Research Blog

Insights and research from our global cybersecurity team.

Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 

Max Groot, Ruud van Luijk. TL;DR: A malware sample dubbed ‘Saitama’ was recently uncovered by security firm Malwarebytes in a weaponized document, possibly targeted at the Jordanian government. The Saitama implant uses DNS as its sole command-and-control channel and relies on long sleep times and (sub)domain randomization to evade detection. As no server-side […]


Detecting anomalous Vectored Exception Handlers on Windows

We document a method of enumerating which processes are using Vectored Exception Handling on Windows and which, if any, of the registered handlers are anomalous.


Detecting Karakurt – an extortion focused threat actor

NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. 

During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.


Log4Shell: Reconnaissance and post exploitation network detection

Note: This blog post will be live-updated with new information. NCC Group’s RIFT intends to publish PCAPs of different exploitation methods in the near future (last updated December 15th at 17:30 UTC). tl;dr In the wake of the publication of CVE-2021-44228, CVE-2021-45046 and CVE-2021-44832 (a.k.a. Log4Shell), NCC Group’s RIFT immediately started investigating the vulnerability in […]


Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm

tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. The model uses the Half-Space-Trees algorithm and gives our security operations center (SOC) teams the ability to detect suspicious behavior in real time, even when network traffic is encrypted. The prevalence of encrypted traffic As a company that provides Managed Network […]


Cracking RDP NLA Supplied Credentials for Threat Intelligence

In this post, we discuss our work in cracking the hashed passwords being sent over NLA connections to ascertain those supplied by threat actors.


Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments

NCC Group is offering a new fully Managed Detection and Response (MDR) service for our customers in Azure. This blog post gives a behind the scenes view of some of the automated processes involved in setting up new environments and managing custom analytics for each customer, including details about our scripting and automated build and […]


Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes

tl;dr Incremental learning is an extremely useful machine learning paradigm for deriving insight from cyber security datasets. This post provides a simple example involving JA3 hashes, showing how some of the foundational algorithms that enable incremental learning can be applied to novelty detection (the first time something has happened) and outlier detection (rare events) […]
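The novelty-versus-outlier distinction the tl;dr draws, as an added example that is not the post's own code (the post uses the River library; this example uses plain running counters so it runs offline with the standard library only). The JA3 values, the Zeek ssl.log excerpt, the warm-up length and the rarity threshold are all constructed for illustration:

```python
"""Added example (not from the NCC Group post): incremental novelty and outlier
detection over JA3 hashes pulled from Zeek ssl.log records.

Novelty = the first time a JA3 hash appears in the stream.
Outlier = after a warm-up period, the hash's running share of all observed
          connections is below a small threshold (a rare client fingerprint).
Both decisions are made online, one record at a time, with only running
counters as state, which is what makes the approach incremental.
"""
from collections import Counter
from typing import Dict, List

# Constructed JA3 values (32 hex chars like a real JA3 MD5, but made up).
JA3_COMMON_A = "a0e9f5d64349fb13191bc781f81f42e1"
JA3_COMMON_B = "b2a0e5c4f1d3a9c8e7f6b5a4d3c2b1a0"
JA3_RARE_C = "cafef00d1234567890abcdef01234567"

# Constructed order of client fingerprints seen by a sensor: two common
# clients, then a one-off fingerprint late in the stream.
JA3_STREAM: List[str] = (
    [JA3_COMMON_A] * 6 + [JA3_COMMON_B] * 4 + [JA3_COMMON_A] * 5
    + [JA3_RARE_C] + [JA3_COMMON_B] * 2 + [JA3_COMMON_A] * 2
)

# Constructed Zeek ssl.log excerpt in TSV form with a #fields header.
ZEEK_SSL_LOG = "\n".join(
    ["#separator \\x09", "#fields\tts\tid.orig_h\tid.resp_h\tja3"]
    + [
        f"{1700000000 + i}.000000\t10.0.0.{(i % 3) + 1}\t203.0.113.5\t{ja3}"
        for i, ja3 in enumerate(JA3_STREAM)
    ]
)


def parse_zeek_ssl(text: str) -> List[Dict[str, str]]:
    """Parse Zeek TSV output using its #fields header; skip other '#' lines
    and records with no JA3 (Zeek writes '-' for an unset field)."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rec = dict(zip(fields, line.split("\t")))
            if rec.get("ja3", "-") != "-":
                records.append(rec)
    return records


class Ja3StreamDetector:
    """Online detector: state is just a Counter of hashes and a total."""

    def __init__(self, warmup: int = 10, rare_fraction: float = 0.1):
        self.counts: Counter = Counter()
        self.total = 0
        self.warmup = warmup              # records to see before judging rarity
        self.rare_fraction = rare_fraction  # share below which a hash is "rare"

    def observe(self, ja3: str) -> Dict[str, bool]:
        """Update state with one record and return both decisions for it."""
        novelty = ja3 not in self.counts
        self.counts[ja3] += 1
        self.total += 1
        outlier = (
            self.total > self.warmup
            and self.counts[ja3] / self.total < self.rare_fraction
        )
        return {"novelty": novelty, "outlier": outlier}


def run_detection(log_text: str, warmup: int = 10,
                  rare_fraction: float = 0.1) -> List[Dict]:
    """Stream parsed records through the detector; return the records that
    raised at least one flag, in stream order."""
    detector = Ja3StreamDetector(warmup, rare_fraction)
    alerts: List[Dict] = []
    for index, rec in enumerate(parse_zeek_ssl(log_text)):
        flags = detector.observe(rec["ja3"])
        if flags["novelty"] or flags["outlier"]:
            alerts.append({"index": index, "orig_h": rec["id.orig_h"],
                           "ja3": rec["ja3"], **flags})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(ZEEK_SSL_LOG):
        print(alert)
```

In the constructed stream the two common fingerprints are flagged once each as novelties during warm-up, while the one-off fingerprint near the end is flagged as both a novelty and an outlier (1 of 16 records, below the 10% threshold). A real deployment would key the counters per sensor or per subnet and decay old counts so that a fingerprint that stops appearing does not stay "common" forever.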


Detecting Rclone – An Effective Tool for Exfiltration

NCC Group CIRT has responded to a large number of ransomware cases in which the open source tool Rclone was frequently used for data exfiltration. We provide some techniques for detecting it.


Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads

We prototyped a Windows Installer Package canary to help detect certain first-stage tradecraft. The ultimate goal is to alert on threat actors that target security products through uninstallation.