Stephan Berger

@malmoeb@infosec.exchange

As I'm about to present about Linux Rootkits at the 10th edition of EuskalHack (🎉), here’s a nifty trick to detect a userland rootkit that tries to hide its presence by blocking access to /etc/ld.so.preload.

We are mounting the filesystem with debugfs (an interactive file system debugger that can be used to examine and change the state of an ext2, ext3, or ext4 file system), and suddenly we see the malicious entry in the /etc/ld.so.preload file 😎
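The debugfs comparison from the post, as an added example that is not the author's own code: it reads /etc/ld.so.preload once through the normal VFS path and once via debugfs straight from the block device, and reports the entries only the raw read shows. The device path is an assumption; run it as root with the root filesystem device as the first argument, or with no argument to exercise the constructed sample.

```python
"""Added example (not the author's code): read /etc/ld.so.preload once through
the kernel VFS and once with debugfs straight from the ext2/3/4 block device,
then report the entries only the raw read shows. A userland (LD_PRELOAD) rootkit
can hook open()/read() on the first path, but not the on-disk blocks debugfs parses."""
import subprocess
import sys

PRELOAD = "/etc/ld.so.preload"


def read_via_vfs(path=PRELOAD):
    """Normal read: the view a userland rootkit can filter or block."""
    try:
        with open(path, "rb") as fh:
            return fh.read().decode(errors="replace")
    except OSError:  # missing, or access blocked by the rootkit
        return ""


def read_via_debugfs(device, path=PRELOAD):
    """Raw read (needs root); `device` is the root filesystem device, e.g.
    /dev/sda1 (assumption: adjust to the host being examined)."""
    out = subprocess.run(["debugfs", "-R", f"cat {path}", device],
                         capture_output=True, text=True, check=False)
    return out.stdout


def preload_entries(text):
    """Whitespace-separated library paths; anything after '#' is ignored."""
    entries = set()
    for line in text.splitlines():
        entries.update(line.split("#", 1)[0].split())
    return entries


def hidden_preload_entries(vfs_text, raw_text):
    """Libraries present on disk but invisible through the VFS: evidence that
    something is tampering with reads of ld.so.preload."""
    return sorted(preload_entries(raw_text) - preload_entries(vfs_text))


# Constructed sample: the rootkit filters its own line out of the normal read.
VFS_SAMPLE = "/usr/lib/libgood.so\n"
RAW_SAMPLE = "/usr/lib/libgood.so\n/usr/lib/libhide.so  # injected by the rootkit\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 check_preload.py /dev/sda1
        hidden = hidden_preload_entries(read_via_vfs(), read_via_debugfs(sys.argv[1]))
    else:
        hidden = hidden_preload_entries(VFS_SAMPLE, RAW_SAMPLE)
    for lib in hidden:
        print("HIDDEN preload entry:", lib)
```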

I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed).

The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.

However, as soon as I tried to copy the dump to my Kali machine, Defender jumped into action, prohibited access to the LSASS dump, and removed the file to the quarantine. And here is the catch.

I browsed to the following folder:
C:\ProgramData\Microsoft\Windows Defender\Quarantine

In the ResourceData folder, you will find different sub-folders (or not, if Defender never quarantined something on that host), each folder containing a quarantine file.

The files are encrypted with a static key that leaked years ago, and this 10-year-old code snippet is still sufficient to decrypt the files back to their original state. [2]

Long story short: I copied the encrypted file to my Kali machine, decrypted it using the Python code from [2], and extracted the credentials and hashes with pypykatz. [3]

Classic example of "No, it's not enough when your AV blocked or removed a threat". As you can see, an attacker can easily get the LSASS dump, even if Defender removed it from the disk ¯\_(ツ)_/¯

[1] https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
[2] https://raw.githubusercontent.com/malmoeb/DFIR/refs/heads/master/quarantine.py
[3] https://github.com/skelsec/pypykatz

The platform Mega, which is popular among attackers for data exfiltration ("Online privacy for everyone"), also provides software for file transfer to the platform. As one of our customers found out the hard way, the software does not use a high port for data transmission. Instead, it utilizes standard web ports (80, 443, 8080) for data transfer.

Therefore, simply blocking high ports on the firewall is not sufficient to prevent potential unwanted data leakage. If possible, content inspection should be enabled on the proxy or firewall to block categories such as online storage, or at least restrict access to certain user groups.

"But in Q1, we also saw a new social engineering lure where the attackers started using fake website cookie banners to spread malware.

A cookie banner, which is required for GDPR compliance, is a pop-up message displayed on a website to inform users about the use of cookies and other tracking technologies. Since GDPR came to effect in 2018, these cookie banners have become commonplace on websites and are now a familiar part of our browsing experience. Attackers are exploiting users’ habit of “clicking through” cookie banners to spread malware.

If the user clicks on the “Accept” button, a JavaScript file is downloaded. The cookie banner imitates a loading icon and instructs the user to click on the downloaded file to accept the cookies. Since most users simply want to visit the website and get rid of the banner as quickly as possible, this social engineering technique is highly effective, especially when combined with other tactics, such as using lures that exploit the target’s sense of urgency or curiosity.

If opened, the JavaScript file downloads two PowerShell scripts in the background and runs them."

Source: June 2025 edition of the HP Wolf Security Threat Insights Report

Link: https://threatresearch.ext.hp.com/wp-content/uploads/2025/06/HP_Wolf_Security_Threat_Insights_Report_June_2025.pdf

It doesn't always require a hacked mailbox, for example, to send invoices with a fraudulent International Bank Account Number (IBAN). The following (modified) example from a real investigation clearly demonstrates how internal staff must also be trained to defend against this type of attack.

In this case, the HR representative changed an employee’s bank details, even though the email requesting the change came from an external source, not from within the company.

The fraud was only discovered a week later when the affected employee had still not received their salary.

Phishing awareness is important, but key personnel in departments such as Finance or HR also need dedicated training, particularly when it comes to handling requests to update banking information.

While investigating a compromised network, we found suspicious PowerShell code that ran on a domain controller. The script downloaded a file called chrome_installer.exe and installed it.

We checked the file and found it was signed by Google, so it’s a genuine Chrome installer. We searched for snippets from the code online and found the exact same script on a website titled "Install Chrome on Windows Server."

So basically, a (domain) administrator copied some random PowerShell script from a random site on the Internet and ran it - on a domain controller!

What could possibly go wrong? 🤯

My team colleague, Florian Scheiber, investigated the compromise of a server that had exposed the Remote Desktop Services (RDS) to the Internet. The attackers were able to brute-force an administrator account and subsequently stole data from the server before encrypting it.

Perimeter security - as already mentioned several times - is an indispensable part of a security dispositive.

On the one hand, external port scans could show open ports; on the other hand, as in the screenshot, automated scripts can be used to show open ports in an Azure tenant: https://github.com/airtank20/PoSH/blob/master/CheckforOpenAzurePorts.ps1

The resulting visibility allows us to set up appropriate protective measures, multi-factor, strong passwords, targeted monitoring, or not expose the server or the ports to the Internet at all if it is a misconfiguration.
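An added check in the spirit of the linked script (this is not CheckforOpenAzurePorts.ps1 or any of its code): it evaluates each NSG's inbound rules in priority order against the JSON that `az network nsg list -o json` prints, and reports ports such as RDP/3389 that an Internet source would reach. The key names and the constructed sample are assumptions about the CLI's output shape.

```python
"""Added example (not the linked PowerShell script): evaluate each Azure NSG's
inbound rules in priority order and report which NSGs let an Internet source
reach a port such as RDP/3389. Input: JSON from `az network nsg list -o json`
(assumed camelCase keys as the Azure CLI emits them); no input uses the sample."""
import json, sys

INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "0.0.0.0"}

def port_in_range(port, spec):
    """'*' matches every port, '3000-4000' is inclusive, '3389' is exact."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, port):
    """Does the rule apply to inbound TCP from the Internet to `port`?"""
    if rule.get("direction") != "Inbound" or rule.get("protocol", "*") not in ("*", "Tcp"):
        return False
    sources = set(rule.get("sourceAddressPrefixes") or [])
    sources.add(rule.get("sourceAddressPrefix") or "")
    ports = list(rule.get("destinationPortRanges") or [])
    ports.append(rule.get("destinationPortRange") or "")
    return bool(sources & INTERNET_SOURCES) and any(port_in_range(port, p) for p in ports if p)

def internet_exposed(nsg, port):
    """First matching rule wins (lowest priority number); default rules come last."""
    rules = nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, port):
            return rule.get("access") == "Allow"
    return False  # nothing matched: Azure's implicit DenyAllInBound

def exposed_nsgs(nsgs, ports=(3389, 22, 445)):
    return [(n["name"], p) for n in nsgs for p in ports if internet_exposed(n, p)]

# Constructed sample in the shape of the CLI output (not data from any tenant).
SAMPLE = [
    {"name": "rds-nsg", "securityRules": [
        {"name": "AllowRDP", "priority": 300, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}]},
    {"name": "locked-nsg", "securityRules": [
        {"name": "DenyRDP", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
        {"name": "AllowAll", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}]}]

if __name__ == "__main__":
    nsgs = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, port in exposed_nsgs(nsgs):
        print(f"{name}: port {port} reachable from the Internet")
```

Pipe the real inventory in with `az network nsg list -o json | python3 nsg_exposure.py` (the script name is an assumption).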


I'm currently working on a new blog post about Password Filter and Network Provider DLLs.

As part of my research, I've been digging into existing resources, and despite the common sentiment that "so much has already been written about this," we recently came across text files containing cleartext passwords, collected by NPPSpy (see image - all passwords and information are, of course, redacted).

Soooo... maybe we haven’t written enough about this after all. It’s 2025, and this technique is still very much alive and kicking.

An attacker installed UltraVNC as a backdoor on a domain controller during a recent incident response engagement. During our analysis, we found that the attacker logged in from an IP address belonging to M247 (see image).

Many of these RMM tools (and file transfer tools, too) are generating log files that we can leverage in our investigations. Here is the relevant log file for UltraVNC:
C:\ProgramData\Packages\uvnc bvba\UltraVNC\mslogon.log

JPCERT has published a very good and detailed presentation with more artifacts and information:
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf

This week, I mentioned a renamed instance of MeshAgent (RMM). While reviewing some of our team's older incident reports yesterday, I came across another disguised MeshAgent that we had uncovered in a past case:

"C:\Program Files (x86)\Windows NT\nvspbind\nvspbind.exe" --meshServiceName="nvspbind"

It was masquerading as a legitimate virtualization-related binary.

Interestingly, Huntress published a blog post in November 2024 describing a very similar tactic [1]. In their case, not only was the MeshAgent binary disguised, but the attacker had also rebranded the server-side control panel to match the look and naming style of the virtualization software (see image).

Yet another clever trick to evade detection - and potentially fool an analyst or two. 🤓

[1] https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
