Skip to content

Instantly share code, notes, and snippets.

View dfirnewbie's full-sized avatar

dfirnewbie

15 followers · 16 following
View GitHub Profile
@dfirnewbie
dfirnewbie / 1757782249553224163
Created February 16, 2024 15:45
1757782249553224163
Network/DLP data
- for signs of data exfiltration
Event logs/centralized logging/SIEM
- to see if the file server has any suspicious activities such as RDP logins when most users access it through other methods
- determine if the file server could be used for suspicious activities
- any new processes created, especially processes that may be related to malware or data exfiltration activities such FileZilla
- determine files accessed, files deleted (https://www.varonis.com/blog/windows-file-system-auditing)
Access/web logs
@dfirnewbie
dfirnewbie / 1747272506116047341
Created January 17, 2024 17:17
1747272506116047341
1. Pull out the relevant EDR data for the file hash and its properties. While the file name suggests it belongs to a legitimate software, file name can be deceiving
2. Determine when it was loaded (at startup or because someone executed a software which loaded the driver)
3. Review the process tree to determine if the software is still running
4. Review EDR data for any other signs of suspicious activities based on open source reports about the misuse of the driver
Assuming that a user executed a software which loaded the driver and no other suspicious activities are observed, it would be a pretty confident assessment that there's no incident. However, will keep monitoring in case the threat actor decides to lie low.
If there is information to suggest that suspicious activities have occurred, it would be regarded as a potential incident or an incident, if evidence points to other malicious activities occurring.
@dfirnewbie
dfirnewbie / 1744358357366960375
Created January 13, 2024 20:14
1744358357366960375
1. Google about the ET rules to determine what they are trying to alert about
2. Google about the CVE and read how it could be exploited and what artifacts are available that caused the detection
3. Check if Confluence is vulnerable and if it's already patched, particularly if it's public facing. If it's not public facing, determine how it got compromised
4. Preserve a copy of the compromised Confluence server
5. Check EDR data and alerts (if available) for the usage of those commands
6. Check network logs for the mentioned outbound connections by those commands (if there's no EDR)
7. For #3, if it's unpatched and is internet facing, try to minimize the impact of any possible exploitation by applying the workarounds suggested. Also review for signs of compromise as shared by Confluence. Determine the possible access routes to the Confluence server for non-public facing Confluence servers and gather the necessary logs and triage the affected systems. Preserve those systems for further investigations if necessa
@dfirnewbie
dfirnewbie / 20220402-OceanLotus,json
Created April 6, 2022 16:48
20220402 360 OceanLotus Brief Analysis
{
"name": "OceanLotus",
"versions": {
"attack": "10",
"navigator": "4.5.5",
"layer": "4.3"
},
"domain": "enterprise-attack",
"description": "",
"filters": {
@dfirnewbie
dfirnewbie / Post-Conti_Leaks_TTPs.json
Created April 4, 2022 23:33
Post-Conti Leaks TTPs
{
"name": "Post-Conti Leaks TTPs",
"versions": {
"attack": "10",
"navigator": "4.5.5",
"layer": "4.3"
},
"domain": "enterprise-attack",
"description": "Post-Conti leaks TTPs",
"filters": {
@dfirnewbie
dfirnewbie / Phobos.json
Created July 6, 2021 03:13
Phobos ATT&CK
{
"name": "Phobos",
"versions": {
"attack": "9",
"navigator": "4.3",
"layer": "4.2"
},
"domain": "enterprise-attack",
"description": "Phobos ransomware TTPs",
"filters": {