Zero2Auto review, 0x02 initial stagers
My schedule has been crazy busy lately, so apologies for only just getting round to the chapter 2 review of the Zero2Auto course. Part one, which covers the ‘Algorithms’ chapter of the course, can be found here.
Malware, Threat Hunting & Incident Response
I’m always on the lookout for any decent books or online videos that can help me level up my malware analysis skills, and for the past couple of months I’ve had my eye on the Zero2Auto course.
PowerSploit is a collection of PowerShell modules, each containing a set of scripts that can be used in a different phase of an attack (reconnaissance, privilege escalation, persistence, code execution and exfiltration among them).
Mimikatz is a tool used to dump credentials from memory (typically by reading them out of the LSASS process) and has been used by numerous APT groups, including Wizard Spider, Stone Panda, APT41, Fancy Bear, Refined Kitten, Helix Kitten, Remix Kitten and Static Kitten. If not detected by AV, this tool can be quite stealthy as it operates in memory and leaves few artefacts on disk, although its access to LSASS can still be spotted by endpoint telemetry. Mimikatz can also perform pass-the-hash attacks and generate golden tickets, allowing an attacker to move laterally.
Impacket is a collection of Python classes and scripts for working with Windows network protocols, which an attacker can use to enumerate users, capture hashes, move laterally and escalate privileges. Impacket has also been used by APT groups, in particular Wizard Spider and Stone Panda.
My YouTube channel is now up and running; if you’re looking to go from a malware noob to ninja then be sure to check it out here.
I recently did a deep-dive analysis of Emotet and thought I would share the analysis I have done. I haven’t spent too much time on the macros/PowerShell used to download the malware as there are already plenty of resources available that have that covered. Using x32dbg I have broken down how the malware creates the seemingly random filenames for the malware, enumerates and encrypts the running processes, how the malware sets up its C2 connectivity and also how to extract the config.
Malware authors are always using different tricks and techniques to try to stop analysts from analysing their malware. One thing an analyst will commonly do once they have unpacked a sample is take a look at the Import Address Table (IAT) and see whether the imported APIs give any clues as to how the malware may behave, which is precisely why some malware avoids populating the IAT at all and resolves the APIs it needs at runtime instead.
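As an added example (not code from the original post), the following Python walks a PE file’s import directory the way an analyst would eyeball the IAT, then groups the imported APIs by the behaviour they usually signal. The SUSPICIOUS_APIS mapping and the build_sample_pe helper, which constructs a throwaway PE32 to use as input, are this example’s own assumptions and not anything from the post.

```python
"""Walk a PE import directory and flag imported APIs that hint at behaviour. Added example,
not code from the original post; the SUSPICIOUS_APIS groupings are this example's own assumption."""
import struct

# Assumed groupings (hypothetical, not a standard): imported API -> behaviour it usually signals.
SUSPICIOUS_APIS = {
    "VirtualAllocEx": "process injection", "WriteProcessMemory": "process injection",
    "CreateRemoteThread": "process injection", "IsDebuggerPresent": "anti-debugging",
    "InternetOpenUrlA": "network", "URLDownloadToFileA": "network",
    "CryptEncrypt": "crypto", "RegSetValueExA": "persistence",
}

def parse_imports(data: bytes) -> dict:
    """Return {dll: [api_name or 'ordinal:N', ...]} for a PE32 or PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1   # e_lfanew
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = pe + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+); entry 1 is the import table.
    import_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = []                                          # (VirtualAddress, size, PointerToRawData)
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva):                                      # map an RVA to a file offset
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + rva - vaddr
        raise ValueError(f"RVA {rva:#x} outside all sections")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    if import_rva == 0:                                    # no import table: packed, or APIs resolved at runtime
        return {}
    imports, desc = {}, rva2off(import_rva)
    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    while True:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and iat == 0:                     # all-zero descriptor ends the table
            break
        thunk, names = rva2off(ilt or iat), []             # prefer the ILT; bound images may only have the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry & ord_flag:
                names.append(f"ordinal:{entry & 0xFFFF}")
            else:                                          # hint/name entry: 2-byte hint, then the name
                names.append(cstr(rva2off(entry & 0x7FFFFFFF) + 2))
            thunk += width
        imports[cstr(rva2off(name_rva))] = names
        desc += 20
    return imports

def triage_imports(imports: dict) -> dict:
    """Group the suspicious imports by the behaviour they suggest, e.g. {'network': ['urlmon.dll!...']}."""
    hits = {}
    for dll, names in imports.items():
        for name in names:
            if name in SUSPICIOUS_APIS:
                hits.setdefault(SUSPICIOUS_APIS[name], []).append(f"{dll}!{name}")
    return hits

def build_sample_pe(dlls: dict) -> bytes:
    """Construct a minimal PE32 whose only content is an import table (test input, not a real binary)."""
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray((len(dlls) + 1) * 20)                 # descriptor table; the final entry stays zero
    for i, (dll, apis) in enumerate(dlls.items()):
        name_rvas = []
        for api in apis:
            name_rvas.append(sec_rva + len(body))
            body += b"\0\0" + api.encode() + b"\0" * (2 - len(api) % 2)   # hint + name, even-aligned
        dll_rva = sec_rva + len(body)
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)                   # 4-align the thunk tables
        ilt_rva = sec_rva + len(body)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        iat_rva = sec_rva + len(body)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        struct.pack_into("<IIIII", body, i * 20, ilt_rva, 0, 0, dll_rva, iat_rva)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, one section, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, (len(dlls) + 1) * 20)   # import directory RVA/size
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + bytes(body)

SAMPLE_PE = build_sample_pe({                              # constructed sample, not a real malware binary
    "KERNEL32.dll": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "IsDebuggerPresent"],
    "urlmon.dll": ["URLDownloadToFileA"],
})

if __name__ == "__main__":
    for behaviour, apis in triage_imports(parse_imports(SAMPLE_PE)).items():
        print(f"{behaviour}: {', '.join(apis)}")
```

Run it on the constructed sample and the triage reports process injection, anti-debugging and network imports. An empty result from parse_imports on an unpacked sample is itself a finding: the author has most likely resolved the APIs at runtime (GetProcAddress over hashed or obfuscated names is the usual route), so the imports worth triaging have to be recovered from the resolved pointers while the sample runs.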
I’ve recently been looking into what options are available for open-source honeypots. I’ve always wanted to set up a honeypot to see what malware samples I can get hold of and what threat intel I can generate, so I thought I would do a bit of a write-up on the honeypots I have been playing around with and how to replicate what I have set up.
I’ve put this post together to try and demonstrate how to reverse engineer heavily obfuscated malicious code. Attackers will obfuscate their code as they obviously don’t want security analysts to see what they are trying to achieve. This is done by declaring random variable and function names, adding functions that don’t do anything, and adding functions that perform tasks that in the end do nothing, all in an attempt to make their code unreadable. In this example I will attempt to explain how I have pulled apart a piece of malicious obfuscated code. I’m no expert in coding and have only recently started attempting to analyse malicious scripts.
SQLrat is a clever piece of malware which is dropped onto the compromised machine using a malicious Word document. The document contains macros written in Visual Basic which drop a number of files to disk that run malicious code and also create scheduled tasks so the malware persists. One file is obfuscated and uses SQL commands in order to connect to the attacker’s C2 infrastructure.
Here’s a quick post on how to use CyberChef to pull out the obfuscated URLs in the latest Emotet Word doc I’ve seen.
This blog post is aimed at incident response teams who need to investigate and gather evidence from a Cisco router in a forensically sound manner. This may be where an internet-facing router has been identified as using default logon creds, perhaps Cisco Smart Install was left enabled, or you may just want to take a look at who has been poking around on the box. This post outlines how to gather simple things such as logs from the device and also how to check whether the IOS image has been tampered with (for example by comparing its hash against Cisco’s published value) and potentially implanted with something malicious.
I’ve taken a look at a couple of Emotet emails today and noticed they have tried to hide the list of C2s embedded within the document.
Here is some analysis I completed on an email I came across that contained a malicious RTF file which dropped Lokibot malware.
I thought this would be a good starting point to share some simple behavioural malware analysis. The sample in this post came from a phishing email that contained a malicious Microsoft Excel file.
I’ve put together this blog for anybody who has an interest in malware and all the geeky stuff that goes along with it. In my current role I do a lot of malware analysis and thought it would be cool to share some of what I do with the security community.