having fun

NSA Green Lambert for OS X rootkit investigation

Green Lambert is described as an “active implant” and “the only one where non-Windows variants have been found.”

“C2 jitter, secure erase / uninstall, SSL/TLS+extra crypto, size below 150K, encrypt logs and local collection, decrypt strings on the fly in mem… simply following these guidelines immediately makes the malware (“tools”) more interesting and, recognizable by a skilled analyst.”

https://objective-see.com/blog/blog_0x68.html (pdf)

Windows RDP bruteforce logging

Enable auditing: secpol.msc -> Local Policies > Audit Policy, right-click the "Audit account logon events" policy and choose Properties (enable Failure, or both Success and Failure)
Check the log: eventvwr.msc -> Windows Logs > Security

Solutions: address lists populated when a source exceeds a traffic/connection threshold, port knocking, VPN, IP filtering
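Once failure auditing is on, the Security log fills with Event ID 4625 (logon failure) records, and the useful view is failures grouped by source IP rather than the raw event list. The PowerShell below is an added example for this note, not code from the original page: it checks that the Logon subcategory audits failures, pulls 4625 events from the last N hours, extracts the IpAddress, TargetUserName, LogonType and SubStatus fields from each event's XML, and prints the sources that exceed a threshold. The `-Hours` and `-Threshold` values are illustrative assumptions; run it elevated on the RDP host.

```powershell
# Added example: summarise failed logons (Event ID 4625) in the Security log
# by source IP to spot RDP password guessing. Not from the original notes.
# Assumptions: run elevated; $Hours and $Threshold are illustrative defaults.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20
)

# Confirm failure auditing is enabled for the Logon subcategory (auditpol is built in).
# If it shows "No Auditing", the secpol.msc step above has not taken effect yet.
auditpol /get /subcategory:"Logon"

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Named EventData fields live in the event XML as <Data Name="...">value</Data>.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        IpAddress = $d['IpAddress']
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive; with NLA, failures often land as type 3
        SubStatus = $d['SubStatus']   # 0xC0000064 = unknown user, 0xC000006A = bad password
    }
}

# Group by source address, drop events with no usable address, keep the noisy ones.
$rows |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Name
            Failures  = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ','
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

Two caveats when reading the output: with Network Level Authentication enabled, failed RDP attempts are usually logged with LogonType 3 rather than 10, so do not filter on type 10 alone; and a long list of distinct Users from one IP (unknown-user SubStatus 0xC0000064) is the usual signature of a wordlist run, which is exactly the source that should land in the address list or IP filter from the Solutions line above.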