Python
CyberCorp2
βοΈ Spoiler alert!
Case Details
This is not an investigation like the previous one. This is threat hunting. So, we have only logs via Kibana available. To harden my knowledge with this technologies I’ve had a very quick overview on ElasticStack website and enrolled in this course. Basically, I will have to answer questing having a loads of logs and a query engine available.
Questions
1. WMI Event Consumer name?
β The Threat Hunting process usually starts with the analyst making a hypothesis about a possible compromise vector or techniques used by an attacker. In this scenario, your initial hypothesis is as follows: “The attacker used the WMI subscription mechanism to obtain persistence within the infrastructure”. Verify this hypothesis and find the name of the WMI Event Consumer used by the attacker to maintain his foothold.
CyberCorp1
βοΈ Spoiler alert!
Case Details
Artefacts in posession: memory dump, OS event logs, registry files, Prefetch files, $MFT file, ShimCache, AmCache, network traffic dumps. I’ve decided to analyse each artefact, what can I get from it in this specific case and how. Then, I am going to outline my strategy in approaching this case.
We are looking for indicators of compromise. There are no details as to what is the group and what was its aim. But itβs known that there was abnormal traffic detected that has launched this IR process. So, at least, we must have some suspicious traffic, possibly open or terminated connections. These should have been launched by some process, so we are looking for malware. Also, since the attacker needed an account to get in, I will be looking for an account take over attempts and possibly, new account creation.
Once There Lived Admin
Hey, ps! Would like you to hear a fairy tale? I am sure that you do! It all happened not long long time ago and not in a galaxy far far away… . Let’s imagine that in the J.Rowling’s universe there were cybersecurity specialists as well and Hogwarts had a real website in the Internet. Funky idea! π‘
A very hard-working girl, let’s call her Rachel (yeah, Rachel π) was sitting at her table, working as usual when she suddenly saw her phone vibrating nearby. She picked up the phone, hoping that wasn’t a spam. Indeed it wasn’t. That was her colleague, asking if she is interested in a little side project.
Diffie-Hellman Key Exchange
I’ve written this article while I was untanging RSA and Deffie Hellman inside my head. What I need to stree right here, in the article description, the main difference between them is the Deffie Hellman is NOT a encryption algorithm! It’s an algorithm of generating a symmetric key using principles of asymmetric cryptography.
For the mathmatics topics needed to understand this algorothm, please, refer to the math sections.
There is a peculiar characteristic of prime numbers π and their respective primitive roots π¦·:
RSA
To my utter embarrassment I had to admit that I’ve recently realized I didn’t remember how the RSA worked…. What I though to be RSA turned out to be Diffie-Hellman algorithm… Oops 😬. So, I’ve rewatched Khan’s video about RSA and was surprised I could every confuse the two. This article and another one about Diffie-Hellman is my way of explaining cryptographic notions: visual representation, verbal explanation and… code. Thanks to Python 🐍.
Mutable vs Immutable
>>> import ctypes
>>> a = 5
>>> address = id(a)
>>> address
4307917216
>>> ctypes.cast(address, ctypes.py_object).value
5
>>> a = 3
>>> ctypes.cast(address, ctypes.py_object).value
5
Similarly, regardless of whether you flag some UITextField as Secure Text Entry or not, it always returns data in the form of a String or NSString.
On the other hand, using the overwritten data outside the compiler’s scope (e.g., serializing it in a temp file) guarantees that it will be overwritten but obviously impacts performance and maintenance. You should try to overwrite critical objects with random data or content from non-critical objects. This will make it really difficult to construct scanners that can identify sensitive data on the basis of its management. This can be only done by low-level languages because the compilers and just-in-time virtual machines will ignore those operations for performance reasons if the optimization routines detect that the buffer is no longer used after being overwritten.