SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims
In this video we talk about three aspects of RECON with respect to SUNBURST #malware.
1. We look in more detail at the recon the malware does on the underlying victim host.
2. We look at the OSINT recon we can do on the C2 domain to gather PassiveDNS data
3. We examine how the structure of those DNS requests and how they can be reverse-engineered to identify potential victims.
There are some super-smart people analysing this malware and I'm grateful for their contributions to the wider community, so please check out the following links, write-ups and tools:
LINKS
=====
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/edit#gid=0
DGA Write-Ups
=============
https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug
https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/
https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS
https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/
PDNS Data
=========
https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt
https://github.com/bambenek/research/blob/main/sunburst/Important-Notes.md
TOOLS
=====
https://github.com/dnSpy/dnSpy
https://github.com/de4dot/de4dot
https://github.com/Robert-McGinley/de4dot-Installer
https://docs.umbrella.com/investigate-api/docs
https://community.riskiq.com/search/20.140.0.1
https://github.com/2igosha/sunburst_dga
https://github.com/RedDrip7/SunBurst_DGA_Decode
SAMPLE
=======
https://app.any.run/tasks/4fc6b555-4f9b-4346-8df2-b59e5796eb88/
FOLLOW
======
You can join in the conversation by following me at https://twitter.com/cybercdh
THANKS
=======
If you LIKED this video, please hit the THUMBS UP. If you LOVED it, please SUBSCRIBE!
Many thanks for watching, it means a lot. Peace out.
@cybercdh
#sunburst #solarwinds
Видео SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims канала Colin Hardy
1. We look in more detail at the recon the malware does on the underlying victim host.
2. We look at the OSINT recon we can do on the C2 domain to gather PassiveDNS data
3. We examine how the structure of those DNS requests and how they can be reverse-engineered to identify potential victims.
There are some super-smart people analysing this malware and I'm grateful for their contributions to the wider community, so please check out the following links, write-ups and tools:
LINKS
=====
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/edit#gid=0
DGA Write-Ups
=============
https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug
https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/
https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS
https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/
PDNS Data
=========
https://github.com/bambenek/research/blob/main/sunburst/uniq-hostnames.txt
https://github.com/bambenek/research/blob/main/sunburst/Important-Notes.md
TOOLS
=====
https://github.com/dnSpy/dnSpy
https://github.com/de4dot/de4dot
https://github.com/Robert-McGinley/de4dot-Installer
https://docs.umbrella.com/investigate-api/docs
https://community.riskiq.com/search/20.140.0.1
https://github.com/2igosha/sunburst_dga
https://github.com/RedDrip7/SunBurst_DGA_Decode
SAMPLE
=======
https://app.any.run/tasks/4fc6b555-4f9b-4346-8df2-b59e5796eb88/
FOLLOW
======
You can join in the conversation by following me at https://twitter.com/cybercdh
THANKS
=======
If you LIKED this video, please hit the THUMBS UP. If you LOVED it, please SUBSCRIBE!
Many thanks for watching, it means a lot. Peace out.
@cybercdh
#sunburst #solarwinds
Видео SUNBURST SolarWinds RECON - Malware Reverse Engineering, OSINT and Identifying Victims канала Colin Hardy
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
SUNBURST SolarWinds Malware - Tools, Tactics and Methods to get you started with Reverse Engineering
SolarWinds breach: Insights from the trenches | Live incident response demo | Cyber Work Podcast
SolarWinds: What It Means & What’s Next
Coding Expectations for Malware & Pentesting
How the SolarWinds Hack Could Change Data Security Forever
The threats arising from the massive SolarWinds hack
Ghidra - Journey from Classified NSA Tool to Open Source
SolarWinds, The Biggest Case of Cyber-Espionage Yet
Finding SolarWinds / SUNBURST backdoors with Zeek, Suricata, & Corelight
Threat Hunting with Inquest Labs
SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack
27c3: Reverse Engineering the MOS 6502 CPU (en)
Threat Hunt Deep Dives Ep. 3 - SolarWinds' Supply-Chain Compromise (Solorigate / SUNBURST Backdoor)
SUPERNOVA - Everything you need to know to Reverse Engineer an APT WebShell
The SolarWinds Hack Explained | Cybersecurity Advice
Olympic Destroyer - Quick behavioural Analysis of this Wiper Malware
Reversing WannaCry Part 1 - Finding the killswitch and unpacking the malware in #Ghidra
Updates on the SolarWinds Sunburst Supply Chain Attack | FireEye Hack
SolarWinds Sunburst Hack: What you need to know