Hunting RDP Client Information with Velociraptor

This post was inspired by the amazing research done by thedigitaldetective found on RDP Forensics Part 2: Fingerprinting Attacks with Timezone, OS Type, and Monitor Display Resolution. As a follow-up to my previous post about Hunting Keyboard locales with Velociraptor, I decided to make another Velociraptor based on @thedigitaldetective’s article about digging deeper into adversary attribution and fingerprinting by looking at more RDP-specific artifacts. The key takeaway from his research is that when a client system uses the Remote Desktop Protocol, it leaves several artifacts on the destination system that can help identify which operating system the client is coming from, what its timezone offset is, and what resolution was requested for the RDP session. This post is focused on the first two pieces of evidence. ...

January 4, 2026 · 4 min

Hunting Keyboard locales with Velociraptor

This post was inspired by the amazing research done by thedigitaldetective found on RDP Forensics Part 1: Fingerprinting Attacks with Keyboard Layout Data. I have always thought that adversarial attribution is interesting, and trying to get a glimpse of who’s actually behind the keyboard excites me. As adversaries are just humans - and humans make mistakes - sometimes it’s possible to find some of the OPSEC issues they leave behind, e.g. accidentally authenticating over SSH without specifying a username, which results in the SSH client automatically using the local account name from the attacker’s machine. ...

January 1, 2026 · 4 min

Cloud Forensics Just Got Easier with Session IDs

Most attackers don’t walk into your tenant and announce themselves. They quietly blend into normal logins and API calls, making life annoying for incident responders. Until now, tracing what happened during a single session across Microsoft 365 was slow, messy, and filled with guesswork. If you have ever worked an AiTM phishing case, you know the pain. The attacker steals a token, skips MFA, and suddenly starts pulling emails, and good luck figuring out which login that activity actually came from. ...

July 25, 2025 · 4 min

FileFix: CTRL+L, Paste, Boom.

The research is still ongoing :-) I have been studying mr.d0x’s blog posts, and recently stumbled upon his new article about ClickFix and FileFix. For those of you who do not know what ClickFix is about, it is a sneaky social engineering trick. Attackers set up fake sites, such as fake update or CAPTCHA pages, that copy a malicious command to your clipboard. You are then told to hit Win+R, paste, and run it. Just like that, you install the malware yourself. ...

July 8, 2025 · 3 min