Windows Incident Response
It’s great when a plan, or a puzzle, comes together, isn’t it?
I’m not just channeling my inner Hannibal Smith…I’m talking about bringing various pieces or elements together to build a cohesive, clear picture, connecting the dots into a cohesive analysis.
To kick this off, Florian had this to say about threat actors moving to using ISO/IMG files as result of Microsoft disabling VBA macros in docs downloaded from the Internet, a change which results in entirely new artifact constellations. After all, a change in TTPs is going to result in changes as to how the system is impacted, and a change in the resultant constellations. So, this sets the stage for our example.
In this case, the first piece of the puzzle is this tweet from Max_Mal_, which points to the BumbleBee campaign (more info from TAG here), described in the Orion Threat Alert. Per the tweet, the infection looks like this:
Zip -> ISO -> LNK -> rundll32.exe (LOLBin) -> Cobalt Strike
This all starts with a zip archive being delivered to or downloaded by the user; however, what’s not mentioned or described here are the system impacts. Downloading the archive often (depending upon the process) results in MOTW being “attached” to the zip archive. This tweet thread by Florian Roth includes a couple of resources that discuss MOTW, one of which is an excellent article by Mike Wolfe that provides a really nice explanation and details regarding MOTW. I’ve been fascinated by NTFS alternate data streams (ADSs) since I first encountered them, in particular how they’re used by the OS, as well as by the adversary. As a result, I’ve been similarly interested in really leveraging MOTW in every way possible.
The other useful component of Florian’s thread is this tweet by Nobutaka Mantani&
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article:
