At this year's #DEATHCon I was fortunate enough to present my workshop on #Kusto graph semantics. Now I release it for free to everybody.

#KQL #Security #Kraph

https://cloudbrothers.info/en/workshop-kusto-graph-semantics-explained/

Workshop: Kusto Graph Semantics Explained

Ho, ho, ho… In Germany on the 6th of December we celebrate “Nikolaus”. Kids put out one shoe the night before in the hopes that, in the morning, it is filled with nuts, mandarin oranges, chocolate or even small gifts. Lucky for you, it seems that you also put out your shoe last night, because I have a gift for you as well. But please don’t confuse me with Nikolaus ;)

Didn't make it to #DeathCon? Not to worry! 😅 You can catch Carla Garcia's awesome presentation on "How to Use #Graylog as a Home Lab", right here.
🏠 🖥️👇

In this video Carla walks you through:
1️⃣ Installing Graylog
2️⃣ Installing #OpenSearch
3️⃣ Installing Graylog Sidecar for #Windows

Capture your Windows Logs!!
https://www.youtube.com/watch?v=rDSjD_IBdy8

@OpenSearchProject

How to use Graylog as a HomeLab


What a beautiful challenge coin.

Thanks to the whole @DEATHCon2024 team for having me, to the volunteers for creating an awesome lab, and to the other workshop leaders for their time.

#DEATHCon

Don't be fooled by polished #PR texts: (Kan-) #Ye West is an #antisemitic scumbag and an enormous amplifier for nonsensical #conspiracytheories.
He only started to feel sorry about his hateful #deathcon rant when checking the balance of his bank account, realizing how much money he's lost with his unhinged ramblings.

Go get some professional help, Ye. Then get back with real remorse and try again.
PS: What is "go fuck yourself" in Hebrew? Asking for Ye know whom...
https://www.huffpost.com/entry/kanye-west-apology-antisemitism_n_658beb5de4b014ec45a2c07e

Kanye West Apologizes To Jewish Community With Post In Hebrew

The rapper, now known as Ye, issued the apology after going on yet another antisemitic tirade.

Hanging out with everybody at #DEATHCon Amsterdam was super fun. I now have so many topics to research just from the conversations we've had, not to mention I barely started doing the amazing workshops!

🦖Day 62 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]Windows[.]System[.]VAD

Author: @mgreen27

Link: https://docs.velociraptor.app/exchange/artifacts/pages/windows/system/vad

----

This artifact enables enumeration of process memory sections via the Virtual Address Descriptor (VAD). The VAD is used by the Windows memory manager to describe allocated process memory ranges.

With this artifact, we can highlight suspicious process memory sections.

----

This is a useful tool to have when trying to detect C2/process injection/hollowing, such as that performed by Cobalt Strike or other platforms/tools, especially where sections are unmapped and/or have certain permissions.

----

We might first use something like Windows[.]Detection[.]YARA[.]Process in a hunt to cast a wide net.

https://docs.velociraptor.app/artifact_references/pages/windows.detection.yara.process/

----

From the results, we can see the MSBuild process is listed as a match for a Cobalt Strike YARA rule.

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility, compile inline, and bypass application control defenses.

https://attack.mitre.org/techniques/T1127/001/

----

We can go a step further and dig into memory sections by leveraging the 'Windows[.]System[.]VAD' artifact.

If we specify a process regex of 'msbuild', and choose to highlight unmapped sections with RWX permissions, again using the Cobalt Strike YARA rule, we have a match.

----

The following information is included in the results:

- Process create time
- PID
- Name
- Mapping name
- Address range
- Protection
- SectionSize
- YARA match
- Process chain 🦾
- Section dump information

----

If we are confident we are looking at Cobalt Strike, we can use the 'Windows[.]Carving[.]CobaltStrike' artifact to extract its configuration.

https://docs.velociraptor.app/artifact_references/pages/windows.carving.cobaltstrike/

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

Also, check out the links below!

Cobalt Strike and MSBuild:
https://blog.talosintelligence.com/building-bypass-with-msbuild/

Matt Green's #DEATHCON 2022 Velociraptor Workshop:
https://mgreen27.github.io/projects/DEATHcon2022/

#CobaltStrike
#DFIR
#IncidentResponse
#Infosec
#ThreatHunting
#YARA
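The triage logic the thread above describes (filter by process name, keep only unmapped sections, keep only RWX protection, then report the process chain), as an added example that is not part of the original post and not Velociraptor's or Matt Green's code. It decodes the Windows PAGE_* protection constants from winnt.h, adds a cheap check for a PE header at the start of an unmapped executable section (a common footprint of reflectively loaded payloads), and walks a parent map to rebuild the chain. Every record, PID and address below is constructed sample data, not real artifact output.

```python
"""VAD-style triage of process memory sections: unmapped + writable/executable.

Added example, not Velociraptor code. All sample records are constructed.
"""
import re
from dataclasses import dataclass

# Memory protection constants from winnt.h. The low byte is the base
# protection; higher bits are modifiers such as PAGE_GUARD.
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100

PROTECTION_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = frozenset({PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY})


@dataclass
class VadSection:
    pid: int
    name: str           # process image name
    mapping_name: str   # backing file; empty string means the section is unmapped
    start: int
    end: int
    protection: int
    content: bytes = b""  # first bytes of the section, if they were read


def decode_protection(value: int) -> str:
    """Render a PAGE_* value as text, e.g. 0x140 -> PAGE_EXECUTE_READWRITE|PAGE_GUARD."""
    base = value & 0xFF
    text = PROTECTION_NAMES.get(base, f"UNKNOWN(0x{base:02x})")
    if value & PAGE_GUARD:
        text += "|PAGE_GUARD"
    return text


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def process_chain(pid: int, parents: dict, names: dict) -> list:
    """Walk the parent map upwards; stops on an unknown parent or a PID cycle."""
    chain, seen = [], set()
    while pid in names and pid not in seen:
        seen.add(pid)
        chain.append(f"{names[pid]}({pid})")
        pid = parents.get(pid)
    return chain


def suspicious_sections(sections, process_regex, parents, names,
                        protections=WRITABLE_EXECUTABLE, require_unmapped=True):
    """Apply the hunt filters: process regex, unmapped only, RWX-type protection."""
    rx = re.compile(process_regex, re.IGNORECASE)
    findings = []
    for s in sections:
        if not rx.search(s.name):
            continue
        if require_unmapped and s.mapping_name:
            continue
        if (s.protection & 0xFF) not in protections:
            continue
        findings.append({
            "pid": s.pid, "name": s.name,
            "mapping_name": s.mapping_name or "<unmapped>",
            "range": f"0x{s.start:016x}-0x{s.end:016x}",
            "protection": decode_protection(s.protection),
            "section_size": s.end - s.start,
            "pe_header": looks_like_pe(s.content),
            "process_chain": " <- ".join(process_chain(s.pid, parents, names)),
        })
    return findings


# Constructed sample data: a minimal MZ/PE header and a few VAD records.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 0x3C
SAMPLE_NAMES = {2200: "explorer.exe", 3880: "cmd.exe", 4120: "msbuild.exe"}
SAMPLE_PARENTS = {4120: 3880, 3880: 2200}  # explorer.exe has no known parent here
SAMPLE_SECTIONS = [
    VadSection(4120, "msbuild.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
               0x7FF61C000000, 0x7FF61C050000, PAGE_EXECUTE_READ),         # mapped image, benign
    VadSection(4120, "msbuild.exe", "", 0x1E3F8A00000, 0x1E3F8A45000,
               PAGE_EXECUTE_READWRITE, FAKE_PE),                            # unmapped RWX with PE header
    VadSection(4120, "msbuild.exe", "", 0x1E3F8B00000, 0x1E3F8B10000, PAGE_READWRITE),  # plain heap
    VadSection(2200, "explorer.exe", "", 0x24C11200000, 0x24C11201000, PAGE_EXECUTE_READWRITE),
]

if __name__ == "__main__":
    for hit in suspicious_sections(SAMPLE_SECTIONS, r"msbuild", SAMPLE_PARENTS, SAMPLE_NAMES):
        print(hit)
```

Widening `process_regex` to `.` (or dropping `require_unmapped`) casts the wider net the thread starts with; the explorer.exe record shows why a scoped regex matters, since unmapped RWX regions also occur in legitimate JIT-heavy processes and need the process context before they are worth a section dump.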