Publications

Using Veeam metadata for efficient extraction of Backup artefacts (2/3)

30/08/2024
CSIRT
In a previous blog post, we explored Veeam Backup & Replication's "backup chain metadata" files and how to parse them in a comprehensive Velociraptor artifact. In this article, we complement our findings with metadata embedded directly in VBR's Storage files. Then, we create a Velociraptor pipeline to remotely access relevant forensic artefacts in backed-up data. This aims to enable DFIR analysts to extend the time horizon in their investigations using Veeam backups and Velociraptor, while minimizing network bandwidth usage and extensi...

LAPSUS$ is dead, long live HexaLocker?

18/08/2024
CSIRT
The LAPSUS$ threat group has been known since 2021 for spear phishing, data theft, and extortion against large companies (e.g., Microsoft, Nvidia, Uber). Although evidence of destruction methods was reported, there was no known use of ransomware. In June 2024, LAPSUS$ announced its closure. However, two months later, a new ransomware called HexaLocker was advertised on Telegram channels. Its "only real" admin and probable developer is ZZART3XX, one of the LAPSUS$ administrators. This article will dissect the HexaLocker ransomware samp...

VMware ESXi Forensic with Velociraptor

28/03/2024
CSIRT
If you are a regular Velociraptor user, you'll no doubt have noticed the introduction of new features since release 0.7.1 that extend its forensic capabilities on various systems. If not, this article will show you how to leverage those new features in order to perform forensic analysis of a VMware ESXi hypervisor.

Using Veeam metadata for efficient extraction of Backup artefacts (1/3)

08/02/2024
CSIRT
Veeam Backup & Replication is a widely used software suite for creating and managing backups of virtual, physical and cloud machines. In a remote incident response, where efficient data access is key, Veeam metadata files can be used to list and search for Backup objects. This article explores the structure of Veeam metadata and how to use a Velociraptor artifact to restructure this data.

KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises

29/01/2024
CSIRT
On 10th January 2024, Ivanti disclosed two critical zero-day vulnerabilities affecting its Connect Secure VPN product, CVE-2024-21887 and CVE-2023-46805, which allow unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads ...

Legitimate exfiltration tools : summary and detection for incident response and threat hunting

27/09/2023
CSIRT
Legitimate data transfer tools are increasingly used by threat actors. During our incident response engagements, we often see the use of several administration tools, including tools for transferring data to SFTP servers or directly to the cloud. These are widely used by attackers as a means of exfiltration. The issue of exfiltrated data is one of the most important and hardest topics in ransomware incidents. As the subject has already been widely covered, the aim of this article is to centralize the traces left by most com...

Forensic Aspects of Microsoft Remote Access VPN

28/08/2023
CSIRT
As remote work surges, VPNs gain significance. With employees using their devices in uncontrolled networks, VPNs are certainly now a serious option for attackers to gain an initial foothold on the corporate network. Microsoft offers a VPN solution called Remote Access Service. This article sheds light on the inner workings of Microsoft's VPN service and covers forensic aspects to improve incident response and the monitoring of this service.

Hardware investigation of wireless keyloggers

03/03/2023
CSIRT
Hardware
When a hardware keylogger is found on a computer, you can assume the user account and its secrets are compromised. In this article, we will present how to get access to the data stored on both a basic keylogger and a more advanced model with Wi-Fi access.

PrideLocker - a new fork of Babuk ESX encryptor

05/12/2022
CSIRT
A few months after the leak of the Babuk source code in September 2021, new ransomware families with very similar capabilities already seem to be emerging. During an incident response, Synacktiv's CSIRT detected a new ESX encryptor dubbed PrideLocker that is based on the Babuk ESX encryptor, with new additions. This article provides an in-depth analysis of PrideLocker, and a method using IDAPython to decrypt its strings, as well as tips to detect its encryption capabilities.

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

20/10/2022
CSIRT
Legitimate remote access tools are increasingly part of the threat actor's toolbox, used to gain remote access to targets, maintain persistence, deploy malicious payloads and leverage trusted connections between an IT provider and its customers. Therefore, detection and incident response teams must have a good grasp of the traces left by those tools on the system. In this context, this article aims to collect host forensic evidence of four famous legitimate remote access tools.