People who have been following me long enough should know by now how much I love these nitty-gritty details of forensics, the little breadcrumbs that give you critical clues about your ongoing case.
My colleagues Andreas Klaus and Bruno Koehle recently worked on a misconduct case involving an employee suspected of installing a residential proxy on a workstation. Few traces were left, as the relevant software had been purged before the investigation. However, there was one critical hint, an XML task file inside the folder: C:\Windows\System32\Tasks_Migrated. You read that right.
The Tasks_Migrated folder is a system-generated backup and staging directory. It is not a default folder in a clean, fresh Windows installation. Instead, it is created automatically by the Windows upgrade engine (Setup/Migration routines) during a major OS upgrade, such as moving from Windows 10 to Windows 11, or applying a major Windows Feature Update.
Its primary purpose is to safely back up existing Windows Task Scheduler jobs before the OS modifies the system state, ensuring that user-defined and third-party software tasks are not permanently lost if the migration fails or the tasks become incompatible with the new build.
I guess the upgrade process goes something like this:
1) The migration engine duplicates the contents of the live \Tasks folder into \Tasks_Migrated.
2) The engine then attempts to register and import these tasks into the new operating system environment.
3) If a task successfully migrates, it is placed back into the active \Tasks folder and properly linked in the TaskCache registry hive.
4) The Tasks_Migrated folder is left behind. It effectively becomes an inert graveyard of historical scheduled tasks as they existed at the exact moment the upgrade was initiated.
This is purely speculative; I haven't tested it out in a lab. However, isn't it super interesting how many places you can find artifacts that could help you solve your case? That's why I love digital forensics so much :)
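One way to put that folder to use on a triage image, as an added example (not code from the original post): it parses the task XML files under Tasks_Migrated and Tasks, and reports the tasks that exist only in the backup, i.e. jobs that were scheduled at upgrade time but have since disappeared, together with what they executed. The folder contents and task definitions below are constructed samples; on a real system point it at C:\Windows\System32\Tasks_Migrated and C:\Windows\System32\Tasks.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace of Windows Task Scheduler XML definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def task_actions(xml_bytes):
    """Return (command, arguments) pairs from the <Exec> actions of one task definition."""
    root = ET.fromstring(xml_bytes)  # pass bytes: expat honours the UTF-16 BOM these files carry
    return [(e.findtext("t:Command", "", NS).strip(), e.findtext("t:Arguments", "", NS).strip())
            for e in root.findall(".//t:Actions/t:Exec", NS)]

def task_files(folder):
    """Map task name (path relative to folder) to its absolute path, recursing into subfolders."""
    return {os.path.relpath(os.path.join(d, f), folder): os.path.join(d, f)
            for d, _, files in os.walk(folder) for f in files}

def orphaned_tasks(migrated_dir, live_dir):
    """Tasks backed up in Tasks_Migrated that no longer exist in the live Tasks folder."""
    live = task_files(live_dir)
    report = {}
    for name, path in task_files(migrated_dir).items():
        if name not in live:
            with open(path, "rb") as fh:
                report[name] = task_actions(fh.read())
    return report

# Constructed task template (real files use the same UTF-16 encoding and namespace)
TASK_XML = ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec><Command>{cmd}</Command>'
            '<Arguments>{args}</Arguments></Exec></Actions></Task>')
# Constructed sample: one task survived the upgrade, the "ProxyAgent" task has since been removed
SAMPLE = {
    "Tasks_Migrated": {"UpdateRefresh": ("C:\\Windows\\system32\\usoclient.exe", "StartScan"),
                       "ProxyAgent": ("C:\\Users\\Public\\proxy_agent.exe", "--daemon")},
    "Tasks": {"UpdateRefresh": ("C:\\Windows\\system32\\usoclient.exe", "StartScan")},
}

def demo():
    """Write the sample folders into a temp dir and report the tasks that vanished after the upgrade."""
    with tempfile.TemporaryDirectory() as root:
        for sub, tasks in SAMPLE.items():
            os.makedirs(os.path.join(root, sub))
            for name, (cmd, args) in tasks.items():
                with open(os.path.join(root, sub, name), "wb") as fh:
                    fh.write(TASK_XML.format(cmd=cmd, args=args).encode("utf-16"))
        return orphaned_tasks(os.path.join(root, "Tasks_Migrated"), os.path.join(root, "Tasks"))
```

demo() returns a dict of orphaned task name to its executed commands; on a real image call orphaned_tasks() directly with the two folder paths.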
On a recent Linux-based Incident Response case, we found a dropped GSocket binary as a persistence mechanism [1]. The threat actor planted the dropped binaries under user-space directories to blend in, specifically masquerading as legitimate system processes:
./.config/dbus/php-fpm
./.config/htop/defunct
Persistence was established via standard execution vectors, either triggered through cron entries or embedded within profile startup scripts (.bashrc / .profile).
The "echo large-base64-blob piped to bash" is not exactly hard to miss (see image), but I had to laugh about the first line: DO NOT REMOVE THIS LINE. SEED PRNG. :)
As this was an older compromise, I took the secret from another file planted next to php-fpm (called php-fpm.dat, holding the secret) and tested the reverse shell locally using gs-netcat -s <secret_from_the_dat_file> -i, which gave me shell access under the user who started gsocket in the first place.
Global Socket is a pretty cool project, and the website goes to great lengths to explain the various scenarios. You might want to hunt for these binaries on your Linux fleet :)
[1] https://t.co/azVVDmMTig
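Two checks a hunter could run across a Linux fleet, written as an added example (not the gsocket project's code and not tooling from the case): flag lines in profile scripts or crontabs that carry the SEED PRNG marker or echo a long base64 blob into a shell, and list ELF executables parked under hidden directories of a home folder, where the php-fpm and defunct binaries above were found. The home directory, the fake ELF headers and the .bashrc lines are constructed; the base64 blob decodes to harmless filler.

```python
import os
import re
import tempfile

# Indicators from the case: the marker line and an "echo <base64 blob> | ... bash" loader
SEED_MARKER = re.compile(r"DO NOT REMOVE THIS LINE\.?\s*SEED PRNG", re.I)
ECHO_PIPE_SHELL = re.compile(r"\becho\s+[\"']?[A-Za-z0-9+/=]{64,}[\"']?\s*\|.*\b(ba)?sh\b")
ELF_MAGIC = b"\x7fELF"

def scan_profile(lines):
    """Return (line number, reason) for suspicious lines of a .bashrc, .profile or crontab."""
    hits = []
    for no, line in enumerate(lines, 1):
        if SEED_MARKER.search(line):
            hits.append((no, "gsocket seed marker"))
        elif ECHO_PIPE_SHELL.search(line):
            hits.append((no, "base64 blob echoed into a shell"))
    return hits

def elf_under_dotdirs(home):
    """List ELF files stored below hidden directories of a home, e.g. .config/htop/defunct."""
    found = []
    for dirpath, _, files in os.walk(home):
        rel = os.path.relpath(dirpath, home)
        if rel == "." or not rel.startswith("."):
            continue  # only look under dot-directories such as ~/.config
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                if fh.read(4) == ELF_MAGIC:
                    found.append(os.path.join(rel, name).replace(os.sep, "/"))
    return sorted(found)

# Constructed .bashrc: a benign line, the marker, a loader line with a harmless blob, another benign line
SAMPLE_BASHRC = [
    "# ~/.bashrc",
    "# DO NOT REMOVE THIS LINE. SEED PRNG.",
    "echo " + "QUFB" * 40 + " | base64 -d | bash",
    "alias ll='ls -la'",
]

def demo():
    """Build a constructed home directory with the two masquerading binaries and run both checks."""
    with tempfile.TemporaryDirectory() as home:
        for rel in (".config/dbus/php-fpm", ".config/htop/defunct"):
            os.makedirs(os.path.join(home, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(home, rel), "wb") as fh:
                fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # minimal fake ELF header
        with open(os.path.join(home, ".config/htop/htoprc"), "w") as fh:
            fh.write("fields=0 48 17\n")  # genuine config file next to the implant, not flagged
        return scan_profile(SAMPLE_BASHRC), elf_under_dotdirs(home)
```

demo() returns the profile hits and the list of hidden ELF files; on a real host feed scan_profile() the lines of each user's .bashrc/.profile and crontab, and elf_under_dotdirs() each home directory.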
Here’s another IG Labs post. After my teammate Evgen published his research on ViperTunnel last week, my other teammate, @schnee_FLO_cke, published a blog post today on BravoX, a ransomware-as-a-service (RaaS) provider.
Well done - such a great team! :)
https://t.co/FpfBZtltkM
My teammate Evgen has written a really interesting blog post about VIPERTUNNEL. He’s also presented his research at various BSides conferences this year. 💪
We have an opening on our Incident Response Team for anyone interested in working with such talented colleagues. Although our team is English-speaking, we are specifically looking for a German-speaking analyst for this position (C2 level is a must; the job is based in the DACH region).
In this blog post, we share our research on the #VIPERTUNNEL Python backdoor found during a DragonForce Ransomware Incident. We'll examine infrastructure hunting, its code, and how its obfuscation has evolved (spoiler: it changed a lot).
https://t.co/Adu0aeKnTG
As today is the 10th of April, I'm giving away a 10% discount on my upcoming Anti-Forensics training in Belgium at the end of the month.
We still have seats left (somebody booked in just yesterday). Personally, I think it will be awesome, but I might just be biased 🤓
Register with code FORENSICS10!
Link:
https://t.co/dpdsSLEgQL
CC: @brucon
🎯#BruCON0x012 Spring Training (22-24 April) is almost here! Want to learn exploit development, evasion techniques for red teams, or anti-forensics? Check out the program 👇
💡Register before the end of March. Late registration kicks in three weeks before the event, so don’t miss your chance to save your seat and your budget.
👉 Check out the full training lineup and grab your ticket https://t.co/FYhUZXQuc6
Come join me for my fast-paced, two-day, hands-on training that takes a deep dive into anti-forensics techniques. The course is divided not only into operating systems but also into red/blue perspectives.
On the one hand, we will learn how adversaries are trying to cover their tracks, which might also be of interest to red teamers. On the other hand, we will teach various methods to circumvent or work around these anti-forensics techniques.🤘
Due to various requests, I will also have a section on Linux Rootkits ready, depending on time and the class's interest. Or just be prepared for a late-night session on the second day 🙃 Looking forward to welcoming some of you in my classroom 🤓
PS: My DMs are open if anyone wants a sneak peek at the content and slides to help them decide whether to register for the training.
More information and registration here: https://t.co/dpdsSLEgQL
A big shout-out to the @ToulouseHacking Review Committee. I submitted two talks, and one was accepted. Both talks were reviewed by three reviewers, and I received their comments along with the decision (Accepted/Rejected).
This is so valuable! Even though one of the talks was accepted, I can read the concerns (too deep for the time, too little time for the introduction, etc.) and, above all, the feedback on the talk that was not accepted. The feedback helps me refine the abstract for another CFP round and improve the talk in general.
This feedback will certainly also help less experienced speakers understand the review committee's decision. Hopefully, this will help mitigate some of the negative feelings that a rejection can trigger.
So once again: very cool! Keep up the good work :)
What I learnt today: Mandatory User Profiles
Praetorian titled their blog post "Persistence Through Forgotten Windows Internals", and true enough: I, at least, had never heard of Mandatory User Profiles before reading it.
In enterprise environments, administrators sometimes want to enforce a specific user profile that resets on each login. To accomplish this, Windows supports a file called NTUSER[.]MAN (the .MAN standing for “mandatory”), which takes precedence over the usual NTUSER.DAT registry hive stored in %USERPROFILE% when a user logs in.
Setting up persistence on a copy of NTUSER.DAT using the Offline Registry Library might evade some EDRs. The whole blog post is worth a read, but the TL;DR for defenders is:
Consider monitoring for NTUSER[.]MAN file creation in user profile directories, especially when it doesn’t come from an enterprise profile management system.
Source:
https://t.co/9gW16tHL5t
Are you an Incident Responder who wants to learn about Anti-Forensics (and Anti-Anti-Forensics 😀)? Check out this hands-on course, which gives you a real-world deep dive into attackers' tradecraft across Windows & Linux. Learn how adversaries hide, and how to detect, recover, and counter them using modern forensic techniques and artifacts. More information and registration ➡️ https://t.co/Bxchknjdjb
Still searching for the perfect Valentine’s gift? 😉
Show your love (for cybersecurity!) with our #BruCON0x12 Spring Training program — featuring Blue💙, Purple💜, and Red 💖Team courses.
To celebrate the season, we’re extending our early-bird registration until Valentine’s Day! 💘 Don’t miss out — check out the full program and sign up ➡️ https://t.co/FYhUZXQuc6
📢 Hands-On Training: Anti-Forensics (and Anti-Anti-Forensics) Techniques for Incident Responders @ BruCON 2026
I’m excited to announce my upcoming hands-on training at BruCON 2026 in Mechelen. This in-depth technical course is designed for Incident Responders who want to understand and defeat modern anti-forensics techniques actively used by threat actors.
The training progresses from foundational anti-forensic concepts to advanced techniques observed on Windows and Linux systems, with a strong focus on real-world detection and analysis.
Key Learning Objectives:
🔹 Identify and analyze classic and modern anti-forensic techniques
🔹 Correlate specific anti-forensic techniques with telltale forensic artifacts, understanding what remains and what's altered
🔹 Learn real-world analytical methods to detect, reconstruct, and recover evidence affected by anti-forensic methods
📍 Location: Mechelen, Belgium (BruCON 2026)
📅 Training Dates: April 22–23, 2026
Register here: https://t.co/dpdsSLEgQL
🚀 Ready to up your #cybersecurity game?
Join the #BruCON0x12 Spring Training (Apr 22–24) — a powerful mix of 5 Red, Blue or Purple team courses taught by top experts.
💡 Early bird pricing until Feb 12 — grab your seat!
🔗 https://t.co/CDOIVF1q1x
I recently reviewed a PingCastle report from a customer and noticed the image below, which indicates that "EVERYONE" has indirect control over most high-privilege groups. Do yourself a favour and run PingCastle and/or BloodHound every now and then.
@ido_gat It was important to me to teach the course live at least once or twice to get feedback and hear students' questions.
So I think it would be realistic to record the course by the end of the year, and then put it online.
"Reverse Evidence", Log clearing, Anti-Forensics.
VoidLink, a stealthy, cloud-native Linux malware framework discovered by Check Point this week, is equipped with techniques to delete or manipulate logs and traces, making it harder for Incident Response teams or security software to find forensic evidence.
I will be teaching my new course, Anti-Forensics (and Anti-Anti-Forensics) Techniques for Incident Responders, in Belgium this April at the BruCON Training (Spring Training 22-23 April), presenting a wide range of anti-forensic techniques and how to analyze your way around them.
Sign up to learn more about how to defeat modern threats 🤓
Here is the link to the training:
https://t.co/dpdsSLEgQL
In the Metasploit Wrap-Up from last week, a new Python Site-Specific Hook Persistence module was released. [1]
I wrote a detailed blog about this persistence, which I think is pretty cool. [2] If you have never heard of this technique, you might want to read up on it.
[1] https://t.co/GzmSpUuR5D
[2] https://t.co/7YsAMvdHp9
Great news to kick off your Monday! 🎉 The #BruCON0x12 Spring Training program (22–24 April) is now open for registration.
Whether you’re into red, blue, or purple teaming, there’s a spot for you in one of our 5 hands-on courses. 🚀 Secure your seat and grab the early-bird pricing by registering before February 13th.
👉 All details and registration here: https://t.co/xh72YKQVfe
To quote my teammate Evgen Blohm (@ChaplinSec): "Shadow IT at its best."
He responded to an intrusion involving (successful) brute-force attempts from an unknown IP range. Yup, not just an unknown IP address or device, but an unknown IP range (yikes). The customer later informed us:
"We've now located the network. It was an SSL VPN network that was apparently still active on the FortiGate for several users. The VPN function has now been deactivated."
Oh well...
The observed hostname that conducted the brute force was "packerp-qdo4b3v"; packerp-* hostnames have also been mentioned on other blogs (see the references below). Yet another use case for monitoring the hostnames roaming around in your network 🤓, and a reason to invest some time in the new year in getting rid of your shadow IT. ☝
References:
https://t.co/SmvqZrCNZP
https://t.co/cG5ISsJbXP
My teammate @hackerkartellet worked on a case where the TA tried to dump LSASS with procdump on a server, resulting in Defender blocking the attempt:
1117 HackTool:Win32/DumpLsass.A Tool Remove No additional actions required CmdLine:_C:\Users\svc_ldap_sso\Desktop\procdump64.exe -accepteula -ma lsass.exe C:\programdata\over.png
See the username? My first impulse is that this username (svc_ldap_sso) should never run anything on a server, let alone execute malicious commands (procdump per se is not malicious, but this combination is unlikely to be legitimate). I consider such AV alerts critical because a) somebody is trying to dump LSASS, and b) service accounts should not have a dual purpose, and especially should not be used for daily operations.
When we checked the security logs for that server:
Successful logon (type: Network) for account 'svc_ldap_sso' from 'kali' (10.10.10.180)
As I've preached so many times before, analyzing the hostnames roaming your network can be a great canary! Simple alerts like the one that shows "kali" on your network could save your day (and no, this was not a pentest).
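The hostname canary from this case and from the packerp-* case above, as an added detection example (not the team's tooling): it parses logon lines in the shape of the one quoted above, flags canary hostnames, and flags service accounts that log on from hosts they do not belong to or via an interactive logon type. The log lines, the svc_ naming convention and the per-account allow list are constructed assumptions.

```python
import re

# Shape of the summarised logon line quoted in the post (the constructed samples below use it)
LOGON_RE = re.compile(r"Successful logon \(type: (?P<type>\w+)\) for account "
                      r"'(?P<user>[^']+)' from '(?P<host>[^']+)' \((?P<ip>[\d.]+)\)")
# Hostnames from the two cases: the attacker's "kali" box and the packerp-* family
CANARY_HOSTS = [re.compile(r"^kali$", re.I), re.compile(r"^packerp-", re.I)]
# Hypothetical allow list: the only hosts a given service account should ever log on from
SERVICE_ACCOUNT_HOMES = {"svc_ldap_sso": {"ldapsync01"}}
INTERACTIVE_TYPES = {"Interactive", "RemoteInteractive", "CachedInteractive"}

def parse_logon(line):
    """Return the fields of one logon line as a dict, or None if the line does not match."""
    m = LOGON_RE.search(line)
    return m.groupdict() if m else None

def assess(event):
    """Reasons a parsed logon deserves an analyst's attention (empty list = nothing to see)."""
    host, user = event["host"].lower(), event["user"].lower()
    reasons = []
    if any(p.search(host) for p in CANARY_HOSTS):
        reasons.append(f"canary hostname {event['host']!r}")
    if user.startswith("svc_"):  # assumed naming convention for service accounts
        if host not in SERVICE_ACCOUNT_HOMES.get(user, set()):
            reasons.append(f"service account {user} from unexpected host {event['host']!r}")
        if event["type"] in INTERACTIVE_TYPES:
            reasons.append(f"service account {user} used for a {event['type']} logon")
    return reasons

def triage(lines):
    """Map each suspicious line to its reasons; clean and unparsable lines are left out."""
    findings = {}
    for line in lines:
        event = parse_logon(line)
        if event and (reasons := assess(event)):
            findings[line] = reasons
    return findings

# Constructed log excerpt; the first line mirrors the event quoted in the post
SAMPLE_LOG = [
    "Successful logon (type: Network) for account 'svc_ldap_sso' from 'kali' (10.10.10.180)",
    "Successful logon (type: Network) for account 'j.doe' from 'packerp-qdo4b3v' (192.0.2.77)",
    "Successful logon (type: Network) for account 'svc_ldap_sso' from 'LDAPSYNC01' (10.10.10.5)",
    "Successful logon (type: Interactive) for account 'j.doe' from 'WS-0142' (10.10.20.14)",
    "Successful logon (type: RemoteInteractive) for account 'svc_backup' from 'WS-0142' (10.10.20.14)",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, *("  - " + r for r in reasons), sep="\n")
```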
I loved the latest blog post from Huntress, "Why Some Malware Attacks Aren't as 'Sophisticated' as You Think", which reflects what we see in our daily Incident response work. [1] Yes, we respond to APTs, but many attackers (especially ransomware groups) are not what I would call "sophisticated".
[1] https://t.co/JEZbU1cy3W