Red vs. Blue: Kerberos Ticket Times, Checksums, and You!

This blog post was co-authored with Charlie Clark of Semperis. Introduction: At SANS Pen Test HackFest 2022, Charlie Clark (@exploitph) and I presented our talk ‘I’ve Got a Golden Twinkle in My Eye’, in which we built and demonstrated two tools that assist with more accurate detection of forged tickets being used. Although we demonstrated…

The post Red vs. Blue: Kerberos Ticket Times, Checksums, and You! appeared first on TrustedSec.

Getting Analysis Practice from Windows Event Log Sample Attacks

Throughout my career as an Incident Responder, one of the most valuable skills I have had to draw on has been the analysis of Windows event logs. These logs are an invaluable source of information for forensic practitioners, as they are crucial in determining the cause of events during computer security incidents. Windows event logs…

BOFs for Script Kiddies

Introduction: I hope I don’t sound like a complete n00b, but what or who or where is a BOF? All the cool kids are talking about it, and I just smile and nod. Is he the newest Crypto billionaire, or is it a meetup for like-minded hackers, or is it some other 1337 slang? I understand…

ESXiArgs: The code behind the ransomware

Deep Dive into an ESXi Ransomware: TrustedSec’s Nick Gilberti wrote a great blog covering the ESXiArgs ransomware’s shell script here. However, in this blog, we are going to dive a little deeper into the code behind this ransomware. The sample discussed was acquired from VirusTotal and the BleepingComputer forums. The following is a…

ESXiArgs: What you need to know and how to protect your data

Threat Overview: Around February 03, 2023, a ransomware campaign called “ESXiArgs” emerged that targeted Internet-facing VMware ESXi servers running versions older than 7.0. Though not confirmed, it has been reported by the French CERT (CERT-FR), BleepingComputer, and other sources that the campaign leverages CVE-2021-21974, a two-year-old vulnerability (disclosed by VMware in February 2021) in the OpenSLP component of the…

How Threat Actors Use OneNote to Deploy ASyncRAT

See how Research Team Lead Carlos Perez dissects a sample of a OneNote document used in phishing attacks to deploy ASyncRAT, an open-source remote administration tool. You’ll find out how these OneNote files are now being used by threat actors and where to find the location that ASyncRAT is being downloaded from and…

New Attacks, Old Tricks: How OneNote Malware is Evolving

Analysis of OneNote Malware: A lot of information has been circulating regarding the distribution of malware through OneNote, so I thought it would be fun to look at a sample. It turns out there are a lot of similarities between embedding malicious code in a OneNote document and the old macro/VBA techniques for Office…

Operator’s Guide to the Meterpreter BOFLoader

Introduction: Recently, a few friends and I decided to port my coworker Kevin Haubris’ COFFLoader project to Metasploit. This new BOFLoader extension allows Beacon Object Files (BOFs) to be run from a Meterpreter session. This addition unlocks many new possibilities for Meterpreter and, in my opinion, elevates Meterpreter back up to the status of…

A LAPS(e) in Judgement

As security practitioners, we live in a time where there is an abundance of tools and solutions to help us secure our homes, organizations, and critical data. We know the dangers of unpatched applications and devices as well as the virtues of things like password managers and encrypted databases to protect our passwords and other…

To OOB, or Not to OOB?: Why Out-of-Band Communications are Essential for Incident Response

tl;dr: Communications are critical during an incident. If you cannot coordinate, collaborate, and share information and direct actions during an incident, the incident response will eventually fail. Normally, this isn’t an issue, as organizations have resources like Microsoft 365 email, SharePoint, Slack, and Teams to communicate with each other. However, what happens when those…
