blue tangle

    I'm very aware that in infosec we tend to be like magpies, distracted by new and shiny objects while sometimes underestimating the impact of the boring tried and true techniques that hackers use day in and day out because they just work. Having said that, I'm only human and when I see something I haven't seen before it piques my curiosity. That was the case with this tweet by Jazi , a Fortinet threat intel researcher, talking about a Darkbit payload. Before we get into the content of that tweet though let's have a quick look at Darkbit, as there are so many ransomware groups now, and the smaller ones can start to blur together as there are only so many adjectives that they seem to favour.   Darkbit are not a very active ransomware group, from what I can tell they have had one high profile victim, the Technion - Israel Institute of Technology. The group heavily implies that they are a disgruntled former tech worker, the further implication is that they may have work

    I noticed on Twitter a new, relatively novel obfuscation or anti-forensics technique that Qakbot (or qbot) have started using. It surprises me that more threat actors don't employ some basic command-line obfuscation techniques, as they can really screw with SIEM detections with a minimum of effort. Credit to Max_Malyutin on Twitter for flagging this and grabbing my attention:   I hadn't seen multiple path escape backslashes like this on the Windows command line, but sure enough, it works, here's what an event looks like in Splunk:     This takes advantage of the way that SIEMs like Splunk handle backslashes, they themselves need to be escaped, so to search for a normal file path for a file (in this case cmd.exe) would look like this in Splunk:     To look for our obfuscated command-line with extra backslashes we'll want to look for more than 4 backslashes in a row, escaped in Splunk we wind up with 8 backslashes in our search:   Or in SPL:   index=<your-index-he

    I wrote a Sigma rule for security/hacking tool Seatbelt, you can find it below.

  If you want inspiration for a slidedeck on the history of ransomware look no further. Where I wanted to nail down specific dates I looked for when ransomware strains or incidents made the mainstream news and used that as my base timeline. The slides cover the first incident of data held for ransom that I could find (in 1981) through to Karakurt as what I see as the future of ransomware, touching on targeted ransomware attacks and the advent of Big Game Hunting in between. The talk is made to be delivered in about 25 - 30 minutes, though I was cutting it rather close with that timing. Feel free to use and alter this PowerPoint as you wish.