Showing posts with the label hackers

Qakbot & Their Hidden Slasher Obfuscation

I noticed on Twitter a relatively novel obfuscation or anti-forensics technique that Qakbot (or qbot) has started using. It surprises me that more threat actors don't employ basic command-line obfuscation techniques, as they can really screw with SIEM detections for a minimum of effort. Credit to Max_Malyutin on Twitter for flagging this and grabbing my attention: I hadn't seen multiple path-escape backslashes like this on the Windows command line, but sure enough, it works. Here's what an event looks like in Splunk: This takes advantage of the way SIEMs like Splunk handle backslashes: they themselves need to be escaped, so searching for a normal file path (in this case cmd.exe) looks like this in Splunk: To look for our obfuscated command line with extra backslashes, we'll want to look for more than 4 backslashes in a row; escaped in Splunk, we wind up with 8 backslashes in our search: Or in SPL: index=<your-index-he

Ransomware Batchfiles in the Belfry, Detections for Lockbit Black .bat Files

Following on from reading an unSafe.sh post about recent Lockbit ransomware gang activity, aka the new "Lockbit Black", I decided to look into a file that was posted along with the analysis, "123.bat". You can view or grab a gist of the batch file below. We're going to run this batch file on a test VM and have a look at the resulting logs for some detection ideas. I'll be giving examples in Splunk SPL, but I am certain that with a little SIEM magic you can adapt the content to Elastic, Sentinel or Defender Advanced Hunting queries instead. Let's get to it. The first questions we have to ask, though, are around log availability and log visibility. Are you ingesting Windows EventID 4688, and command-line parameters along with that? How about logs from PowerShell? If you are still running an older version of PowerShell in your estate and finding motivation to update to 5+ is tough, then here's your driver: better security and better logs that you can bung i

Leaving No Safe Haven For Commandline Obfuscation (The Second Part)

In part one of these blog entries on command-line obfuscation in Windows (which you can find here, if you haven't read it), we covered some really basic SPL for detecting the usage of double quotes to potentially circumvent SIEM detections. One of the things I forgot to mention then is that counting specific characters in fields has a lot of potential uses within Splunk searches if you are prepared to think outside the box a little. For instance, let's say you were looking at Apache web logs and wanted to find instances of directory (or path) traversal, someone appending something like "../../../../../../../../../../../../etc/passwd%00" to a URL to try to get at your valuable files. You could modify the SPL as follows: index=apache sourcetype=access_combined | eval traversalCount=mvcount(split(uri,"."))-1 | where traversalCount >=4 | stats values(uri) BY traversalCount clientip status This would give you any instances of URIs containing

Slidedeck from BSides Dundee 2022 Presentation, "Digital Shakedown: A Brief History of Ransomware"

If you want inspiration for a slidedeck on the history of ransomware, look no further. Where I wanted to nail down specific dates, I looked for when ransomware strains or incidents made the mainstream news and used that as my base timeline. The slides cover the first incident of data held for ransom that I could find (in 1981) through to Karakurt, which I see as the future of ransomware, touching on targeted ransomware attacks and the advent of Big Game Hunting in between. The talk is made to be delivered in about 25 - 30 minutes, though I was cutting it rather close with that timing. Feel free to use and alter this PowerPoint as you wish.