<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Home on Matt's DFIR blog</title>
<link>https://mgreen27.github.io/</link>
<description>Recent content in Home on Matt's DFIR blog</description>
<generator>Hugo</generator>
<language>en-us</language>
<lastBuildDate>Fri, 01 Nov 2024 00:00:00 +0000</lastBuildDate>
<atom:link href="https://mgreen27.github.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Finding the LNK: Techniques and methodology for advanced analysis</title>
<link>https://mgreen27.github.io/posts/2024/finding_the_lnk/</link>
<pubDate>Fri, 01 Nov 2024 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2024/finding_the_lnk/</guid>
<description>Malicious exploitation of LNK files, commonly known as Windows shortcuts, is a well-established technique used by threat actors for delivery and persistence. While the value of LNK forensics for cyber threat intelligence (CTI) is fairly well-understood, analysts may overlook less well-known data points and miss valuable insights. In this post, we explore the structure of LNK files using Velociraptor. We will walk through each LNK structure and discuss some analysis techniques frequently used on the Rapid7 Labs team.</description>
</item>
<item>
<title>How To Hunt For UEFI Malware</title>
<link>https://mgreen27.github.io/posts/2024/uefi/</link>
<pubDate>Thu, 29 Feb 2024 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2024/uefi/</guid>
<description>UEFI threats have historically been limited in number and mostly implemented by nation state actors as stealthy persistence. However, the recent proliferation of Black Lotus on the dark web, Trickbot enumeration module (late 2022), and Glupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field.</description>
</item>
<item>
<title>DEATHcon2023: Practical DEATH by Velociraptor</title>
<link>https://mgreen27.github.io/projects/deathcon2023-practical-death-by-velociraptor/</link>
<pubDate>Mon, 20 Nov 2023 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/projects/deathcon2023-practical-death-by-velociraptor/</guid>
<description><p><a href="https://www.notion.so/mgreen27Velociraptor-DEATHcon-2023-25d9760af2ac4b419ff39c2a48f7bb2c">
<figure class="">

 <div>
 <img loading="lazy" alt="" src="https://mgreen27.github.io/projects/deathcon2023-practical-death-by-velociraptor/skulls.png" width="728px" height="410px">
 </div>

 
 <div class="caption-container">
 <figcaption> Workshop link </figcaption>
 </div>
 
</figure>
</a></p>
<p>DEATHcon Velociraptor workshop was held November 2023. I covered a practical breakdown of Velociraptor and VQL, incorporated into real world scenarios.</p>
<ol>
<li>Brief introduction to Velociraptor and lab setup</li>
<li>Available data / VQL accessors</li>
<li>VQL Performance and Yara.</li>
<li>ATT&amp;CK Detection use case: RDP patching</li>
<li>UEFI BlackLotus</li>
<li>LNK Analysis</li>
</ol></description>
</item>
<item>
<title>Content Management Like a Boss!</title>
<link>https://mgreen27.github.io/projects/content-management-like-a-boss/</link>
<pubDate>Wed, 13 Sep 2023 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/projects/content-management-like-a-boss/</guid>
<description><p>Content management is one of the most underrated Velociraptor capabilities used by mature users. This talk will walk through some basics of content management, introduce automation and hopefully leave you with actionable ideas on how to do Velociraptor Content like a boss.</p>
<p>
 <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
 <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="allowfullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/DjMAri17-MI?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
 </div>

<em>Presentation</em></p></description>
</item>
<item>
<title>Automating Qakbot decode at scale</title>
<link>https://mgreen27.github.io/posts/2023/qakbot/</link>
<pubDate>Wed, 05 Apr 2023 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2023/qakbot/</guid>
<description>This is a technical post covering practical methodology to extract configuration data from recent Qakbot samples. In this blog, I will provide some background on Qakbot, then walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale.</description>
</item>
<item>
<title>DEATHcon 2022 Velociraptor workshop</title>
<link>https://mgreen27.github.io/projects/deathcon-2022-velociraptor-workshop/</link>
<pubDate>Sat, 05 Nov 2022 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/projects/deathcon-2022-velociraptor-workshop/</guid>
<description><p>DEATHcon Velociraptor workshop was held November 2022. We cover some basic VQL use cases including NTFS, Event Logs, Yara and memory artifacts.</p>
<p>The workshop was implemented with Velociraptor 0.6.6 although the data generation can be applied to any version.</p>
<p><a href="https://gist.github.com/mgreen27/05f95f27f70234ea7242190c5c62a62a">Data generation scripts </a></p>
<p><div id="Container"
 style="padding-bottom:56.25%; position:relative; display:block; width: 100%">
 <iframe id="googleSlideIframe"
 width="100%" height="100%"
 src="https://docs.google.com/presentation/d/1HRIjfPXxSu95tfkyCs7PNqQon1HTeHTz-sQ4-wdWlNA/embed"
 frameborder="0" allowfullscreen=""
 style="position:absolute; top:0; left: 0"></iframe>
</div>

<em>Workshop slides</em></p>
<p>
 <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
 <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="allowfullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/LZYeL3AKXvs?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
 </div>

<em>Workshop introduction</em></p></description>
</item>
<item>
<title>Notebook and VQL - data munging your way to victory!</title>
<link>https://mgreen27.github.io/projects/notebook-and-vql-data-munging-your-way-to-victory/</link>
<pubDate>Sat, 17 Sep 2022 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/projects/notebook-and-vql-data-munging-your-way-to-victory/</guid>
<description><p>Velociraptor notebook is a feature that supercharges analysis and speeds up many components of incident response. New users are often intimidated by advanced VQL and don’t know where to start. This talk aims to shed some light on data manipulation in VQL and provide some practical examples that can be taken away for better artifacts and analysis.</p>
<p><div id="Container"
 style="padding-bottom:56.25%; position:relative; display:block; width: 100%">
 <iframe id="googleSlideIframe"
 width="100%" height="100%"
 src="https://docs.google.com/presentation/d/1Ev1o3nDmTyejOj2RDjiscRvV_SeS0E90ygrlZU0wsig/embed"
 frameborder="0" allowfullscreen=""
 style="position:absolute; top:0; left: 0"></iframe>
</div>

<em>Presentation slides</em></p>
<p>
 <div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
 <iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="allowfullscreen" loading="eager" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube.com/embed/VoO7y65TOsE?autoplay=0&amp;controls=1&amp;end=0&amp;loop=0&amp;mute=0&amp;start=0" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" title="YouTube video"></iframe>
 </div>

<em>Presentation</em></p></description>
</item>
<item>
<title>WMI Event Consumers: what are you missing?</title>
<link>https://mgreen27.github.io/posts/2022/wmi-eventing/</link>
<pubDate>Wed, 12 Jan 2022 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2022/wmi-eventing/</guid>
<description>WMI Eventing is a fairly well known technique in DFIR, however some tools may not provide the coverage you expect. This article covers WMI eventing visibility and detection including custom namespaces.</description>
</item>
<item>
<title>Cobalt Strike Payload Discovery And Data Manipulation In VQL</title>
<link>https://mgreen27.github.io/posts/2021/cobaltstrike_vql/</link>
<pubDate>Tue, 09 Nov 2021 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2021/cobaltstrike_vql/</guid>
<description>Velociraptor’s ability for data manipulation is a core platform capability that drives a lot of the great content we have available in terms of data parsing for artifacts and live analysis. After a recent engagement with less common encoded Cobalt Strike beacons, and finding sharable files on VirusTotal, I thought it would be a good opportunity to walk through some workflow around data manipulation with VQL for analysis. In this post I will walk through some background, collection at scale, and finally talk about processing target files to extract key indicators.</description>
</item>
<item>
<title>Windows IPSEC for endpoint quarantine</title>
<link>https://mgreen27.github.io/posts/2020/ipsec/</link>
<pubDate>Thu, 23 Jul 2020 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2020/ipsec/</guid>
<description>This post is going to talk about using Windows IPSec for a quarantine use case. I'm going to explain the background, how to configure a policy and some of the design decisions as I was initially looking at building an endpoint based containment capability.</description>
</item>
<item>
<title>Local Live Response with Velociraptor ++</title>
<link>https://mgreen27.github.io/posts/2019/local_liveresponse_with_vr/</link>
<pubDate>Sun, 08 Dec 2019 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2019/local_liveresponse_with_vr/</guid>
<description>In this post I'm going to talk about a live response use case leveraging the Velociraptor project worth sharing. Specifically, live response with ancillary collection by third party tools embedded to minimise user impact. As usual, I'm going to provide some background and walk through the steps then share the code.</description>
</item>
<item>
<title>Live response automation with Velociraptor</title>
<link>https://mgreen27.github.io/posts/2019/liveresponse_with_vr/</link>
<pubDate>Sun, 10 Nov 2019 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2019/liveresponse_with_vr/</guid>
<description>This post is going to talk about the Velociraptor project. Specifically, live response and automation I have built for my own engagements. I'm going to provide some background and walk through a proof of concept, then share the code.</description>
</item>
<item>
<title>Endpoint Hunting in an AntiEDR World</title>
<link>https://mgreen27.github.io/projects/endpoint-hunting-in-an-antiedr-world/</link>
<pubDate>Wed, 26 Jun 2019 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/projects/endpoint-hunting-in-an-antiedr-world/</guid>
<description><p>With the proliferation of EDR we have seen attackers at all levels upping their game to bypass brittle (and not so brittle) endpoint detection. This talk showcases the background to EDR technology and some practical real world examples of detection bypasses.</p>
<p><a href="https://github.com/mgreen27/mgreen27.github.io/raw/master/static/talks/2019-06-26-AntiEDR.pdf">
<figure class=" img-small">

 <div>
 <img loading="lazy" alt="" src="https://mgreen27.github.io/projects/endpoint-hunting-in-an-antiedr-world/hunting.png#small" width="439px" height="436px">
 </div>

 
 <div class="caption-container">
 <figcaption> Download slides </figcaption>
 </div>
 
</figure>
</a></p>
<p>Originally presented at a local SANS and community event (modified with additional presentations since).</p></description>
</item>
<item>
<title>O365: Hidden InboxRules</title>
<link>https://mgreen27.github.io/posts/2019/o365_hiddenrules/</link>
<pubDate>Sun, 09 Jun 2019 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2019/o365_hiddenrules/</guid>
<description>In this post I'm going to talk about Office365 hidden inbox rules. I'm going to give some background, show rule modification, and talk about detection methodology.</description>
</item>
<item>
<title>Binary Rename 2</title>
<link>https://mgreen27.github.io/posts/2019/binaryrename2/</link>
<pubDate>Wed, 29 May 2019 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2019/binaryrename2/</guid>
<description>This is my second Binary Rename post. In this post I am focusing on static detection, that is, assessing files on disk. I am going to describe differences between both Yara and Powershell based detections, then share the code.</description>
</item>
<item>
<title>Blue Team Hacks - Binary Rename</title>
<link>https://mgreen27.github.io/posts/2019/binaryrename/</link>
<pubDate>Sun, 12 May 2019 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2019/binaryrename/</guid>
<description>In this post I thought I would share an interesting proof of concept I developed to detect Binary Rename of commonly abused binaries. I'm going to describe the detection, its limitations and share the code.</description>
</item>
<item>
<title>Live Response Script Builder</title>
<link>https://mgreen27.github.io/posts/2019/invoke-liveresponse_builder/</link>
<pubDate>Sun, 07 Apr 2019 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2019/invoke-liveresponse_builder/</guid>
<description>In this post I thought I would share some practical new features implemented in a recent refactor of Invoke-LiveResponse. These features enable fast and modular generation of live response scripts compatible with legacy Powershell. I'm going to walk through the background then some of the new features and script creation.</description>
</item>
<item>
<title>Powershell Download Cradles</title>
<link>https://mgreen27.github.io/posts/2018/downloadcradle/</link>
<pubDate>Mon, 02 Apr 2018 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2018/downloadcradle/</guid>
<description>In this post I thought I would share some information on Powershell download cradles I put together recently. I’m going to provide an overview, highlighting areas I found interesting thinking about detection from both network and endpoint views.</description>
</item>
<item>
<title>Sharing my BITS</title>
<link>https://mgreen27.github.io/posts/2018/sharing_my_bits/</link>
<pubDate>Sun, 18 Feb 2018 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2018/sharing_my_bits/</guid>
<description>I thought I would share some research on Microsoft BITS after a recent tool released by the French ANSSI to parse BITS job artefacts. This tool has sparked my interest due to previous research on download cradles and an interest in the client side forensics. I’m going to give a brief background, talk about some nuances in collection types and provide some background information when I was thinking about detection.</description>
</item>
<item>
<title>Invoke-LiveResponse</title>
<link>https://mgreen27.github.io/posts/2018/invoke-liveresponse/</link>
<pubDate>Sun, 14 Jan 2018 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2018/invoke-liveresponse/</guid>
<description>In this post, I am going to talk about a Powershell module I have authored as a simple implementation for live response and file collections over Powershell remoting. The initial use case was considered after an endpoint vendor appliance failed and capability for raw collections was limited. The module uses Powerforensics over WinRM, and after some interest, I think is worth sharing.</description>
</item>
<item>
<title>Invoke-LiveResponse</title>
<link>https://mgreen27.github.io/projects/invoke-liveresponse/</link>
<pubDate>Sun, 14 Jan 2018 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/projects/invoke-liveresponse/</guid>
<description><p><a href="https://github.com/mgreen27/Invoke-LiveResponse">Invoke-LiveResponse</a> is a Powershell module I put together to enable raw disk collections over WinRM and local script execution. Leveraging Powerforensics via a custom Powershell function it enabled collections of key forensic artefacts and stdout of script results typical for live response tasks.</p>
<p><a href="https://github.com/mgreen27/Invoke-LiveResponse">
<figure class="">

 <div>
 <img loading="lazy" alt="" src="https://mgreen27.github.io/projects/invoke-liveresponse/powershell.png" width="1229px" height="612px">
 </div>

 
 <div class="caption-container">
 <figcaption> See Invoke-LiveResponse on Github </figcaption>
 </div>
 
</figure>
</a></p></description>
</item>
<item>
<title>Blue Team Hacks - WMI Eventing</title>
<link>https://mgreen27.github.io/posts/2017/wmi_eventing/</link>
<pubDate>Mon, 03 Apr 2017 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/posts/2017/wmi_eventing/</guid>
<description>In this post I am going to cover a little Windows Management Instrumentation (WMI), and in particular an interesting use case for potential use in older environments with Process Monitoring gaps. Thinking about this gap led to me looking at WMI starting as an alternate near real time detection fix, and during feature investigation ended with another technically novel solution I thought was interesting enough to share.</description>
</item>
<item>
<title>PowerShell Remoting and Incident Response</title>
<link>https://mgreen27.github.io/posts/2017/powershell_remoting_ir/</link>
<pubDate>Thu, 12 Jan 2017 12:00:00 +1000</pubDate>
<guid>https://mgreen27.github.io/posts/2017/powershell_remoting_ir/</guid>
<description>PowerShell is quickly becoming a tool of choice for many IT Operations staff and Security Practitioners alike. This post is a quick overview of using Windows Remote Management and PowerShell for Incident Response. I will also provide some proof of concept setup instructions and general themes for those interested in further research on this topic.</description>
</item>
<item>
<title>About</title>
<link>https://mgreen27.github.io/about/</link>
<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
<guid>https://mgreen27.github.io/about/</guid>
<description><p>I am a DFIR and threat detection guy from Sydney, Australia. Most of my focus is on Windows internals based DFIR and various threat intelligence research; however, I also have an interest in coding, reverse engineering and other topics.</p>
<p>Feel free to reach out if you want to collaborate, have any questions or anything to add to a post.
The best contact is via X or LinkedIn as I have direct messages open.</p></description>
</item>
</channel>
</rss>