Axelarator Blog

QakbotMSI

21 June 2022 at 22:11
Executive Summary
In mid-April 2022, Mandiant observed UNC2500 campaigns using MSI packages to distribute Qakbot payloads. This change comes shortly after Microsoft’s announcement that macros from Office documents downloaded from the internet (ZoneIdentifier ADS) will be blocked by default. This new payload uses a botnet ID AA, which is unique from previous campaigns that have used tr, cullinan, and cullinan01. Distribution came from phishing emails containing a malicious link from either OneDrive or files hosted on compromised websites that downloads a ZIP archive.

About

22 June 2022 at 00:08
Welcome to my brain dump. I currently work as a CTI Tactical analyst and am using this blog as a way to publicize personal research I do, whether it’s work related or just for fun. Since starting my career in the security industry in 2021, my Notion notebook has been filling up with anything I find interesting and serves as a reference for guides on getting started in niche areas. Rather than keeping it all private, I wanted a place to share my findings.

Honeypot

23 June 2022 at 23:50
Honeypot
References:
https://sysdig.com/blog/triaging-malicious-docker-container/
https://www.intezer.com/blog/malware-analysis/how-to-make-malware-honeypot/
https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124
https://hub.docker.com/_/alpine
EC2 instance running Ubuntu Server 18.04 with Docker running an Alpine Linux container. Port 22 is locked to my IP only. Port 2375 is exposed, which is the Docker API (useful for tools like Portainer). Got an alert for a masscan command searching for port 2375. Another alert was triggered for 2376, as some APIs expose this instead of 2375. Activity between 10pm 2/9 and 04:32 2/10.

Projects

24 June 2022 at 00:01
Gollector
Gollector was my first real coding project and a way for me to learn Golang. It’s definitely not perfect but helped automate an intelligence workflow for finding C2 beacon configs. The goal was to practice interacting with APIs and get specific information I was looking for. I haven’t worked on it in a while, but I still use the tool often for interesting IPs.

Hide Artifacts: NTFS File Attributes (T1564.004)

24 June 2022 at 00:11
T1564.004
Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS-formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.

Command and Scripting Interpreter: Unix Shell (T1059.004)

24 June 2022 at 00:17
T1059.004
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
Invocation: Interactive Shell
An interactive shell is one started without non-option arguments and without the -c option whose standard input and error are both connected to terminals (as determined by isatty), or one started with the -i option.

Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)

24 June 2022 at 00:27
T1546.004
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH), a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment.

Malware Analysis Homelab

17 July 2022 at 20:24
This guide will serve as a lab for both static and dynamic malware analysis. The dynamic analysis portion will be in its own network that cannot reach out to the host network and vice versa. I have to give credit to c3rb3ru5 because her guide is what taught me about being able to create networks within virtual machines and setting up mitmproxy to capture traffic. It was inspired by her KVM Malware Lab Guide but I had to make some changes due to issues on my end.

Malicious Word Doc

17 July 2022 at 20:25
References:
https://analyze.intezer.com/analyses/1832abdc-0212-4f2b-97af-ec69af2e5a92/genetic-analysis
https://www.virustotal.com/gui/file/81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab
SHA256: 81c7eef54c852dd68050147f77f937933cbff1c22722617180ca386ef55918ab
Malicious Word document referencing Minsk Protocol. Uses macros to download a second-stage payload from a server.
Process Tree
Uses WINWORD to open the file:
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\<USER>\AppData\Local\Temp\<ANALYZED-FILE-NAME>.doc" /q
Runs a PowerShell base64-encoded command (listed below in a VBA macro).
A child process from WINWORD launches splwow64:
C:\Windows\splwow64.exe 12288
Details from the file
Using oleid, VBA macros are found. Next is to use olevba to get more information about the VBA and view the macro code.

Cloud Recon

3 August 2022 at 20:18
Identify the cloud perimeter of a target. Thanks to colleagues who are smarter than me.
Identify Service
Use OSINT to determine the provider and region your target is located in. Shodan, for example, has a cloud.region filter that lists what region the IP is located in. Some examples:
GCP: us-central1
Azure: northeurope
AWS: us-east-1
Download the corresponding IP ranges based on your target’s provider.

Bumblebee

25 August 2022 at 20:35
Bumblebee Sample
Bumblebee (Shindig) has been used by TA579 / BazaISO / Exotic Lily / Stolen Images to collect system information and exfil to a C2. Additional second-stage payloads include Cobalt Strike beacons.
https://bazaar.abuse.ch/sample/70eb84a6bce741ff988116434e4f531a724257185ab92df8fcfa90b3def6568f/
Download zip > .iso file (password protected) > dll/lnk inside. Once the ISO is mounted, the .dll and .lnk are visible.
LNK Analysis
Using LECmd.exe to analyze the LNK file. If on Linux, lnkinfo gives a similar output.

Abusing Code Signing Certificates

15 February 2023 at 16:09
Authenticode Signature
The point of code signing certificates is to verify that the file came from a trusted source, that the file was not tampered with prior to receiving it, and that the file’s origin can be validated. Code signing hashes the code and encrypts the hash with a private key, producing the signature. During execution, this signature is validated and, if the hash matches, it gives assurance that the code has not been modified.

BLE / NFC Threats

17 March 2023 at 17:22
Bluetooth Low Energy
Bluetooth Low Energy (BLE) is a wireless communication technology specially designed to prolong battery life of devices with different power consumption and usage capabilities. BLE started in Bluetooth version 4.2 with the latest being 5.x. It’s known as “Bluetooth Smart” whereas previous versions are referred to as “Bluetooth Classic”. Bluetooth operates at 2.4GHz with a max distance of 100 meters. Version 5 is backwards compatible and provides double the speed, four times the distance, lower power requirement, better security, and higher reliability.

Mozi

12 April 2023 at 00:50
Discovered in 2019, Mozi is a P2P botnet using the DHT protocol that spreads via Telnet with weak passwords and known exploits. Evolved from the source code of several known malware families (Gafgyt, Mirai and IoT Reaper), Mozi is capable of DDoS attacks, data exfiltration and command or payload execution. The malware targets IoT devices, predominantly routers and DVRs that are either unpatched or have weak Telnet passwords. In a report from IBM, Mozi accounted for 90% of IoT network traffic between October 2019 and June 2020.

Hunting C2s with Nuclei

4 September 2023 at 20:55
Overview
For a long time now, I’ve been using Censys/Shodan and DomainTools to look up hosts, attempt to correlate infrastructure to find overlaps and potentially attribute to C2s and other malicious hosts. There are so many data points to look at like JARM signatures, certificate data including historical analysis to watch hosting changes, service commonalities including the same web server hosted across multiple IPs, subdomains, etc. My point is this process almost always requires manual intervention at least first to visualize a pattern, then you can automate the infrastructure hunting for real-time monitoring.

A CTI Analyst Homelab

11 March 2024 at 19:13
Intro
As career plans, personal interests and the overall curiosity of exploring new technologies change, so does a homelab. It has been a few years since my last homelab writeup and at the time, the focus was geared towards malware analysis without much else. Career goals have shifted to more of a defensive side towards threat hunting and detection engineering so I wanted to build something to support those two fields.