Posts

Tracking Malicious Files with Favicons

In today's post, we're diving into the world of favicons and their role in malware detection with VirusTotal Enterprise. If you read my last blog, you'll remember we explored using VirusTotal Diff to track down new iterations of DarkGate malware. Though it might seem like I live and breathe VirusTotal, I assure you there are other tools I use. However, I do find these ad-hoc workflows interesting, and although I rarely document them, I'm making another post. Imagine you're part of a product company that distributes a high volume of binaries, software, and various other items across a vast number of websites. Often, third-party partners host legitimate versions of these products on their sites and SEO boosts. Unfortunately, this widespread distribution gives attackers a chance to mimic your products by using similar file names and even your company's favicon to deceive users. This is by no means a novel or new technique, in fact, it's quite trivial in my opinion, w

VirusTotal Enterprise - Starting Workflow

In 2023, I set out to write a personal blog every four months but didn't quite meet that goal. Reflecting on the year, it's amusing to think I attributed this to writer's block. My role in threat intelligence and working with an advanced pursuit team involves crafting internal reports and advisories. Realizing this could have been a goldmine for blog content, I'm reminded of one of my favorite quotes, "I'm going to make this way harder than it needs to be." So, let's dive in. I frequently utilize what I term 'open source databases' – resources like Shodan, Censys, VirusTotal, and AbuseIPDB. These databases provide intelligence on various artifacts, with limitations typically based on the account type (free, verified, or paid). Today, I want to focus on how I leverage VirusTotal Enterprise in my daily workflow. Before we delve deeper, a quick tip: check the VT Enterprise Group tab under your profile to monitor your monthly usage. These resources

Certifried Red Team Operator

I wasn't actually planning on writing up a blog about passing the CRTO, but here I am about two months since passing and felt like writing down some after-thoughts. Now that all the information has had time to simmer, there have been some key takeaways I've noticed in my day-to-day work in threat research. If you're not familiar with the CRTO, the TLDR is that it focuses on using the C2 framework CobaltStrike from a red team perspective, created by RastaMouse at Zero Point Security. If you've ever worked in a SOC before, you've maybe heard the long-standing joke 'it's an admin, false positive'. It used to make me laugh, until I moved into threat hunting and intelligence. Now hearing this just gives me anxiety. Elevating privileges typically isn't that difficult to accomplish, but detecting and preventing it before it has a negative impact is challenging. This is even more difficult when going against a skilled attacker that understands elevating privi

Creating Windows Defender Exclusions

Something interesting I've come across, admittedly only a handful of times, is that the `MpPreference` cmdlet is being used in nefarious ways. Specifically, this involves instances where Domain Admin accounts have been compromised, and they are being used to create exclusions that bypass Windows Defender detections. The `MpPreference` cmdlet family is related to Windows Defender. There are 12 different cmdlets in this family, but I've really only encountered `Add-MpPreference` in the wild. On that note, this is not referring to Windows Defender for Endpoint, ATP, or whatever it was called before that. One important aspect of using `MpPreference` is that it requires some form of an elevated account to create the exclusions. I first came across this technique when I observed a script being executed after a DA pushed a GPO that did a few interesting things. This script disabled AVs, EDRs, and backups, grabbed a malicious executable from a network share, and cleared audit logs. The fact that