malmoeb.bsky.social
@malmoeb.bsky.social
Head of Investigations at InfoGuard AG - dfir.ch
The company, for whatever reason, turned off logging for Logons, as a quick check with auditpol revealed (see image). However, "Logon and Logoff" auditing is enabled by default. [1]

You might want to consider checking your audit policy settings before writing yet another playbook 🤓
December 26, 2025 at 1:48 PM
We were investigating yet another compromised network, where we were at first puzzled by the missing logon records inside the Security event logs. Log clearing, anti-forensics?

It turned out to be something simpler.
December 26, 2025 at 1:48 PM
So, this means that every time the Scheduled Task runs, the Python interpreter is executed, effectively loading the malicious Python file named b5yogiiy3c.dll. A pretty sneaky way, and something you should watch out for during your next hunting session or IR gig. 🤓

[1] detection.fyi/elastic/dete...
December 25, 2025 at 9:01 AM
Adversaries can exploit these files to maintain persistence by injecting malicious code." [1]

Path: C:\ProgramData\cp49s\Lib\sitecustomize[.]py
Content: See the image below.
December 25, 2025 at 9:01 AM
Our initial hypothesis was DLL sideloading. After examining the Python directory, we identified a file named sitecustomize[.]py:

"Python's sitecustomize[.]py and usercustomize[.]py are scripts that execute automatically when Python starts, allowing for environment-specific customizations.
December 25, 2025 at 9:01 AM
There are a few things odd here. First, the name of the Scheduled Task (some random numbers). Second, the installation Path (Programdata\cp49s\). Third, Python is launched without any command-line arguments or a reference to a Python script, meaning the interpreter is started by itself.
December 25, 2025 at 9:01 AM
Despite the classic forensic artifacts that could show the attacker opened various files of interest, this was another fun artifact to discover (and surely yet another tool attackers use to stay under the radar).

[1] www.voidtools.com
December 14, 2025 at 7:18 AM
The file consists of Filename (self-explanatory, with the full path), Run Count (how many times have I opened the file), and Last Run Date (represented in Windows FILETIME, a count of the number of 100-nanosecond ticks since 1 January 1601 00:00:00).
December 14, 2025 at 7:18 AM
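To turn the Run History.csv described above into a usable timeline during an investigation, here is a small parser added as an example (not part of the original thread and not code from voidtools). It assumes the column headers are exactly "Filename", "Run Count" and "Last Run Date", and the rows below are constructed sample data, not a real artifact.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not from a real case); header names are assumed.
SAMPLE_CSV = """Filename,Run Count,Last Run Date
C:\\Users\\alice\\Documents\\passwords.xlsx,3,134090640000000000
C:\\Finance\\Q4\\budget.docx,1,134090644320000000
"""

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    # 10 ticks of 100 ns equal one microsecond, timedelta's finest unit.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_run_history(text: str) -> list[dict]:
    """Parse Run History.csv content into dicts sorted newest-first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "filename": row["Filename"],
            "run_count": int(row["Run Count"]),
            "last_run": filetime_to_utc(int(row["Last Run Date"])),
        })
    rows.sort(key=lambda r: r["last_run"], reverse=True)
    return rows


def opened_between(rows: list[dict], start: datetime, end: datetime) -> list[dict]:
    """Keep only entries whose last run falls inside an activity window."""
    return [r for r in rows if start <= r["last_run"] <= end]


if __name__ == "__main__":
    window_start = datetime(2025, 12, 1, 12, 5, tzinfo=timezone.utc)
    window_end = datetime(2025, 12, 1, 13, 0, tzinfo=timezone.utc)
    for entry in opened_between(parse_run_history(SAMPLE_CSV), window_start, window_end):
        print(entry["last_run"].isoformat(), entry["run_count"], entry["filename"])
```

Feed the parsed entries into your timeline alongside the other artifacts mentioned in the thread so that file-open activity from Everything is not overlooked.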
The interesting thing here is that Everything keeps track of files opened from within its interface. This information is stored in the file Run History.csv.
December 14, 2025 at 7:18 AM
If you haven't read it or never heard of it, now is the time to read it.

BEC Guide: github.com/PwC-IR/Busin...
December 13, 2025 at 9:39 AM
So, just based on such an Inbox Rule, you can immediately tell that the account is compromised, and you can start the full investigation circle. I still recommend the Business-Email-Compromise-Guide from PwC left and right, because it sums up all these cases around Inbox Rules well.
December 13, 2025 at 9:39 AM
It's also interesting how much of a giveaway such an Inbox Rule can be. Once you have found such a rule in the mailbox of one of your employees, the chance that it is a false positive is really small.
December 13, 2025 at 9:39 AM
Silly-named rule names (three stars in this example, a dash sometimes, three points, you get it), moving emails to specific folders (RSS, Conversation History), and marking them as read. Nothing you could not spot from your own investigation.
December 13, 2025 at 9:39 AM
The owner of the mailbox will never see that email, because honestly, who is looking at the RSS folder anyway? At least not your regular employee.

This is a super common pattern in our investigations.
December 13, 2025 at 9:39 AM
media.kasperskycontenthub.com
December 12, 2025 at 9:15 AM
There are various ways to register such password filters, but the screenshot is from a recent case (and from one of my presentations) in which the attacker registered a new NetworkProvider to steal cleartext credentials. Techniques that are 10+ years old are still working and (mis-)used by attackers.
December 12, 2025 at 9:15 AM
specific requirements, such as length and complexity. This way, the ProjectSauron passive backdoor module starts every time any domain, local user, or administrator logs in or changes a password, and promptly harvests the passwords in plaintext."
December 12, 2025 at 9:15 AM
"ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter. This feature is typically used by system administrators to enforce password policies and validate new passwords to match
December 12, 2025 at 9:15 AM