Showing posts from May, 2022

How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History

During a compromise, threat actors often copy and paste data through the clipboard, typically credentials, PowerShell commands or IP addresses. On the malware side, infostealers, RATs and keyloggers frequently monitor the clipboard, since it may hold cryptocurrency seed phrases, passwords and other data of interest. Incident response analysts rarely examine clipboard data, because the live clipboard resides in volatile memory and capturing it requires prerequisites to be in place beforehand. However, recent Windows versions can, depending on how the system is configured, retain historical clipboard data on disk for analysis. This should be considered the next time an analyst performs forensic analysis of a system.

Forensic considerations when analysing clipboard data:
- What time did the threat actor copy data to the clipboard?
- Where did the threat actor copy the data to the clipboard from?
- Was the data ever pasted (on the same system) or just copi
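As an added example (not code from the original post), the following PowerShell triage script captures the three things an analyst wants before touching anything else on a live host: the volatile clipboard contents, whether clipboard history (and its cross-device sync) is enabled for the user or forced on/off by policy, and the location and timestamps of the ActivitiesCache.db files the post names. Function names are my own choice; the registry paths and value names are the documented Windows clipboard-history settings, and the ActivitiesCache.db path is the standard Windows Timeline location. It assumes an elevated prompt so that other users' profiles are readable.

```powershell
# Added example, not the original post's code: live clipboard triage on a Windows host.
# Registry paths/values are the documented clipboard-history settings; function names
# are the author's own. Run elevated to see other users' profiles.

function Get-ClipboardHistoryState {
    # Per-user toggle: Settings > System > Clipboard > "Clipboard history" (1 = enabled).
    # The feature is off by default, so a missing value means it was never turned on.
    $user = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Clipboard' -ErrorAction SilentlyContinue
    # Machine-wide Group Policy overrides ("Allow Clipboard History",
    # "Allow Clipboard synchronization across devices"); 0 = blocked for all users.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EnableClipboardHistory    = $user.EnableClipboardHistory        # $null = never set
        AllowClipboardHistory     = $policy.AllowClipboardHistory       # $null = no policy
        AllowCrossDeviceClipboard = $policy.AllowCrossDeviceClipboard   # 1 = copies may also exist on synced devices
    }
}

function Get-ActivitiesCacheDb {
    # Windows Timeline database, one per signed-in account under each user profile.
    # -Force is needed because AppData is a hidden directory and would not match the wildcard otherwise.
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db' -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

function Save-LiveClipboard {
    param([Parameter(Mandatory)][string]$OutFile)
    # The current clipboard text lives only in memory: record it, with a UTC timestamp,
    # before the investigation itself overwrites it. Get-Clipboard returns one string per line.
    $text = Get-Clipboard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CapturedUtc = (Get-Date).ToUniversalTime().ToString('o')
        Content     = ($text -join "`n")
    } | ConvertTo-Json | Set-Content -Path $OutFile -Encoding UTF8
}

Get-ClipboardHistoryState
Get-ActivitiesCacheDb | Format-Table -AutoSize
Save-LiveClipboard -OutFile "$env:TEMP\clipboard-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
```

Run the clipboard capture first: reading the registry and listing files does not disturb the clipboard, but anything the analyst copies afterwards will replace the single live entry. Note that when EnableClipboardHistory is 1 and no policy blocks it, the Win+V history is cleared on restart except for pinned items, so a powered-on host is worth triaging before any reboot.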

Detection and Compromise: Azure Key Vaults & Secrets

Azure Key Vaults are an attractive target for threat actors because they hold keys, passwords and certificates that can further the attack chain, leading to persistence, lateral movement and data collection. Developers commonly use Key Vault to manage keys, certificates and passwords (tokens, API keys and secrets).

The following three permissions can be abused in this attack chain, allowing a threat actor to read secrets in cleartext and to modify access policies (for example, granting read permissions to another, attacker-controlled account). During Azure audit assessments, I would recommend that service principals, managed identities and users holding these three permissions are properly audited:

Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write

Attack Conditions

Abuse of Azure Key Vaults requires that an attacker ha
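The audit the post recommends can be scripted with the Az PowerShell module. The following is an added example, not the post's own code: it lists every role assignment in the current subscription whose role definition grants at least one of the three permissions above, resolving wildcards the way Azure RBAC does (a role with `*` or `Microsoft.KeyVault/*` in its Actions grants all three). Function names are my own; the cmdlets and property names are those of the Az.Resources module, and the script assumes Connect-AzAccount has already been run with at least Reader access on the subscription.

```powershell
# Added example, not the original post's code: find principals (users, groups, service
# principals and managed identities) whose RBAC role grants any of the three Key Vault
# permissions called out above. Requires the Az module and an authenticated session.

$KeyVaultActions = @(
    'Microsoft.KeyVault/vaults/read',
    'Microsoft.KeyVault/vaults/secrets/read',
    'Microsoft.KeyVault/vaults/accessPolicies/write'
)

function Test-ActionGranted {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Action)
    # Azure action patterns use '*' as a wildcard ('*', 'Microsoft.KeyVault/*', 'Microsoft.KeyVault/vaults/*'),
    # which maps directly onto PowerShell's -like. NotActions subtract from Actions.
    $granted = $false
    foreach ($pattern in $Actions) {
        if ($Action -like $pattern) { $granted = $true; break }
    }
    if (-not $granted) { return $false }
    foreach ($pattern in $NotActions) {
        if ($Action -like $pattern) { return $false }
    }
    return $true
}

function Get-KeyVaultRiskyAssignments {
    # Cache role definitions by GUID so custom roles with duplicate names are not confused.
    $definitions = @{}
    foreach ($def in Get-AzRoleDefinition) { $definitions[$def.Id] = $def }

    foreach ($assignment in Get-AzRoleAssignment) {
        $def = $definitions[$assignment.RoleDefinitionId]
        if (-not $def) { continue }

        $hits = $KeyVaultActions | Where-Object {
            Test-ActionGranted -Actions $def.Actions -NotActions $def.NotActions -Action $_
        }
        if ($hits) {
            [pscustomobject]@{
                Principal   = if ($assignment.SignInName) { $assignment.SignInName } else { $assignment.DisplayName }
                ObjectId    = $assignment.ObjectId
                ObjectType  = $assignment.ObjectType   # User, Group, ServicePrincipal (managed identities appear here)
                Role        = $def.Name
                CustomRole  = $def.IsCustom
                Scope       = $assignment.Scope        # subscription, resource group or individual vault
                Permissions = ($hits -join ', ')
            }
        }
    }
}

Get-KeyVaultRiskyAssignments | Sort-Object Scope, Role | Format-Table -AutoSize
```

Expect broad built-in roles such as Owner and Contributor to appear for every scope; the findings worth chasing are service principals and managed identities holding these permissions at subscription scope, and custom roles that bundle accessPolicies/write. The three actions are control-plane permissions, which is what the access-policy abuse path needs; for vaults that use the Azure RBAC permission model instead, extend $KeyVaultActions with the relevant data actions (for example Microsoft.KeyVault/vaults/secrets/getSecret/action) and check $def.DataActions and $def.NotDataActions the same way.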