Just Another Blue Teamer

A threat hunter that has a passion for logs, especially endpoint logs, and for teaching the next generation of Threat Hunters to come!

I have recently been awarded the honor to be a trainer at #BlackHat 2023, which is an amazing opportunity and a goal I had set for myself. I am truly flattered!

  • 9 Posts
  • 7 Comments
Joined 2 years ago
Cake day: November 18th, 2022


  • For your Threat Hunting Tip of the Day:

    Masquerading is a common technique used by attackers and by using legitimate names for their malicious programs it makes the victims more likely to click the application. But, as a hunter, what can you do? Easy: Look at the process chain!

    Part of Threat Hunting is learning your environment and by identifying process chains that are legitimate in your environment, you can start to look for process chains that may not make sense. So when you are looking at “legit” sounding apps that are executing, make sure you look at the parent process!

    Good luck and Happy Hunting!

    Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting!
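A worked example of the parent-process check the post above describes, added here as an illustration; it is not part of the post or of any Cyborg Security hunt package. It assumes Sysmon-style process-creation fields (Image, ParentImage), a baseline of normal parent/child pairs and expected binary locations that are made up for the example, and constructed events rather than real telemetry.

```python
import ntpath

# Baseline of (parent, child) process-name pairs that are normal in a hypothetical
# environment. In practice you build this from your own telemetry; these pairs are
# assumed for the example.
BASELINE = {
    ("services.exe", "svchost.exe"),
    ("userinit.exe", "explorer.exe"),
    ("explorer.exe", "winword.exe"),
    ("explorer.exe", "chrome.exe"),
}

# Directories (lowercased) where well-known Windows binaries are expected to live.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def hunt_process_chain(event):
    """Return the reasons a process-creation event does not fit the baseline (empty = fits)."""
    child = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    reasons = []
    # A legitimate-sounding name with an unusual parent is the masquerading tell.
    if (parent, child) not in BASELINE:
        reasons.append(f"unbaselined chain: {parent} -> {child}")
    # A well-known binary name running from the wrong directory is another.
    expected = EXPECTED_DIRS.get(child)
    if expected and ntpath.dirname(event["Image"]).lower() not in expected:
        reasons.append(f"{child} running from unexpected path {event['Image']}")
    return reasons


def hunt(events):
    """Run the chain check over a batch of events and keep only the ones with findings."""
    return [(e["Image"], r) for e in events for r in hunt_process_chain(e)]


if __name__ == "__main__":
    for image, reason in hunt(EVENTS):
        print(f"{image}: {reason}")
```

Running it flags the Word-spawned PowerShell and the svchost.exe copy living in a user's Temp directory, while the two legitimate chains pass silently; the baseline set is the part you replace with what your own environment actually looks like.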



  • For your threat hunting tip of the day:

    Once the malware was downloaded it started reaching out to some non-standard ports. Not only did the ports stick out as odd but the executables or programs doing it seemed strange as well. One example is the MSBuild.exe (an executable masquerading as a legitimate process) connected to an IP over port 6000.

    Using speedguide.net as a reference to see what legitimate programs use port 6000, I see Medal of Honor Rising Sun, Madden NFL 2005, Army of Two for the PlayStation 3, and other games. BUT, if we look at the first part of the table we see that it has been used by different trojans. So the question you should ask yourself is this: Is someone playing PlayStation in my corporate environment, and an old one at that, or is this strange port something I should look into?

    So, look for non-standard ports that aren’t tied to business or legitimate processes and do some research to see what they possibly could be! I hope this helps! Enjoy and Happy Hunting!

    @cyborg@ioc.exchange Security @Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
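The non-standard-port hunt from the post above, as an added example that is not part of the post. It assumes Sysmon-style network-connection fields (Image, DestinationIp, DestinationPort), an allowlist of business ports and a per-process port baseline that are assumptions made for the example, and constructed events; the MSBuild.exe-to-port-6000 case mirrors the one the post mentions.

```python
import ntpath

# Constructed sample network-connection events (Sysmon Event ID 3 style fields); not real data.
CONNECTIONS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 80},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 6000},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.30", "DestinationPort": 993},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "198.51.100.8", "DestinationPort": 8088},
]

# Ports that business applications are expected to use here (assumption for the example).
BUSINESS_PORTS = {53, 80, 389, 443, 445, 587, 636, 993, 3389}

# Per-process destination-port baseline learned from known-good telemetry (assumed values).
PROCESS_BASELINE = {
    "chrome.exe": {80, 443},
    "outlook.exe": {443, 587, 993},
    "svchost.exe": {53, 80, 443},
}


def hunt_connection(event):
    """Return the reasons a connection deserves a look; an empty list means it fits the baseline."""
    proc = ntpath.basename(event["Image"]).lower()
    port = event["DestinationPort"]
    reasons = []
    # First question from the post: is this port tied to anything the business runs?
    if port not in BUSINESS_PORTS:
        reasons.append(f"non-standard destination port {port}")
    # Second question: does this program normally talk to the network at all, and on this port?
    if proc not in PROCESS_BASELINE:
        reasons.append(f"{proc} has no baseline network activity")
    elif port not in PROCESS_BASELINE[proc]:
        reasons.append(f"{proc} never seen talking to port {port} before")
    return reasons


def hunt(events):
    """Keep only the connections that produced at least one reason."""
    return [(e["Image"], e["DestinationIp"], e["DestinationPort"], r)
            for e in events if (r := hunt_connection(e))]


if __name__ == "__main__":
    for image, ip, port, reasons in hunt(CONNECTIONS):
        print(f"{image} -> {ip}:{port}: {'; '.join(reasons)}")
```

Two of the five connections come back: the build tool reaching port 6000, and svchost.exe on a port it has never used. Both are research leads, not verdicts; the port lookup the post describes is the next step.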



  • Here is your Threat Hunting Tip of the Day:

    In The DFIR Report the attackers abused #PowerShell to execute encoded commands to hide their true activity from the defenders or the victims. Normally, PowerShell needs a parameter that tells it that the following command will be encoded, which is any valid variation of the “-encodedcommand” parameter. Now, this ranges from -e to -EnCoDeDcOmMaNd and everything in between to INCLUDE escape characters! So what are defenders to do?

    You could leverage this Intel 471 Free Community Hunt Package that looks for these variations using regular expressions! Now, this will help you identify the encoded commands that are run in your organization and possibly by attackers, but be warned! False positives are a thing and once you start removing them you should have a better idea of what is abnormal. You can also use open source tools like CyberChef to decode the commands so you can make them human readable!

    I hope this gets you started on your Threat Hunting journey, good luck and Happy Hunting!

    Powershell Encoded Command Execution
    https://hunter.cyborgsecurity.io/research/hunt-package/d2d3bbc2-6e57-4043-ab24-988a6a6c88db

    Cyborg Security #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
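An added example of the two steps the post above describes, matching the -encodedcommand variations and then decoding the payload the way CyberChef would; it is not the hunt package's regular expression and not the author's code. The regex assumes PowerShell accepts every prefix of "encodedcommand" from "-e" upward plus "-ec", with "/" as an alternative switch character, and treats cmd.exe caret escapes and stray quotes as characters to strip before matching; the command lines are constructed for the example.

```python
import base64
import binascii
import re

# Every prefix of "encodedcommand" from "e" upward, plus "ec" (assumption about PowerShell's
# switch matching; check against the PowerShell versions in your own estate). Longest first.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)

# Switch must be followed by whitespace and then a base64 run, so "-ExecutionPolicy" does not match.
ENCODED_SWITCH = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def normalize(cmdline):
    """Strip cmd.exe caret escapes and quotes so '-^e^n^c' and '-"enc"' both read as '-enc'."""
    return re.sub(r'[\^"\']', "", cmdline)


def find_encoded(cmdline):
    """Return the base64 payload following an encoded-command switch, or None."""
    m = ENCODED_SWITCH.search(normalize(cmdline))
    return m.group(1) if m else None


def decode_encoded(b64):
    """PowerShell encodes the script as UTF-16LE before base64; undo both, or return None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hunt(cmdlines):
    """Pair each command line that carries an encoded command with its decoded script."""
    hits = []
    for line in cmdlines:
        payload = find_encoded(line)
        if payload is not None:
            hits.append((line, decode_encoded(payload)))
    return hits


def _enc(script):
    # Helper used only to build the sample data the same way PowerShell would.
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample command lines (benign scripts); not from any incident.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle hidden -EnC " + _enc("Write-Output 'hunt'"),
    "cmd.exe /c powershell -nop -^e^n^c " + _enc("Get-Date"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell.exe -Command Get-Service",
]


if __name__ == "__main__":
    for line, script in hunt(SAMPLE_CMDLINES):
        print(f"{line}\n  -> {script}")
```

The normalize step is what handles the "escape characters" the post warns about; the false positives it mentions will mostly be legitimate automation that encodes scripts for quoting reasons, which is exactly why the decoded text, not the presence of the switch, is what you read.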



  • Threat Hunting Tip of the Day:

    I know I normally steer you to a Cyborg Security and Intel 471 Hunt package but something about this report stuck out that could be an issue in many organizations and that can be summed up in one word: visibility!

    Under the "Data Access and Impact (TA0010 and TA0040)" section, it states that “CloudTrail S3 data logging and S3 server access logging was not enabled…no logs existed that showed exfiltration activity from the S3 buckets.” [1]

    Lesson learned: IF you are migrating to the cloud or bringing new hardware/software, assets, etc. into your environment, please take time to assess what level of logging exists, and determine what is valuable to ingest. Taking that time will be worth it in the long run and allow your analysts to dig through logs, create detections, and threat hunt in your environment! Enjoy and Happy Hunting!

    [1] https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/

    #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting
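One way to do the "assess what level of logging exists" step for the specific gap the post quotes, as an added example that is not from the post or the Unit 42 report: a check of CloudTrail event selectors for S3 object-level read events. The input dictionaries are constructed to look like the documented CloudTrail get_event_selectors response (an assumption about field names; in real use they come from a boto3 call per trail), and the trail names and bucket names are made up.

```python
# Constructed responses shaped like CloudTrail's get_event_selectors output (assumption:
# the documented CloudTrail API field names). Real checks would fetch one per trail.
TRAIL_MGMT_ONLY = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/mgmt-only",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}
    ],
}
TRAIL_ALL_S3 = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/all-s3",
    "EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}
    ],
}
TRAIL_WRITE_ONLY = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/write-only",
    "EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}
    ],
}
TRAIL_ADVANCED = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/finance-only",
    "AdvancedEventSelectors": [
        {"Name": "finance bucket data events", "FieldSelectors": [
            {"Field": "eventCategory", "Equals": ["Data"]},
            {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
            {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::finance-data/"]},
        ]}
    ],
}


def _arn_covers(values, bucket):
    """True if the ARN list covers `bucket` (None means: covers any bucket at all)."""
    if bucket is None:
        return bool(values)
    prefix = f"arn:aws:s3:::{bucket}"
    return any(v == "arn:aws:s3:::" or v == prefix or v.startswith(prefix + "/") for v in values)


def s3_read_events_logged(trail, bucket=None):
    """Does this trail record S3 object-level *read* events (GetObject and friends)?

    Reads are what an exfiltration shows up as, so a WriteOnly selector does not count.
    Both classic EventSelectors and AdvancedEventSelectors are checked.
    """
    for sel in trail.get("EventSelectors", []):
        if sel.get("ReadWriteType", "All") == "WriteOnly":
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object" and _arn_covers(res.get("Values", []), bucket):
                return True
    for sel in trail.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Data" not in fields.get("eventCategory", {}).get("Equals", []):
            continue
        if "AWS::S3::Object" not in fields.get("resources.type", {}).get("Equals", []):
            continue
        if fields.get("readOnly", {}).get("Equals") == ["false"]:
            continue  # write-only advanced selector; reads would not be recorded
        arn = fields.get("resources.ARN")
        if arn is None or _arn_covers(arn.get("StartsWith", []) + arn.get("Equals", []), bucket):
            return True
    return False


def audit(trails, bucket=None):
    """Map each trail ARN to whether S3 read data events for `bucket` would be logged by it."""
    return {t["TrailARN"]: s3_read_events_logged(t, bucket) for t in trails}


if __name__ == "__main__":
    for arn, ok in audit([TRAIL_MGMT_ONLY, TRAIL_ALL_S3, TRAIL_WRITE_ONLY, TRAIL_ADVANCED],
                         "finance-data").items():
        print(f"{arn}: {'logged' if ok else 'NOT logged'}")
```

The write-only trail is the subtle case: it looks like S3 data logging is on, yet a bulk GetObject run would leave nothing behind, which is the situation the quoted report describes.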



  • @benfulton@fosstodon.org Looking at the report, I have to make an assumption: Since the malware is able to monitor the clipboard, maybe the user copied and pasted some admin creds OR since it is able to extract passwords and information from browsers if the victim has privileged creds stored in extensions or their browser password manager they could get them from there.


  • For your Threat Hunting Tip of the Day:

    I have covered this one many times, but I will continue to beat this horse as long as it exists. Adversaries WILL abuse the Run Registry Key for persistence, old malware will and new malware will and even future malware will. Why? Because of the function: Execute on logon.

    So, if you are hunting for this, first make sure you have visibility into that registry key; emulate the traffic if you need to. Then make sure your tools have the visibility; that means you can hunt for it. Then, you can take this Intel 471 Free Community Hunt Package and drop it in your tool to begin the hunt! Enjoy and Happy Hunting!

    Autorun or ASEP Registry Key Modification
    https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

    Cyborg Security #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
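An added example of the Run-key hunt the post above points at, written here as an illustration; it is not the Intel 471 hunt package's logic. It assumes Sysmon Event ID 13 style fields (Image, TargetObject, Details), a list of Run/RunOnce and related autorun key paths assembled from widely documented ASEP locations, and a baseline of known installers plus a user-writable-path heuristic that are assumptions for the example; the events and SID are constructed.

```python
import re

# Registry autorun (ASEP) locations matched case-insensitively against the key path.
# Assembled for the example from widely documented Run/RunOnce and Winlogon locations.
ASEP_PATTERNS = [
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once|Services|ServicesOnce)?\\",
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?:Shell|Userinit)$",
]
ASEP_RE = re.compile("|".join(ASEP_PATTERNS), re.IGNORECASE)

# Autorun targets living in user-writable directories deserve a closer look (heuristic, assumed).
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads)\\", re.IGNORECASE)

# Processes that legitimately write Run keys in this hypothetical environment (assumption).
KNOWN_WRITERS = {r"c:\program files\corpinstaller\setup.exe"}

# Constructed Sysmon Event ID 13 style events (registry value set); not real telemetry.
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
EVENTS = [
    {"Image": r"C:\Program Files\CorpInstaller\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CorpAgent",
     "Details": r"C:\Program Files\CorpAgent\agent.exe"},
    {"Image": r"C:\Users\bob\AppData\Roaming\update.exe",
     "TargetObject": rf"HKU\{_SID}\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\update.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": rf"HKU\{_SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": rf"HKU\{_SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\x",
     "Details": r"C:\Users\bob\Downloads\inv.vbs"},
]


def is_asep_write(event):
    """True if the registry value being set lives under an autorun location."""
    return ASEP_RE.search(event["TargetObject"]) is not None


def hunt(events):
    """Return autorun writes by processes outside the baseline, with the reasons to look at each."""
    findings = []
    for e in events:
        if not is_asep_write(e):
            continue
        if e["Image"].lower() in KNOWN_WRITERS:
            continue  # baselined installer; worth counting, not worth an alert
        reasons = [f"unbaselined writer {e['Image']}"]
        if USER_WRITABLE.search(e["Details"]):
            reasons.append(f"autorun target in user-writable path: {e['Details']}")
        findings.append({"value": e["TargetObject"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["value"])
        for r in f["reasons"]:
            print(f"  - {r}")
```

The first thing to confirm, as the post says, is that events like these reach your tool at all: write a harmless test value under your own HKCU Run key and make sure it shows up before trusting the absence of findings.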