Mindblown: a blog about DFIR.
-
CloudMe Sync CVE-2018-6892
CloudMe Sync before version 1.11.0 is affected by CVE-2018-6892[1]. This vulnerability allows an unauthenticated remote attacker to exploit the “CloudMe Sync” client application, which listens on port 8888[1]. By sending a malicious payload, the attacker can trigger a buffer overflow vulnerability in the application[1]. Successful exploitation of this vulnerability allows the attacker to gain control…
-
Bypassing modern anti-exploit mechanisms
Modern operating systems employ a variety of anti-exploit mechanisms known as exploit mitigation techniques to prevent and limit the success of malicious activities on a system. Yet, skilled attackers and malware creators continually develop methods to bypass these defenses. Here are several modern anti-exploit mechanisms and ways they might be circumvented: As a malware analyst,…
-
MOVEit Transfer Attack
MOVEit Transfer Attack TTP for Malware Analyst Overview MOVEit Transfer is a secure file transfer solution organizations use to exchange sensitive data. While the product is designed to be secure, attackers may still target the users, infrastructure, or underlying systems to compromise the transferred data. The TTP (Tactics, Techniques, and Procedures) for a MOVEit Transfer…
-
AS-REP Roasting
AS-REP Roasting is a technique that targets the Kerberos authentication protocol by exploiting user accounts with Kerberos pre-authentication disabled. When pre-authentication is enabled, a user who needs access to a resource initiates the Kerberos authentication process by sending an Authentication Server (AS) request. However, if pre-authentication is disabled, attackers may obtain the password hashes of…
-
Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm established by the U.S. National Institute of Standards and Technology (NIST) in 2001. It was developed by Belgian cryptographers Joan Daemen and Vincent Rijmen, who submitted their Rijndael block cipher during the AES selection process. AES has a fixed block size of 128 bits and…
-
Salsa20
Salsa20 is a stream cipher developed by Daniel J. Bernstein in 2005, with a closely related variant called ChaCha introduced in 2008. Both ciphers are based on a pseudorandom function that uses add-rotate-XOR (ARX) operations, which include 32-bit addition, bitwise addition (XOR), and rotation operations. The core function maps a 256-bit key, a 64-bit nonce,…
-
Windows API functions
Microsoft CryptoAPI, also known as CryptoAPI, Microsoft Cryptography API, MS-CAPI, or simply CAPI, is an application programming interface (API) included with Microsoft Windows operating systems. It provides services to enable developers to secure Windows-based applications using cryptography. First introduced in Windows NT 4.0, CryptoAPI has been enhanced in subsequent versions. CryptoAPI supports both public-key and…
-
Malware Analysis Tools P1
Various tools are used to dissect, analyze, and reverse-engineer malware samples in malware analysis. These tools help analysts gain insights into the malware’s functionality, behavior, and potential impact on the infected system.
-
Building Home Lab
Building your own digital forensics lab at home is possible if you are interested in digital forensics. The home lab can be a great way to learn more about the field and develop your skills. Here are steps to help you get started: Step 1: Determine Your Goals and Budget Before building your lab, you…
-
Malware Analysis Methods API Part 1
Malware analysis, the techniques mentioned are related to various methods and APIs (Application Programming Interfaces) that malware may use to perform its malicious activities. Understanding these techniques helps analysts to identify, analyze, and reverse-engineer malware samples.