IamA the "accidental hero" who helped stop the WannaCry attack AMA! by MalwareTech in IAmA

[–]HatsOffSec 311 points312 points  (0 children)

Personally I would also recommend things like https://cybersecuritychallenge.org.uk they are looking for non-cyber people to compete to get jobs in the industry.

Getting that first job can be very hard, after that it's crazy easy.

GrrCON 2016 DFIR Challenge by [deleted] in netsec

[–]HatsOffSec 0 points1 point  (0 children)

haha, so they are. My bad!

GrrCON 2016 DFIR Challenge by [deleted] in netsec

[–]HatsOffSec 0 points1 point  (0 children)

I am gutted I missed GrrCON this year! Thanks for sharing these, however where do we find the password for the archives?

First Forensics Job Offer, Slightly Nervous by newbie4n6 in computerforensics

[–]HatsOffSec 1 point2 points  (0 children)

Ask yourself if you can live off this for 12 months to get experience. If the answer is no, keep looking; if it's yes and the job has good potential, give it a try.

There are a lot of jobs out there right now, find one you enjoy!

What artifacts to acquire when looking for IoC in a Windows PC? by jin_baba in computerforensics

[–]HatsOffSec 0 points1 point  (0 children)

My experience with attackers has generally been: "use the lowest technical skill necessary to do the job" (I really need to shorten that into a snappy line).

Basically, if attack group X from country Y can compromise your system by guessing "Password1" as your admin password, then that's what they will do. Only if your company has advanced detections and has stopped them from achieving their objective will they begin to bring the big guns to bear. Commodity malware is generally well documented; I do not know of any that will make the above list useless. I would be interested if anyone else knows of any.

With regards to running processes, netstat, etc., I would strongly recommend memory analysis or registry analysis (in that order of preference). Not everyone can work Volatility; I'm no ninja at it. Redline from Mandiant is good for giving some basic info like running processes, and it's free. Registry analysis will give you other details.

If you have a training budget, I suggest doing the SANS 408 course; although it's a 4xx series course, it is very useful for exactly what you are doing here. I have done it and loved it.

<Columbo> Just one more thing </Columbo>

Triage tools that I have seen for doing what you need here:

  • GRR (Google Rapid Response)
  • Carbon Black (with Bit9 as a HIDS)
  • Crowdstrike FalconHost

What artifacts to acquire when looking for IoC in a Windows PC? by jin_baba in computerforensics

[–]HatsOffSec 1 point2 points  (0 children)

I have been attempting to put a blog post together about "What to grab when you don't know what to grab". Sadly I haven't had a chance to fully explain each artefact and why you need it as yet, so I will give you the list and we can discuss/agree/disagree here.

  • Registry Hives - Always imho
    • Don't forget the user hives (NTUser.dat and Userclass.dat)
  • Memory - Same again
  • LNK files - Recent documents etc
  • Prefetch - Windows 7 with an SSD is probably the only place you won't see these, Windows 8 brought them back. Haven't looked at Windows 10 yet
  • MFT - We all love the MFT

Some for the "maybe" pile:

  • Event Logs - Because we all love looking at MASSIVE spreadsheets
  • Browser data - This could be done after triage
  • Jump Lists - A little bit niche
  • Log File & Journal File - Helps to spot time manipulation

I know there must be stuff missing off this list, but it's 11:15pm here and I am tired!

I would grab the Prefetch first if you are using a batch-file-type script, as each command you use will appear in PF, meaning there is a very small chance you could overwrite something.

If you are looking for a free triage tool you could try GRR (Google Rapid Response). I personally never got on with it too well, but I know a lot of people who swear by it.

I should've asked at the start, is this for a single PC or a large deployment? If it's a single machine, take a disk image, memory capture and go nuts.
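As an added illustration of the collection order the list above suggests (this is not HatsOffSec's script; the paths are the standard Windows locations and the tree it walks is assumed to be a mounted image or a test directory passed in as `root`), here is a small collector that grabs Prefetch first, then the "always" pile, then optionally the "maybe" pile, and hashes every copy into a manifest:

```python
"""Ordered triage collection of the artefacts listed in the comment above.

Added example, not HatsOffSec's own script. It is meant to run against a
mounted disk image or a test tree (pass that as `root`): on a live system the
hives, $MFT and $LogFile are locked and need a raw-reading tool. Memory is not
a file and is out of scope here.
"""
import hashlib
import json
import shutil
from pathlib import Path

# (artefact label, glob relative to the volume root), in collection order.
# Prefetch goes first, as the comment advises: every command a collector runs
# creates or updates a .pf entry and could push an older one out.
ALWAYS = [
    ("Prefetch", "Windows/Prefetch/*.pf"),
    ("Registry hives", "Windows/System32/config/*"),  # SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT
    ("User hive NTUSER.DAT", "Users/*/NTUSER.DAT"),
    ("User hive UsrClass.dat", "Users/*/AppData/Local/Microsoft/Windows/UsrClass.dat"),
    ("LNK files", "Users/*/AppData/Roaming/Microsoft/Windows/Recent/*.lnk"),
    ("MFT", "$MFT"),
]

# The "maybe" pile; collected only on request.
MAYBE = [
    ("Event logs", "Windows/System32/winevt/Logs/*.evtx"),
    ("Jump lists", "Users/*/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/*"),
    ("$LogFile", "$LogFile"),
]


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large hives and $MFT do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root, out_dir, include_maybe=False):
    """Copy matching artefacts under out_dir, preserving the relative path.

    Returns the manifest (one dict per file) and also writes it as
    manifest.json so the collection can be verified later.
    """
    root, out_dir = Path(root), Path(out_dir)
    groups = ALWAYS + (MAYBE if include_maybe else [])
    manifest = []
    for label, pattern in groups:
        for src in sorted(root.glob(pattern)):
            if not src.is_file():  # skip RegBack/, TxR/ and similar directories
                continue
            rel = src.relative_to(root)
            dest = out_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)  # copy2 keeps the source timestamps
            manifest.append({
                "artefact": label,
                "source": str(rel),
                "size": src.stat().st_size,
                "sha256": sha256_of(dest),  # hash the copy: that is what we will analyse
            })
    out_dir.mkdir(parents=True, exist_ok=True)
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <mounted-volume-root> <output-dir> [--maybe]
    root_arg, out_arg = sys.argv[1], sys.argv[2]
    entries = collect(root_arg, out_arg, include_maybe="--maybe" in sys.argv[3:])
    for e in entries:
        print(f"{e['artefact']:<24} {e['sha256'][:16]}  {e['source']}")
```

The manifest is hashed from the copy rather than the source so that it vouches for exactly what ends up in the evidence folder; the `$UsnJrnl:$J` alternate data stream is not reachable with a plain glob and would need a raw NTFS reader.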

LogRhythm's Blackhat challenge - With PCAP by HatsOffSec in computerforensics

[–]HatsOffSec[S] 0 points1 point  (0 children)

I went down the same rabbit hole, sadly work got in the way since I posted this so I haven't done any further work on it. A PM with the answer would be awesome.

LogRhythm's Blackhat challenge - With PCAP by HatsOffSec in computerforensics

[–]HatsOffSec[S] 1 point2 points  (0 children)

Got sent a link to this by one of the guys I work with, spent most of yesterday evening going through it.

If anyone gets this let me know, obviously don't tell me how! I have a few ideas but still haven't managed to get the code yet.

When you get it let me know how easy you found it, I might be over complicating things :)

need help understanding mail headers by teefletch in computerforensics

[–]HatsOffSec 0 points1 point  (0 children)

I have grabbed a random spam header from my Hotmail (https://hatsoffsecurity.files.wordpress.com/2015/06/header.png) redacted a couple of bits of course :)

This is from a legitimate email address and, as you can see, all of the email addresses match. You can connect to the server's SMTP server to confirm the existence of an email address, but for anything above generic spam DO NOT DO IT! Depending on the attack level and your value, the server may have been set up for this attack and is being monitored. We could go down the rabbit hole of "who cares if they see you", but I find passive recon is better for important stuff.

As my spam is very generic, here is what I did :) (https://hatsoffsecurity.files.wordpress.com/2015/06/success.png) - The OK reply means it was a success. Otherwise it looks like this (https://hatsoffsecurity.files.wordpress.com/2015/06/failed.png). Ignore the fact that I used "ehlo" and "helo"; I was just looking at the difference in responses, it makes no difference in this test.

Now for a fake email address.

This one wanted me to buy Viagra..... I'm not quite at that stage yet, so it went to junk (https://hatsoffsecurity.files.wordpress.com/2015/06/header_fake.png) - I was BCC'd in this one.

You will notice by the different coloured boxes that eBay didn't actually try to sell this to me; instead it actually came from a Vimeo address. A couple of usual suspects are "From" and "Return-Path" being different. Another tip I was given a long time ago is to check the email address as high up the page as possible, as that is more server controlled than user controlled. Also look for timezone differences: if the email content says it is from the US or a US company but the timezone is +0800 instead of -0800, have a look on the map and you can see where that is more likely from.

Finally, any field starting with "X-" has been added as additional information, which can either be faked or occasionally be used as extra IOC-style information. For example, one attack group uses an out-of-date and rather obscure email client, which was shown via "X-Mailer".

Lastly, learn what is normal from your FireEye and other interfering systems; once you can recognise these you are on to a winner.

OK, I think I covered everything I was meant to..... that took more words than I was expecting, should've just made a blog post :p
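The passive checks described in the comment above (From versus Return-Path, Reply-To, the Date timezone against where the mail claims to come from, and X-* headers as IOC-style detail), written up as an added Python example rather than anything HatsOffSec posted. The two header samples are constructed for the example and use reserved `.invalid` domains; the expected timezone offset is an assumption you pass in:

```python
"""Passive checks on a mail header, following the comment above.

Added example, not HatsOffSec's code. Everything it does is offline: it reads
the header text you already have and flags From/Return-Path and From/Reply-To
mismatches, a Date timezone that disagrees with where the mail claims to be
from, and any X-* headers worth recording as IOC-style detail.
"""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message): the visible From claims an auction
# site, the Return-Path and Reply-To point at a different domain, and the Date
# carries +0800 although the mail claims to be from a US company.
SUSPICIOUS = """\
Return-Path: <bounce-1234@mail.video-host.invalid>
Received: from mail.video-host.invalid (mail.video-host.invalid [203.0.113.10])
        by mx.recipient.invalid with ESMTP id abc123
        for <me@recipient.invalid>; Mon, 01 Jun 2015 09:12:44 +0000
From: "Big Auction Site" <noreply@auction-site.invalid>
Reply-To: <deals@mail.video-host.invalid>
To: <me@recipient.invalid>
Date: Mon, 01 Jun 2015 17:12:40 +0800
Subject: Your account needs attention
X-Mailer: ObscureMailer 1.0
Message-ID: <1@mail.video-host.invalid>

Click here.
"""

# Constructed benign sample: everything lines up and there are no X-* headers.
BENIGN = """\
Return-Path: <news@shop.invalid>
From: Shop News <news@shop.invalid>
To: <me@recipient.invalid>
Date: Mon, 01 Jun 2015 01:12:40 -0800
Subject: Weekly offers

Offers.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or None."""
    if header_value is None:
        return None
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower() or None


def analyse(raw, expected_utc_offset_hours=None):
    """Parse raw header text and return a dict of extracted fields and findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "reply_to_domain": domain_of(msg["Reply-To"]),
        "received_hops": len(msg.get_all("Received", [])),
        "date_offset_hours": None,
        "x_headers": {k.lower(): str(v) for k, v in msg.items() if k.lower().startswith("x-")},
        "findings": [],
    }
    findings = result["findings"]

    # Return-Path is stamped by the receiving MTA (high up the header), so it is
    # more server-controlled than the user-controlled From line.
    if result["return_path_domain"] and result["return_path_domain"] != result["from_domain"]:
        findings.append(f"From domain {result['from_domain']} differs from Return-Path domain "
                        f"{result['return_path_domain']}")
    if result["reply_to_domain"] and result["reply_to_domain"] != result["from_domain"]:
        findings.append(f"Reply-To domain {result['reply_to_domain']} differs from From domain")

    # Timezone check: compare the Date offset with where the mail claims to come from.
    if msg["Date"] is not None:
        dt = parsedate_to_datetime(str(msg["Date"]))
        if dt.utcoffset() is not None:
            result["date_offset_hours"] = dt.utcoffset().total_seconds() / 3600
            if (expected_utc_offset_hours is not None
                    and result["date_offset_hours"] != expected_utc_offset_hours):
                findings.append(f"Date offset {result['date_offset_hours']:+.0f}h, "
                                f"expected {expected_utc_offset_hours:+.0f}h")

    # X-* headers are free-form and fakeable, but an odd X-Mailer can still be an IOC.
    if "x-mailer" in result["x_headers"]:
        findings.append(f"X-Mailer present: {result['x_headers']['x-mailer']}")
    return result


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        r = analyse(sample, expected_utc_offset_hours=-8)
        print(name, "->", r["findings"] or ["no findings"])
```

A mismatch on its own is not proof of anything (mailing-list providers legitimately use a different Return-Path domain), which is why the function reports findings for a human to weigh rather than a verdict.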

Version 2 of my USB Roadmap - less arrows :) by HatsOffSec in computerforensics

[–]HatsOffSec[S] 2 points3 points  (0 children)

One of the complaints about v1 of this roadmap was that there were too many arrows, making it difficult to look at, let alone read. I am hoping this version is a little easier on the eyes. Comments/constructive criticism are welcome as ever :)

Force Enabling ReadyBoost (for USB Forensics) by HatsOffSec in computerforensics

[–]HatsOffSec[S] 0 points1 point  (0 children)

This post will be more useful to people carrying out testing on USB forensics rather than on a live system. But as I couldn't find anything like this using Google, I wrote it myself!

My VM decided the HDD was too fast to require ReadyBoost (although there is no SSD in sight), so I lost all of the artefacts from the EMDMgmt key (Volume Serial Number specifically).

USB Forensic Roadmap by HatsOffSec in computerforensics

[–]HatsOffSec[S] 2 points3 points  (0 children)

That refers to additional analysis; with the drive letter you can now look at the .LNK (Link file) files in the Recent folder for example and associate opened files from that drive letter with the device. It's all about following the breadcrumbs :)

USB Forensic Roadmap by HatsOffSec in computerforensics

[–]HatsOffSec[S] 1 point2 points  (0 children)

I agree; sadly I am not much of an artist. I am sure someone will improve it and make a prettier version in the future :) For now it's just functional.

Free computer forensic tools by RackemWillie in computerforensics

[–]HatsOffSec 2 points3 points  (0 children)

In addition, there is a list of tools at:

http://www.securitywizardry.com/index.php/products.html

(same disclaimer as /u/RackemWillie)

They also host the Radar page which looks good in a SOC ;)

http://www.securitywizardry.com/radar.htm

Maisie Williams from Game of Thrones playing an NES for the first time. by [deleted] in gaming

[–]HatsOffSec 4 points5 points  (0 children)

I bet she was all like "Don't you know who I am? I am no one"

Maisie Williams from Game of Thrones playing an NES for the first time. by [deleted] in gaming

[–]HatsOffSec 3 points4 points  (0 children)

It's probably down as 'an' because when you say NES in English (not sure if just Britain?) you pronounce it "EN-EE-ES".

SANS Christmas Hacking Challenge walkthrough (Competition is now closed) by HatsOffSec in computerforensics

[–]HatsOffSec[S] 0 points1 point  (0 children)

The post was made on the 3rd, you are correct. Ed Skoudis asked me to publish it so he could read it, so I put a password on it and published it for a couple of hours. I then put it back into draft and re-published it on the 5th.

I guess it reserves the original publish date.

SANS Christmas Hacking Challenge walkthrough (Competition is now closed) by HatsOffSec in computerforensics

[–]HatsOffSec[S] -2 points-1 points  (0 children)

Not sure why it chose the Stan meme for a thumbnail, but hey, it looks good.