Wednesday, May 23, 2018

How attacker alter the history in Linux:

During incident response and threat hunting activity, the analyst collects important artifacts, logs from the suspected system or victim machine. When the Linux environment as the infected device OS, then executed commands list by attackers will give you the detail of how infection flows into the system. In order to get that list 'History' is the command used to get the list.

Let's see how attacker modifies the history:

entering the first command

For instance, I try to print a sentence as "this is hacker" using echo command.

the command for printing the message done

Once print was done then check the history. It shows the echo command as the serial number 595.

History list

Now go back to the terminal and press upper arrow where we find the echo "this is hacker" statement. Just backspace that content and rewrite whatever you wish. In this case, I wrote, "this is not hacker". But don't enter that command, just push the down arrow and go for empty command. Hit the history and check the list.

 Currently, we unable to see the 595 serial number content as "this is hacker". Now it is showing 595* "this is not hacker". This is how the attacker will edit the history.

Reason for asterisk symbol in the Linux history:
The star or asterisk symbol in the serial number at the history, it is the indication of modified history.

Post made by

Monday, May 14, 2018

Usoclient.exe Command window popup

One of my juniors complained me that his system behaves weird today. He told me a command window popup mentioned as usoclient.exe from the system32 location (that is easily seen in the title bar). I convinced him this is a legitimate process only no need to worry about. In case if the same process run from some other location like temp folder, app data then it could be malicious. For a normal user, if a command window popped and closing will give the feel of malware is running in the system. If you also got the same usoclient.exe in the command window popup and closed, no need to worry about it. 

Administrative Tools

Open the administrative tools in the control panel, you can find the task scheduler file. I asked him to open that where he can find usoclient.exe under Microsoft->Windows->UpdateOrchestrator.

Task Scheduler

Schedule Scan - Usoclient.exe

Usoclient is a legitimate process if you see it in windows/system32 folder. If it is running in suspicious location then we can flag that process as malicious one. 

Post by

Sunday, May 6, 2018

EKFiddle team updated regex for drive by Mining via Drupal attack


Today, EKFiddle team updated their regex on drupal vulnerability used to drive by mining. Drupal Attack shocked the website administrators around the world with the latest vulnerability. 

When coin mining is happening behind the screen, the cpu usage spikes to the peak.

Post made by

Phishing campaign - Netflix

Security researcher spotted a phishing campaign which disguised in the form of Netflix. The researcher also shared the details in the pastebin site, please refer the following link:

Phishing mail

All the details about the mail, spam IP details please refer the pastebin link given above.

General Recommendation:
Teach your users regarding how to handle phishing emails. In that, they first need to understand how the phishing link looks like. 
Block the phishing IP address in your firewall that will help to combat this phishing attack.

Post made by

Bug Hunter's Notepad

Huntpad is the bug hunter's notepad. It had great features that are particularly useful to penetration testers and bug hunters - a collection of common injection string generators, hash generators, encoders and decoders, HTML and text manipulation functions, and so on, coupled with syntax highlighting for several programming languages.

The free download is available:

Post made by

Enhancing Embedded Device Security with MITRE EMB3D™

In today's interconnected world, the security of embedded devices has become crucial. Embedded devices, integral to various industries, ...