Hacking
Mobile Device Malware Analysis
Mobile devices present interesting challenges when it comes to:
- Incident Response
- Malware Analysis
- Digital Forensics
Hacking
Hacking
Uncategorized
Malicious Scheduled Tasks
A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.
So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:
“Show me all the command lines used in scheduled tasks on Windows with PowerShell”
So I knocked up this really simple proof of concept (there are other ways to write this obvs)
Read more “Malicious Scheduled Tasks”
Education
Learn to SOC: Cryptominer Analysis
I’m totally in the middle of doing some work but this alert just came in so I have quickly dumped the data:
This came in via a Confluence exploit (not sure which CVE yet). I’ve not got time to analyse but thought I’d share this as an educational excercise for people! It’s a good excercise to see the apache tomcat logs and then decode, obtain samples and analyse the activity/imapct (as well as yoink IOCs etc.)
Read more “Learn to SOC: Cryptominer Analysis”
Defence
Office Microsoft Support Diagnostic Tool (MSDT) Vulnerability “Follina”
This is a fast publish!
Confirmed all Office (ISO Install/PRO and 365) when using the Rich Text Format (RTF) method.
Office 365 has some sort of patch against the .DOCX format.
WGET Execution
Read more “Office Microsoft Support Diagnostic Tool (MSDT) Vulnerability “Follina””
Defense
My MSBlaster Story
We looked after about 3-3500 endpoint devices. We were running Windows servers/clients and we leveraged technologies such as:
- Dameware Tools
- Remote Desktop Protocol
- GFI LanGuard
- RCP/SMB/WMI
- McAfee Antivirus
Defense
Business Email Compromise in Office 365
BEC
Business email compromise can be a prelude to a range of attacks but commonly it’s either Ransomware of Scammers. In this post we are focsing on scammer activity which uses a ‘man in the mailbox’ attack to get in between two parties in an email converstation with the aim of attempting theft by fradulently altering a wire transfer so that the third party sends funds to the scammers not to the victim. There are cleary other avenues that can be leveraged (the compromised mailbox may be used to phish or email malware to another victim).
Initial Access
To gain access to the mailbox a range of techniques can be employed which includes:
- Credential stuffing
- Phishing and credential harvesting
- Malware
Once they have your logon credentials, they now will attempt to access your mailbox.
Avoiding Geo Location Alerts
A scammer may use a public VPN service (such as services from AVAST etc.) to move their internet connection the target mailbox region. They can usually locate a person through some OSINT.
By moving to the normal area of the user they are less likely to trip geo location alerts. Read more “Business Email Compromise in Office 365”