Posts

How I gained initial access using Social Engineering

Cybercriminals have done a lot of damage to organizations through social engineering attacks: from FireEye to Cisco and, recently, Uber, they were all hacked because of social engineering. This reminds me of an internal pentest I did in 2021 at one of my organizations, where I used a social engineering technique to deliver and execute my payload. I was asked to check whether I could gain access to any employee's computer using any method I could think of. In this blog I will simulate the same attack and show how I gained initial access using a social engineering technique.

Attack Phase 1: Information gathering

As it was from the internal network, I decided to compromise one employee; here the person is a network engineer. Before attacking the target, I started with information gathering. The first thing I did was check all open ports in my network range. To do this I used masscan, with the command masscan -p445 192.168.7.1/24 --rate=1000. I foun

Extracting digital evidence using memory imaging and bulk extractor

In this quick post we are going to extract juicy info from a raw memory image. This method can be helpful for finding digital evidence on a suspect's computer. This post is not beginner friendly, so you need to have knowledge of some concepts like memory imaging. In short, memory imaging is the process of making a bit-by-bit copy of RAM.

Why memory imaging

Your computer's memory stores a lot of information, and we know that information recoverable from a disk image can also be recoverable from memory, which can help an investigator extract a lot of sensitive information such as runtime system activity, stored passwords, and commands and processes that were executed recently.

Why Bulk Extractor

Bulk Extractor is a really useful open source tool; it ignores the file system structure, can scan disk images, memory images, etc., and can also extract emails, URLs, credit card details, etc. This can help an investigator get a good lead in his investigation and can also help a malware analyst get Ind

Parent process spoofing and how to detect them

Malware uses various techniques to hide itself or evade antivirus or EDR systems. So I decided to discuss a very interesting malware hiding technique: parent process spoofing. This technique has been well discussed by many other infosec people, and Didier Stevens blogged about it in 2009. I decided to discuss it in layman's terms. The parent process spoofing technique allows a malicious program to spawn a process under a parent of its choice. It helps the malicious program hide itself from parent-child process analysis, which is what helps defenders find anomalies.

How does it work

This is an abuse of a Windows feature. It uses the Windows API function CreateProcessA, which is used to create a new process. This function has a parameter lpStartupInfo which allows you to choose the parent process. lpStartupInfo points to a STARTUPINFOEX structure. The STARTUPINFOEX structure contains lpAttributeList. lpAttributeList is created by the InitializeProcThreadAttributeList function; this function will allocate the m

Testing capa the Malware analysis tool

Recently FireEye released the open-source malware analysis tool capa. It became very popular among malware analysts because of its ability to tell the capabilities of malware, that is, what a portable executable file can do when executed on a Windows machine. I decided to test it on some custom malware samples to see how it works. I chose one malware sample from thezoo, a repository of LIVE malware. I selected a binary file, Trojan.Dropper.GEN. On checking VirusTotal, this one has a detection rate of 43/63. I did some basic behavior analysis on any.run, and here is its summary. On checking the process graph, it's clear this binary drops and executes multiple malicious files, so I started analysis of ailiao.exe with capa. On executing, capa gives results about this binary file's capabilities and also shows which ATT&CK tactics and techniques the threat actor used. We can see capa has reported that it matches 11 malicious activities, which include connecting