08/02/2024Veeam Backup & Replication is a widely-used software suite for creating and managing backups of virtual, physical and cloud machines. In a remote incident response, where efficient data access is key, Veeam metadata files can be used to list and search for Backup objects. This article explores the structure of Veeam metadata and how to use a Velociraptor artifact to restructure this data.
29/01/2024On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads ...
27/09/2023Legitimate data transfer tools are more and more used by threat actors. During our incident response engagements, we often see the use of several administration tools, including tools for transferring data to SFTP servers or directly to the cloud. These are widely used by attackers as means of exfiltration. The issue of exfiltrated data is one of the most important and hardest topic in the case of ransomware incidents. As the subject has already been widely covered, the aim of this article is to centralize the traces left by most com...
28/08/2023As remote work surges, VPNs gain significance. With employees using their devices in uncontrolled networks, VPNs are certainly now a serious option for attackers to gain an initial foothold on the corporate network. Microsoft offers a VPN solution called Remote Access Service. This article sheds light on Microsoft VPN service's inner workings, and provides forensic aspects to improve incident response and the monitoring of this service.
03/03/2023When a hardware keylogger is found on a computer, you can assume the user account and its secrets are compromised. In this article, we will present how to get access to the data stored on both a basic keylogger and a more advanced model with Wi-Fi access.
05/12/2022A few months after the leak of Babuk source code in September 2021, new ransomware families with very similar capabilities already seem to emerge. During an incident response, Synacktiv's CSIRT detected a new ESX encryptor dubbed PrideLocker that is based on Babuk ESX encryptor, with new additions. This article provides an in-depth analysis of PrideLocker, and a method using IDAPython to decrypt its strings, as well as tips to detect its encryption capabilities.
20/10/2022Legitimate remote access tools are more and more part of threat actors toolbox: in order to gain remote access on targets, keep persistence, deploy malicious payload as well as leveraging trusted connections between an IT provider and its customers. Therefore, detection and incident response teams must have a good grasp on traces left by those tools on the system. In this context, this article aims to collect host forensic evidence of four famous legitimate remote access tools.
13/09/2022A real ninja leaves no traces. However, in the Windows context, a lot of information are disseminated when performing actions and can be leveraged by DFIR analysts. Focusing on remote command execution techniques used by attackers and red-teamers, this article aims to get a collection of artifacts that can collected by analysts.
20/06/2022During a ransomware attack, right after the ransomware was launched, we noticed the use of CCleaner as an anti-forensic tool to cover the attacker’s action. The following article aims to explore some key features of this tool from a forensic perspective. We will see how to identify the items that have been deleted and how they could be recovered. We focused on the free desktop version v6.00.9727.
08/06/2022Thanks to Ready for IT organizers so we can shared a feedback regarding our incident response services (CSIRT Synacktiv) and red team activities. Below is a summary of the intervention.