Publications

Legitimate RATs: a comprehensive forensic analysis of the usual suspects

20/10/2022 Legitimate remote access tools are more and more part of threat actors toolbox: in order to gain remote access on targets, keep persistence, deploy malicious payload as well as leveraging trusted connections between an IT provider and its customers. Therefore, detection and incident response teams must have a good grasp on traces left by those tools on the system. In this context, this article aims to collect host forensic evidence of four famous legitimate remote access tools.

Traces of Windows remote command execution

13/09/2022 A real ninja leaves no traces. However, in the Windows context, a lot of information are disseminated when performing actions and can be leveraged by DFIR analysts. Focusing on remote command execution techniques used by attackers and red-teamers, this article aims to get a collection of artifacts that can collected by analysts.

CCleaner forensics

20/06/2022 During a ransomware attack, right after the ransomware was launched, we noticed the use of CCleaner as an anti-forensic tool to cover the attacker’s action. The following article aims to explore some key features of this tool from a forensic perspective. We will see how to identify the items that have been deleted and how they could be recovered. We focused on the free desktop version v6.00.9727.

Ready For IT 2022: Back to attacks on new digital uses

08/06/2022 Thanks to Ready for IT organizers so we can shared a feedback regarding our incident response services (CSIRT Synacktiv) and red team activities. Below is a summary of the intervention.

Unransomware

31/01/2022 During a ransomware incident, CSIRT Synacktiv noticed that the bitlocker mechanism was used to encrypt company and user files. This blogpost does not intend to retrace the whole incident response process. The idea is to illustrate how we managed (or not) to recover encryption keys and save a few workstations from their terrible fate. The incident took place few months ago.

Yet another BEC investigation on M365

22/11/2021 Several materials already describe this type of attack, this document is an operational feedback from the CSIRT Synacktiv on several BEC incidents based on Microsoft 365 service. This is the part one of this publication.