Hunting RDP Client Information with Velociraptor

This post was inspired by the amazing research done by thedigitaldetective found on RDP Forensics Part 2: Fingerprinting Attacks with Timezone, OS Type, and Monitor Display Resolution. As a follow-up to my previous post about Hunting Keyboard locales with Velociraptor, I decided to make another Velociraptor based on @thedigitaldetective’s article about digging deeper into adversary attribution and fingerprinting by looking at more RDP-specific artifacts. The key takeaway from his research is that when a client system uses the Remote Desktop Protocol, it leaves several artifacts on the destination system that can help identify which operating system the client is coming from, what its timezone offset is, and what resolution was requested for the RDP session. This post is focused on the first two pieces of evidence. ...

January 4, 2026 · 4 min

Hunting Keyboard locales with Velociraptor

This post was inspired by the amazing research done by thedigitaldetective found on RDP Forensics Part 1: Fingerprinting Attacks with Keyboard Layout Data. I have always thought that adversarial attribution is interesting, and trying to get a glimpse of who’s actually behind the keyboard excites me. As adversaries are just humans, and humans make mistakes, sometimes it’s possible to find some of the OPSEC issues they leave behind, e.g. accidentally authenticating over SSH without specifying a username, which results in the SSH client automatically using the local account name of the attacker’s machine. ...

January 1, 2026 · 4 min

Cloud Forensics Just Got Easier with Session IDs

Most attackers don’t walk into your tenant and announce themselves. They quietly blend into normal logins and API calls, making life annoying for incident responders. Until now, tracing what happened during a single session across Microsoft 365 was slow, messy, and filled with guesswork. If you have ever worked an AiTM phishing case, you know the pain. The attacker steals a token, skips MFA, and suddenly starts pulling emails and good luck figuring out which login that activity actually came from. ...

July 25, 2025 · 4 min

FileFix: CTRL+L, Paste, Boom.

The research is still ongoing :-) I have been studying mr.d0x’s blog posts, and recently stumbled upon his new article about ClickFix and FileFix. For those of you who do not know what ClickFix is about, it is a sneaky social engineering trick. Attackers set up fake sites, like fake update or CAPTCHA pages, that copy a malicious command to your clipboard. You are then told to hit Win+R, paste, and run it. Just like that, you install the malware yourself. ...

July 8, 2025 · 3 min

FOR509 - Enterprise Cloud Forensics and Incident Response

SANS FOR509 in Copenhagen – What a week. Thanks Antti for the image. Last week I attended SANS FOR509 – Enterprise Cloud Forensics and Incident Response in Copenhagen. The course is focused on cloud investigations across Microsoft 365, Azure, AWS, Google Workspace and Kubernetes. It was taught by Korstiaan Stam, who brought tons of experience. Before the course I had worked quite a bit with Azure and had handled a few BEC cases in M365. I had no real experience with AWS, GCP or Kubernetes. That changed quickly. The course does a great job of tying things together and focusing on what matters during an investigation. ...

July 7, 2025 · 2 min