Detecting DCSync and DCShadow Network Traffic

This blog post on detecting Mimikatz' DCSync and DCShadow network traffic accompanies the SANS webinar "Detecting DCSync and DCShadow Network Traffic". Intro: Mimikatz provides two commands to interact with a Windows Domain Controller and extract or alter data from the Active Directory database. These two commands are dcsync and dcshadow. The dcsync command can be used, …

PowerShell Inside a Certificate? – Part 3

In the first part of this series, we explained the internal structure of certificates and how this knowledge can help us detect fake certificates. In this part, we provide different rules that you can use in your organization to detect these certificates. YARA: This is the YARA rule that started this research: This YARA …

PowerShell Inside a Certificate? – Part 2

In our previous blog post, we developed a method to detect certificate files that do not contain a real certificate. Trojanized certificates like these are often not detected by AV and IDS. Although we found all kinds of payloads, fake certificates containing a Windows executable appear to be the most common. In this post we will …

PowerShell Inside a Certificate? – Part 1

With the help of a specifically crafted YARA rule developed by NVISO analysts, we found multiple certificate files (.crt) that do not contain a certificate, but instead a malicious PowerShell script. In this blog post, we explain how we crafted this YARA rule. Certificates: Certificate files in Windows can have different extensions, like .cer and …

Using binsnitch.py to detect files touched by malware

Yesterday, we released binsnitch.py, a tool you can use to detect unwanted changes to the file system. The tool and its documentation are available here: https://github.com/NVISO-BE/binsnitch. Binsnitch can be used to detect silent (unwanted) changes to files on your system. It will scan a given directory recursively for files and keep track of any changes it detects, based …

Developing complex Suricata rules with Lua – part 2

In part 1 we showed a Lua program that lets Suricata detect PDF documents with obfuscated /JavaScript names. In this second part we provide some tips to streamline the development of such programs. When it comes to developing Lua programs, Suricata is not the best development environment. The "write code & test" cycle with Suricata can …