Investigation Scenario
PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:
What do you look for to investigate whether an incident occurred and its extent?
In the course of its investigations, @volexity frequently encounters malware samples written in Golang. This reflects the increase in popularity of Golang generally, and presents challenges to reverse engineering tools.
Today, @volexity is releasing GoResolver, open-source tooling to help reverse engineers understand obfuscated samples. @r00tbsd & Killian Raimbaud presented details at INCYBER Forum earlier today.
GoResolver uses control-flow graph similarity to identify library code in obfuscated code, leaving analysts with only malware functions to analyze. This saves time & speeds up investigations!
Check out the blog post on how GoResolver works and where to download it: https://www.volexity.com/blog/2025/04/01/goresolver-using-control-flow-graph-similarity-to-deobfuscate-golang-binaries-automatically/
#dfir #reversing #malwareanalysis
Mini Blue Team Diaries story:
There was a break-in over the weekend at one of our US offices. We occupied one floor of a shared office building, and two crooks managed to get in by going to an open floor above ours and breaking a lock on the fire escape.
Rather brilliantly, a building security guard was doing rounds and actually caught the pair stuffing iPads from conference rooms into a rucksack. However, when challenged they claimed to be employees and were left alone.
Anyway they ended up with about a half dozen iPads from Zoom rooms. Annoying but not the end of the world.
Those iPads were clearly sold on, as they were connected to an MDM server and started to pop up in locations all over the city over the course of the next week.
One of them was especially interesting. Because it was connected to our MDM Apple ID, it was syncing files to iCloud. This included photos. We noticed a lot of selfies of one particular dude show up. The dude looked a lot like one of the guys who we’d seen in our office on our security cameras. Yup.
We of course passed on all the information, including the location of the selfie generating iPad, to law enforcement.
I wish there was a more interesting ending - but they never followed up on the lead, of course. So the iPads lived on, slowly filling up with various photos and memories from the crook and the people they’d been sold on to.
Read more, slightly less mini stories, at infosecdiaries.com
#DFIR #threatintel Web server logs of edge devices are really helpful sometimes.
Investigation Scenario
You’ve received an alert derived from a Sigma rule indicating a short name path was used in the command line.
Sigma Rule Source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
What do you look for to investigate whether an incident occurred?
Seen a lot of hype about this Trend Micro blog, but I'm not sure I can get on board with it. The whole thing seems a bit of a stretch.
Whether there are blank characters or line breaks doesn't change how the technique works; it only prevents a user easily spotting it via the lnk file.
The push on zero day, vulnerability, 1000s of instances across multiple 'APTs' is a bit much and comes across as marketing hype too.
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Fun Linux DFIR question for you! You're looking at your SSH logs and you find a root login using pubkey auth:
2025-03-20T07:44:00-0400 labpc sshd[15420]: Accepted publickey for root from 10.1.1.5 port 46698 ssh2: ED25519 SHA256:6ynkM0+FOrHtoQlkPOOQ415tvRGdBaBEMs2KWtGB1Bo
There are multiple keys in /root/.ssh/authorized_keys. How can you tell which one was used for this login?
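The log line carries the SHA256 fingerprint of the key that authenticated, so the question reduces to fingerprinting every entry in authorized_keys and looking for the one that matches. On a live host `ssh-keygen -lf /root/.ssh/authorized_keys` prints exactly those fingerprints. The script below is an added example (not part of the post above) that does the same thing offline for a case where you only have a copy of the file: it parses each entry, including entries with an options prefix such as `command="..."`, hashes the raw key blob the way OpenSSH does, and compares against the fingerprint pulled out of the log line. The authorized_keys content is constructed from dummy key material that is wire-format-correct but not a real key, and it is assumed that none of the constructed entries matches the fingerprint in the post's log line.

```python
import base64
import hashlib
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey(fill: int) -> str:
    """Build a wire-format-correct 'ssh-ed25519 <base64>' public key from dummy material.
    Constructed for this example only: the 32 repeated bytes are not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


# Constructed sample /root/.ssh/authorized_keys. One entry carries an options prefix,
# which is why the parser must not assume the key type is the first field.
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    constructed_ed25519_pubkey(0x01) + " backup@labpc",
    'command="/usr/bin/rrsync /srv/data",no-pty ' + constructed_ed25519_pubkey(0x02) + " rsync@nas",
    "",
    constructed_ed25519_pubkey(0x03) + " admin@jumphost",
])

# The sshd log line from the post.
LOG_LINE = ("2025-03-20T07:44:00-0400 labpc sshd[15420]: Accepted publickey for root "
            "from 10.1.1.5 port 46698 ssh2: ED25519 SHA256:6ynkM0+FOrHtoQlkPOOQ415tvRGdBaBEMs2KWtGB1Bo")

# Key type followed by its base64 blob, wherever that pair sits on the line.
KEY_RE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)\s+(?P<b64>[A-Za-z0-9+/=]+)"
)
# The fingerprint token sshd writes in "Accepted publickey" lines.
FP_RE = re.compile(r"\bSHA256:(?P<fp>[A-Za-z0-9+/]+)")


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256 over the raw key blob, '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (line_no, key_type, fingerprint, entry) per key entry; comments and blank lines are skipped."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KEY_RE.search(stripped)
        if not m:
            continue
        yield line_no, m.group("type"), fingerprint(m.group("b64")), stripped


def find_key_for_login(log_line: str, authorized_keys_text: str):
    """Return (line_no, entry) for the authorized_keys entry whose fingerprint is in the log line, else None."""
    m = FP_RE.search(log_line)
    if not m:
        return None
    wanted = "SHA256:" + m.group("fp")
    for line_no, _ktype, fp, entry in parse_authorized_keys(authorized_keys_text):
        if fp == wanted:
            return line_no, entry
    return None


if __name__ == "__main__":
    for line_no, ktype, fp, entry in parse_authorized_keys(AUTHORIZED_KEYS):
        print(f"line {line_no}: {ktype} {fp}  ({entry.split()[-1]})")
    print("entry used for the logged login:", find_key_for_login(LOG_LINE, AUTHORIZED_KEYS))
```

A match tells you which entry (and therefore which comment, options and, usually, which person or job) authenticated; no match is itself a finding, because it means the key that logged in is not in the copy of authorized_keys you are looking at, so either the file changed after the login or sshd is reading keys from somewhere else (an `AuthorizedKeysFile` or `AuthorizedKeysCommand` setting in sshd_config).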
Investigation Scenario
A server on your network suddenly sent DNS requests to several (100+) known malicious domains, but did not connect to them.
What do you look for to investigate the source and disposition of this event?
Investigation Scenario
Proxy logs show a Linux database server making HTTP requests with an empty User Agent string.
You don't have PCAP or other network logs.
What do you look for to investigate whether an incident occurred?
If you can't explain how it works, what will you do when it doesn't work?
Huge THANK YOU to everyone who joined the DFIR Labs CTF this weekend!
Over 200 people from around the world jumped in to tackle challenges based on a real case—and we hope you all had fun, learned something new, and sharpened your DFIR skills.
Keep an eye on our socials for the next DFIR Labs CTF announcement!
Interested in running a CTF at your organization? Please fill out this form and we’ll get in touch: https://form.jotform.com/243245571640252
The case featured in this CTF is now available: https://store.thedfirreport.com/products/mud-in-the-water-private-case-29823
This paper from Reeves & Ashenden provides some insights on how attackers' awareness of deception technology can change and affect their decisions.
Notably, simply announcing the use of deception technology or the attacker discovering it could lead them to seek easier targets or take more time. Both are useful for the defender.
There is a new #Fediverse bot that facilitates web forensic analysis of websites.
You can submit a domain for crawling by messaging @lookyloo, and it will respond with the analysis results.
#cybersecurity #threatintel #dfir
The service is provided by @circl.
Thanks to @rafi0t for the new bot.
Investigation Scenario
You’ve discovered a Windows system with screenshots of the user’s desktop in the %appdata%\ScreenShot\ directory.
What do you look for to investigate whether an incident occurred?
Coty Tuggle put together this cool lightweight incident tracking framework (adapted from earlier work by CrowdStrike). If you're dealing with Windows event logs in your investigation, this looks like a great resource for individual analysts to organize their investigations and produce incident timelines in a reproducible manner. Coty's example does it with Splunk, but it should be easy to adapt his framework to your preferred log analysis platform.
https://medium.com/@ctugglev/you-can-run-but-my-tracker-is-faster-38f9bacaf324
@chrissanders88 In this case, it’s all about “knowing normal.” That means ideally an organization would have gold image builds for their workstations which would be consistently deployed across the enterprise. Having this in hand would allow a responder to perform a diff between the gold image and another host suspected of having been compromised. This analysis quickly finds the changes and assists in the triage process. The caveat with this approach is that as workstations age, the user may install programs or other system changes/updates which can appear suspicious but are normal day-to-day operations. See below for how I would triage this to root out false positives.
Additionally, we could compare process lists across the single department to identify any anomalous process hierarchies. Seeing as how an org might deploy different builds or applications for different departments, this would allow us to not chase red herrings that might be unusual for the org but are completely normal for this department.
Assuming we have identified a suspicious process based on the above triage efforts, we next need to assess whether this process parent/child hierarchy is considered legitimate on a Windows box. I have found this step can be especially difficult for newer analysts not familiar with Windows operations. Not knowing normal when looking at a Windows process tree can cause an analyst to chase seemingly suspicious processes only to realize it’s legitimate in nature. For example, check out https://wtfbins.wtf for a number of examples where legitimate Windows binaries exhibit seemingly bizarre subprocess activity that can be misconstrued as malicious. Another tool I like to use is echotrail.io/insights. This tool will tell you the prevalence of the process EXE on Windows systems, the typical file path it gets executed out of, and expected grandparent/parent/child process ancestry. Seeing a binary not operating out of its expected file path, being spawned from a strange parent process, or having obfuscated/odd command line arguments warrants additional scrutiny into its network connections, file modifications, and registry edits. At this point a baseline check of the suspicious netconns, file mods, and reg edits across the department may drive the investigation further and allow an analyst to pivot and find other hosts exhibiting the same suspicious behaviors. I realize threat intelligence is a luxury for some orgs, but having even basic or free CTI feeds might help with further confirming malicious activity.
TR-93 - Financial transaction fraud after system compromise.
This document outlines a malspam attack targeting businesses through fraudulent emails that exploit Remote Monitoring & Management (RMM) tools. The attackers deceive recipients into clicking a malicious link disguised as an invoice, which installs an RMM tool on their system. Since these tools are legitimate applications, they evade antivirus detection.
Investigation Scenario
You retrieved a running process list from a single department of 20 Windows systems.
What is your approach to find anomalies in this data set? What do you look for to investigate whether an incident occurred?
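The reply from @chrissanders88's thread above suggests comparing process lists across the department so that anything normal for this group of machines stacks up and anything rare stands out. The script below is an added example, not part of the scenario or the reply, showing that "least frequency of occurrence" stacking over a constructed 20-host department. It keys each process on its parent image, its own image name and its normalized path (per-user profile directories are collapsed so the same application under different user names counts as one thing), counts on how many distinct hosts each key occurs, and reports keys seen on at most a configurable fraction of hosts. All host names, paths and process records are constructed for the example; the two planted anomalies are an Office process spawning PowerShell and a process with a system binary's name running out of a user profile directory.

```python
import re
from collections import defaultdict

# Constructed baseline: what every workstation in this department runs.
# (image name, path, parent image name); <user> is replaced per host.
BASELINE = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
    ("OUTLOOK.EXE", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "explorer.exe"),
    ("WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "explorer.exe"),
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "explorer.exe"),
    ("Teams.exe", r"C:\Users\<user>\AppData\Local\Microsoft\Teams\current\Teams.exe", "explorer.exe"),
]

USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Lower-case the path and replace the per-user profile directory with '*'
    so the same application under different user names stacks into one bucket."""
    return USER_DIR.sub(r"c:\\users\\*\\", path.lower())


def build_sample_department(hosts: int = 20):
    """Constructed process list snapshots for WS-01..WS-NN plus two planted anomalies."""
    records = []
    for i in range(1, hosts + 1):
        host, user = f"WS-{i:02d}", f"user{i}"
        for name, path, parent in BASELINE:
            records.append({"host": host, "name": name,
                            "path": path.replace("<user>", user), "parent": parent})
    # Planted anomaly 1: an Office document spawning PowerShell (rare lineage, common binary).
    records.append({"host": "WS-07", "name": "powershell.exe",
                    "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "parent": "WINWORD.EXE"})
    # Planted anomaly 2: a common name in an uncommon location and with an odd parent.
    records.append({"host": "WS-12", "name": "svchost.exe",
                    "path": r"C:\Users\user12\AppData\Roaming\svchost.exe",
                    "parent": "explorer.exe"})
    return records


def stack(records, key_fn):
    """Map each key produced by key_fn to the number of distinct hosts it was seen on."""
    hosts_by_key = defaultdict(set)
    for r in records:
        hosts_by_key[key_fn(r)].add(r["host"])
    return {k: len(v) for k, v in hosts_by_key.items()}


def by_name(r):
    """Naive key: image name only."""
    return r["name"].lower()


def by_lineage(r):
    """Richer key: parent image, image name and normalized path."""
    return (r["parent"].lower(), r["name"].lower(), normalize_path(r["path"]))


def rare(records, key_fn, total_hosts: int, max_fraction: float = 0.10):
    """Return (key, host_count) pairs seen on at most max_fraction of the department's hosts."""
    counts = stack(records, key_fn)
    limit = max(1, int(total_hosts * max_fraction))
    return sorted((k, n) for k, n in counts.items() if n <= limit)


if __name__ == "__main__":
    recs = build_sample_department(20)
    print("rare by image name only:")
    for key, n in rare(recs, by_name, 20):
        print(f"  {n:2d} host(s): {key}")
    print("rare by parent/name/path:")
    for key, n in rare(recs, by_lineage, 20):
        print(f"  {n:2d} host(s): {key}")
```

Stacking on the image name alone finds the PowerShell instance but not the look-alike svchost.exe, because the name is on every host; the lineage key separates it. Each rare key is a lead to check against a reference such as the echotrail prevalence data mentioned above, and each host that carries one is where to look next for the network connections, file and registry changes the reply describes.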
Super happy to see the open source sysdiagnose joining the hackathon.lu held in Luxembourg on April 8th and 9th, 2025.
sysdiagnose is an open-source framework developed to facilitate the analysis of Apple sysdiagnose files, especially those generated on mobile devices (iOS / iPadOS). In the light of targeted attacks against journalists, activists, representatives of civil society and politicians, it empowers incident response teams to review device behaviour and ensure device integrity. This tool is initially the result of a joint effort between EC DIGIT CSOC (European Commission DG DIGIT) and CERT-EU (https://cert.europa.eu/).
https://hackathon.lu/projects/#sysdiagnose-analysis-framework
Don't hesitate to register and add your project!
#opensource #dfir #forensic #hackathon #luxembourg
Thanks to @ddu and the team for joining us.