Hello mr. Impacket – I am back! Today I will write about Impacket. Last time I wrote about the psexec and smbexec modules which I found to be the most logical start to the series (BTW I would like to remind that 2 posts can be series). You know, it is a gift which...
Exploring hunting options for catching Impacket
Hunting for usage of Impacket Impacket is one of those tools which the threat actors are constantly using during the attacks. It is interesting tool as it allows interacting with several protocols with Python. It, for example, allows for a PsExec like behavior which is very often one of the key tools the threats...
Threat hunting for signs of credential dumping
Why this topic? I chose this topic because I’ve seen a lot of different queries to hunt for signs of credential dumping. However, these have been mostly developed around finding certain tools which do dump the credentials. My idea was to try to hunt for the activity done by the application which dumps the...
Hunting for signs of SEO poisoning
How to hunt for SEO poisoning? Well this is a good question to which I don’t have a good answer. This query is going to go through the very basics of how this can be started but it is not really that easy to do. I’ve had several different ideas of how to hunt...
Rare process launch as a service
Back after a long break The last post on this blog was published on mid-September 2023 so it has been a while since I was able to update the blog. The main reason for this is that I have been too busy. I’ve had extremely busy season at work and on top of that...
Analysis of the current malware – Icedid
Making the decision of what to analyze The last blog post that I wrote was about creating an ELK with a Kibana view of the currently active malware, using the common publicly available sandbox services. This gives some insight of what is currently active and I think it can be quite current as I...
Hunting for msbuild based execution
Why? There has been a new Advanced Persistent Threat group, named Dark Pink which have been using the msbuild.exe LOLBIN for doing their malicious deed. The group has been especially active in the APAC area, with some activity in Europe too – specifically in Bosnia and Herzegovina – weirdly enough. The group is mostly...
AsyncRAT
I haven’t observed any interesting new techniques recently, which is why I decided to analyze something that has been around for some time now. I’ve been interested in AsyncRAT for a while and decided to analyze it closer with threat hunting in mind. AsyncRAT is a Remote Access Tool which has been according to...
Running live malware for threat hunting purposes
This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MDE agent installed. This could potentially provide great telemetry data to generate ideas for threat hunting purposes....
Detecting a Payload delivered with ISO files with MDE
It’s been a little quiet on my blog for a while now – reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some free time to keep on blogging. While I was on a vacation I read an...