
- The Rise of the Bots in Cybersecurity
In the ever-evolving world of cybersecurity, bots have emerged as a significant threat, capable of causing widespread disruption and damage. Bots, short for robots, are software programs designed to perform specific tasks automatically, often with little or no human intervention.

What Are Bots?
Bots are specialized backdoors used for controlling large numbers of systems, ranging from a few dozen to more than a million. These collections of bots, controlled by a single attacker, are known as botnets. The individual controlling the botnet is sometimes referred to as a "botherder." Bots can perform various tasks, including:
  - Maintaining backdoor control: allowing attackers to access and control a machine remotely.
  - Controlling IRC channels: one of the earliest uses of bots was to manage Internet Relay Chat (IRC) channels.
  - Acting as mail relays: bots can be used to send spam emails.
  - Providing anonymizing HTTP proxies: bots can anonymize an attacker's internet activity.
  - Launching denial-of-service attacks: bots can flood a target with traffic, causing it to become overwhelmed and unresponsive.

How Are Bots Distributed?
Attackers use multiple methods to distribute bots, often leveraging the same techniques used to spread worms. Here are some common distribution methods:
  - Worms: many worms carry bots as a payload, spreading the bot to new systems as they replicate.
  - Email attachments: attackers send malicious email attachments that, when opened, install the bot.
  - Bundling with software: bots can be bundled with seemingly legitimate applications or games, tricking users into installing them.
  - Browser exploits: bots can be distributed through vulnerabilities in web browsers, often via "drive-by" downloads from compromised websites.

Botnets: The Power Behind Bots
Botnets are networks of infected computers controlled by an attacker. These networks can range in size from a few dozen to millions of compromised machines. Botnets are versatile and can be used for various malicious purposes, such as:
  - DDoS attacks: Distributed Denial-of-Service (DDoS) attacks involve flooding a target with traffic from multiple sources, overwhelming the system and causing it to crash or become unresponsive.
  - Spam campaigns: botnets can send large volumes of spam emails, often for phishing or spreading additional malware.
  - Data theft: bots can be used to steal sensitive information from infected systems, including login credentials and financial data.

How Do Bots Communicate?
Attackers need to communicate with their bots to issue commands and control the botnet. This communication can occur through various channels:
  - IRC (Internet Relay Chat): historically, IRC channels were popular for bot communication due to their ability to facilitate one-to-many communications.
  - HTTP/HTTPS: bots can communicate with a command-and-control server using standard web protocols, making it harder to detect.
  - DNS: some bots use DNS to send and receive commands, as DNS traffic is often allowed through network firewalls.
  - Social media: attackers can use social media platforms, like Twitter and YouTube, to post commands for their bots.

General Bot Functionality
Bots are incredibly versatile and can perform a wide range of functions, including:
  - Morphing code: bots can change their code to avoid detection by antivirus software.
  - Running commands: bots can execute commands with system-level privileges.
  - Starting a listening shell: attackers can open a remote shell on the infected machine.
  - File sharing: bots can add or remove file shares on the network.
  - FTP transfers: bots can transfer files via FTP.
  - Autostart entries: bots can add entries to start themselves automatically when the system boots.
  - Scanning for vulnerabilities: bots can scan the network for other vulnerable systems to infect.

Advanced Bot Capabilities
Modern bots come equipped with even more advanced features, such as:
  - Launching packet floods: bots can initiate various types of packet floods (e.g., SYN, HTTP, UDP) to disrupt services.
  - Creating HTTP proxies: bots can create proxies to anonymize the attacker's web traffic.
  - Starting redirectors: bots can redirect traffic through compromised machines, obscuring the attacker's location.
  - Harvesting email addresses: bots can collect email addresses for spam campaigns.
  - Modular plugins: bots can load additional functionality via plugins.
  - Detecting virtualization: some bots can detect if they are running in a virtual environment and alter their behavior to avoid analysis.

Conclusion
Bots and botnets represent a significant challenge in cybersecurity due to their ability to operate autonomously and perform a wide range of malicious activities. As bots continue to evolve, they become more sophisticated and harder to detect.
Akash Patel
- Worms and Bots: What Should You Take Away?
Key Points for Effective Defense

Rapid Response Capability
  - Preauthorized permissions: ensure you have preapproval to act swiftly during a malware outbreak, including taking down networks or systems if necessary to contain the threat.
  - Risk analysis: use documented cases and news articles to demonstrate the risks and potential costs of malware incidents to organizational leadership, supporting the need for preapproved actions.

Evolving Threat Techniques
  - Syrian Electronic Army: employing polymorphic Android malware for surveillance.
  - US CIA: developing EFI malware like "Sonic Screwdriver" for Apple devices.
  - Russian hackers: creating LoJax UEFI malware that persists through OS reinstalls.
The job of defenders is increasingly challenging. Be prepared to make quick decisions in the face of imminent threats.

Defensive Strategies (Mapped to the IR Phases)
Preparation
  - Buffer overflow defenses: implement and configure non-executable stacks to prevent simple stack-based buffer overflow exploits.
  - Patch management: develop a process for rapidly identifying, testing, and deploying patches.
  - Application whitelisting: use tools like Software Restriction Policies or AppLocker to allow only approved software to run.
  - Data encryption: encrypt data on hard drives to protect it in case of theft.
  - Tabletop exercises: conduct exercises to ensure the organization can respond swiftly and effectively to an attack.
Identification
  - Regular antivirus updates: keep antivirus solutions up to date on desktops, mail servers, and file servers.
Containment
  - Incident response: integrate incident response capabilities with network management to enable real-time isolation of network segments if necessary.
Eradication and Recovery
  - AV tools: use antivirus tools to remove infestations, or rebuild systems if necessary.

Detailed Defensive Measures
  - System hardening: implementing non-executable stacks and host-based Intrusion Prevention Systems (IPS) can mitigate many buffer overflow exploits. Thoroughly test security patches before deployment to ensure they do not disrupt critical applications.
  - Encryption: use filesystem encryption tools to secure data on hard drives, ensuring that stolen data cannot be easily read without the encryption key.
  - Antivirus and application whitelisting: regularly update antivirus solutions to catch known threats. Employ application whitelisting to prevent unauthorized programs from running, reducing the risk of malware execution.
  - Incident response and network management: include network management personnel in the incident response team to enable swift action in isolating affected network segments during an outbreak.
By integrating these defensive strategies and maintaining a state of preparedness, organizations can effectively mitigate the risks posed by worms and bots and respond rapidly to emerging threats.
- The Evolution and Impact of Worms in Cybersecurity
In the world of cybersecurity, attackers are always looking for ways to compromise systems efficiently and effectively. One method that has been around for decades, but continues to evolve and cause significant damage, is the use of worms. Worms are a type of malicious software that can spread across networks, infecting multiple systems without the need for direct human intervention.

What Are Worms?
Worms are automated attack tools designed to spread through networks. Unlike traditional malware that requires some form of user interaction, such as opening a malicious email attachment, worms can propagate themselves. Here's how they typically work:
  - Initial infection: a worm infects the first vulnerable system it encounters.
  - Scanning: from the compromised system, the worm scans the network for other vulnerable systems.
  - Replication: the worm then copies itself to those systems, repeating the process and spreading further.
Each instance of the worm is called a "segment," and as it moves from system to system, it continues to multiply, often at an exponential rate.

The History of Worms
Worms have been a part of the cybersecurity landscape for decades. One of the earliest and most famous examples is the Morris Worm, created by Robert Tappan Morris, Jr., in 1988. This worm caused significant disruption to the early internet, highlighting the destructive potential of such self-replicating malware. Even before the Morris Worm, researchers at Xerox PARC were exploring the concept of worms for efficiently distributing software across networked computers, though not with malicious intent.

Worm Evolution: Getting More Dangerous
Worms have significantly evolved over the years, becoming more sophisticated and harder to defend against. Here are some key developments:
  - Multi-exploit worms: early worms typically exploited a single vulnerability. Modern worms, however, can use multiple exploits to infect systems. For example, the Nimda worm from 2001 used about 12 different exploits, including those targeting web servers, email systems, and file sharing. Conficker, another notorious worm, used three main methods to spread: exploiting a Windows vulnerability, copying itself to USB drives, and guessing passwords for network shares.
  - Multiplatform worms: initially, worms targeted a single operating system. However, worms like Stuxnet have demonstrated the ability to affect multiple platforms. Stuxnet was primarily aimed at Windows systems but also manipulated industrial control systems, showcasing a significant leap in worm capabilities.
  - Zero-day exploit worms: zero-day exploits are vulnerabilities that are unknown to the software vendor and the security community at the time of the attack. Worms using zero-day exploits are particularly dangerous because there are no existing patches or defenses against them when they first appear. Stuxnet, for instance, utilized four zero-day exploits, making it extremely difficult to defend against initially.

The Threat of Worm Evolution
As worms continue to evolve, we need to prepare for even more sophisticated variants. Future worms may:
  - Use multiple exploits across different platforms: this makes patching systems more complex, as organizations need to address vulnerabilities across various operating systems simultaneously.
  - Spread rapidly using zero-day exploits: with no patches available initially, these worms can cause widespread damage before security teams have a chance to respond.

Conclusion
Worms represent a significant threat in the cybersecurity landscape, continually evolving to become more destructive and harder to defend against. By understanding their behavior and preparing robust defense mechanisms, we can mitigate the risk they pose. Staying vigilant and proactive is key to protecting our networks from these automated and relentless attackers.
Akash Patel
- Evolution of UNIX and Linux Password Storage
In the early days of UNIX and Linux systems, passwords were stored using the DES encryption algorithm, often without the use of a salt. Usernames and passwords were kept in the /etc/passwd file, which was readable by all users. This practice posed a security risk, as the passwords were relatively easy to access and crack.

Improvements in Password Storage
Transition to MD5 and Beyond
As security concerns grew, UNIX and Linux systems moved towards stronger hashing algorithms and better storage practices. Passwords began to be hashed using MD5, and later algorithms such as Blowfish, SHA-256, and SHA-512. Along with the stronger algorithms, the use of salt became standard practice. Initially, salts were 4 bytes long, but later expanded to 8 bytes. To improve security further, password hashes were moved to the /etc/shadow file, which has restrictive permissions and is only readable by the root user. Meanwhile, the /etc/passwd file remained world-readable but did not contain sensitive hash data.

Password Hashing in /etc/shadow
In modern UNIX and Linux systems, the /etc/shadow file contains password hashes in a format that includes the hash type, the salt, and the hashed password, separated by dollar signs ($). The structure is as follows:
username:$id$salt$hashed_password
  - $1$ indicates MD5 hashing.
  - $2$ indicates Blowfish hashing.
  - $5$ indicates SHA-256 hashing.
  - $6$ indicates SHA-512 hashing.
For example:
sec504:$6$1ArFQuUx$qhCcp4hKJvWxf47bm30iFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgl15eFPyMQ0HzE.PyXrIqE3FpnF4vdPq.
This entry shows a SHA-512 hash ($6$), with an 8-byte salt (1ArFQuUx) and the resulting hashed password.

Enhancing Password Security
Multiple Rounds of Hashing
To thwart password-cracking attempts, modern hashing algorithms often use multiple rounds of hashing. For instance:
  - MD5 crypt ($1$) uses 1,000 rounds.
  - SHA-256 ($5$) and SHA-512 ($6$) use 5,000 rounds by default.
Multiple rounds slow down the hashing process, making it computationally expensive for attackers to crack passwords using brute force or dictionary attacks.

GPU-based Attacks
Attackers have adapted by utilizing GPUs to speed up the password-cracking process. GPUs can perform many parallel computations, significantly increasing the number of hashes that can be computed per second. For example, an NVIDIA GeForce RTX 2070 can compute around 768,500 SHA-512 hashes per second.

Mitigating Advanced Cracking Techniques
To counter GPU-based attacks, more sophisticated hashing algorithms have been developed:
  - PBKDF2 (Password-Based Key Derivation Function 2): uses a flexible number of hashing rounds, typically in the thousands or millions.
  - Bcrypt: incorporates a memory-intensive hashing process, which is difficult for GPUs to optimize.
  - Scrypt: requires even more memory, making it particularly resistant to GPU-based attacks.
  - Argon2: the winner of the Password Hashing Competition, designed to be memory-hard and resistant to GPU attacks.

Conclusion
As attackers become more sophisticated, so too must the mechanisms for securing passwords. Modern UNIX and Linux systems use advanced hashing techniques to ensure that password storage remains as secure as possible.
Akash Patel
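As an added example (not part of the original post), the Python below parses the $id$salt$hashed_password field of /etc/shadow entries described above, recovers the algorithm, salt and round count (including the explicit rounds=N form and bcrypt's cost), and flags the legacy DES and MD5 schemes or low round counts. The "sec504" line is the post's own example; the other entries and the audit thresholds are constructed assumptions.

```python
"""Parse /etc/shadow password fields and flag weak or low-cost hashing.

Added example, not from the original post. The "sec504" line is the entry quoted in
the post; the other entries are constructed. Hash identifiers follow the $id$salt$hash
convention the post describes (glibc crypt).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HASH_IDS = {
    "1": "MD5 crypt",
    "2": "Blowfish (bcrypt)", "2a": "Blowfish (bcrypt)",
    "2b": "Blowfish (bcrypt)", "2y": "Blowfish (bcrypt)",
    "5": "SHA-256 crypt",
    "6": "SHA-512 crypt",
    "y": "yescrypt",
}
# Default iteration counts stated in the post, used when no rounds= field is present.
DEFAULT_ROUNDS = {"1": 1000, "5": 5000, "6": 5000}
WEAK_ALGORITHMS = {"DES crypt", "MD5 crypt"}


@dataclass
class ShadowEntry:
    user: str
    algorithm: str
    salt: Optional[str]
    rounds: Optional[int]   # iterations (bcrypt: 2**cost), None when unknown
    locked: bool


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]

    # "!" or "*" (or an empty field) means no password authentication is possible.
    if pw == "" or pw[0] in "!*":
        return ShadowEntry(user, "none/locked", None, None, True)

    if not pw.startswith("$"):
        # Legacy DES crypt: 2-character salt followed by 11 hash characters, no "$" separators.
        return ShadowEntry(user, "DES crypt", pw[:2], None, False)

    parts = pw.split("$")[1:]          # drop the empty string before the leading "$"
    hash_id, rest = parts[0], parts[1:]
    algorithm = HASH_IDS.get(hash_id, "unknown ($%s$)" % hash_id)

    if hash_id.startswith("2"):
        # bcrypt: $2b$<cost>$<22-char salt><31-char hash>; work factor is 2**cost.
        return ShadowEntry(user, algorithm, rest[1][:22], 2 ** int(rest[0]), False)

    if hash_id == "y":
        # yescrypt: $y$<params>$<salt>$<hash>; the cost lives in the params field.
        return ShadowEntry(user, algorithm, rest[1] if len(rest) > 1 else None, None, False)

    rounds = DEFAULT_ROUNDS.get(hash_id)
    m = re.fullmatch(r"rounds=(\d+)", rest[0]) if rest else None
    if m:                               # explicit $6$rounds=N$salt$hash form
        rounds = int(m.group(1))
        rest = rest[1:]
    salt = rest[0] if rest else None
    return ShadowEntry(user, algorithm, salt, rounds, False)


def audit(lines: List[str], min_rounds: int = 5000) -> List[Tuple[str, str]]:
    """Return (user, reason) pairs for entries a defender should follow up on."""
    findings = []
    for line in lines:
        e = parse_shadow_line(line)
        if e.locked:
            continue
        if e.algorithm in WEAK_ALGORITHMS:
            findings.append((e.user, "weak algorithm: " + e.algorithm))
        elif e.algorithm.startswith("SHA-") and e.rounds is not None and e.rounds < min_rounds:
            findings.append((e.user, "low round count: %d" % e.rounds))
        elif e.salt is not None and len(e.salt) < 8:
            findings.append((e.user, "short salt: %d bytes" % len(e.salt)))
    return findings


# Sample shadow lines: the first is the entry quoted in the post, the rest are constructed.
SAMPLE_SHADOW = [
    "sec504:$6$1ArFQuUx$qhCcp4hKJvWxf47bm30iFs3CldfvKy/z28wN24GuOwBfcgOF8j2iYgl15eFPyMQ0HzE.PyXrIqE3FpnF4vdPq.",
    "legacy:$1$Hs7e9Kq2$yT4wZbN1mX0lPq9rS3uV7/:19000:0:99999:7:::",
    "ancient:AbU9xL2pQ7mRs:19000:0:99999:7:::",
    "hardened:$6$rounds=100000$P4rRx1sQ$Wq8t3yZ9vLm2nB5cK7dF1gH4jR6tY8uI0oP3aS5dF7gH9jK2lM4nB6vC8xZ1qW3eR5tY7uI9oP0:19000:0:99999:7:::",
    "cheap:$5$rounds=1000$Ab12Cd34$Zx9yW8vU7tS6rQ5pO4nM3lK2jH1gF0dS9aP8oI7uY6tR5eW4qA3sD2fG1h:19000:0:99999:7:::",
    "root:!:19000:0:99999:7:::",
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_SHADOW):
        print(user, reason)
```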
- Obtaining Windows Domain Controller Hashes
Gaining access to Windows Domain Controller password hashes is a critical step for attackers aiming to compromise a Windows network.

Step 1: Obtain NTDS.dit and SYSTEM Registry Hive Data
NTDS.dit is the database that stores Active Directory (AD) data, including password hashes. To extract these hashes, attackers also need the SYSTEM registry hive, which contains the keys necessary to decrypt the NTDS.dit file.
Using ntdsutil.exe
  - Access ntdsutil.exe: this built-in utility is used to manage AD data, including creating backups.
  - Activate instance: set the active instance to "ntds".
  - Create backup:
C:\Users\Administrator> ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: ifm
ifm: create full c:\ntds
This sequence of commands creates a full backup of the AD data in the c:\ntds directory, including the NTDS.dit file and the SYSTEM registry hive.

Step 2: Extracting Password Hashes
After obtaining the NTDS.dit and SYSTEM files, the next step is to decrypt the NTDS.dit data and extract the password hashes.
Using secretsdump.py from Impacket
  - Install Impacket: ensure that Impacket is installed on the attacker's machine.
  - Run secretsdump.py: this script reads and decrypts the NTDS.dit file using the SYSTEM registry hive.
Command for secretsdump.py:
python /usr/share/doc/python-impacket/examples/secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL
The output displays the decrypted hashes:
[*] Target system bootKey: 0x7b1c658edfb752594c688e02d4424924
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient.
[*] Pek found and decrypted: 0x1e0d9fa12fb2367f15f22517aa31e84d
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9491b24e8c931559455ed4f59476cec2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d2f4f1a07e9fb731e455e0b9a58265:::
ksmith:1000:aad3b435b51404eeaad3b435b51404ee:0d4fa3ed8f51a0d45a7c7fbd0c92b99c:::

Minimizing Detection
Attackers prefer using built-in tools like ntdsutil because they are less likely to trigger security alerts compared to third-party tools. The built-in utilities are designed for system management and backups, so their usage might not immediately raise suspicion.

Alternative Methods
There are other methods to obtain and extract NTDS.dit and SYSTEM data, such as using volume shadow copies or other administrative tools. Detailed methodologies and advanced techniques can be found in various penetration testing blogs and resources, such as the articles by @netbiosX on PentestLab.

Conclusion
Obtaining and decrypting Windows Domain Controller password hashes involves using built-in utilities to create backups of the necessary files and then employing scripts like secretsdump.py to extract the hashes. Understanding these methods highlights the importance of securing administrative access and monitoring the use of system utilities to prevent unauthorized access to sensitive data.
We will continue this in the next post.
Akash Patel
- Forensic Investigation: Techniques and Tools for Effective Threat Hunting
In the ever-evolving landscape of cybersecurity, forensic investigators must be equipped with a diverse set of tools and techniques to identify, analyze, and respond to various threats. This blog delves into several advanced methods for detecting malicious activity, focusing on Sysmon Event ID 1, RDP activity hunting, phishing and maldoc detection, and data exfiltration using the $UsnJrnl:$J file.

1. Sysmon Event ID 1: Process Creation
Sysmon (System Monitor) is a powerful tool that provides detailed information on process creation, network connections, and changes to file creation time, among other data. Sysmon logs, particularly Event ID 1, are invaluable for forensic investigators.
Why Sysmon Event ID 1?
  - Comprehensive process tracking: every time a process is created, Sysmon logs the event, capturing crucial details such as the process name, command line, and parent process.
  - Enhanced visibility: even if you lack Shimcache or SRUM data, Sysmon's Event ID 1 can fill the gap by logging all process executions, giving you insight into potential malicious activity.
Example query: to identify potentially malicious processes executed via Office applications (common in phishing attacks), you can use the following query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR excel.exe OR powerpnt.exe OR mspub.exe OR visio.exe)

2. Hunting RDP Activity: Remote Logon Events
Remote Desktop Protocol (RDP) is a common vector for unauthorized access. Monitoring RDP activities is crucial for identifying potential intrusions.
Focus on Logon Events
  - Event ID 4624: this event logs successful logons, which can be filtered to focus on remote logons (Logon Type 10) over RDP.
  - IP address filtering: investigate events where the source IP address is external (i.e., not within the local 10.0.0.0/8 range or localhost 127.0.0.1).

3. Identifying Infection Vectors: Phishing and Maldoc Hunting
Phishing remains a prevalent attack vector, often delivering malicious documents (maldocs) that execute harmful payloads.
Detecting Phishing and Maldocs
  - Office applications as parent processes: when malware is executed via Office applications like Word or Excel, it's often a sign of phishing. Example query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_path:(*winword.exe OR excel.exe OR powerpnt.exe OR mspub.exe OR visio.exe)
  - ZIP files accessed in Windows: ZIP files are commonly used to deliver malicious payloads in phishing emails. Detecting ZIP files opened from temporary locations can indicate phishing activity. Example query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:1) AND process_parent_command_line:"appdata\\local\\temp\\temp1_*" AND process_parent_command_line.keyword:*temp1_*

4. Data Exfiltration Detection: $UsnJrnl:$J and ZIP Files
One of the key challenges in forensic investigations is detecting data exfiltration. Attackers often compress data into ZIP files before exfiltration. The $UsnJrnl:$J (Update Sequence Number Journal) file in NTFS can be a goldmine for detecting such activity.
Using MFTECmd to Analyze $UsnJrnl:$J
  - Identifying ZIP files: by parsing the $UsnJrnl:$J file, you can identify ZIP files created or modified on the system. Example PowerShell command:
$usnzip = Import-Csv -Path 'C:\Users\noransom\Desktop\.csv' | ? Extension -eq '.zip'
  - Detecting deleted ZIP files: attackers might delete ZIP files after exfiltration to cover their tracks. However, traces remain in the $UsnJrnl:$J file. Example PowerShell commands:
$deleted = $usnzip | ? UpdateReasons -like '*Delete*'
$deleted | Format-Table -Property Extension,Name,ParentPath,UpdateReasons -AutoSize

5. Additional Techniques for Enhanced Threat Hunting
  - Credential reads: Event ID 5379 logs when stored credentials are accessed. Monitoring this event can reveal unauthorized access to sensitive information. Example query:
source_name:"Microsoft-Windows-Security-Auditing" AND event_id:5379 AND credentials_read:Microsoft_Windows_Shell_ZipFolder*
  - Outlook content and downloads: detecting file creations within the Outlook cache path can uncover attempts to download and execute malicious attachments. Example query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:11) AND file_name:"microsoft\\windows\\inetcache\\content.outlook\\*"
  - Reviewing the Trust Center: Microsoft Office applications maintain a Trusted Documents list, which can be used to detect when a user has marked a malicious document as trusted. Example query:
(source_name:"Microsoft-Windows-Sysmon" AND event_id:13) AND registry_key_path:("Trusted Documents" OR "TrustRecords")

Conclusion
By leveraging the tools and techniques outlined in this blog, forensic investigators can enhance their ability to detect and respond to sophisticated threats. Whether it's hunting for signs of RDP activity, identifying phishing attempts, or detecting data exfiltration, these methods provide a robust foundation for effective threat hunting and incident response.
Akash Patel
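The hunt queries in the post above can be checked against event data directly. The Python below (an added example, not from the post) implements each query as a rule over constructed Sysmon and Security events, using the field names from the queries themselves (source_name, event_id, process_parent_path, process_parent_command_line, file_name, registry_key_path, credentials_read). The event contents, the user name and the 5379 message format are constructed for illustration.

```python
"""Evaluate the post's Sysmon/Security hunt queries over sample events.

Added example, not from the original post. Field names follow the query syntax quoted
in the post; the events are constructed and the "id" field is only a label.
"""

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe")


def _sysmon(ev, event_id):
    return ev.get("source_name") == "Microsoft-Windows-Sysmon" and ev.get("event_id") == event_id


def office_child_process(ev):
    """Event ID 1 whose parent is an Office application (maldoc / phishing execution)."""
    parent = ev.get("process_parent_path", "").lower()   # case-folded, unlike a raw wildcard match
    return _sysmon(ev, 1) and parent.endswith(OFFICE_PARENTS)


def zip_opened_from_temp(ev):
    """Event ID 1 whose parent command line points into AppData\\Local\\Temp\\Temp1_* (Explorer's ZIP view)."""
    cmd = ev.get("process_parent_command_line", "").lower()
    return _sysmon(ev, 1) and "appdata\\local\\temp\\temp1_" in cmd


def outlook_cache_file_created(ev):
    """Event ID 11 file creation inside the Outlook attachment cache."""
    path = ev.get("file_name", "").lower()
    return _sysmon(ev, 11) and "microsoft\\windows\\inetcache\\content.outlook\\" in path


def trusted_document_registry_write(ev):
    """Event ID 13 registry write touching the Trust Center's trusted-document records."""
    key = ev.get("registry_key_path", "")
    return _sysmon(ev, 13) and ("Trusted Documents" in key or "TrustRecords" in key)


def zipfolder_credential_read(ev):
    """Security 5379: stored credentials read via the Windows Shell ZIP folder handler."""
    return (ev.get("source_name") == "Microsoft-Windows-Security-Auditing"
            and ev.get("event_id") == 5379
            and ev.get("credentials_read", "").startswith("Microsoft_Windows_Shell_ZipFolder"))


RULES = {
    "office_child_process": office_child_process,
    "zip_opened_from_temp": zip_opened_from_temp,
    "outlook_cache_file_created": outlook_cache_file_created,
    "trusted_document_registry_write": trusted_document_registry_write,
    "zipfolder_credential_read": zipfolder_credential_read,
}


def hunt(events):
    """Return [(event id, rule name)] for every event that matches a rule."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events for one hypothetical phishing chain on user "alice" plus two benign events.
SAMPLE_EVENTS = [
    {"id": "e1", "source_name": "Microsoft-Windows-Sysmon", "event_id": 1,
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process_parent_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": "e2", "source_name": "Microsoft-Windows-Sysmon", "event_id": 1,
     "process_path": r"C:\Windows\System32\notepad.exe",
     "process_parent_path": r"C:\Windows\explorer.exe"},
    {"id": "e3", "source_name": "Microsoft-Windows-Sysmon", "event_id": 1,
     "process_path": r"C:\Windows\System32\wscript.exe",
     "process_parent_command_line": r'"C:\Windows\explorer.exe" C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js'},
    {"id": "e4", "source_name": "Microsoft-Windows-Sysmon", "event_id": 11,
     "file_name": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD34\invoice.docm"},
    {"id": "e5", "source_name": "Microsoft-Windows-Sysmon", "event_id": 13,
     "registry_key_path": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords"},
    {"id": "e6", "source_name": "Microsoft-Windows-Security-Auditing", "event_id": 5379,
     "credentials_read": "Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\alice\\Downloads\\invoice.zip"},
    {"id": "e7", "source_name": "Microsoft-Windows-Sysmon", "event_id": 11,
     "file_name": r"C:\Users\alice\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for event_id, rule_name in hunt(SAMPLE_EVENTS):
        print(event_id, rule_name)
```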
- What to Do After a Ransomware Attack
Ransomware attacks are among the most devastating incidents an organization can face. They can cripple your operations, lead to significant financial loss, and damage your reputation. When a ransomware campaign is in progress, the clock is ticking, and how you respond in those critical moments can determine the extent of the damage.

Immediate Response: The Clock Is Ticking
The first thing to understand is that ransomware incidents require immediate action. The sooner you detect the ransomware actor in your network, the better your chances of minimizing damage. Here are the possible scenarios:
  - Immediate detection upon network access: GREAT! Work fast! This is the best-case scenario, where you can potentially stop the attack before it causes significant harm.
  - Detection after they've been in your network for a while: Work faster! At this point, the attacker may have already exfiltrated data or planted the encryption payload. Time is of the essence.
  - Detection pre- or post-exfiltration, but before encryption: if you catch them in this window, you still have a chance to prevent encryption. However, be prepared for the possibility that encryption is imminent.
  - Detection after encryption: sadly, this is the most common scenario. At this stage, the focus shifts to damage control and recovery.
In all these scenarios, having a pre-incident response plan is crucial. Without it, your response will be too slow, leading to greater damage.

Initial Incident Scoping: Key Considerations
When you first identify a ransomware incident, you need to quickly assess the situation. Here's what to consider:
  - How was the incident identified? Did someone notify you? Did you discover a ransom note or a service that stopped functioning?
  - Which hosts and services are impacted? Identify all the systems that have been compromised to understand the scope of the attack.
  - What actions have already been taken? Determine if any containment measures have been initiated and whether they were effective.
  - What are the organization's expectations? Communicate with leadership to understand their priorities and what they expect from the incident response.
  - What are the "crown jewels" of the organization? Identify critical assets that need immediate protection.
  - Do backups exist, and are they unencrypted? Confirm the availability and integrity of backups, as they will be key to recovery.
  - Do up-to-date network diagrams exist? Accurate network diagrams are essential for understanding how the attack is spreading and for planning your response.
  - Is there an MSSP (Managed Security Service Provider) who can assist? If available, leverage external expertise to enhance your response efforts.

Collecting and Preserving Evidence
Evidence preservation is critical in a ransomware investigation. Here's how to approach it:
  - Physical evidence: take a physical picture of the ransom note immediately, as it might be encrypted or deleted later.
  - Virtual machines: if possible, pause virtual machines rather than shutting them down. Pausing a VM typically saves its memory state, which can be valuable for investigation.
  - Memory capture: capture a memory image from compromised systems to analyze for forensic evidence.

Backup Protocols: Review and Invoke
When ransomware hits, you may lose access to critical protocols needed for response. Here's what to do:
  - Active Directory (AD) availability: be prepared for AD to be down, which is common in ransomware cases. Have alternative methods to navigate the network and access machines.
  - Local accounts and cached domain credentials: ensure that machines have local accounts or cached credentials to maintain access.
  - Deployment methods for data collection: if you need to install tools for data collection, ensure you have a deployment method available.
  - Out-of-band communication: establish secure communication channels that are not dependent on the compromised network.

Securing Backups: Protecting the Crown Jewels
Your backup servers must be secured immediately:
  - On-prem backup: disconnect from the network to prevent ransomware from spreading to backups.
  - Cloud-based backup: consider disconnecting, depending on the situation, to protect your data.

"Going Dark": Cutting Internet Access
If the threat actor is still active in your environment and you suspect imminent encryption, you may need to cut internet access:
  - Major decision with far-reaching consequences: this decision is not to be taken lightly and should be made by top leadership. While it might prevent encryption, it will disrupt business operations.
  - Pre-plan policies: ensure you have pre-planned policies in place for such scenarios. Create pinholes for essential services like VPN, EDR, and remote IR connectivity.

Disabling Shares, Sync Agents, and Accounts
  - Admin shares: disabling admin shares can thwart threat actors but may disrupt services. Conduct a risk analysis beforehand.
  - Network shares and distributed file systems: consider taking these down to protect them from encryption.
  - Credential remediation: reset credentials and disable accounts to prevent the threat actor from regaining access.

Recovery from Backup
Recovering from backups is a critical step, but timing is everything:
  - Hold off restoring until you're sure: ensure you know the exact date(s) to fall back to for recovery. Restoring from a compromised backup could reinfect your network.
  - Edge devices: firewalls and VPNs may have been exploited. Consider updating and restoring them to factory state to eliminate persistence mechanisms.

Post-Incident: Turning a Crisis into an Opportunity
A ransomware attack, while devastating, can also be an opportunity for your security team to gain the attention and support it needs:
  - Increased support and funding: use the incident as leverage to secure more resources for your security team.
  - Staff augmentation: advocate for additional staffing to prevent future incidents.

Final Thoughts: Learn, Plan, and Prepare
Ransomware incidents are complex and require swift, decisive action. Preparation is key. Learn from each incident, refine your response plans, and ensure that your organization is better prepared for the next attack.
Akash Patel
- Final Phase of a Ransomware Attack: Impact and Recovery Challenges
Ransomware attacks have become increasingly sophisticated, and the “Impact” phase represents the final, most destructive part of the attack campaign. During this phase, after threat actors have achieved their initial objectives, including data exfiltration, they may deploy a ransomware cryptor to encrypt your data. To maximize their leverage, these actors often tamper with your backup and recovery mechanisms, aiming to make recovery difficult and squeeze you into paying the ransom. Securing Your Backup Systems Your backups are one of the most critical assets to secure in your organization. Threat actors often target backup servers to disable or delete backups before deploying ransomware . Here are some essential steps to secure your backups: Monitor All Logins to Backup Servers : Ensure that every login attempt to your backup servers is monitored and logged. This includes successful logins as well as failed attempts. Implement the Principle of Least Privilege : Only designated accounts should have the necessary permissions to access and perform administrative actions on backup servers. Restrict access as much as possible to minimize the attack surface. Scanning for Backup Services : Ransomware affiliates frequently scan for backup services by checking for open ports on well-known systems. To prevent this: Review Documentation : Refer to your backup system’s documentation to understand which ports are used for various services. Set Up Alerts : Monitor these ports and set up alerts for any suspicious activity. Volume Shadow Copy Service (VSS) Many organizations rely on Microsoft’s Volume Shadow Copy Service (VSS) for backups. While VSS can be a convenient way to back up critical files, it can also pose a security risk. VSS keeps copies of essential system files, such as registry hives, in an unlocked state, making them vulnerable to threat actors. 
Commands Used to Delete Shadow Copies : Ransomware operators may use the following commands to delete VSS shadow copies, thereby eliminating one of your recovery options: vssadmin.exe delete Shadows /all /quiet wmic shadowcopy delete /nointeractive Get-WmiObject Win32_ShadowCopy | % { $_.Delete() } Get-WmiObject Win32_ShadowCopy | Remove-WmiObject Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_Delete(); } Get-CimInstance Win32_ShadowCopy | Remove-CimInstance By deleting these shadow copies, the attackers remove a significant recovery option, making it crucial to protect and monitor VSS on your systems. Tampering with Recovery Mechanisms Threat actors often disable built-in recovery components using native tools, making it difficult for organizations to recover from an attack. They may use tools like bcdedit , which manipulates Boot Configuration Data (BCD) settings , or wbadmin , which configures settings for Windows Backup. Commands Used to Disable Recovery Mechanisms : bcdedit /set {default} recoveryenabled no bcdedit /set {default} bootstatuspolicy ignoreallfailures wbadmin delete catalog –quiet wbadmin delete systemstatebackup -keepversions:0 Preventing IT Response In addition to tampering with backup and recovery mechanisms, threat actors may also prevent IT teams from responding to the attack by weaponizing security mechanisms. They may disable Remote Desktop Protocol (RDP) or block inbound connectivity via Windows Firewall. 
Common Commands Used:

Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True
New-NetFirewallRule -DisplayName "Block PORTS1" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block PORTS2" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Block
netsh advfirewall set currentprofile state on
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="Block PORTS6" protocol=TCP dir=in localport=80 action=block
netsh advfirewall firewall add rule name="Block PORTS7" protocol=TCP dir=in localport=443 action=block

These measures make it extremely difficult for IT teams to access affected hosts and respond to the threat, emphasizing the need for robust monitoring and proactive defense mechanisms.

Clearing Windows Event Logs

Threat actors often clear Windows Event Logs to cover their tracks. Unfortunately, this is a simple task in Windows, especially if logs are not being forwarded to a SIEM, log aggregator, or syslog server. The command Clear-EventLog is commonly used for this purpose.

Commands to Clear Event Logs:

Get-EventLog -LogName Security | Clear-EventLog
Clear-EventLog -LogName Application, Security, System

Clearing event logs can make post-incident analysis extremely difficult, highlighting the importance of having log forwarding in place.

Payload Deployment Methods

Ransomware payloads are often deployed via Group Policy Objects (GPOs). Unfortunately, many organizations do not audit GPO deployment, and admin accounts are often overprivileged. This lack of oversight can allow threat actors to create and deploy GPOs without constraint, leading to widespread ransomware deployment across a domain or forest.

Threat actors may also use existing deployment methods such as SCCM, PDQ, or SolarWinds to deliver ransomware payloads. In addition, they commonly use native Windows tools like PsExec, WMIC, and BITS to execute processes remotely.
Background Intelligent Transfer Service (BITS): BITS is a Windows service that transfers data in the background, often used by Microsoft to download updates. It’s an intelligent service that minimizes impact on user experience by managing bandwidth effectively. However, threat actors can exploit BITS to transfer malicious payloads.

Detection Methods:

- EDR, Event IDs 4688/4689 | Sysmon IDs 1/5: Monitor for bitsadmin.exe and review PowerShell logs for related cmdlets.
- Event ID 7036: Monitor for service state changes in the System log.
- Event ID 60: BITS has stopped transferring a file. Look for temporary files named BITFxxxx.tmp created in the target transfer directory.

Example Using Sysmon Event ID 11: Monitor file creation events for BITS temporary files.

file_path.keyword:/.*\\BITF[0-9]+\.tmp/

Encryption Key Usage in Ransomware

Modern ransomware typically uses asymmetric key encryption, also known as public key cryptography. The public key, embedded within the ransomware payload, encrypts the victim's data. The private key, which is necessary for decryption, remains with the attacker, and victims must pay the ransom to obtain it.

File Write Methods: Overwrite vs. Copy/Delete

Ransomware payloads use two general file write methods:

- Overwrite/Rename: Opens the original file, replaces its contents with encrypted data, and renames the file.
- Copy/Delete: Creates a new file with encrypted data, then deletes the original file.

From a forensic perspective, the Overwrite/Rename method might leave evidence in the $UsnJrnl or $LogFile, while the Copy/Delete method might allow recovery of "deleted" files from unallocated disk space using tools like Bulk Extractor and PhotoRec. I already have a blog on recovering evidence using PhotoRec; do check it out: https://www.cyberengage.org/post/digital-evidence-techniques-for-data-recovery-and-analysis

Detecting Encryption and Ransom Notes

Monitoring for file creation events using Sysmon/EDR can help detect ransomware activity.
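The commands quoted in the sections above are themselves good detection material. The following Python is an added example, not code from the original post: it turns those command strings into regex rules, runs them over a handful of constructed process-creation (Event ID 4688 / Sysmon 1) and file-creation (Sysmon 11) records, and groups the hits per host so that one machine tripping the shadow-copy, recovery, firewall and log-clearing rules in sequence stands out. The record layout (kind, host, user, CommandLine, TargetFilename) and the sample events are assumptions made for the example.

```python
import re

# Detection rules built from the commands quoted in this post. Each rule names the record
# type it applies to, the field to inspect and a case-insensitive regex over that field.
# The patterns are loose on purpose (optional ".exe", any argument order) so trivial
# variations of the same command do not slip past.
RULES = [(name, kind, field, re.compile(rx, re.IGNORECASE)) for name, kind, field, rx in [
    ("shadow copy deletion", "process", "CommandLine",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
     r"|win32_shadowcopy\s*\|.*(delete\(|remove-(wmi|cim)object)"),
    ("recovery tampering", "process", "CommandLine",
     r"bcdedit(\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
     r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    ("inbound firewall block", "process", "CommandLine",
     r"new-netfirewallrule\b.*-action\s+block|netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=block"),
    ("event log clearing", "process", "CommandLine", r"clear-eventlog\b"),
    # The post's Sysmon Event ID 11 pattern for BITS temporary files.
    ("BITS temporary file", "file_create", "TargetFilename", r"\\BITF[0-9]+\.tmp$"),
]]

SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup", "CommandLine": "vssadmin.exe delete Shadows /all /quiet"},
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup", "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup", "CommandLine": "wbadmin delete catalog -quiet"},
    {"kind": "process", "host": "WS07", "user": "CORP\\alice", "CommandLine": 'netsh advfirewall firewall add rule name="Block PORTS7" protocol=TCP dir=in localport=443 action=block'},
    {"kind": "process", "host": "WS07", "user": "CORP\\alice", "CommandLine": "powershell.exe Clear-EventLog -LogName Application, Security, System"},
    {"kind": "process", "host": "WS07", "user": "CORP\\alice", "CommandLine": "vssadmin.exe list shadows"},  # benign: lists, does not delete
    {"kind": "file_create", "host": "WS07", "user": "NT AUTHORITY\\SYSTEM", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\BITF2831.tmp"},
]


def evaluate(events, rules=RULES):
    """Return one finding per (rule, record) pair that matches."""
    findings = []
    for ev in events:
        for name, kind, field, rx in rules:
            if ev["kind"] == kind and rx.search(ev.get(field, "")):
                findings.append({"rule": name, "host": ev["host"], "user": ev["user"], "evidence": ev[field]})
    return findings


def summarize(findings):
    """Distinct rules per host: one host tripping several of them in a row is the Impact-phase signature."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, rules in summarize(evaluate(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```

Feed it real records by mapping your SIEM's field names onto the same keys. The benign `vssadmin.exe list shadows` record is in the sample to show a use of the same binary that must not fire; tune on your own baseline before paging on a single rule, but treat two or more rules on one host in a short window as the Impact phase in progress.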
Sysmon Event ID 2, for instance, logs file creation time changes, which can be indicative of ransomware encryption.

To understand how a specific ransomware payload encrypts files, reverse engineers and malware analysts often disassemble or decompile the ransomware's code using tools like IDA Pro and Ghidra. Detailed write-ups on ransomware samples are valuable resources for incident response.

The VX-Underground team maintains extensive collections of malware samples, including ransomware families, which can be instrumental for analysis: https://for528.com/vxug-samples

The team also maintains an archive with various builders, including ransomware builders: https://vx-underground.org/

Importance of Backing Up Encrypted Files

Backing up encrypted files is crucial because:

- Partially Encrypted Files: May still contain recoverable data.
- Future Decryption Possibilities: Decryption keys or tools may become available in the future.

If using a decryptor, exercise caution. Some decryptors may be flawed, ineffective, or even malicious. Always perform malware analysis on any decryptor before use.

Free decryptors for some ransomware variants are available at No More Ransom’s site, which also offers the “Crypto Sheriff” tool for identifying ransomware strains and checking for available decryption resources.
https://www.nomoreransom.org/en/decryption-tools.html
https://www.nomoreransom.org/crypto-sheriff.php?lang=en

Efficiency Issues with Decryptors

Decryptors, even those provided by attackers after paying the ransom, are not always efficient. They may be slow, non-multithreaded, or otherwise poorly designed. For example, the decryptor provided by DarkSide ransomware during the Colonial Pipeline attack was notoriously slow, leading responders to develop a custom tool using the provided decryption key.

Remember: Always back up encrypted data before attempting decryption to avoid potential data loss.
Conclusion

By understanding the methodologies and tactics employed during the "Impact" phase of a ransomware attack, organizations can better prepare their defenses, respond more effectively, and mitigate the risks associated with these increasingly sophisticated threats.

Akash Patel
- Mastering Threat Detection/Hunting with Specific Queries
When it comes to detecting malicious activity and potential security threats, analyzing the right data sources is crucial. Whether you are working with SIEM tools, conducting threat hunting, or performing forensic analysis, the following queries can be invaluable. The logic behind these queries remains consistent, though the format may need to be adjusted based on the platform you are using, such as Timesketch, Kibana, or other log management systems.

1. Detecting System Configuration and Host Information

CurrentControlSet
This query extracts information about the CurrentControlSet, which can help in understanding the system's boot configuration.
Query: parser:winreg AND key_path:"HKEY_LOCAL_MACHINE\\System\\Select*"

Host Network Interfaces
Identify network interfaces configured on the host to monitor network-related configurations and potential unauthorized changes.
Query: parser:winreg AND key_path:"*Parameters\\Interfaces*"

Hostname
Retrieve the hostname of the system, which can be used for identification in multi-host environments.
Query: parser:winreg AND key_path:"*Control\\ComputerName\\ComputerName*"

Network Shares
Monitor network shares on the host, which can reveal potentially exposed resources or unauthorized access.
Query: parser:winreg AND key_path:"*Lanmanserver\\Shares*" AND NOT message:*empty*

Software - SysInternals Tool Usage Indicator
Detect usage of SysInternals tools, which are often used by both administrators and attackers. This query checks for evidence that the tools have been executed.
Query: parser:"winreg" AND key_path:"*Software\\Sysinternals\\*" AND values:"*EulaAccepted*"

2. Monitoring Remote Desktop Protocol (RDP) Activity

T1021.001 - AV Scanning Disabled for Attachments
This query identifies registry modifications related to the disabling of antivirus scanning for RDP attachments.
Query: parser:winreg AND (key_path:"*Microsoft\\Terminal Server Client\\Default*" OR key_path:"*Microsoft\\Terminal Server Client\\Servers*")

T1021.001 - RDP Activity Ended
Monitor for events that indicate the end of an RDP session, which could signify the end of a potential unauthorized access.
Query: (parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:24 AND NOT xml_string:"*Address>LOCAL*") OR event_identifier:39 OR event_identifier:40 OR event_identifier:23)) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4779)

T1021.001 - RDP Activity Started
Detect when an RDP session starts, focusing on non-local connections that may indicate remote access attempts.
Query: (parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND ((event_identifier:21 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:22 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:25 AND NOT xml_string:"*Address>LOCAL*"))) OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4624 AND xml_string:"*LogonType\">10*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4778)

3. Identifying Potential Lateral Movement

T1021.002 - Potential SMB Lateral Movement (Source)
Track SMB connections that might indicate lateral movement attempts, particularly focusing on connections over port 445.
Query: parser:winevtx AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4648 AND xml_string:"*IpPort\">445*"

4. Monitoring Task and Script Execution

T1053.005 - Scheduled Tasks
Scheduled tasks can be used by attackers to persist on a system. This query helps detect such tasks, excluding common Microsoft tasks.
Query: parser:winreg AND key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree*" AND NOT key_path:"*CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft*" AND NOT message:"*SD: [REG_BINARY] (220 bytes)*"

T1059 - PowerShell Web Request
Detect the use of PowerShell for web requests, which is a common technique in fileless malware attacks.
Query: parser:"winevtx" AND (event_identifier:"4104" OR event_identifier:"4688" OR event_identifier:"1") AND (message:"*Invoke-WebRequest*" OR message:"*iwr*" OR message:"*wget*" OR message:"*curl*" OR message:"*Net.WebClient*" OR message:"*Start-BitsTransfer*")

T1059.001 - PowerShell Configuration
Monitor changes to PowerShell settings, which might indicate an attacker attempting to modify execution policies or script logging.
Query: parser:"winreg" AND key_path:"*Microsoft\\PowerShell*" AND (message:*EnableScript* OR message:*ExecutionPolicy* OR message:*EnableModuleLogging*)

5. Security Monitoring and Defense Evasion

T1070.001 - Windows Log Cleared
This query detects the clearing of Windows event logs, a common technique used by attackers to cover their tracks.
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Eventlog" AND event_identifier:"1102"

T1078 - Windows Account Activity
Monitor for changes in user accounts, such as enabling, disabling, or modifying permissions.
Query: parser:"winevtx" AND (event_identifier:"4722" OR event_identifier:"4724" OR event_identifier:"4728" OR event_identifier:"4634" OR event_identifier:"4672" OR event_identifier:"4733")

T1078.003 - Query for a Blank Password for an Account
Detect attempts to query or check for blank passwords on accounts, which may indicate password-guessing attacks.
Query: parser:"winevtx" AND event_identifier:"4797"

6. Detecting Suspicious Network Activity and Proxy Configurations

T1090 - Proxy Config
Identify modifications to proxy settings, which may indicate the presence of proxy-aware malware or unauthorized network changes.
Query: parser:"winreg" AND key_path:"HKEY_LOCAL_MACHINE\\Software\\*\\Microsoft\\Windows\\CurrentVersion\\Internet Settings*" AND (values:*AutoDetect* OR values:*ProxyServer* OR values:*ProxyOverride* OR values:*ProxyEnable*)

T1110 - SQL Server Failure
Monitor SQL Server authentication failures, which may indicate brute-force or dictionary attacks.
Query: parser:winevtx AND display_name:"*Logs\\Application\.evtx" AND event_identifier:"18456"

T1110 - Suspicious Logon Failures
Track multiple failed login attempts across different accounts, which may be indicative of password spraying or brute force attacks.
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND (event_identifier:"4625" OR event_identifier:"4767" OR event_identifier:"4740" OR event_identifier:"4776")

T1197 - Suspicious BitsTransfer Activity
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Bits-Client" AND event_identifier:"59" AND (strings:"*\.ps1*" OR strings:"*\.bat*" OR strings:"*\.exe*" OR strings:"*\.dll*" OR strings:"*\.zip*" OR strings:"*\.rar*" OR strings:"*\.7z*" OR strings:"*\.tar*")

T1204 - Execution
Query: (parser:"winreg" AND (key_path:"*Microsoft\\Windows\\ShellNoRoam\\MUICache*" OR key_path:"*Software\\Microsoft\\Windows\\Shell\\MUICache*")) OR parser:"prefetch" OR (parser:"winevtx" AND event_identifier:"4688") OR (parser:"winreg" AND key_path:"*LastVisitedPidlMRU*") OR (parser:"winreg" AND key_path:"*LastVisitedMRU*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Application-Experience" AND event_identifier:"500")

T1204 - Execution of a Binary via BAM
Query: parser:"bam" AND binary_path:*exe

T1204 - Execution or Existence of a File
Query: parser:"appcompatcache" AND (path:*exe* OR path:*cpl* OR path:*ps1* OR path:*msi* OR path:*dll* OR path:*bat*)

T1204 - User Execution or Shortcut
Query: parser:"userassist" AND (value_name:*lnk* OR value_name:*exe*)

T1543 - Installation or Execution of a Windows Service
Query: parser:"winevtx" AND (event_identifier:"7045" OR event_identifier:"4697") AND NOT message:"*svchost.exe -k*"

T1546.003 - WMI CommandLine Consumer
Query: tag:Execution AND message:*wmiprvse*

T1547.001 - Windows Autorun
Query: parser:"windows_run" AND (message:*exe* OR message:*.dll* OR message:*.bat* OR message:*.ps1*)

T1548.002 - UAC Disabled in Registry
Query: parser:"winreg" AND key_path:"*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" AND message:"*DisplayType: [REG_DWORD_LE] 0*"

T1560 or T1083 - File Save or Discovery
Query: parser:"winreg" AND key_path:*OpenSave*MRU* AND message:*Shell*

T1560.001 - Archived Files
Query: (data_type:"windows:lnk:link" OR data_type:"windows:shell_item:file_entry" OR data_type:"olecf:dest_list:entry" OR data_type:"windows:registry:mrulistex") AND (message:*.zip* OR message:*.7z* OR message:*.tar.gz* OR message:*.tar* OR message:*.gz*)

T1562.001 - Win Defender Disabled
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Defender" AND (event_identifier:"5001" OR event_identifier:"5010" OR event_identifier:"5012")

T1562.001 - Windows Defender Disabled Registry Key
Query: parser:"winreg" AND key_path:"*Microsoft\\Windows Defender*" AND (values:"*DisableRealtimeMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiSpyware: \[REG_DWORD_LE\] 1*" OR values:"*DisableAntiVirus: \[REG_DWORD_LE\] 1*" OR values:"*DisableBehaviorMonitoring: \[REG_DWORD_LE\] 1*" OR values:"*DisableIOAVProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableOnAccessProtection: \[REG_DWORD_LE\] 1*" OR values:"*DisableScanOnRealtimeEnable: \[REG_DWORD_LE\] 1*" OR values:"*DisableEnhancedNotifications: \[REG_DWORD_LE\] 1*" OR values:"*DisableBlockAtFirstSeen: \[REG_DWORD_LE\] 1*")

T1562.001 - Windows Defender Disabled via PS
Query: parser:"winevtx" AND message:"*Set-MpPreference*" AND (message:"*Disable*" OR message:"*Reporting*" OR message:"*SubmitSamplesConsent*" OR message:"*DefaultAction*")

T1562.001 - Windows Defender Exclusions
Query: (parser:"winreg" AND key_path:"*Windows Defender\\Exclusions\*" AND NOT message:*empty*) OR (parser:"winevtx" AND event_identifier:"5007" AND message:*Exclusions*)

T1562.004 - Windows Firewall Disabled
Query: parser:"winreg" AND (display_name:*SOFTWARE OR display_name:*SYSTEM) AND (message:"*EnableFirewall: [REG_DWORD] 0x00000000*" OR message:"*EnableFirewall: [REG_DWORD_LE] 0*")

T1562.004 - Windows Firewall Rules
Query: (parser:"winreg" AND key_path:"*FirewallRules*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Windows Firewall With Advanced Security" AND event_identifier:"2005")

Timezone
Query: parser:"winreg" AND key_path:"*Control\\TimeZoneInformation*"

Windows Network Adapter Details
Query: parser:"winreg" AND key_path:"*Tcpip/Parameters/Interfaces*" AND NOT message:*empty*

Windows OS Version
Query: parser:"winreg" AND data_type:"windows:registry:installation"

Windows Patch Installation Success
Query: parser:"winevtx" AND source_name:"Microsoft-Windows-WindowsUpdateClient" AND display_name:"*System\\.evtx" AND event_identifier:"19"

Windows User Profiles
Query: parser:"winreg/winreg_default" AND key_path:"*ProfileList*"

These queries form the backbone of effective threat detection and forensic analysis. Happy hunting!

Akash Patel
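The queries above are written in the Lucene syntax Timesketch accepts. As an added example (not code from the original post), here is a small Python evaluator for that syntax, so the logic of a query can be sanity-checked offline against constructed plaso-style records before it goes onto the platform: it tokenizes field:value terms, applies NOT / AND / OR with Lucene precedence, treats * as a wildcard and honours /regex/ literals. Three queries from the list are run verbatim. Matching is deliberately simplified: a term matches when the whole field value matches the pattern, case-insensitively, and * is a wildcard even inside quotes (which is how the queries above read). Elasticsearch's analyzed-text and phrase semantics differ, so a hit here is a logic check, not a substitute for running the query on the real index. The sample records are constructed.

```python
import re

# Token grammar: parentheses, AND / OR / NOT, and field:value terms whose value is a
# quoted string, a /regex/ literal or a bare token. '*' is a wildcard in both string forms.
TOKEN_RE = re.compile(r'''(?P<lparen>\()|(?P<rparen>\))|(?P<op>AND|OR|NOT)\b
    |(?P<term>[A-Za-z0-9_.]+:(?:"(?:\\.|[^"\\])*"|/(?:\\.|[^/\\])*/|[^\s()]+))''', re.VERBOSE)

def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {query[pos:pos + 20]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def compile_term(text):
    """field:value -> predicate; the pattern must match the whole field value, case-insensitively."""
    field, value = text.split(":", 1)
    if len(value) >= 2 and value[0] == value[-1] == "/":
        rx = re.compile(value[1:-1], re.IGNORECASE)
    else:
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        literal = re.sub(r"\\(.)", r"\1", value)        # Lucene escapes such as \" \[ \. \\
        rx = re.compile("".join(".*" if c == "*" else re.escape(c) for c in literal),
                        re.IGNORECASE | re.DOTALL)
    return lambda ev: field in ev and rx.fullmatch(str(ev[field])) is not None

def _and(a, b): return lambda ev: a(ev) and b(ev)
def _or(a, b): return lambda ev: a(ev) or b(ev)
def _not(a): return lambda ev: not a(ev)

class _Parser:
    """Recursive descent: NOT binds tightest, then AND, then OR (Lucene precedence)."""
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)
    def expression(self):
        node = self.conjunction()
        while self.peek() == ("op", "OR"):
            self.pos += 1
            node = _or(node, self.conjunction())
        return node
    def conjunction(self):
        node = self.negation()
        while self.peek() == ("op", "AND"):
            self.pos += 1
            node = _and(node, self.negation())
        return node
    def negation(self):
        kind, text = self.peek()
        self.pos += 1
        if kind == "op" and text == "NOT":
            return _not(self.negation())
        if kind == "lparen":
            node = self.expression()
            if self.peek() != ("rparen", ")"):
                raise ValueError("expected ')'")
            self.pos += 1
            return node
        if kind == "term":
            return compile_term(text)
        raise ValueError(f"unexpected token {text!r}")

def compile_query(query):
    parser = _Parser(tokenize(query))
    predicate = parser.expression()
    if parser.pos != len(parser.toks):
        raise ValueError("unexpected trailing tokens")
    return predicate

def run_queries(events, queries):
    """Map each named query to the indices of the events it matches."""
    predicates = {name: compile_query(q) for name, q in queries.items()}
    return {name: [i for i, ev in enumerate(events) if p(ev)] for name, p in predicates.items()}

SAMPLE_EVENTS = [  # constructed plaso-style records, not exported from a real system
    {"parser": "winevtx", "source_name": "Microsoft-Windows-Eventlog", "event_identifier": 1102, "message": "The audit log was cleared."},
    {"parser": "winevtx", "source_name": "Microsoft-Windows-Security-Auditing", "event_identifier": 4624, "xml_string": '<Data Name="LogonType">10</Data>'},
    {"parser": "winevtx", "source_name": "Microsoft-Windows-Security-Auditing", "event_identifier": 4624, "xml_string": '<Data Name="LogonType">2</Data>'},
    {"parser": "winevtx", "source_name": "Microsoft-Windows-TerminalServices-LocalSessionManager", "event_identifier": 21, "xml_string": "<Address>LOCAL</Address>"},
    {"parser": "winreg", "key_path": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "message": "EnableLUA DisplayType: [REG_DWORD_LE] 0"},
]

QUERIES = {  # taken verbatim from the list above
    "T1070.001 Windows log cleared":
        r'parser:"winevtx" AND source_name:"Microsoft-Windows-Eventlog" AND event_identifier:"1102"',
    "T1021.001 RDP activity started":
        r'(parser:"winevtx" AND source_name:"Microsoft-Windows-TerminalServices-LocalSessionManager" AND '
        r'((event_identifier:21 AND NOT xml_string:"*Address>LOCAL*") OR (event_identifier:22 AND NOT '
        r'xml_string:"*Address>LOCAL*") OR (event_identifier:25 AND NOT xml_string:"*Address>LOCAL*"))) OR '
        r'(parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4624 AND '
        r'xml_string:"*LogonType\">10*") OR (parser:"winevtx" AND source_name:"Microsoft-Windows-Security-Auditing" AND event_identifier:4778)',
    "T1548.002 UAC disabled in registry":
        r'parser:"winreg" AND key_path:"*Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA" AND message:"*DisplayType: [REG_DWORD_LE] 0*"',
}
```

Running `run_queries(SAMPLE_EVENTS, QUERIES)` returns the matching record indices per query: the interactive (LogonType 2) logon and the LOCAL session-manager event are correctly excluded from the RDP query, which exercises both the nested parentheses and the NOT clauses. Note that the evaluator does not model analyzers or tokenization, so a query that relies on term matching inside an analyzed `message` field may behave differently on the real index.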
- Ransomware Actors Access and Stage Data for Exfiltration
Ransomware attacks continue to evolve, with actors using advanced tactics to access and exfiltrate sensitive data. Understanding their methods is crucial for preventing and mitigating the damage they cause.

1. Data Access: Network Shares – Enumerated and Reviewed

One of the primary targets for ransomware actors is your network shares. To find and exploit them, attackers use various tools, such as:

- VeilFramework's Invoke-ShareFinder cmdlet: This tool allows attackers to enumerate network shares within a domain. You can explore the tool or test its capabilities by visiting its GitHub repository at Veil-PowerView's Invoke-ShareFinder.
- SharpShares: Another popular tool among ransomware actors is SharpShares, which queries all hosts in a domain and checks the current user's access to shares. You can find more about SharpShares at SharpShares GitHub.

Example commands from the leaked Conti chat logs illustrate how these tools are used:
1. Invoke-ShareFinder -Domain [domain_name_here].local | Out-File sharfindINFO.txt
2. SharpSharesNG.exe shares

Attackers may also map shares directly using legitimate tools and commands, like:
net use * "\\192.168.168.10\Shares" /persistent:no /user:DOMAIN\username

To detect such share access attempts, two essential event IDs should be enabled:
- Event ID 5140: A network share object was accessed.
- Event ID 5145: A network share object was checked to see if the client could be granted access.

These events can be enabled with the following command:
auditpol /set /category:"Object Access" /success:enable

Enabling these events allows you to monitor share access and changes, offering insights into potential data exfiltration activities.

2. Identifying Network Share Access via the Registry

Network share access can also be traced through various registry keys:
- Mapped Network Drive Most-Recently Used (MRU) items: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
- Mapped Network Drives (Network Drive Wizard): HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
- Items Typed into Windows Explorer: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
- Items Typed into the Windows Run Dialog: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
- All Open Shares on a System: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

3. Forensic Analysis of File and Folder Access

From a forensic perspective, identifying which files or folders were accessed is crucial. Here are some key artifacts to examine: Open/Save MRU, Recent Files, Shellbags, LNK Files, Last-Visited MRU, Office Recent Files.

For files or folders that were accessed, refer to my previous blog posts:
- Artifacts for File Opening & Creation (Part 1): Open/Save MRU, Recent Files, Shellbags
- Artifacts for File Opening & Creation (Part 2): Last-Visited MRU, Office Recent Files, LNK Files

To identify deleted files or evidence of file access, explore these links:
- Artifacts for Deleted File & File Knowledge (Part 1): ACMRU, Last-Visited MRU, Vista/Win7/10
- Artifacts for Deleted File or File Knowledge (Part 2): Search, WordWheelQuery, Index.dat File

4. Registry Artifacts: TypedPaths & TypedURLs

TypedPaths can reveal user activity within the Windows Registry:
- TypedPaths: Insights available at Part 1: Windows Registry Artifacts - Insights into User Activity
- TypedURLs are stored in the following registry path: NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

TypedURLs store locations entered into the Internet Explorer/Edge address bar, similar to TypedPaths.

Data Exfiltration

1. Data Exfiltration: Staging and Compression

Before exfiltrating data, ransomware actors typically compress the data into archive files. Common formats include .zip, .7z, and .rar. Adversaries often use tools like 7za.exe or rar.exe to perform these actions. Be alert for these file types in your network, especially .rar files.

Native compression methods that can be leveraged include:
- Compress-Archive cmdlet
- tar command
- Send to > Compressed folder

2. Data Staging

Attackers often prepare data for exfiltration by copying files to a staging directory, typically a temporary folder. Files may be copied, renamed, or bundled into archives. These operations might go unnoticed unless specific alerts are configured.

When reviewing a system for potential data staging, you want to focus on archive creation. Analysis of the MFT and UsnJrnl can prove extremely useful in this endeavor. Reviewing Sysmon Event ID 11 (File Creation) can be very useful, as you can see the exact size of any archives created.

3. Creation of Multiple Text Files

Adversaries may redirect tool outputs to text files since text files compress well, reducing the size of exfiltrated data significantly. By converting large files into text format, gigabytes of data can be reduced to mere megabytes, making exfiltration easier and less detectable.

Note: Adversaries (especially in ransomware cases!) often will delete the archives they have exfiltrated. They do not want you to have access to what they stole. In this case, you may need to rely on $UsnJrnl:$J analysis.

You might ask: if you have the $MFT, why do you need to rely on $UsnJrnl:$J analysis to identify data exfiltration? The answer is:
1. While the $MFT provides a snapshot of the file system at specific points in time, the $UsnJrnl:$J tracks file system events in greater detail over time.
2. Exfiltration might involve subtle modifications, renaming, or deletion of files. The $MFT might not capture all of these events, while the $UsnJrnl:$J can give you insights into every file operation, which is crucial for detecting sophisticated exfiltration techniques.

Example: If an attacker creates a zip file to bundle exfiltrated data, the $MFT will record the creation of that zip file. However, the $UsnJrnl:$J will log the sequence of events, like file additions to the zip, the exact time of zipping, and any renaming or moving of the file before exfiltration.

4. WinZip, 7-Zip, and WinRAR Artifacts

Adversaries frequently use popular tools like WinZip, 7-Zip, and WinRAR to compress and archive data. These tools leave traces in the registry, which can be useful for forensic analysis:
- WinZip Registry Path: NTUSER.DAT\Software\Nico Mak Computing\WinZip\
- 7-Zip Registry Path: NTUSER.DAT\Software\7-Zip\
- WinRAR Registry Path: Located in the user's NTUSER.DAT hive, this data can provide valuable information about archives created or manipulated during the incident.

5. Detecting Renamed Executables

Ransomware actors often rename executables (PE files), but they rarely edit the file's VERSIONINFO resource. This metadata includes fields like Description, Product, Company, and OriginalFileName. The OriginalFileName can be particularly useful for threat hunting. You can query for these executables in Sysmon Event ID 1, Security Event ID 4688/4689, or via your EDR if deployed.

Cloud-Based File Sharing Sites

Adversaries might use cloud services like MEGA, SendSpace, WeTransfer, Google Drive, Dropbox, Box, OneDrive, or cloud-based storage buckets such as AWS, GCP, and Azure. Blocking unauthorized access to these platforms can prevent exfiltration.

The "Living Off Trusted Sites" (LOTS) project catalogs sites used for malicious purposes, including data exfiltration and phishing. You can explore the LOTS project.
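Returning to the $UsnJrnl:$J argument in section 3 above: this added Python example (not code from the original post) shows why the journal, keyed on the file reference number, reconstructs a staging trail that the $MFT alone cannot. It walks constructed $J records in USN order, tracks every file that ever carried an archive name, and reports creation, growth (DATA_EXTEND), renames and deletion. The USN_REASON flag values are the Windows SDK constants; the record tuple is a simplification of what a $J parser exports, and the sample records are constructed for the example.

```python
# USN_REASON_* flags as defined in the Windows SDK (winioctl.h); only the ones used here.
DATA_EXTEND, FILE_CREATE, FILE_DELETE = 0x00000002, 0x00000100, 0x00000200
RENAME_OLD_NAME, RENAME_NEW_NAME, CLOSE = 0x00001000, 0x00002000, 0x80000000

ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".gz")

# Constructed $UsnJrnl:$J records: (USN, timestamp, file reference number, file name,
# reason flags). A real export carries more fields (parent reference, attributes, ...),
# but these are the ones the reconstruction needs.
USN_RECORDS = [
    (1000, "2024-03-02T01:12:41", 4102, "finance.7z", FILE_CREATE),
    (1016, "2024-03-02T01:12:41", 4102, "finance.7z", DATA_EXTEND),
    (1032, "2024-03-02T01:13:15", 4102, "finance.7z", DATA_EXTEND),
    (1048, "2024-03-02T01:13:15", 4102, "finance.7z", DATA_EXTEND | CLOSE),
    (1064, "2024-03-02T01:14:02", 4102, "finance.7z", RENAME_OLD_NAME),
    (1080, "2024-03-02T01:14:02", 4102, "photos.dat", RENAME_NEW_NAME | CLOSE),
    (1096, "2024-03-02T01:15:00", 4103, "notes.txt", FILE_CREATE | DATA_EXTEND | CLOSE),
    (1112, "2024-03-02T01:16:10", 4104, "report.zip", FILE_CREATE | DATA_EXTEND | CLOSE),
    (1128, "2024-03-02T01:31:50", 4102, "photos.dat", FILE_DELETE | CLOSE),
]


def reconstruct_staging(records, archive_exts=ARCHIVE_EXTS):
    """Rebuild the life of every file that ever carried an archive name.

    Records are keyed on the file reference number rather than the name, so a rename
    (here finance.7z -> photos.dat) extends one trail instead of starting a new one.
    """
    files = {}
    for usn, ts, ref, name, reason in sorted(records):       # USN order is journal order
        f = files.setdefault(ref, {"file_ref": ref, "names": [], "created": None,
                                   "writes": 0, "renames": [], "deleted": None, "last": None})
        if name not in f["names"]:
            f["names"].append(name)
        if reason & FILE_CREATE and f["created"] is None:
            f["created"] = ts
        if reason & DATA_EXTEND:
            f["writes"] += 1                                 # growth while the archive is filled
        if reason & RENAME_NEW_NAME:
            f["renames"].append((f["last"], name, ts))       # old name, new name, when
        if reason & FILE_DELETE:
            f["deleted"] = ts
        f["last"] = name
    return [f for f in files.values() if any(n.lower().endswith(archive_exts) for n in f["names"])]


def deleted_archives(staged):
    """Archives the journal saw deleted: their $MFT entry may already be reused, so only $J shows them."""
    return [f["names"][-1] for f in staged if f["deleted"]]


if __name__ == "__main__":
    for f in reconstruct_staging(USN_RECORDS):
        print(f["file_ref"], f["names"], "created", f["created"], "writes", f["writes"],
              "renames", f["renames"], "deleted", f["deleted"])
```

The point of the rename-tracking is the one the post makes: once `finance.7z` becomes `photos.dat` and is deleted, nothing in a name-based search of the $MFT ties the two together, while the $J trail for file reference 4102 shows creation, three extensions, the rename and the deletion as one story.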
https://lots-project.com/

FTP/SFTP Exfiltration

Despite FTP being an insecure protocol, it remains a popular choice for data exfiltration. FTP uses ports 20 and 21, while SFTP uses port 22. Tools like WinSCP and FileZilla are often employed by adversaries:

FileZilla Log Locations:
%APPDATA%\FileZilla\filezilla.xml
%APPDATA%\FileZilla\recentservers.xml
%APPDATA%\FileZilla\trustedcerts.xml
%APPDATA%\FileZilla\sitemanager.xml
%APPDATA%\FileZilla\*.sqlite3

Example of PowerShell code used for FTP data transfer:
$FTPRequest = [System.Net.FtpWebRequest]::Create("$RemoteFile")
$FTPRequest = [System.Net.FtpWebRequest]$FTPRequest
$FTPRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile
$FTPRequest.Credentials = new-object System.Net.NetworkCredential($Username, $Password)
$FTPRequest.UseBinary = $true
$FTPRequest.UsePassive = $true

2. WinSCP Registry Artifacts

WinSCP, another popular file transfer tool, leaves traces in the registry that may help in detecting exfiltration:

Registry Paths:
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache
HKCU\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\LocalTarget
HKCU\SOFTWARE\Martin Prikryl\WinSCP2\Configuration\History\RemoteTarget

3. RDP Exfiltration

Exfiltration through Remote Desktop Protocol (RDP) is challenging to detect, as Windows does not log what files are copied out of the network. However, RDP clients can map local drives to remote sessions, creating shares such as \\tsclient\C\. These UNC paths may appear in process creation events or command lines.

(i) RDP bitmap cache parsing is a long shot when it comes to identifying potential exfil.

4. Rclone – The Ransomware Actor’s Little Buddy

Rclone, a synchronization tool compatible with over 40 services, is often used by ransomware actors for data exfiltration. Adversaries usually do not rename rclone.exe or rclone.conf, making them easier to detect.

You can learn more about Rclone's configuration file at https://rclone.org/docs/#config-config-file and see the list of supported providers at https://rclone.org/#providers

5. Power Consumption as a Detection Method

Data exfiltration can be associated with high power consumption. Transferring data requires power for the network interface and the transferring program. Tools like Rclone and MEGAsync might show up in power efficiency reports stored at C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics.

The SRUM database has also proven useful for power consumption analysis, which can help identify suspicious exfiltration activities. You can explore SRUM further in the following posts:
- SRUM: The Digital Detective in Windows
- How to Use SRUMECmd to Parse and Analyze SRUDB.dat Files

6. MEGAsync IOCs

MEGAsync, another tool often used for exfiltration, leaves behind artifacts that could aid in investigation:
- Scheduled Task Name: \MEGA\MEGAsync Update Task
- Config File (encrypted): %LOCALAPPDATA%\Mega Limited\MEGAsync\MEGAsync.cfg
- Executable: %LOCALAPPDATA%\Mega Limited | %LOCALAPPDATA%\MEGAsync
- Log Files: %LOCALAPPDATA%\Mega Limited\MEGAsync\logs\
- Registry Setting: HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CLSID of Mega}\Instance\InitPropertyBag\TargetFolderPath

7. LockBit’s StealBit Tool

LockBit ransomware operators have developed a custom exfiltration tool called StealBit, known for its high efficiency and speed. For a deep dive into LockBit’s arsenal and the StealBit tool, check out Cybereason’s threat analysis report.

9. Network-Based Exfiltration Detection

While network logs such as firewall and NetFlow logs can help determine the amount of data exfiltrated, they do not reveal the content. Look for traffic spikes, off-hours activity, or protocol tunneling (e.g., DNS) as indicators of potential exfiltration. Though it may be difficult to prove what exact data was exfiltrated, tracking these indicators can provide valuable leads in your investigation.
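As an added example that ties section 5 (renamed executables) together with the Rclone, WinSCP and MEGAsync notes (this is not code from the original post), the Python below triages constructed Sysmon Event ID 1 records: it compares the image name with OriginalFileName, checks the result against the tool names this post lists, and looks for rclone.conf and \\tsclient\ paths on the command line. The tool-name set and the sample records are assumptions; a binary built without a VERSIONINFO resource reports OriginalFileName as "?" (Sysmon's placeholder for a missing field) and is matched on its image name instead.

```python
import ntpath

# OriginalFileName values (from the PE VERSIONINFO resource, as Sysmon Event ID 1 records
# them) of the transfer and archiving tools this post discusses. Assumed list; extend it
# from your own environment.
TRANSFER_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe", "filezilla.exe", "7za.exe", "7z.exe", "rar.exe"}

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records, not from a real incident
    {"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": "C:\\PerfLogs\\svchost.exe", "OriginalFileName": "Rar.exe", "CommandLine": "svchost.exe a C:\\Windows\\Temp\\f.rar D:\\Finance"},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\rclone.exe", "OriginalFileName": "?", "CommandLine": "rclone.exe --config C:\\Users\\bob\\AppData\\Local\\Temp\\rclone.conf"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c copy C:\\Windows\\Temp\\f.rar \\\\tsclient\\C\\out\\"},
    {"Image": "C:\\Users\\bob\\Downloads\\update.exe", "OriginalFileName": "?", "CommandLine": "update.exe /silent"},
]


def triage_process_event(ev):
    """Return the reasons one Sysmon Event ID 1 record deserves a look (empty list = nothing seen)."""
    reasons = []
    image_name = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    # Best identity we have: the compiled-in name when present, else the on-disk name.
    # Case-insensitive on purpose: legitimate binaries differ only in case (e.g. Cmd.Exe).
    identity = original if original not in ("", "?") else image_name
    if identity != image_name:
        reasons.append(f"renamed binary: {image_name} is really {identity}")
    if identity in TRANSFER_TOOLS:
        reasons.append(f"known transfer/archiving tool: {identity}")
    if "rclone.conf" in cmd:
        reasons.append("rclone.conf referenced on the command line")
    if "\\\\tsclient\\" in cmd:
        reasons.append("RDP drive redirection share (\\\\tsclient\\) referenced on the command line")
    return reasons


def triage(events):
    """(index, reasons) for every record that tripped at least one check."""
    hits = []
    for i, ev in enumerate(events):
        reasons = triage_process_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["Image"], "->", "; ".join(reasons))
```

A name mismatch on its own is a lead, not a verdict: some legitimate software ships with an OriginalFileName that differs from the installed file name, so baseline the mismatches you see normally and alert on the rest, and weight a mismatch much higher when the identity is one of the transfer tools above.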
Be vigilant, keep learning, stay safe.

Akash Patel
- Lateral Movement in Cyber Attacks: Key Protocols, Tools, and Detection Methods
Lateral movement refers to how attackers move through a network after gaining initial access. This allows them to explore the environment, escalate privileges, and reach their final target, often sensitive data or critical systems. Lateral movement is hard to track due to the variety of methods used.

Common Lateral Movement Protocols

Server Message Block (SMB): Used for file sharing over the network. TCP ports 137, 138, 139, and 445 are utilized.
- Tools: PsExec (SysInternals), smbexec (Impacket).
- Event IDs to monitor:
  - 5140: A network share object was accessed.
  - 4688/4689: Process creation and termination (Sysmon Event IDs 1 / 5).
  - 7045/7036: Service creation and status changes.

Remote Desktop Protocol (RDP): Enables remote access to systems. Attackers often add themselves to the “Remote Desktop Users” group. Monitor for Event ID 4728: "A member was added to a security-enabled global group".
- RDP Cached Bitmaps: RDP clients store 64x64-pixel bitmap tiles, which are cached by default. These cached images can be obtained and parsed for forensic analysis. I have created a complete blog on analyzing RDP Cached Bitmaps (do check it out to learn more; link below):
  https://www.cyberengage.org/post/analyzing-and-extracting-bitmap-cache-files-from-rdp-sessions

Windows Remote Management (WinRM): Microsoft’s implementation of the WS-Man protocol. WinRS (Remote Shell) is commonly used in ransomware campaigns.
- Monitoring: Check for command lines such as winrs.exe -r:target /username:admin /password:pass.
- Tools like SharpSphere can compromise vSphere infrastructure through WinRM.

Windows Management Instrumentation (WMI): Allows for administrative tasks on remote systems. Often abused by ransomware operators to execute commands or transfer files.

Background Intelligent Transfer Service (BITS): Used for downloading files in the background. Attackers utilize BITS for stealthy data transfers and task execution.
Tools Commonly Used for Lateral Movement Ransomware operators and threat actors use a variety of scanners to identify targets for lateral movement: Advanced IP Scanner Advanced Port Scanner Angry IP Scanner Cobalt Strike (built-in scanning capabilities) KPort Scanner nmap Qfinder Pro SoftPerfect Network Scanner Detailed Protocol Insights Server Message Block (SMB) SMB is a primary target for lateral movement. PsExec, for instance, is a popular tool for running processes remotely: PsExec Process : Opens an SMB session to the target. Uploads PSEXESVC.exe to the ADMIN$ share. Creates a named pipe( Example:- \\client\pipe\svcctl) to talk to the Service Control Manager (SCM). Calls CreateService using the newly uploaded PSEXESVC.exe as ImageFile. Calls StartService to run the service. Detection: File Creations : Monitor for the creation of PSEXESVC.exe. Registry Key : The EULA acceptance is stored in the registry at HK_USERS\[SID]\Software\Sysinternals\PsExec\EulaAccepted. Additional reading on PsExec and SMBexec: Windows Lateral Movement with smb, psexec and alternatives. https://nv2lt.github.io/windows/smb-psexec-smbexec-winexe-how-to/ Remote Desktop Protocol (RDP) For RDP-based lateral movement: Group Membership : Check Event ID 4728 when users are added to the “Remote Desktop Users” group. Bitmap Cache : RDP client stores bitmaps locally, which can be parsed using tools like RdpCacheStitcher, EnCase, and BMC Tools. These tools can help reconstruct images that were viewed during the session, potentially revealing sensitive information. Detecting and Hunting Lateral Movement Detecting PsExec Activity : Process Creation Events : Event IDs 4688/4689 (or S ysmon Event IDs 1/5) . Service Creation : Event IDs 7045/7036 for PSEXESVC, File creations (Sysmon Event ID 11) Registry Monitoring : Look for EULA acceptance in the registry. File Creations : Track the creation of PSEXESVC.exe. Detecting smbexec Activity : Lucene-based queries can help identify smbexec usage. 
For example:
- CommandLine:"powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass"
- CommandLine:("\\127.0.0.1\C$\__output" OR "127.0.0.1 AND __output")
- CommandLine:"%COMSPEC% AND /Q AND /c"
- CommandLine:"%COMSPEC%"
- FileName:("execute.bat OR __output")
- EventID:7045 AND ServiceName:"BTOBTO"

To learn more about hunting for Impacket/smbexec, see Riccardo Ancarani's "Hunting for Impacket" article: https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/

Ransomware Evolution: Expanding Beyond Windows

Ransomware groups are increasingly targeting non-Windows platforms, including Linux, macOS, and virtualization platforms like VMware's vCenter, vSphere, and ESXi.
- Attacks on vSphere infrastructure: Tools like SharpSphere allow attackers to gain control over vSphere infrastructure. Attackers can list VMs, dump memory, or execute code on virtual machines.
- Targeting ESXi servers: Attackers exploit vulnerabilities in ESXi servers to encrypt multiple VMs simultaneously. Examples include using custom Python scripts to target ESXi servers.
- Ransomware-as-a-Service (RaaS) and ESXi payloads: RaaS platforms like LockBit 3.0 and BlackBasta are generating native ESXi ransomware payloads, making it easier for attackers to target virtualized environments.

Incident Response and Forensics on Non-Windows Platforms
- Manual artifact collection: Before mid-2022, collecting forensic artifacts from ESXi and other Unix-like systems was mostly manual, making it a time-consuming process during incident response.
- Unix-like Artifacts Collector (UAC): Developed by Thiago Canozzo Lahr, this tool automates the collection of system artifacts from various Unix-like operating systems, including ESXi, Linux, macOS, and others. This automation improves the speed and efficiency of incident response efforts.
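As an added example (not code from the original post), the following Python correlates constructed Windows event records against the PsExec and smbexec indicators listed above: 5140 on ADMIN$, 7045/4688/Sysmon 11 referencing PSEXESVC, the BTOBTO service name, and the %COMSPEC% /Q /c ... __output command shape. The event field names (host, event_id, share, service_name, image_path, process, target_file, command_line) are assumptions, not a real SIEM schema.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the Event IDs the post lists; the field
# names are assumptions, not a real log schema.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.5"},
    {"host": "WS01", "event_id": 11, "target_file": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS01", "event_id": 4688, "process": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS02", "event_id": 7045, "service_name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c dir > \\127.0.0.1\C$\__output 2>&1"},
    {"host": "WS03", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "WS03", "event_id": 4688, "process": r"C:\Windows\System32\notepad.exe"},
]

# smbexec shapes from the Lucene queries above: %COMSPEC% with /Q and /c, the
# __output file on the loopback C$ share, or the execute.bat helper.
SMBEXEC_RE = re.compile(
    r"%COMSPEC%.*\s/Q\b.*\s/c\b|\\\\127\.0\.0\.1\\C\$\\__output|execute\.bat", re.I)

def _text(ev, *keys):
    return " ".join(str(ev.get(k, "")) for k in keys)

def is_psexec_indicator(ev):
    """7045 (service install), 4688 (process create) or Sysmon 11 (file create) naming PSEXESVC."""
    if ev["event_id"] not in (7045, 4688, 11):
        return False
    return "PSEXESVC" in _text(ev, "service_name", "image_path", "process", "target_file").upper()

def is_smbexec_indicator(ev):
    """7045 with the default BTOBTO service name, or the smbexec command-line shape."""
    if ev["event_id"] == 7045 and ev.get("service_name") == "BTOBTO":
        return True
    return bool(SMBEXEC_RE.search(_text(ev, "image_path", "command_line")))

def detect_lateral_movement(events):
    """Group events per host; return one finding per (host, technique) seen."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append(ev)
    findings = []
    for host, evs in per_host.items():
        # 5140 on ADMIN$ is where PsExec uploads its binary; it raises confidence.
        admin = any(e["event_id"] == 5140 and e.get("share", "").upper().endswith("ADMIN$") for e in evs)
        for name, pred in (("PsExec", is_psexec_indicator), ("smbexec", is_smbexec_indicator)):
            hits = [e for e in evs if pred(e)]
            if hits:
                findings.append({"host": host, "technique": name, "admin_share_access": admin,
                                 "event_ids": sorted({e["event_id"] for e in hits})})
    return findings
```

Running detect_lateral_movement(SAMPLE_EVENTS) yields a PsExec finding for WS01 (with ADMIN$ access) and an smbexec finding for WS02, while WS03's legitimate Spooler and notepad events produce nothing.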
Learning Resources:
- Leonard Savina's presentation (attached below)
- Thiago Canozzo Lahr's presentation (attached below)

Conclusion: By covering all key protocols, tools, detection techniques, and the latest ransomware trends, this blog provides a comprehensive understanding of lateral movement and how to defend against it. Stay vigilant, and make sure to incorporate the detection strategies discussed to protect your network from lateral movement attacks.

Akash Patel

I have created a blog and a PDF file which will help you investigate artifacts on the source system and the destination system. The PDF contains detection and analysis based on Event IDs as well as on file system artifacts; link below: https://www.cyberengage.org/post/understanding-lateral-movement-in-cyber-attacks
- Overview of the differences between various forensic artifacts:
LNK (Shortcut) Files: LNK files are Windows shortcut files that contain metadata about the file or program they link to. They can reveal information such as the target file's path, icon location, creation time, and last accessed time. Useful for understanding user behavior and application usage patterns, and potentially for identifying executed files.

Prefetch Files: Prefetch files are used by Windows to optimize the loading time of frequently accessed programs. They contain metadata about the execution of programs, including the program's name, path, last run time, and frequency of use. Valuable for identifying frequently executed programs and establishing user activity patterns.

AMCACHE (AMCache.hve): AMCACHE is a Windows registry hive that stores information about program executions and installations. It contains details such as program names, paths, execution counts, first and last execution times, and digital signatures. Provides insights into program execution history, including newly installed software and potentially malicious activities.

Shimcache: The Shimcache, found in the Windows registry, maintains a record of executed programs, even if they have been deleted or moved. It includes information such as program paths, last modified timestamps, and execution counts. Useful for identifying executed programs, even when attempts were made to conceal or remove them.

Note for Shimcache: Shimcache tracks files that were executed as well as executables that were browsed via File Explorer. Shimcache is held in memory and is written to the registry upon shutdown. This is important to note when collecting a triage image from an online system: if the machine has been running without any reboot, restart or logoff, this artifact will not be available.

Shimcache order of execution: Shimcache stores the most recently executed or interacted-with files at the top of the registry key.
By sorting on the Line column, we are able to view the executables in chronological order, regardless of the file modification timestamp.

Jump Lists: Jump Lists are a feature of the Windows taskbar and Start menu that provide quick access to recently or frequently used files and programs. They store information about accessed files, including file names, paths, timestamps, and usage frequency. Helpful for reconstructing user activities, identifying accessed files, and understanding user preferences and behavior.

Shell Bags: These structures store information about which folders were most recently browsed by the user, including details such as folder view settings and the last time a folder was visited or updated.