RisingSun: Decoding SUNBURST C2 to Identify Infected Hosts Without Network Telemetry

January 14, 2021

Nearly three weeks after news regarding the widespread compromise of SolarWinds Orion customers became public, TrustedSec continues to receive inquiries from clients seeking more granular detail about the nature of the compromise. In most cases, clients have received a list of command and control (C2) domains from a major vendor and require assistance in investigating…

Read

SolarWinds Backdoor (Sunburst) Incident Response Playbook

December 17, 2020

Over the last several days, TrustedSec has received queries on the best ways to contain, eradicate, and remediate the SolarWinds backdoor (aka #solarigate aka Sunburst). The TrustedSec Incident Response team has put together a playbook of recommended actions to provide some level of assurance that your organization is no longer affected by the backdoor. This…

Read

SolarWinds Orion and UNC2452 – Summary and Recommendations

December 14, 2020

In the wake of recent revelations regarding a supply chain compromise of the SolarWinds Orion platform by a nation-state actor, and subsequent targeting of private sector and government organizations by said actor, the TrustedSec Incident Response team is releasing the following summary and guidance. This guidance reflects information from industry counterparts as well as recommendations…

Read

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

October 27, 2020

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

Read

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2

October 27, 2020

This is a continuation of The Tale of the Lost, but not Forgotten, Undocumented NetSync (part 1) and in this section, we will look to answer: What are Some Early Indicators to Detect NetSync at the Host-based Level? What are Some Possible Controls to Deter NetSync? In an accompanying blog post, Are You Seeing What…

Read

SMS Phish – An Incident Walkthrough

September 3, 2020

Opener The goal of this blog post is to provide an approach to analyzing a text-based phish link. I will primarily focus on the initial steps to properly view the phish site from a non-mobile browser, provide OPSEC setup and browsing analysis recommendations, and conclude with defense measures to protect against such attacks. Analysis Background…

Read

Become The Malware Analyst Series: PowerShell Obfuscation Shellcode

August 20, 2020

In this second installment of the ‘Become a Malware Analyst Series,” Principal Incident Response & Research Consultant Scott Nusbaum focuses on PowerShell obfuscation by analyzing a PowerShell sample that was identified during an incident response. Scott will also touch on methods and tools to identify common Metasploit function hashes.

Read

Become The Malware Analyst Series: Malicious Code Extraction and Deobfuscation

July 7, 2020

In this video, Senior Incident Response & Research Consultant Scott Nusbaum demonstrates a method to extract and deobfuscate code from a malicious document. Upon rendering the code readable, Nusbaum works to gain an understanding of the goals the malware was attempting to accomplish and the processes by which it undertook that effort. This video is…

Read

Are You Looking for Ants or Termites?

July 1, 2020

Over the last several months, I’ve noticed something when discussing Incident Response (IR) with clients. There is often confusion between the expectation and reality concerning the end results of an IR investigation. My goal here is to clarify and set those expectations, and to show how Threat Hunting factors in. When TrustedSec gets called to…

Read

Adventures in Phishing Email Analysis

June 18, 2020

Opening Phishing attacks are a daily threat to all organizations and unfortunately, they are one of the hardest threats to protect against. No matter how many defensive layers an organization has put in place following best practice defense-in-depth design, it only takes one (1) user to click on that malicious link or open that weaponized…

Read
  • Browse by Category

  • Clear Form