Latest Posts (20 found)
dfir.ch 1 months ago

Anatomy of a Deno-Based Proxy & RAT

This is a copy of a blog post I wrote for my employee for InfoGuard LABS. Executive Summary In a recent investigation, we encountered malware that combined aggressive social engineering with the unconventional use of Deno, a secure JavaScript and TypeScript runtime built on V8. The attack began with a large-scale email flooding campaign, commonly referred to as mailbombing, designed to overwhelm employees and create confusion. Shortly afterward, the targeted users received Microsoft Teams calls from an attacker impersonating internal IT support.

0 views
dfir.ch 2 months ago

Brucon: Anti-Forensics (and Anti-Anti-Forensics) Techniques

Abstract A full-spectrum dive into anti-forensics across Windows and Linux (with a tad of MacOS, if time permits), centered on real incidents and modern attacker behavior. The course walks through classic log wiping, deeper filesystem tricks, PowerShell, timestomping, sandbox artifacts, memory-only execution, endpoint solution blind spots, and advanced Linux log manipulation. Each technique is paired with detection logic, weaknesses in attacker tradecraft, and practical forensic recovery paths. The material emphasizes hands-on analysis, including MFT/MSRUM/USN artifacts, ETW traces, VHDX extraction, /proc-based investigation, and highlights new research and tooling that shape current offensive and defensive strategies.

0 views
dfir.ch 3 months ago

Botconf: Tomb Raider - In Search of the Lost Signatures

Abstract We explored a decade of open-source offensive tools used in operations worldwide. After analysing hundreds of APT reports and threat-intelligence publications, we compiled a collection of tunnelling tools, reverse shells, loaders, RATs, and living-off-the-land components that threat actors have repeatedly repurposed. This presentation examines if these legacy tools still “work,” how reliably they operate today, and, most critically, whether modern AV and EDR solutions still detect them. We evaluated whether security products have deprioritized or even dropped signatures for aging tools, inadvertently creating blind spots that sophisticated threat actors continue to exploit.

0 views
dfir.ch 4 months ago

FIRST Technical Colloquium Paris: Inside Mythic: Dissecting a Modern Attack Framework

Abstract Your mission if you choose to accept it: take on the role of a detection engineer to dissect the most popular attack framework for attacks against macOS, Mythic. Mythic has various agents that can be easily integrated into the framework. In this talk, we will show common features of the agents, including how C2 communication works, how persistence can be set up, and how additional code can be executed.

0 views
dfir.ch 8 months ago

Dissection of a PHP Backdoor leveraging php-win.exe

Introduction During a recent Incident Response engagement, my colleague Asger Deleuran Strunk identified an unusual Scheduled Task while reviewing AutoRuns data from all servers and workstations across the network. The task, named ClockLauncher, referenced a batch file located at: C:\Windows\Temp\{0b1281f3-c9bc-4b85-ad92-0803ed04208f}\php_2\run-clock.bat Here is the content of the file run-clock.bat: @echo off cd /d "C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\" "C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\php-win.exe" "C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\5.php" exit The executable php-win.exe is running 5.php from a non-standard directory, C:\Windows\Temp\{0B1281F3-C9BC-4B85-AD92-0803ED04208F}\php_2\. The whole chain, starting from the filename to the directory, looks highly suspicious.

0 views
dfir.ch 8 months ago

BSides Berlin: Inside Mythic: Dissecting a Modern Attack Framework

Abstract Your mission, if you choose to accept it: take on the role of a detection engineer to dissect the most popular attack framework for attacks against macOS, Mythic. Mythic has various agents that can be easily integrated into the framework. In this talk, we will show common features of the agents, including how C2 communication works, how persistences can be set up, and how additional code can be executed. Our goal is to develop robust strategies for detecting these agents and to identify additional traces on the system that can be found by executing these agents on an infected computer.

0 views
dfir.ch 8 months ago

BSides Chisinau: Congratulations, You're Still Insecure!

Abstract For two decades, the security industry has promised progress: firewalls, antivirus, EDR, XDR, Zero Trust. Budgets have soared, tools have multiplied. And yet attackers still win with the same tricks. Why? Because while we buy shiny solutions, we continue to neglect the basics. This keynote cuts through the illusion of progress and shows why culture and discipline - not the next silver bullet product- are the real missing pieces.

0 views
dfir.ch 8 months ago

Today I learned: binfmt_misc

Introduction binfmt_misc (short for Binary Format Miscellaneous) is a Linux kernel feature that allows the system to recognize and execute files based on custom binary formats. It’s part of the Binary Format (binfmt) subsystem, which determines how the kernel runs an executable file. Normally, Linux only knows how to run native binaries (like ELF files compiled for the system’s CPU architecture, and a few other file types). binfmt_misc extends this by allowing other kinds of files, scripts, binaries for other architectures, or even custom file types, to be executed as if they were native.

0 views
dfir.ch 8 months ago

Hack.lu: Anti-Forensics - You are doing it wrong

Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood. From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent. Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.

0 views
dfir.ch 1 years ago

Troopers: Anti-Forensics - You are doing it wrong

Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood. From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent. Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.

0 views
dfir.ch 1 years ago

FIRST Conference: Anti-Forensics - You are doing it wrong

Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood. From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent. Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.

0 views
dfir.ch 1 years ago

Euskalhack: In-Depth Study Of Linux Rootkits

Abstract This talk, “In-Depth Study of Linux Rootkits,” will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.

0 views
dfir.ch 1 years ago

x33fcon: From Zero to a Moderately Skilled MacOS Forensic Analyst

Abstract Learn the essentials of macOS forensic analysis, from foundational concepts to advanced techniques, in this comprehensive journey into the world of macOS security. Figure 1: From Zero to a Moderately Skilled MacOS Forensic Analyst Youtube Video

0 views
dfir.ch 1 years ago

SecurityFest: Anti-Forensics - You are doing it wrong

Abstract In this talk, we’ll dissect common anti-forensics strategies—like USN Journal deletion, shellbag clearing, timestamp manipulation, and disabling access time updates—and reveal how they are often executed ineffectively or misunderstood. From registry edits like masking user account activity to configuring Windows EFS, we’ll examine why these techniques often fail against modern investigative workflows and how defenders use these “footprints of erasure” to uncover malicious intent. Attendees will gain a comprehensive understanding of what works and what doesn’t and how to identify these techniques during incident response.

0 views
dfir.ch 1 years ago

Linux Capabilities Revisited

Introduction Notes to kernel developers: The goal of capabilities is divide the power of superuser into pieces, such that if a program that has one or more capabilities is compromised, its power to do damage to the system would be less than the same program running with root privilege. Capabilities(7) — Linux manual page Capabilities are a fine-grained access control mechanism in Linux, allowing more granular permissions than the traditional superuser (root) model.

0 views
dfir.ch 1 years ago

FIRST Technical Colloquium Amsterdam: In-Depth Study of Linux Rootkits

Abstract This talk, “In-Depth Study of Linux Rootkits,” will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.

0 views
dfir.ch 1 years ago

BSides Kent: The Gist of Hundreds of Incident Response Cases

Abstract How to become an Incident Response Rockstar? After conducting hundreds of Incident Response cases, more data is not always better. Focusing on the most relevant forensic data can speed up the investigation process rapidly. In this talk, we will discuss the importance of various event logs to track down lateral movement paths from the attackers, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder - which also holds true in digital forensics.

0 views
dfir.ch 1 years ago

Today I Learned - Protected Symlinks

Introduction A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp. Source: Sysctl Explorer The protected_symlinks setting within the Linux Kernel helps prevent TOCTOU (time-of-check-time-of-use) vulnerabilities in privileged processes.

1 views
dfir.ch 1 years ago

macOS Extended Attributes: Case Study

Introduction Extended attributes (EAs) are a powerful and sometimes overlooked feature of macOS’s file system, storing additional metadata about files beyond what standard attributes like file name, size, and permissions allow. While these attributes are invisible in typical file interactions, they play a critical role in various macOS features and workflows. Inspecting Extended Attributes macOS provides several tools for working with extended attributes. These include: The ls command (the @ at the end of the permissions indicates extended attributes): -rw-r--r--@ 1 malmoeb staff 202767345 Jan 6 13:29 Webex.

0 views
dfir.ch 1 years ago

Tear Down The Castle - Part 2

This is the second part of a two-part series about Active Directory security. Read the first part here. To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments. We indicate how many of the 250 domains checked were affected by the finding (Affected Domains: N/250). PingCastle is a popular tool for auditing the security of Active Directory environments, pinpointing vulnerabilities, and offering actionable recommendations for improvement.

0 views