DFIR Blog
  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity

Blog

Fast Flux - DNS

9/7/2019

 
Domain Name Server (DNS) is one of the most common protocol. We use it multiple times a day without realizing it. Popularly known for converting a do main name into an IP address. Think of it as a glue between human and the network. Newer Content Delivery Networks (CDN) use DNS to ensure a client is send to the server closest to it's geography.

In today's post we are going to talk about the common DNS attacks used by malwares called Fast Flux. This may fall under the "Command and Control" Category in MITRE ATT&CK Framework.

In order to avoid blocking a malware owner quickly changes the resolved IP Addresses. So, every-time you'll query a host-name it'll give you a different IP Address. Usually, time to live (TTL) for each IP address is around 300 Seconds.  This technique is most commonly used by Botnets. A key thing to remember is the DNS Servers participates in the Fast-Flux is usually for Malicious purpose.

Investigation Tips:

Look for TTL < 300
DNS Count > 12
Recently registered domain.
Learn more about Fast Flux: http://www.honeynet.org/node/136


Hack the box - Reminiscent

7/29/2019

 
Suspicious traffic was detected from a recruiter's virtual PC. A memory dump of the offending VM was captured before it was removed from the network for imaging and analysis. Our recruiter mentioned he received an email from someone regarding their resume. A copy of the email was recovered and is provided for reference. Find and decode the source of the malware to find the flag.

Note: Find and Decode the source of the malware to find the flag. The reading the email file we know following information

Filename: resume.zip
IP: http://10.10.99.55:8080/resume.zip

Used following command to analyze the process
Picture
Found some suspicious stuff
Picture
Used netscan plugin to analyze the network connection and identified that process powershell is connecting to the Malicious IP address found the email. The malicious process is powershell 2752.
Picture
Lets perform a filescan and see if we can find the resume file in the memory.
Picture
We have some hits - lets dump them out and do strings on them.
Picture
Lets do strings on the dumped files.
Picture
There is some data in Base 64 - lets use cyberchef to decode it.
Picture
The output of base 64 has another base64 encoding in it. Looks like someone is running powershell
Picture
Finally we got some readable text and I can see the flag HTB{$_j0G_y0uR_M3m0rY_$}  in it.

Picture

Hack the box - "Took the byte"

7/21/2019

 
Someone took my bytes! Can you recover my password for me?

Well, this challenge is not as easy as it looks for 20 points, but tools like CyberChef helps us in solving it quickly. Load the file in CyberChef and enjoy the magic!

Upload the password file to cyber chef and use the following Recipe available in the image below:
​
Picture

Marshal in the Middle

3/10/2019

 
Hack the box Forensic Challenge Library:
The security team was alerted to suspicious network activity from a production web server.Can you determine if any data was stolen and what it was?

Solution:
 Hackinthebox will provide you following data - pcapng file, and lot of bro logs:
Picture
While reviewing the log files - I noticed pastebin.com access from ip 10.10.20.13
Picture

​

Picture
Decrypte the data by the secrets.log file provided by hackthebox to view the content in plain text
Picture
Followed the TCP Stream for ip.addr == 10.10.20.13
Picture
There was a post request made (as seen in about screenshot). Filters packets by HTTP Post
Picture
Credit Card Data in Plain Text
Picture
Hack the box key below:
Picture





MAC Timeline Analysis

6/5/2017

 
In this article, I am going to talk about basic forensic time analysis procedure:
  1. Identify the partition in an image using mmld <filename> command. Don’t forget to make a note of start sector of the partition.
  2. Identify the type of filesystem is has using fsstat -o <start sector> command.
  3. List all the files including deleted files by name using this command :fls -o <offset> -f <filesystem> -m “/“ -r <filename>  > flsbody
  4. What if the deleted file does not have a name- use this command ils -o <offset> -f <filesystem> -m   <filename>  > ilsbody

What is a Cluster

11/14/2015

 
​
Cluster is smallest allocation unit in a hard-drive. Cluster is a set of sectors and tracks. The file system divides the storage on a disk volume into discreet chunks of data for efficient disk usage & performance. This chunks are called cluster. 

To put it in simple terms, you get a sector when you take a bunch of things and divide them. You get a cluster when you take a bunch of things and put them together.

What is a sector?

11/14/2015

 
Sector is smallest physical storage unit on a disk platter. Normally holds 512 Bytes and few additional bytes for drive control & error correction.
Data is stored on a disk in a contiguous series (Sharing a common border)
For example: if file size in 700 Bytes, two 512 sectors are allocated to the file.

    Mac Forensics
    Windows Forensics
    Forensic Tools

    Categories

    All
    Attack
    Bash
    Bigdata
    Corporate
    Ctf
    Data
    Digital Forensics
    Docker
    EDR
    Forensics
    Hacking
    Hadoop
    HDFS
    Health Care
    Linux
    Memory
    Network
    Network Forensics
    PCIP
    SQL
    Windows
    Wireshark

    Archives

    October 2019
    September 2019
    July 2019
    June 2019
    May 2019
    March 2019
    April 2018
    March 2018
    February 2018
    July 2017
    June 2017
    May 2017
    November 2015
    October 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015

    RSS Feed

  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity