Laskowski-Tech

Category: soc

Breakout Time: Trickbot edition (Gtags QWE, lib693, tt0002)

Posted on March 16, 2020 (updated March 30, 2020) by admin

In 2018 CrowdStrike began tracking a metric they refer to as breakout time in their yearly Global Threat Report. Essentially, it boils down to this: after a threat actor establishes a foothold in your network, how long until they begin moving

Posted in analysis, dfir, malware, soc

Remco’s RAT, AMSI killing in the wild and defender evasion.

Posted on March 3, 2020 (updated March 30, 2020) by admin

So with Emotet being quiet, the plethora of unique malware continues. Today I've got a walk-through of a Remcos RAT malware sample, a remote access tool that tends to be marketed for malicious activity rather than any legitimate usage, with many

Posted in analysis, dfir, malware, soc

Definitely Racoon this time!

Posted on February 28, 2020 by admin

Last week I had a malware sample I thought might be Raccoon Stealer. This week I got my hands on the real deal. This doc appeared to be using some kind of older Office CVE via the RTF file format. Being that an

Posted in dfir, malware, soc

OSTAP: Maldocs, with a sprinkle of Jscript

Posted on February 25, 2020 by admin

Emotet is away, so on to other malware of interest. Today I'm looking at two samples of maldoc loader malware which, according to OSINT, belong to the OSTAP family. A particularly good write-up is available here by Kirk Sayre, or this compendium

Posted in analysis, dfir, malware, soc

Is That Really Your AV Company? (Trickbot gtag mor85)

Posted on January 29, 2020 (updated March 16, 2020) by admin

In the 2 weeks since Emotet has returned, our collection has become almost 100% URLs linked in emails, as opposed to nearly all being attached documents during the Fall 2019 run of the group. To look into the current TTPs of

Posted in analysis, dfir, malware, soc

.Club Phish

Posted on January 15, 2020 by admin

Last week we came across an increase in captured messages in one of our phish-trap mailboxes and decided to look further into the cause of the increase. Upon extracting the phishing domain using our scripts, we submitted the URL to standard

Posted in analysis, dfir, soc

Emotet’s away but Trickbot still wants to play

Posted on January 14, 2020 (updated January 15, 2020) by admin

Emotet went on break again this year over the winter holidays, with the last new malspam having been seen back on 12.20.19. **Post update: yes, I know Emotet came back alive this morning, 01.13.20, but I wrote this first, and it was

Posted in analysis, dfir, malware, soc

The Empire Rises again…

Posted on December 20, 2019 by admin

In August 2019 the team behind PowerShell Empire announced that development on the project would cease, as the reason behind its development had come to pass: awareness around malicious PowerShell methodology and better detection capabilities for defenders. During that same

Posted in dfir, soc

OSINT Threat Hunting Powershell Empire

Posted on December 17, 2019 (updated March 16, 2020) by admin

Lately Empire has been showing up more frequently in my sandbox testing, with Emotet/Trickbot generally being the sample that brings in Empire afterwards for recon and Active Directory exploitation. One thing that had confused me about these Empire samples, however, is that

Posted in dfir, soc

Emotet, an Analysis of TTP’s: Part II For the Watch

Posted on October 22, 2019 by admin

Last post we took a deep dive into what can happen post-breach with Emotet. But with the return of Emotet, I think it also bears looking into detection, and how the actor has changed their operation to better evade detection over

Posted in analysis, dfir, malware, soc

Emotet, an Analysis of TTP’s: Part 1 The Break-in

Posted on October 16, 2019 (updated October 17, 2019) by admin

Emotet has been around since 2014, and over their 5-year run they have morphed and changed to become one of the most omnipresent threats today. While much has been written about them, we want to look a bit deeper into

Posted in dfir, malware, soc

Lokibot, a trickster bot indeed

Posted on July 6, 2019 by admin

So, since Emotet has been more or less out of the picture since early June, there has been some time to look into other malware that I have not had a chance to look into first-hand before. Small update for #Emotet and

Posted in analysis, malware, soc

Calamity, a Volatility script to aid Malware Triage

Posted on May 18, 2019 by admin

So a few months ago I wrote a basic workflow for IR analysts to look for traces of known malware in memory dumps using Volatility. That post received an overwhelmingly positive response, so I decided to take it

Posted in analysis, dfir, malware, soc

Volatility Workflow for Basic Incident Response

Posted on February 18, 2019 by admin

Recently I found myself needing to do some investigations of full memory dumps. This was a pretty untried arena for me, even if it had been on my radar to learn for a while. After a bit of blindly stumbling around I

Posted in analysis, dfir, malware, soc

Everything and the Kitchen Sink

Posted on January 30, 2019 (updated February 18, 2019) by admin

Earlier this past month I was looking over my web attack dashboard. Normally I see standard recon scanning for phpMyAdmin and known WordPress shells, but on the 17th something stood out to me: an attack that looked to be targeting

Posted in analysis, cryptomining, dfir, malware, soc

Detecting Emotet, and other Downloader Malware with OSSEC/Wazuh

Posted on November 28, 2018 by admin

If you talk to most infosec professionals, I think you'll find most would agree that malware goes in and out of fashion: back in 2016 ransomware was hot, and at the end of 2017 cryptominers were everywhere. Today I don't think many

Posted in analysis, dfir, malware, monitoring, soc

Webserver Malware Investigations – Blazescan Tutorial

Posted on November 10, 2018 by admin

Originally published at eForensics Magazine: Today when you look at the malware landscape you will find an overwhelming domination of malicious Windows software. So, looking for security products, you can find many that exist for Windows, and write-up after write

Posted in dfir, monitoring, soc, web server, wordpress

Updates to the good old HIDS Ossec-Wazuh

Posted on September 25, 2018 by admin

Back in the day I began working with OSSEC, the open-source host-based intrusion detection system. OSSEC has been around since around 2008, and has been shepherded by Trend Micro since 2009. I ran the base package for some years, but

Posted in dfir, logging, monitoring, soc

ClamAV Analyzer for TheHive and Cortex

Posted on July 24, 2018 by admin

I have been using ClamAV for a while now and have found it to be a very effective and modular tool, especially because you can use it with your own custom signatures using sigtool and YARA to

Posted in dfir, malware, soc
