This Week's Read List - 18-25 APR 2021

This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.

Malware, Campaigns and TTPs

Lazarus APT Hackers are now using BMP images to hide RAT malware - Lazarus Group hackers have been found to conceal malicious code inside of bitmap (.BMP) images to drop RATs capable of stealing sensitive information. The technique involves embedding an HTA script file disguised as a compressed zlib file within a PNG file, which is then decompressed at runtime, converting itself into a BMP file.

Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise - FireEye details three 0-days in SonicWall's Email Security product which have been actively exploited in the wild. Monitoring and detection strategies are discussed.

HabitsRAT Used to Target Linux and Windows Servers - Intezer details a newly discovered malware, named HabitsRAT, that is targeting both Windows and Linux machines. HabitsRAT is written in Go with the ability to control a compromised machine remotely by using commands that are signed with the attacker's private key.

Blue Team Techniques

Finding Buried Treasure in Server Message Block (SMB) - Black Hills Infosec takes a look at SMB enumeration to better understand attack surface exposure using the PowerSploit PowerView script. Topics covered include creating host triage lists based on Windows version, identifying sensitive content, and mitigation strategies to help better protect SMB.

Windows Event Logging & Collection Guidance - The Netherlands Joint Sigint Cyber Unit (JSCU) has released hands-on guidance on how to configure Windows Event Logging and how to centralize collection using Windows Event Forwarding.

Tools

PyOTI - PyOTI is a Python module to easily query various threat intelligence APIs. API sources include: CheckDMARC, CIRCLPDNS, IrisInvestigate, WhoisXML, DisposableEmails, EmailRepIO, MalwareHashRegistry, AbuseIPDB, SpamhausIntel, GoogleSafeBrowsing, LinkPreview, Phishtank, CIRCLPSSL, DNSBlockList, HybridAnalysis, MaltiverseIOC, MISP, Onyphe, OTX, Pulsedive, URLhaus, URLscan, and VirusTotal.

netdata - netdata is a distributed real-time monitoring agent designed to collect metrics from systems, hardware, containers and applications with zero configuration.

Azure Sentinel Notebooks - Azure Sentinel Notebooks is a repository of Jupyter notebooks to interact with and analyze Azure Sentinel data.

Educational Resources

Offensive Security Guide to SSH Tunnels and Proxies - SpecterOps with an excellent writeup not only on SSH basics, but on how to use SSH local and remote forwarding, as well as SOCKS proxies, for a multitude of applications.

Attack Detection Fundamentals 2021: AWS - Lab #1 - F-Secure continues its Attack Detection Fundamentals workshop series with a focus on AWS this time around. Part 1 looks at performing some basic enumeration with compromised credentials. Part 2 takes a look at making changes to an account, and leveraging privileged access to add additional access keys and login profiles. Part 3 wraps up by exfiltrating data from an S3 bucket and modifying access policies.