
This post is Part 2 of a two-part series examining the April 2021 FBI operation to remove malicious web shells from hundreds of systems per a court order.

On April 13, 2021, we learned what I believe will be a monumental event for cybersecurity in the United States. The U.S. Department of Justice announced a “Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities,” detailing an FBI operation to remove malicious files from public-facing email systems. This operation technically commenced on April 9, 2021, per the documents provided. …


This post is Part 1 of a two-part series examining the April 2021 FBI operation to remove malicious web shells from hundreds of systems per a court order.

On April 13, 2021, we learned what I believe will be a monumental event for cybersecurity in the United States. The U.S. Department of Justice announced a “Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities,” detailing an FBI operation to remove malicious files from public-facing email systems. This operation technically commenced on April 9, 2021, per the documents provided. …


This post has been co-authored with Aaron Soto

During the past week or so, some folks in the infosec community have been wrapped around the looming threat of a weaponized #BlueKeep vulnerability. BlueKeep reportedly allows for unauthenticated remote code execution (RCE) via Microsoft’s Remote Desktop Protocol (RDP). (To be clear, neither Aaron nor I have seen a working PoC, but we recommend checking out this blog post from McAfee).

Based on our understanding, if an attacker can craft the right parameters, that can lead to heap memory corruption and the aforementioned RCE. Thus, we had our starting point.

Sidebar: We’re both down on the Gold Coast of Australia getting ready…


I just released pollen version 1.1, codename Tsim Sha Tsui. I’m sure some of you know where in the world that is, which may give you an idea of where this code was written :)

This newer version has much cleaner code and I think significantly better analyst options as well. Here’s what’s included in version 1.1:

  • Command-line usage; no need for the shell all the time! Pollen now includes the --log and --logfile options, which allow the analyst to update task logs and upload supporting files _directly from the command line_. This is a HUGE feature, and is meant to…


I’ve been using TheHive on and off for a couple years now, and absolutely LOVE this tool. If you haven’t heard of TheHive yet, I suggest heading to their main page and checking it out. It’s a scalable, free and open source incident management platform that has become crucial in how I conduct investigations.

However, TheHive is largely browser-based and I do a lot of analysis on the command line. This required me to move from terminal to browser quite frequently to store results/findings, which wasn’t always optimal and/or ideal, especially if my session had timed out, etc. Thus, pollen was born.

pollen


Morning fellow forensicators!

While I could and should (and will?) put up an entire post just about TheHive itself, I’m skipping right to some scripting that I recently had to put together. But, to give a proper, albeit brief shoutout:

If you have not heard of TheHive yet, I’m going to highly recommend you zoom over here: https://thehive-project.org/.

TheHive is one of the best platforms I’ve ever seen/used for incident management. It’s definitely what some of us have been craving for years in Incident Response. Furthermore, its Python library (https://github.com/TheHive-Project/TheHive4py) makes for easy scripting as well. …


Well, hello there blog. Been a while :)

KAPE + SFTP Output

If you’ve been watching the DFIR space over the past month or so, you’ve undoubtedly witnessed the release of a true game-changing tool in KAPE, released by (of course) Mr. @EricRZimmerman. Here’s a recent post from Eric in case this is the first you’re hearing of it:

While there are a ton of posts that can come out of working with KAPE and designing modules, one thing that caught my attention was when Eric added in support for SFTP out:

Now we’re talking truly game-changing. By…


Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.

Today’s Morning Read has been making the rounds of various data breach sites, and is from a press release that came out two days ago, on March 20, 2017. Here’s the release from UNC Health Care:

You can find a couple of sample articles below:

Overview

On March 20, 2017, UNC Health Care announced that it has begun notifying a select group of patients of a data breach…


For today’s post, I’d like to bring attention to the newly-announced Ken Johnson DFIR Scholarship. Created in partnership between SANS and KPMG LLP, the scholarship is to honor the memory of Ken Johnson. Ken was a fantastic father, husband, friend, and forensic investigator who left our community too early. I’m proud to work with SANS and KPMG to help remember Ken in the right way, by helping others grow and develop — just as he helped others.

Here is the SANS release about the scholarship:

I had the privilege of helping announce the scholarship at last year’s SANS DFIR Summit…


Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.

Today’s Morning Read has been cited in a few news outlets, but focuses on a bug disclosure from Jason Doyle, a security researcher. You can find a copy of Jason’s disclosure here:

Jason’s public disclosure was March 17, 2017; however, updates are still being made to the README (18 hours ago as of this post).

Overview

As a huge fan — and user — of smart, connected home…

Matt B

Be selective with your battles.
