT, PlugX, ShadowPad, and DarkComet. Interestingly, the top 2 detections are open-source, and the last 3 are well-established tools, showing that our statement from last year’s report remains true: [The] high level of commodity tool use indicates that threat actors are more concerned with blending in and being non-attributable rather than ...