004. Are You Forensicating Here or What?
Hello everyone! During incident response engagements we often use various forensic tools, right? For example, to dump memory. But did you know that adversaries may do the same with the same tools? Why? Because dumping LSASS is way too noisy nowadays. And yes, you can extract credentials from a full memory dump as well.
We saw this approach in-the-wild for the first time responding to Gremlin Wolf (also known as OldGremlin and TinyScouts). This ransomware gang used WinPmem to dump compromised system memory and access available credentials.
It's not the only example of forensic tool abuse. For example, the Lorenz ransomware gang leveraged Magnet RAM Capture to obtain a memory dump. In some cases threat actors even used another forensic tool, Volatility, to extract credentials from the memory dump directly on the compromised host.
As you can see, forensic tools, just like many other legitimate tools, may be used by adversaries to solve various problems.
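One way to hunt for this pattern, as an added example that is not part of the original post: classify Sysmon-style process creation events for memory-acquisition tools and for a Volatility run that reads credentials out of a dump, then correlate the two per host. The binary name patterns (winpmem, MRCvNNN, vol.py) and the sample events are assumptions constructed for illustration.

```python
# Added example (not from the original post): flag Sysmon-style process creation
# events for memory-acquisition forensic tools and a follow-on Volatility run on
# the same host. Tool binary name patterns are assumptions; tune to your builds.
import re

# Assumed image/OriginalFileName patterns for memory acquisition tools.
ACQUISITION = re.compile(r"(winpmem|mrcv\d+|magnetramcapture)", re.I)
# Volatility invocations (framework name or the vol.py / vol.exe launcher).
ANALYSIS = re.compile(r"(volatility|\bvol(?:3)?(?:\.py|\.exe)?\b)", re.I)
# Volatility plugins that read credential material out of a dump.
CRED_PLUGINS = re.compile(r"(hashdump|lsadump|cachedump|mimikatz)", re.I)
DUMP_EXT = re.compile(r"\.(raw|aff4|mem|dmp)\b", re.I)

def classify(event):
    """Return a finding label for one process-creation event, or None."""
    name = f"{event.get('Image', '')} {event.get('OriginalFileName', '')}"
    cmd = event.get("CommandLine", "")
    if ACQUISITION.search(name):
        return "memory_acquisition"
    if ANALYSIS.search(f"{name} {cmd}") and CRED_PLUGINS.search(cmd) and DUMP_EXT.search(cmd):
        return "credential_extraction_from_dump"
    return None

def detect(events, window_s=3600):
    """Per-host correlation: acquisition followed by extraction within window_s."""
    findings, last_acq = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if not label:
            continue
        host = ev["Computer"]
        findings.append((host, label, ev["Image"]))
        if label == "memory_acquisition":
            last_acq[host] = ev["ts"]
        elif host in last_acq and ev["ts"] - last_acq[host] <= window_s:
            findings.append((host, "memory_dump_credential_access_chain", ev["Image"]))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"ts": 100, "Computer": "WS01", "Image": r"C:\Temp\winpmem_mini_x64.exe",
     "OriginalFileName": "winpmem.exe", "CommandLine": r"winpmem_mini_x64.exe C:\Temp\mem.raw"},
    {"ts": 900, "Computer": "WS01", "Image": r"C:\Python39\python.exe",
     "OriginalFileName": "python.exe",
     "CommandLine": r"python vol.py -f C:\Temp\mem.raw windows.hashdump"},
    {"ts": 120, "Computer": "SRV02", "Image": r"C:\Windows\explorer.exe",
     "OriginalFileName": "EXPLORER.EXE", "CommandLine": "explorer.exe"},
]
```

Running `detect(SAMPLE)` yields the two individual findings on WS01 plus a chained alert, while the unrelated SRV02 event is ignored.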
There are even more examples! Do you know any of them? Share it in the comments!
And see you tomorrow!