Hybrid Kill Chain & Attack Methodology

Report by Miguel Bigueur & Les Davis


Figure 1. Anatomy of a URL and Web Server Architecture.

The intent to manipulate URL inputs is a method of infiltration utilized by criminals as a means of legitimacy. The goal here is to masquerade as legitimate traffic in an effort to penetrate firewalls uninhibited, while bypassing all pre-established defense mechanisms. Once this is achieved, an attacker is afforded the opportunity to escalate privileges with an opportunity to engage in lateral movements.

A few tools that can be used to help discover vulnerabilities in web and mail servers include: Continue reading

Chinese APT Analysis “APT30”


APT30 is a Chinese based, well organized, state sanctioned Cyber Espionage operation. The group is most notably known for its decade long use of the same sets of tools and tactics. The group’s main objective is the acquisition of private government information relating to socio and geo-political influence as conducted through long duration cyber espionage campaigns. APT30’s targets predominantly consist of organizations that satisfy its own governmental requirements for intelligence gathering. Some of the earliest domain registrations and malware compilation times date as far back as 2004 with its associated use of C2 server domains dating back to 2005. Continue reading

Russian APT Analysis “APT29, aka, The Dukes”


APT29, The Dukes, a term coined by security researchers at Kaspersky Labs, are a well funded, highly resourceful and dedicated group of organized cyber espionage hackers that have been linked to the Russian Federation dating back as far as 2008. Their primary mission traditionally has been to perform intelligence gathering in an effort to support Russian foreign and security policies. The Dukes have access to a vast arsenal of malware toolsets, which have been identified as OnionDuke, CosmicDuke, MiniDuke, GeminiDuke, HammerDuke, PinchDuke, SeaDuke, and CloudDuke to name a few.

Continue reading

Methbot “Russian Cybercime”


The biggest names in U.S. media and brand name advertising are losing millions in advertising dollars on a dally basis due to a Russian underground of cyber criminals. This operation in particular targets video ads by producing massive volumes of fraudulent video ads through the misappropriation of various parts of critical Internet infrastructure then targeting premium-advertising space. As revealed by security experts, a new and very successful click fraud, as perpetrated by Russian cyber miscreants, has resulted in the loss of millions of dollars on a day-to-day basis. Continue reading

Malware Analysis & Reverse Engineering (Case Study)



Summary of Findings 

  • Testbook3.xlsm.mlw: 64f129da1ab476723f147ec9ad92ad0d
  • Malware creation Date: 2017-04-24 01:53:22Z
  • Malware Type: Downloader Trojan

VirusTotal resulted in 27/ 57 detections as malicious. This dropper steals username and password information from the SAM database of the victim. This is evidenced by API calls made using SAMSRV.DLL. The stolen data is then sent across an encrypted communications link using  SSLv2 encryption.

The malware begins to enumerate SAM hashes from the SAM database and encrypts them before transmitting the stolen data. The malware makes use of several APIs in this process including: crypt32.dll, bcrypt.dll, ncrypt.dll, cryptdll.dll, secure32.dll.  Continue reading

Malware Analysis (Yara Rules)



In an effort to help identify and classify malware samples, Yara rules have been specifically written to help identify if a computer or system is infected, and if so, uncover the location of potentially infected files.

The first Yara rule, as seen below, was written to identify any files and their location on disk that could potentially be infected with the Prosium Bot. The following strings have been optimized to help minimize false positives while providing the most effective file identification possible. Continue reading

Python Security Scripting


Introduction: (Problem description)

There are a large number of reasons why it’s a good idea to keep apprised of when, where, why, and how a computer is used on a frequent basis. There could be critical indicators of compromise “IOCs” and/or indicators of attacks “IOAs” that could possibly help network defenders protect against such activities or perform remediation them after the fact. The proper logging of all user and computer activities is crucial to any network defense program and should be carefully implemented in addition to password policy enforcement.

All scripts in this post can be found at:


Continue reading

Wireless Forensics



New directions in research have led to fundamental design changes in Wi-Fi technologies, networks, and services. These innovative advances have led to a prolific growth in wireless network computer crimes. As a result, forensic investigators are faced with future challenges associated with consumer’s hunger for high energy consumption, in addition to, issues regarding limited spectrum bandwidth. Continue reading

Computer Memory Forensics


Memory forensics is the science of analyzing computer memory, both volatile and non-volatile that reveals a vast array of analytical points in regards to the state of which the machine was in during memory image acquisition. Memory forensics is paramount to the analyses of volatile memory of a computer system, which contains numerous artifacts that may prove to be useful during a digital forensics investigation.

Continue reading

USB Forensics


The proliferation of USB devices not only is an added convenience to users but also a hindrance to network and information security and as a result can be used for nefarious purposes. This is why having the ability to examine USB device history and files are critical to digital forensic investigations. This assignment will walk through the basic forensic examination process of how to examine USB drive artifacts.   Continue reading