Latest Posts (20 found)
dfir.ch 6 months ago

Linux Capabilities Revisited

Introduction Notes to kernel developers: The goal of capabilities is to divide the power of superuser into pieces, such that if a program that has one or more capabilities is compromised, its power to do damage to the system would be less than the same program running with root privilege. Capabilities(7) — Linux manual page Capabilities are a fine-grained access control mechanism in Linux, allowing more granular permissions than the traditional superuser (root) model.
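
As an added example (not code from the dfir.ch post), the following Python decodes the Cap* bitmasks the kernel reports in /proc/<pid>/status and flags capabilities that are commonly treated as root-equivalent. The bit positions are those of include/uapi/linux/capability.h; the ROOT_EQUIVALENT watch list is my assumption, not a kernel definition, and the status excerpt is constructed.

```python
import os
import re

# Bit positions follow include/uapi/linux/capability.h:
# CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40 (41 capabilities on Linux 5.9+).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Assumption (my watch list, not a kernel definition): capabilities whose holder
# can regain full root with little effort, e.g. by loading a module, ptracing a
# root process, bypassing DAC checks or writing to raw block devices.
ROOT_EQUIVALENT = {
    "cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_sys_rawio",
    "cap_dac_override", "cap_dac_read_search", "cap_setuid", "cap_setgid",
    "cap_setpcap", "cap_setfcap", "cap_chown", "cap_fowner", "cap_mknod",
    "cap_sys_boot", "cap_bpf",
}

def decode_caps(hexmask: str) -> list:
    """Turn a mask such as '0000000000200000' into capability names, lowest bit first."""
    mask = int(hexmask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    unknown = mask >> len(CAP_NAMES)        # bits newer than this table, or a bogus value
    if unknown:
        names.append(f"unknown_bits_0x{unknown:x}")
    return names

def parse_status(text: str) -> dict:
    """Extract Name, real Uid and every Cap* line from /proc/<pid>/status content."""
    info = {"uid": None, "name": None}
    for line in text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            info[m.group(1)] = decode_caps(m.group(2))
        elif line.startswith("Uid:"):
            info["uid"] = int(line.split()[1])          # first field is the real uid
        elif line.startswith("Name:"):
            info["name"] = line.split("\t", 1)[1].strip()
    return info

def root_equivalent(caps: list) -> list:
    return sorted(c for c in caps if c in ROOT_EQUIVALENT)

def scan_procfs(proc: str = "/proc") -> list:
    """Non-root processes whose effective set contains root-equivalent capabilities."""
    hits = []
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        try:
            with open(f"{proc}/{pid}/status") as f:
                info = parse_status(f.read())
        except OSError:                                 # process exited or unreadable
            continue
        bad = root_equivalent(info.get("CapEff", []))
        if info["uid"] not in (None, 0) and bad:
            hits.append((int(pid), info["name"], bad))
    return hits

# Constructed /proc/<pid>/status excerpt: an unprivileged user's process that
# ended up with CAP_SYS_ADMIN effective (for instance through a file capability).
SAMPLE_STATUS = (
    "Name:\tsuspicious\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000200000\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    sample = parse_status(SAMPLE_STATUS)
    print("sample CapEff:", sample["CapEff"], "root-equivalent:", root_equivalent(sample["CapEff"]))
    for pid, name, caps in scan_procfs():
        print(f"pid {pid} ({name}) runs as non-root but holds {', '.join(caps)}")
```

Run it on a live host to list processes that are not uid 0 yet hold a root-equivalent capability in CapEff; a result there is either a deliberate file capability (check with getcap) or something worth a closer look.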

dfir.ch 8 months ago

FIRST Technical Colloquium Amsterdam: In-Depth Study of Linux Rootkits

Abstract This talk, “In-Depth Study of Linux Rootkits,” will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.

dfir.ch 8 months ago

BSides Kent: The Gist of Hundreds of Incident Response Cases

Abstract How to become an Incident Response Rockstar? After conducting hundreds of Incident Response cases, we have learned that more data is not always better. Focusing on the most relevant forensic data can speed up the investigation considerably. In this talk, we will discuss the importance of various event logs to track down the attackers' lateral movement paths, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder - which also holds true in digital forensics.

dfir.ch 9 months ago

Today I Learned - Protected Symlinks

Introduction A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp. Source: Sysctl Explorer The protected_symlinks setting within the Linux Kernel helps prevent TOCTOU (time-of-check-time-of-use) vulnerabilities in privileged processes.
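
To make the rule concrete, here is an added Python model (not code from the post) of the check the kernel performs in may_follow_link() when fs.protected_symlinks is enabled: a symlink is followed if the follower owns it, if the containing directory is not both sticky and world-writable, or if the directory owner also owns the link; otherwise the lookup fails with EACCES, even for root. The scenarios and uids are constructed.

```python
import stat
from typing import Optional

def may_follow_link(protected: int, follower_uid: int, link_uid: int,
                    parent_mode: int, parent_uid: int) -> bool:
    """Model of the kernel's may_follow_link() check (fs/namei.c).

    protected    : value of fs.protected_symlinks (0 or 1)
    follower_uid : fsuid of the process resolving the path
    link_uid     : owner of the symlink inode
    parent_mode  : st_mode of the directory containing the symlink
    parent_uid   : owner of that directory
    Returns True if the symlink may be followed, False for -EACCES.
    """
    if not protected:
        return True                                   # classic behaviour: always follow
    if follower_uid == link_uid:
        return True                                   # owner and follower match
    sticky_world_writable = stat.S_ISVTX | stat.S_IWOTH
    if (parent_mode & sticky_world_writable) != sticky_world_writable:
        return True                                   # not a /tmp-like directory
    if parent_uid == link_uid:
        return True                                   # directory owner also owns the link
    return False                                      # denied; audited when auditd is active

def current_setting(path: str = "/proc/sys/fs/protected_symlinks") -> Optional[int]:
    """Read the live sysctl value; None if unavailable (non-Linux, old kernel, sandbox)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

# Constructed scenarios. Modes are full st_mode values (S_IFDIR | permission bits).
TMP_MODE = stat.S_IFDIR | 0o1777      # /tmp: sticky and world-writable, owned by root
HOME_MODE = stat.S_IFDIR | 0o755      # a user's home directory
SCENARIOS = [
    # (description, protected, follower_uid, link_uid, parent_mode, parent_uid)
    ("root follows user's symlink in /tmp, sysctl off", 0, 0, 1000, TMP_MODE, 0),
    ("root follows user's symlink in /tmp, sysctl on", 1, 0, 1000, TMP_MODE, 0),
    ("user follows own symlink in /tmp", 1, 1000, 1000, TMP_MODE, 0),
    ("root follows user's symlink in user's $HOME", 1, 0, 1000, HOME_MODE, 1000),
    ("other user follows symlink in a sticky dir owned by the link owner", 1, 2000, 1000, TMP_MODE, 1000),
]

def evaluate_scenarios() -> list:
    return [(desc, may_follow_link(p, f, l, m, d)) for desc, p, f, l, m, d in SCENARIOS]

if __name__ == "__main__":
    print("fs.protected_symlinks on this host:", current_setting())
    for desc, allowed in evaluate_scenarios():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {desc}")
```

The second scenario is the classic /tmp race: with the sysctl on, a root daemon that opens /tmp/foo after some other user replaced it with a symlink gets EACCES instead of silently writing through to the target.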

dfir.ch 9 months ago

macOS Extended Attributes: Case Study

Introduction Extended attributes (EAs) are a powerful and sometimes overlooked feature of macOS’s file system, storing additional metadata about files beyond what standard attributes like file name, size, and permissions allow. While these attributes are invisible in typical file interactions, they play a critical role in various macOS features and workflows. Inspecting Extended Attributes macOS provides several tools for working with extended attributes. These include: The ls command (the @ at the end of the permissions indicates extended attributes): -rw-r--r--@ 1 malmoeb staff 202767345 Jan 6 13:29 Webex.

dfir.ch 10 months ago

Tear Down The Castle - Part 2

This is the second part of a two-part series about Active Directory security. Read the first part here. To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments. We indicate how many of the 250 domains checked were affected by the finding (Affected Domains: N/250). PingCastle is a popular tool for auditing the security of Active Directory environments, pinpointing vulnerabilities, and offering actionable recommendations for improvement.

dfir.ch 10 months ago

Oh my .. ! - Suspicious network traffic detected including Ransomware

Introduction A customer contacted us due to a high-severity ransomware alert in Windows Defender for Endpoint (Figure 1). Figure 1: Suspicious network traffic detected including Ransomware Clicking on one of the alerts does not reveal additional details besides the IP address (Figure 2). Figure 2: Process Tree After further clicks, we end up at the explanation in Figure 3, which doesn’t inspire confidence. What exactly is happening here, and which process on the host is responsible for these network connections?

dfir.ch 10 months ago

Tear Down The Castle - Part 1

Introduction In the realm of IT infrastructure, Active Directory (AD) serves as a crucial backbone, enabling organizations to manage users, devices, and resources efficiently. However, given its central role, it also presents a significant security target, and maintaining its integrity is paramount. Misconfigurations and overlooked security gaps in AD can expose an organization to critical vulnerabilities, leading to potential breaches, data theft, and system downtime. To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments.

dfir.ch 10 months ago

Analysis of Python's .pth files as a persistence mechanism

Introduction The purpose of the update.py script is to deploy a backdoor to the following path: /usr/lib/python3.6/site-packages/system.pth. The backdoor, written in Python, starts with an import, and its main content is stored as a base64-encoded blob. A .pth file placed in site-packages is normally used to append additional directories to Python's module search path (sys.path). However, lines in .pth files beginning with the text "import" followed by a space or a tab are executed when the interpreter starts, as described in the official documentation of the site module.
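
As an added example (not the post's or the malware's code), the following Python applies the same line rules CPython's site.addpackage() uses (skip blanks and comments, exec() lines starting with "import " or a tab-separated "import", treat everything else as a path) to classify .pth content and to decode any base64 literal handed to b64decode() on an exec line. The sample .pth text is constructed and carries a harmless print() where a real payload would be.

```python
import base64
import glob
import os
import re
import site

# Base64 literal passed to base64.b64decode("...") / b64decode(b'...') on one line.
B64_CALL = re.compile(r"""b64decode\(\s*[rb]*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""")

def analyze_pth(text: str) -> list:
    """Classify each line of a .pth file the way CPython's site.addpackage() does.

    - blank lines and lines starting with '#' are ignored
    - lines starting with 'import ' or 'import<TAB>' are passed to exec()
    - every other line is a directory appended to sys.path (if it exists)
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            entry = {"line": lineno, "kind": "exec", "text": line, "decoded": []}
            for blob in B64_CALL.findall(line):
                try:
                    entry["decoded"].append(
                        base64.b64decode(blob).decode("utf-8", "replace"))
                except ValueError:          # binascii.Error is a ValueError
                    entry["decoded"].append("<undecodable base64>")
            findings.append(entry)
        else:
            findings.append({"line": lineno, "kind": "path", "text": line})
    return findings

def scan_site_packages() -> dict:
    """Map every .pth file in this interpreter's site dirs to its exec lines."""
    report = {}
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.pth")):
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = [h for h in analyze_pth(f.read()) if h["kind"] == "exec"]
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report

# Constructed sample modelled on the system.pth shape described above; the
# payload is built at runtime so the base64 is guaranteed to be well-formed.
_PAYLOAD = base64.b64encode(b'print("hello from .pth")').decode()
SAMPLE_PTH = (
    "# legitimate entry added by an editable install\n"
    "/usr/lib/python3/dist-packages/somepkg\n"
    "\n"
    f"import sys,base64;exec(base64.b64decode('{_PAYLOAD}'))\n"
)

if __name__ == "__main__":
    for hit in analyze_pth(SAMPLE_PTH):
        print(hit)
    for path, hits in scan_site_packages().items():
        print(path)
        for h in hits:
            print(f"  line {h['line']}: {h['text'][:80]}  decoded={h['decoded']}")
```

Legitimate exec lines do exist (setuptools' distutils-precedence.pth and some editable installs use them), so the scan is a triage list rather than a verdict; an exec line that decodes base64 or reaches for sockets is what warrants a closer look.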

dfir.ch 11 months ago

Today I Learned - setfacl

Introduction setfacl is a command-line utility on Linux/Unix systems used to set Access Control Lists (ACLs) on files and directories. ACLs provide a more flexible permission mechanism than the traditional owner-group-other model: they allow specific permissions to be granted to individual users or groups beyond what the basic file-system permission bits support.

setfacl [options] [permissions] file/directory

Options:
-m: Modify or add an ACL entry.
-x: Remove an ACL entry.
-b: Remove all ACL entries.
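
From the forensic side, the question is where such entries hide: ls -l only shows a trailing + for a file with an extended ACL, so the entries have to be read with getfacl. The following added Python (not code from the post) parses getfacl output and keeps only the entries that go beyond owner/group/other, i.e. named users, named groups, the mask and default entries. The sample output is constructed; the live helper assumes the getfacl binary from the acl package is installed.

```python
import subprocess

# Constructed getfacl output: /etc/shadow with an extra named-user entry and a
# clean /etc/passwd for comparison. getfacl strips the leading slash unless -p is used.
SAMPLE_GETFACL = """\
# file: etc/shadow
# owner: root
# group: shadow
user::rw-
user:svc-backup:r--
group::r--
mask::r--
other::---

# file: etc/passwd
# owner: root
# group: root
user::rw-
group::r--
other::r--
"""

def parse_getfacl(text: str) -> dict:
    """Map each '# file:' block of getfacl output to its ACL entry lines."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):]
            acls[current] = []
        elif line.startswith("#") or not line.strip():
            continue                      # owner/group header lines and separators
        elif current is not None:
            acls[current].append(line)
    return acls

def extended_entries(entries: list) -> list:
    """Entries that the owner-group-other model cannot express.

    Named users/groups (user:NAME:perms, group:NAME:perms), the mask and any
    default: entries are exactly what `ls -l` hides behind the trailing '+'.
    """
    out = []
    for raw in entries:
        entry = raw.split("#")[0].strip()          # drop '#effective:...' trailers
        tag, name, *_ = entry.split(":")
        if tag in ("default", "mask") or (tag in ("user", "group") and name):
            out.append(entry)
    return out

def files_with_acls(text: str) -> dict:
    """Only the files whose ACL carries extended entries, with those entries."""
    result = {}
    for path, entries in parse_getfacl(text).items():
        ext = extended_entries(entries)
        if ext:
            result[path] = ext
    return result

def live_getfacl(path: str) -> str:
    """Recursively dump ACLs below `path` (-p keeps absolute names); needs the acl package."""
    proc = subprocess.run(["getfacl", "-R", "-p", path],
                          capture_output=True, text=True, check=False)
    return proc.stdout

if __name__ == "__main__":
    for path, ext in files_with_acls(SAMPLE_GETFACL).items():
        print(path, "->", ext)
```

Run files_with_acls(live_getfacl("/etc")) on a suspect host and diff the result against a clean reference or a fresh install of the same distribution; a named-user read entry on /etc/shadow or write entry on a cron or systemd directory is the kind of quiet persistence this surfaces.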

dfir.ch 11 months ago

Shell Script Compiler (shc)

Introduction "After installing the payload, the shell script inst.sh runs a backdoor binary that matches the target device’s architecture. The backdoor is a shell script compiled using an open-source project called Shell Script Compiler (shc), and enables the threat actors to perform subsequent malicious activities and deploy additional tools on affected systems." Source: IoT devices and Linux-based systems targeted by OpenSSH trojan campaign, Microsoft Threat Intelligence. In this blog post, we will analyze Shc - A generic shell script compiler, mentioned by Microsoft in the linked blog post above.

dfir.ch 1 year ago

DeepSec: RAT Builders - How to catch them all

Abstract Cybercriminals now have unprecedented ease in creating their own remote access trojans (RATs), thanks to a plethora of open-source or leaked builders. One can generate a new binary with just a click of a button. We meticulously examine different builders, such as AgentTesla, DCRat, Nanocore, and others, to extract Indicators of Compromise. These indicators serve as valuable instruments for targeted hunting to detect infections within our networks. Building on my research from last year, “N-IOC’s to rule them all”, we will analyze the binaries the same way, but this time with a focus on open-source builders for RATs.

dfir.ch 1 year ago

BSides Munich: /proc for Security Analysts

Abstract In the intricate landscape of cybersecurity, the ability to uncover hidden threats and analyze system behaviors is paramount. The /proc filesystem, a critical component of Unix-like operating systems, serves as a treasure trove of real-time data and system information. In this talk, “/proc for Security Analysts,” we will delve into the forensic value of /proc, demonstrating how it can be leveraged to detect rootkits, uncover anomalies, and gain a profound understanding of the operating system.

dfir.ch 1 year ago

Reptile's Custom Kernel-Module Launcher

Introduction “In REPTILE version 2.0, the original developer of REPTILE altered how the Kernel-level component is loaded, switching from using insmod to a custom launcher. The launcher Mandiant observed UNC3886 use throughout their operations, based on the custom launcher, was updated with a new function to daemonize a process.” — Mandiant, Cloaked and Covert: Uncovering UNC3886 Espionage Operations, 2024. This analysis will examine how the Reptile rootkit loader bypasses the standard Linux insmod command for loading Kernel modules and will explore methods for detecting the use of this custom loader.
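
Whatever userland launcher is used, a kernel module still enters the kernel through the init_module() or finit_module() system call, which is what insmod itself calls. One detection angle, shown here as an added Python example (not code from the post or from Mandiant), is therefore to audit those two syscalls and flag loads whose executable is not the distribution's kmod binary. The audit records are constructed (syscall numbers 175 and 313 are the x86_64 values), the KNOWN_LOADERS allow list is my assumption and must be adapted per distribution, and the rule in the comment is the auditctl syntax that produces such records.

```python
import re

# Audit rule that produces the records parsed below (auditctl syntax):
#   -a always,exit -F arch=b64 -S init_module,finit_module -k modload
# Records carry either the raw x86_64 syscall number or, with `ausearch -i`, its name.
MODULE_SYSCALLS = {"175": "init_module", "313": "finit_module",
                   "init_module": "init_module", "finit_module": "finit_module"}

# Assumption: on this host modules are loaded only by kmod (insmod/modprobe are
# symlinks to it). Adjust to your distribution and to any EDR/DKMS helpers.
KNOWN_LOADERS = {"/usr/bin/kmod", "/bin/kmod", "/sbin/kmod", "/usr/sbin/kmod",
                 "/sbin/insmod", "/sbin/modprobe", "/usr/sbin/insmod", "/usr/sbin/modprobe"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_record(line: str) -> dict:
    """Split one auditd record into key/value pairs, unquoting quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def suspicious_module_loads(lines) -> list:
    """SYSCALL records for init_module/finit_module whose exe is not a known loader."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        name = MODULE_SYSCALLS.get(rec.get("syscall", ""))
        if name is None:
            continue
        if rec.get("exe") not in KNOWN_LOADERS:
            hits.append({"pid": rec.get("pid"), "ppid": rec.get("ppid"),
                         "comm": rec.get("comm"), "exe": rec.get("exe"),
                         "syscall": name, "success": rec.get("success"),
                         "auid": rec.get("auid")})
    return hits

# Constructed audit log: a normal modprobe load, a load by a binary dropped in
# /dev/shm (the pattern a custom launcher produces), and unrelated noise.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1718000000.123:456): arch=c000003e syscall=313 success=yes exit=0 '
    'a0=3 a1=7f1c2a0 a2=0 a3=0 items=1 ppid=1 pid=1234 auid=0 uid=0 gid=0 euid=0 '
    'tty=(none) ses=1 comm="modprobe" exe="/usr/bin/kmod" key="modload"',
    'type=SYSCALL msg=audit(1718000001.555:457): arch=c000003e syscall=175 success=yes exit=0 '
    'a0=55d8a0 a1=1c2f0 a2=55d100 a3=0 items=0 ppid=2201 pid=2202 auid=1000 uid=0 gid=0 euid=0 '
    'tty=pts0 ses=3 comm="launcher" exe="/dev/shm/launcher" key="modload"',
    'type=SYSCALL msg=audit(1718000002.001:458): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2200 pid=2201 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash"',
    'type=PROCTITLE msg=audit(1718000001.555:457): proctitle="./launcher"',
]

if __name__ == "__main__":
    for hit in suspicious_module_loads(SAMPLE_AUDIT):
        print(hit)
```

On a real host feed it `ausearch -k modload` output (raw, not interpreted) or the lines from /var/log/audit/audit.log. A successful init_module from anything but kmod, especially from a world-writable or memory-backed path, is a strong lead even if the module itself has since hidden from lsmod.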

dfir.ch 1 year ago

Hack.lu: The Gist of Hundreds of Incident Response Cases

Abstract How to become an Incident Response Rockstar? After conducting hundreds of Incident Response cases, we have learned that more data is not always better. Focusing on the most relevant forensic data can speed up the investigation considerably. In this talk, we will discuss the importance of various event logs to track down the attackers' lateral movement paths, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder - which also holds true in digital forensics.

dfir.ch 1 year ago

Hack.lu: In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense

Abstract This talk, “In-Depth Study of Linux Rootkits,” will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.

dfir.ch 1 year ago

bedevil: Dynamic Linker Patching

Introduction bedevil (bdvl), according to the GitHub page, is an LD_PRELOAD rootkit. Therefore, this rootkit runs in userland. The group Muddled Libra used bedevil to target VMware vCenter servers, according to Palo Alto’s Unit42 Blog, 2024. The rootkit comes with a nifty feature called Dynamic Linker Patching: Upon installation, the rootkit will patch the dynamic linker libraries. Before anything, the rootkit will search for a valid ld.so on the system to patch.
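
A practical consequence of patching ld.so is that the dynamic linker's own string table changes. As an added example (not code from the post or from the bedevil project), the following Python extracts the absolute-path strings from an ld.so image, checks whether the stock "/etc/ld.so.preload" path is still present, and diffs the paths against a known-good copy. The two byte blobs are constructed stand-ins for a clean and an in-place patched linker; the swapped-in path "/usr/lib/.xpreload" is invented for the example and has the same length as the original, as an in-place binary patch requires.

```python
import glob
import re

DEFAULT_PRELOAD = b"/etc/ld.so.preload"
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")     # strings(1)-style extraction

def locate_ld_so():
    """First dynamic linker found on common glibc layouts, or None."""
    patterns = [
        "/lib64/ld-linux-x86-64.so.2",
        "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2",
        "/lib/ld-linux-aarch64.so.1",
        "/lib64/ld-linux*.so*",
        "/lib/*/ld-linux*.so*",
    ]
    for pattern in patterns:
        for hit in glob.glob(pattern):
            return hit
    return None

def ld_so_report(blob: bytes) -> dict:
    """Absolute-path strings in the image and whether the stock preload path survives."""
    strings = [s.decode("ascii") for s in PRINTABLE.findall(blob)]
    paths = sorted({s for s in strings if s.startswith("/")})
    return {"default_preload_present": DEFAULT_PRELOAD in blob, "abs_paths": paths}

def unexpected_paths(report: dict, baseline_paths) -> list:
    """Paths present in the examined ld.so but absent from a known-good copy."""
    return sorted(set(report["abs_paths"]) - set(baseline_paths))

# Constructed images: a minimal 'clean' linker carrying the strings of interest,
# and the same bytes after an in-place, same-length replacement of the preload path.
CLEAN = (b"\x7fELF" + b"\x00" * 8 + b"/etc/ld.so.preload\x00"
         + b"/etc/ld.so.cache\x00" + b"LD_PRELOAD\x00")
PATCHED = CLEAN.replace(b"/etc/ld.so.preload", b"/usr/lib/.xpreload")

if __name__ == "__main__":
    baseline = ld_so_report(CLEAN)
    suspect = ld_so_report(PATCHED)
    print("patched sample keeps stock path:", suspect["default_preload_present"])
    print("paths not in baseline:", unexpected_paths(suspect, baseline["abs_paths"]))
    path = locate_ld_so()
    if path:
        with open(path, "rb") as f:
            live = ld_so_report(f.read())
        print(path, "stock preload path present:", live["default_preload_present"])
```

On a live system, take the baseline from the distribution package (dpkg -V libc6, or rpm -Vf on the linker path, or an offline copy of the same glibc build) rather than from the host under investigation, since a rootkit that patches ld.so may also be hooking the tools you would use to verify it.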

dfir.ch 1 year ago

Microsoft Defender XDR's Deception Technology

Introduction This week wasn’t the first time we’ve investigated a case where a customer reported suspicious accounts that couldn’t be linked to any employees. In this case, two domain admin users were found on the affected network, but neither is employed by the company. Both accounts had logged into nearly every device within the organization, which understandably caused concern among those responsible, prompting them to ask us to investigate further.

dfir.ch 1 year ago

tmate - Instant Terminal Sharing (or How To Backdoor a Linux Server)

Introduction Over the last three years, various cyber security companies wrote about TeamTNT TTPs, notably about the use of tmate as their tool of choice for backdooring Linux servers after a compromise:
TeamTNT: Cryptomining Explosion (Intezer, 2021)
Attackers Abusing Various Remote Control Tools (ASEC, 2022)
TeamTNT Reemerged with New Aggressive Cloud Campaign (Aqua, 2023)
In this short blog post, we examine the traces left behind by a tmate installation and give some hints on where to find traces when actively looking for backdoored Linux servers with an active tmate instance running.

dfir.ch 1 year ago

EDR: The Great Escape - RomHack Training Review

This course aims to provide a comprehensive understanding of the architecture of modern EDRs and their underlying Antivirus (AV) systems. It delves deeply into the complexity of modern EDRs and their structure, including the components responsible for real-time monitoring, data collection, and threat analysis. [..] 50% of the course will be dedicated to hands-on labs showing how to translate the theoretical principles into practice. Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.
