<!DOCTYPE html>
<html lang="en-us" dir="ltr">
<head>
<meta name="generator" content="Hugo 0.140.0">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<link rel="icon" type="image/ico" href="https://mgreen27.github.io//favicon.ico">
<link rel="icon" type="image/png" sizes="16x16" href="https://mgreen27.github.io//favicon-16x16.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://mgreen27.github.io//favicon-32x32.png">
<link rel="icon" type="image/png" sizes="192x192" href="https://mgreen27.github.io//android-chrome-192x192.png">
<link rel="apple-touch-icon" sizes="180x180" href="https://mgreen27.github.io//apple-touch-icon.png">
<link rel="alternate" type="application/rss+xml" href="https://mgreen27.github.io/index.xml" title="Matt's DFIR blog">
<meta name="description" content="Matt's DFIR blog: Incident Response, DFIR, CTI, Detection, Threat Hunting, Velociraptor, RE, Malware, Programming."/>
<title>
Matt's DFIR blog
</title>
<link rel="canonical" href="https://mgreen27.github.io/"/>
<meta property="og:url" content="https://mgreen27.github.io/">
<meta property="og:site_name" content="Matt's DFIR blog">
<meta property="og:title" content="Home">
<meta property="og:description" content="Matt's DFIR blog: Incident Response, DFIR, CTI, Detection, Threat Hunting, Velociraptor, RE, Malware, Programming.">
<meta property="og:locale" content="en_us">
<meta property="og:type" content="website">
<link rel="stylesheet" href="/assets/combined.min.186794b3399a702d3092949042cdc215dea303c17e71e7c0254768448de11db8.css" media="all">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-G41G20SLQN"></script>
<script>
var doNotTrack = false;
if ( false ) {
var dnt = (navigator.doNotTrack || window.doNotTrack || navigator.msDoNotTrack);
var doNotTrack = (dnt == "1" || dnt == "yes");
}
if (!doNotTrack) {
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-G41G20SLQN');
}
</script>
</head>
<body class="auto">
<div class="content">
<header>
<div class="header">
<h1 class="header-title">
<a href="https://mgreen27.github.io/">Matt's DFIR blog</a>
</h1>
<div class="flex">
<p class="small bold ">
<a href="/" >
/home
</a>
</p>
<p class="small ">
<a href="/posts" >
/posts
</a>
</p>
<p class="small ">
<a href="/about" >
/about
</a>
</p>
<p class="small ">
<a href="/projects" >
/projects
</a>
</p>
</div>
</div>
</header>
<main class="main">
<div class="intro">
<p>I'm a seasoned cybersecurity professional with a passion for incident response and threat research.<br>
Currently working in Rapid7 Labs tracking adversaries, and working with Velociraptor.<br>
This is a personal DFIR and technology blog to document some of my projects.</p>
</div>
<div class="social-icons">
<a href="https://github.com/mgreen27" target="_blank"
rel="noopener noreferrer me"
title="Github">
<svg role="img" fill="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>GitHub</title><path d="M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12"/></svg>
</a>
<a href="https://www.linkedin.com/in/mgreen27/" target="_blank"
rel="noopener noreferrer me"
title="Linkedin">
<svg role="img" fill="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>LinkedIn</title><path d="M20.447 20.452h-3.554v-5.569c0-1.328-.027-3.037-1.852-3.037-1.853 0-2.136 1.445-2.136 2.939v5.667H9.351V9h3.414v1.561h.046c.477-.9 1.637-1.85 3.37-1.85 3.601 0 4.267 2.37 4.267 5.455v6.286zM5.337 7.433c-1.144 0-2.063-.926-2.063-2.065 0-1.138.92-2.063 2.063-2.063 1.14 0 2.064.925 2.064 2.063 0 1.139-.925 2.065-2.064 2.065zm1.782 13.019H3.555V9h3.564v11.452zM22.225 0H1.771C.792 0 0 .774 0 1.729v20.542C0 23.227.792 24 1.771 24h20.451C23.2 24 24 23.227 24 22.271V1.729C24 .774 23.2 0 22.222 0h.003z"/></svg>
</a>
<a href="https://x.com/mgreen27" target="_blank"
rel="noopener noreferrer me"
title="X">
<svg role="img" fill="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>X</title><path d="M18.901 1.153h3.68l-8.04 9.19L24 22.846h-7.406l-5.8-7.584-6.638 7.584H.474l8.6-9.83L0 1.154h7.594l5.243 6.932ZM17.61 20.644h2.039L6.486 3.24H4.298Z"/></svg>
</a>
<a href="https://bsky.app/profile/mgreen27.bsky.social" target="_blank"
rel="noopener noreferrer me"
title="Bluesky">
<svg role="img" fill="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>Bluesky</title><path d="M12 10.8c-1.087-2.114-4.046-6.053-6.798-7.995C2.566.944 1.561 1.266.902 1.565.139 1.908 0 3.08 0 3.768c0 .69.378 5.65.624 6.479.815 2.736 3.713 3.66 6.383 3.364.136-.02.275-.039.415-.056-.138.022-.276.04-.415.056-3.912.58-7.387 2.005-2.83 7.078 5.013 5.19 6.87-1.113 7.823-4.308.953 3.195 2.05 9.271 7.733 4.308 4.267-4.308 1.172-6.498-2.74-7.078a8.741 8.741 0 0 1-.415-.056c.14.017.279.036.415.056 2.67.297 5.568-.628 6.383-3.364.246-.828.624-5.79.624-6.478 0-.69-.139-1.861-.902-2.206-.659-.298-1.664-.62-4.3 1.24C16.046 4.748 13.087 8.687 12 10.8Z"/></svg>
</a>
</div>
<div class="list-container">
<h1> Posts </h1>
<div class="post-line">
<p class="line-date">1 Nov 2024 </p>
<div>
<p class="line-title">
<a href="/posts/2024/finding_the_lnk/">
Finding the LNK: Techniques and methodology for advanced analysis
</a>
</p>
<p class="line-summary"> Malicious exploitation of LNK files, commonly known as Windows shortcuts, is a well-established technique used by threat actors for delivery and persistence. While the value of LNK forensics for cyber threat intelligence (CTI) is fairly well-understood, analysts may overlook less well-known data points and miss valuable insights. In this post, we explore the structure of LNK files using Velociraptor. We will walk through each LNK structure and discuss some analysis techniques frequently used on the Rapid7 Labs team. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">29 Feb 2024 </p>
<div>
<p class="line-title">
<a href="/posts/2024/uefi/">
How To Hunt For UEFI Malware
</a>
</p>
<p class="line-summary"> UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">5 Apr 2023 </p>
<div>
<p class="line-title">
<a href="/posts/2023/qakbot/">
Automating Qakbot decode at scale
</a>
</p>
<p class="line-summary"> This is a technical post covering practical methodology to extract configuration data from recent Qakbot samples. In this blog, I will provide some background on Qakbot, then walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">12 Jan 2022 </p>
<div>
<p class="line-title">
<a href="/posts/2022/wmi-eventing/">
WMI Event Consumers: what are you missing?
</a>
</p>
<p class="line-summary"> WMI Eventing is a fairly well known technique in DFIR, however some tools may not provide the coverage you expect. This article covers WMI eventing visibility and detection including custom namespaces. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">9 Nov 2021 </p>
<div>
<p class="line-title">
<a href="/posts/2021/cobaltstrike_vql/">
Cobalt Strike Payload Discovery And Data Manipulation In VQL
</a>
</p>
<p class="line-summary"> Velociraptor’s ability for data manipulation is a core platform capability that drives a lot of the great content we have available in terms of data parsing for artifacts and live analysis. After a recent engagement with less common encoded Cobalt Strike beacons, and finding sharable files on VirusTotal, I thought it would be a good opportunity to walk through some workflow around data manipulation with VQL for analysis. In this post I will walk through some background, collection at scale, and finally talk about processing target files to extract key indicators. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">23 Jul 2020 </p>
<div>
<p class="line-title">
<a href="/posts/2020/ipsec/">
Windows IPSEC for endpoint quarantine
</a>
</p>
<p class="line-summary"> This post is going to talk about using Windows IPSec for a quarantine use case. I'm going to explain the background, how to configure a policy and some of the design decisions as I was initially looking at building an endpoint based containment capability. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">8 Dec 2019 </p>
<div>
<p class="line-title">
<a href="/posts/2019/local_liveresponse_with_vr/">
Local Live Response with Velociraptor ++
</a>
</p>
<p class="line-summary"> In this post I'm going to talk about a live response use case leveraging the Velociraptor project worth sharing. Specifically, live response with ancillary collection by third party tools embedded to minimise user impact. As usual, I'm going to provide some background and walk through the steps then share the code. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">10 Nov 2019 </p>
<div>
<p class="line-title">
<a href="/posts/2019/liveresponse_with_vr/">
Live response automation with Velociraptor
</a>
</p>
<p class="line-summary"> This post is going to talk about the Velociraptor project. Specifically, live response and automation I have built for my own engagements. I'm going to provide some background and walk through a proof of concept, then share the code. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">9 Jun 2019 </p>
<div>
<p class="line-title">
<a href="/posts/2019/o365_hiddenrules/">
O365: Hidden InboxRules
</a>
</p>
<p class="line-summary"> In this post I'm going to talk about Office365 hidden inbox rules. I'm going to give some background, show rule modification, and talk about detection methodology. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">29 May 2019 </p>
<div>
<p class="line-title">
<a href="/posts/2019/binaryrename2/">
Binary Rename 2
</a>
</p>
<p class="line-summary"> This is my second Binary Rename post; in this post I am focusing on static detection, that is, assessing files on disk. I am going to describe differences between both Yara and Powershell based detections, then share the code. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">12 May 2019 </p>
<div>
<p class="line-title">
<a href="/posts/2019/binaryrename/">
Blue Team Hacks - Binary Rename
</a>
</p>
<p class="line-summary"> In this post I thought I would share an interesting proof of concept I developed to detect Binary Rename of commonly abused binaries. I'm going to describe the detection, its limitations and share the code. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">7 Apr 2019 </p>
<div>
<p class="line-title">
<a href="/posts/2019/invoke-liveresponse_builder/">
Live Response Script Builder
</a>
</p>
<p class="line-summary"> In this post I thought I would share some practical new features implemented in a recent refactor of Invoke-LiveResponse. These features enable fast and modular generation of live response scripts compatible with legacy Powershell. I'm going to walk through the background then some of the new features and script creation. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">2 Apr 2018 </p>
<div>
<p class="line-title">
<a href="/posts/2018/downloadcradle/">
Powershell Download Cradles
</a>
</p>
<p class="line-summary"> In this post I thought I would share some information on Powershell download cradles I put together recently. I’m going to provide an overview, highlighting areas I found interesting thinking about detection from both network and endpoint views. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">18 Feb 2018 </p>
<div>
<p class="line-title">
<a href="/posts/2018/sharing_my_bits/">
Sharing my BITS
</a>
</p>
<p class="line-summary"> I thought I would share some research on Microsoft BITS after a recent tool released by the French ANSSI to parse BITS job artefacts. This tool has sparked my interest due to previous research on download cradles and an interest in the client side forensics. I’m going to give a brief background, talk about some nuances in collection types and provide some background information when I was thinking about detection. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">14 Jan 2018 </p>
<div>
<p class="line-title">
<a href="/posts/2018/invoke-liveresponse/">
Invoke-LiveResponse
</a>
</p>
<p class="line-summary"> In this post, I am going to talk about a Powershell module I have authored as a simple implementation for live response and file collections over Powershell remoting. The initial use case was considered after an endpoint vendor appliance failed and capability for raw collections was limited. The module uses Powerforensics over WinRM, and after some interest, I think is worth sharing. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">3 Apr 2017 </p>
<div>
<p class="line-title">
<a href="/posts/2017/wmi_eventing/">
Blue Team Hacks - WMI Eventing
</a>
</p>
<p class="line-summary"> In this post I am going to cover a little Windows Management Instrumentation (WMI), and in particular an interesting use case for potential use in older environments with Process Monitoring gaps. Thinking about this gap led me to look at WMI as an alternate near real time detection fix, and during feature investigation ended with another technically novel solution I thought was interesting enough to share. </p>
</div>
</div>
<div class="post-line">
<p class="line-date">12 Jan 2017 </p>
<div>
<p class="line-title">
<a href="/posts/2017/powershell_remoting_ir/">
PowerShell Remoting and Incident Response
</a>
</p>
<p class="line-summary"> PowerShell is quickly becoming a tool of choice for many IT Operations staff and Security Practitioners alike. This post is a quick overview of using Windows Remote Management and PowerShell for Incident Response. I will also provide some proof of concept setup instructions and general themes for those interested in further research on this topic. </p>
</div>
</div>
</div>
</main>
</div>
<footer>
<p>Powered by
<a href="https://gohugo.io/">Hugo</a>
and
<a href="https://github.com/tomfran/typo">tomfran/typo</a>
</p>
</footer>
</body>
<script>
function isAuto() {
return document.body.classList.contains("auto");
}
function setTheme() {
if (!isAuto()) {
return
}
document.body.classList.remove("auto");
let cls = "light";
if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
cls = "dark";
}
document.body.classList.add(cls);
}
function invertBody() {
document.body.classList.toggle("dark");
document.body.classList.toggle("light");
}
if (isAuto()) {
window.matchMedia('(prefers-color-scheme: dark)').addListener(invertBody);
}
setTheme();
</script>
</html>