A collection of one-liners, small scripts, and some useful tips for blue team work. I've included screenshots where possible so you know what you're getting.

If you see a mistake, or have an easier way to run a command, then you're welcome to hit me up on Twitter or commit an issue here. If you want to contribute I'd be grateful for the command and a screenshot. If you want to find me elsewhere, for reasons(?), searching 'Dray Agha' on the internets should find whatever it is you're looking for. I hope the Blue Team Notes help you catch an adversary, thwart an attack, or even just help you learn.

If you've benefited from the Blue Team Notes, would you kindly consider making a donation to one or two charities. Donate as much or little money as you like, of course. I have some UK charities you could donate to: Great Ormond Street (children's hospital), Cancer Research, and Feeding Britain (food charity).

As you scroll along, it's easy to lose orientation. Wherever you are in the Blue Team Notes, if you look to the top-left of the readme you'll see a little icon. This is a small table of contents, and it will help you figure out where you are, where you've been, and where you're going. As you go through sections, you may notice the arrowhead that says 'section contents'. I have nestled the sub-headings in these, to make life a bit easier.

As an Incident Responder I get the unique opportunity to see a lot of malware, and in most of the cases I investigate the malware is of the card-number-stealing type. To be more specific, I deal with a lot of Track 2 memory scrapers. These malware families come in all shapes, sizes and names, but they are always running in memory, waiting for Track data to flow through, which they capture and exfiltrate. Exfiltration varies: the captured data may be written to dump files on disk, encrypted or not, or the malware may send it out over port 80 or 443.

In this particular case I have been handed a memory dump and tasked with determining whether PoSeidon was running on the system. That should be easy enough, given all that we know about PoSeidon, and if you find you need a refresher, our own Eric Merritt has written up a great article on the topic here:

So now that you have read up on it (you did, didn't you?), we are ready to go!

Nothing is worse than a blogger that doesn't list the tool versions they are using in the examples they give. I want to make sure that if you're trying this at home you don't hurt yourself or someone else in frustration; Trustwave would likely make me put a disclaimer on future posts if that were to happen. In the following examples I will be using a SIFT box with the following:

Last but not least, I have a memory image that was acquired using WinPmem v2.0.1.

First thing's first! On any new case there is a little bit of triage that has to happen. Every IR person has their own way of starting out, but the first few steps after acquisition are generally some form of triage. As I said, I have a memory image and nothing else, so the list in my head before I dig deeper is:

Pslist – This will get a list of running processes.
Pstree – Another list of running processes, but in a tree view.
Malfind – Uses VAD (Virtual Address Descriptor) tags and page permissions to detect injected code.
Psxview – Another plugin that can help detect hidden processes.

I will typically start with these first and spit them out to a file to grep through later; however, I have a very specific piece of malware that I am after, and I have already read Eric's blog. In this case I will forgo the aforementioned steps and instead shoot to kill. Why doesn't this guy start with a Pslist and grep for WinHost? You're right, I could totally do that, but that is not a PoSeidon Adventure and this would be a very short blog post. Let's first have some fun with Malfind, chock full of false positives and VAD tags. In this example I am using Rekall to quickly run malfind and then piping that to a grep command looking for MZ headers.