009. Anti-Forensics and China-nexus
Hello everyone! Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning in mid-December 2024. The vulnerability affects Ivanti Connect Secure VPN appliances, and successful exploitation can result in unauthenticated remote code execution. The activity was attributed to a China-nexus cluster.
Despite the fact that the threat actors used a zero-day for initial access, there are lots of detection and hunting opportunities in the post-exploitation phase!
Let's focus on anti-forensics techniques:
- The adversary used dmesg with the -C parameter to clear the kernel ring buffer (the kernel's in-memory message log): dmesg -C
- Used sed with the -i parameter to delete matching lines from an application debug log in place (here, every line containing "segfault"): sed -i '/segfault/d' debuglog
- Deleted state dumps and any core dumps using rm with the -rf parameters: rm -rf /data/var/statedumps/*
As you can see, threat actors can make forensic examination a tough task. At the same time, anti-forensic methods like these are quite common and easy to detect if the appropriate logs (process execution telemetry, shell history, file deletion events) are collected and forwarded off the box, since anything left on the appliance can be wiped just as easily.
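To show what "easy to detect if the appropriate logs are collected" looks like in practice, here is an added example (my code, not Mandiant's or Ivanti's) that runs simple hunting rules over process-execution events for the three techniques listed above. The log format, the timestamps, the user names and the rule names are all assumptions: the input is a constructed "<timestamp> <user> <cmdline>" feed, as an auditd or EDR pipeline might export execve events, not a real appliance log. The rules go slightly beyond the exact commands in the post (long-form flags, clustered short flags, other sed delete scripts, other dump/log paths) so that trivial variations do not slip past them.

```python
import re
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    timestamp: str
    user: str
    rule: str
    cmdline: str


# Constructed sample (not real appliance logs): process-execution events in a
# simplified "<timestamp> <user> <cmdline>" format, as an auditd/EDR pipeline
# might export them. The first four lines mirror the commands in the post;
# the last three are benign admin activity that the rules must not flag.
SAMPLE_EXEC_LOG = """\
2024-12-15T03:12:01Z root dmesg -C
2024-12-15T03:12:02Z root sed -i '/segfault/d' debuglog
2024-12-15T03:12:04Z root rm -rf /data/var/statedumps/*
2024-12-15T03:12:05Z root rm -rf /data/var/cores/*
2024-12-15T08:30:10Z admin dmesg -T
2024-12-15T08:31:00Z admin sed -n '1,10p' /etc/hosts
2024-12-15T08:32:00Z admin rm -rf /tmp/build-cache
"""

# Paths whose recursive deletion is worth a look: crash/state dumps and logs.
DUMP_OR_LOG_PATH = re.compile(r"statedump|/cores?/|/core\b|/var/log|\.log$")
# sed "delete" commands: "/pattern/d", "5d", "1,3d", bare "d".
SED_DELETE_CMD = re.compile(r"(^|/|;|\d)\s*d$")


def _short_flags(argv):
    """Letters from single-dash option clusters, e.g. ['-rf'] -> {'r', 'f'}."""
    letters = set()
    for arg in argv[1:]:
        if arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            letters.update(arg[1:])
    return letters


def _long_flags(argv):
    return {a for a in argv[1:] if a.startswith("--")}


def _operands(argv):
    """Non-option arguments: sed scripts, file names, paths."""
    return [a for a in argv[1:] if not a.startswith("-")]


def classify(argv):
    """Return the names of every anti-forensics rule that matches one argv."""
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths like /bin/dmesg
    short, long_, ops = _short_flags(argv), _long_flags(argv), _operands(argv)
    hits = []
    # dmesg -C / --clear wipes the ring buffer; -c / --read-clear reads then wipes.
    if prog == "dmesg" and (short & {"C", "c"} or long_ & {"--clear", "--read-clear"}):
        hits.append("dmesg_clear_ring_buffer")
    # sed editing a file in place with a delete command removes log lines.
    if prog == "sed" and ("i" in short or any(l.startswith("--in-place") for l in long_)) \
            and any(SED_DELETE_CMD.search(op) for op in ops):
        hits.append("sed_inplace_delete")
    # Recursive rm aimed at dump or log directories.
    if prog == "rm" and (short & {"r", "R"} or "--recursive" in long_) \
            and any(DUMP_OR_LOG_PATH.search(op) for op in ops):
        hits.append("rm_recursive_dump_dir")
    return hits


def hunt(log_text):
    """Run classify() over every event line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, cmdline = raw.split(" ", 2)
        try:
            argv = shlex.split(cmdline)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = cmdline.split()
        for rule in classify(argv):
            findings.append(Finding(ts, user, rule, cmdline))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EXEC_LOG):
        print(f"{f.timestamp} {f.user:<6} {f.rule:<24} {f.cmdline}")
```

Two caveats when turning this into a real rule: the sed check only sees a delete script passed as an operand, not one supplied through -e or -f, and legitimate maintenance (log rotation, cleanup cron jobs) will trip the rm rule, so baseline those first and weight a hit more heavily when it comes from a web-server or unexpected parent process shortly after an exploitation attempt.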
Have you seen any interesting anti-forensic techniques recently? Share it in the comments section!
See you tomorrow!