Author: Ruud van Luijk Attacks need to have a form of communication with their victim machines, also known as Command and Control (C2) [1]. This can be in the form of a continuous connection or connect the victim machine directly. However, it’s convenient to have the victim machine connect to you. In other words: It … Continue reading Hunting for beacons
Detecting random filenames using (un)supervised machine learning
Combining both n-grams and random forest models to detect malicious activity. Author: Haroen Bashir An essential part of Managed Detection and Response at Fox-IT is the Security Operations Center. This is our frontline for detecting and analyzing possible threats. Our Security Operations Center brings together the best in human and machine analysis and we continually … Continue reading Detecting random filenames using (un)supervised machine learning
Office 365: prone to security breaches?
Author: Willem Zeeman "Office 365 again?". At the Forensics and Incident Response department of Fox-IT, this is heard often. Office 365 breach investigations are common at our department. You’ll find that this blog post actually doesn’t make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Office … Continue reading Office 365: prone to security breaches?
Using Anomaly Detection to find malicious domains
Applying unsupervised machine learning to find ‘randomly generated domains. Authors: Ruud van Luijk and Anne Postma At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of our Security Operations Center. One of these areas is applying data science techniques to real world data in real … Continue reading Using Anomaly Detection to find malicious domains
Syncing yourself to Global Administrator in Azure Active Directory
This blog describes a vulnerability discovered by Fox-IT last year in Azure AD Connect, which would allow anyone with account creation privileges in the on-premise Active Directory directory to modify the password of any cloud-only account in Azure AD. Because of the way accounts are commonly configured, this could often enable an attacker to take … Continue reading Syncing yourself to Global Administrator in Azure Active Directory
Export corrupts Windows Event Log files
Exported .evtx files may contain corrupted data - Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged, but applications … Continue reading Export corrupts Windows Event Log files
Getting in the Zone: dumping Active Directory DNS using adidnsdump
Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any … Continue reading Getting in the Zone: dumping Active Directory DNS using adidnsdump
mkYARA – Writing YARA rules for the lazy analyst
Writing YARA rules based on executable code within malware can be a tedious task. An analyst cannot simply copy and paste raw executable code into a YARA rule, because this code contains variable values, such as memory addresses and offsets. The analyst has to disassemble the code and wildcard all the pieces in the code … Continue reading mkYARA – Writing YARA rules for the lazy analyst
PsiXBot: The Evolution Of A Modular .NET Bot
PsiXBot: The Evolution Of A Modular .NET Bot Summary In this blog we will share our analysis of a modular piece of malware which is referred to by the author as PsiXBot. The malware first surfaced in 2017 but has recently undergone significant developments of its core and modules, which include the logging of keystrokes … Continue reading PsiXBot: The Evolution Of A Modular .NET Bot
Identifying Cobalt Strike team servers in the wild
How an anomalous space led to fingerprinting Summary On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an "extraneous space". This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike Servers, with high confidence, for the past … Continue reading Identifying Cobalt Strike team servers in the wild