blue tangle

  Quick blog entry on detections for the Ghostpack discovery/reconnaissance tool Seatbelt . This entry will focus on looking at command line parameters that can be caught even if the executable itself is renamed, if I have time we can delve into other event log artefacts another time. From the Seatbelt github repo: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. So essentially what the tool does is retrieve local system information that might have security or safety implications. In terms of commands that can be tacked on to Seatbelt there are a literal ton of options. But what we are going to focus on here are the command groups, which break the many, many available commands down into categories, so we have: All, User, System, Slack, Chromium, Remote, Misc. The groups above are invoked like this, if you wanted to run all checks: Seatbelt.exe -group=all And so

    Time for part 2 of a few blogposts on threat actors disabling Windows updates. We covered why in the last post along with how, this time around we will be mostly focusing on detections.   We aren't just detecting disabled Windows updates though, we're detecting the steps required to actually delete and remove installed updates. First we look at usage of the Windows native binary takeown , which enables an administrator to recover access to files that was previously denied.   In this case we are looking at takeown grabbing access of folders relating to Windows updates Our Splunk search looks like this:   index=winlogs EventCode=4688  Process_Command_Line IN ("*\Windows 10 install\*", "*\Windows10Upgrade\*")  New_Process_Name="*\\takeown. exe" | stats  min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name Account_Name ComputerName  | c

  There is never necessarily a good time for Windows updates, but if you are running Windows and care about security, you're going to have to do it eventually, right? Some Threat Actors would prefer that those updates remain uninstalled though, this blog and the research that went into it is inspired by this Scadafence paper entitled " Anatomy of a Targeted Ransomware Attack " which includes this list, pay particular attention to 2. "Disabling Windows updates", this got me thinking. I had a look through ATT&CK to try to map this TTP but to no avail, asking in the ATT&CK Slack I think "Impair Defenses: Disable or Modify Tools" (T1562.001) or "Service Stop" (T1489) seem most appropriate, but I'll leave it up to you as it could fit under a few techniques. I couldn't find any detections for this, so I decided to make my own and share them. Why would a threat actor want to stop Windows updates or even roll them back? I think TAs, e