惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
N
News and Events Feed by Topic
T
Troy Hunt's Blog
Help Net Security
Help Net Security
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
M
MIT News - Artificial intelligence
G
Google Developers Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V2EX - 技术
V2EX - 技术
Y
Y Combinator Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
Cisco Talos Blog
Cisco Talos Blog
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
I
InfoQ
H
Hacker News: Front Page
D
Docker
Scott Helme
Scott Helme
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Blog — PlanetScale
Blog — PlanetScale
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
博客园 - 【当耐特】
T
Tor Project blog
U
Unit 42
H
Heimdal Security Blog
Microsoft Azure Blog
Microsoft Azure Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
P
Privacy & Cybersecurity Law Blog
PCI Perspectives
PCI Perspectives
美团技术团队
O
OpenAI News
T
Tailwind CSS Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog
GbyAI
GbyAI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
MyScale Blog
MyScale Blog

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
OSINT for Incident Response (Part 1)
Kassie Kimball · 2023-12-08 · via Black Hills Information Security, Inc.

Being a digital forensics and incident response consultant is largely about unanswered questions. When we engage with a client, they know something bad happened or is happening, but they are uncertain of the “how, when, where, and why.” A significant component of our job is to tease out the “known knowns,” the “known unknowns,” and effectively and efficiently help the client answer the following:

  1. Have we been compromised?
  2. If “yes,” then:
    • How long have we been compromised? (“dwell time”)
    • What accounts and systems have been impacted?What was the method of compromise? (“patient zero”)
    • What data was accessed and/or exfiltrated?

In several recent cases, open-source intelligence (OSINT) has been instrumental in helping to answer these questions.

A compromise usually occurs because something changed, from misconfigurations to zero-day exploits to end-user behaviors, and the avenue of attack is most frequently the internet. OSINT can quickly and easily give us visibility into what the internet knows about the client organization. If the internet knows, the threat actors know, and as incident responders, we need to know!

As a DFIR consultant, an engagement begins with client contact. Based solely on that initial contact, we have some critical data points: the name of the organization, their email domain, and a timeline from which to start. Given a few minutes warning, I’ll engage in OSINT before even joining that initial client call. The following stories are less about the technical “how-to” or the specific tools/portals than about making the point that, whether you are a consultant or an internal resource, OSINT for IR is valuable and should be part of your investigative process.

Case #1: “3 Days from Misconfiguration to Ransomware”

As usual, the call came late Friday afternoon. Ransomware notes spewing from all network-attached printers was a fair indicator that my weekend plans were ruined, but I’m getting ahead of myself! Based on the first touchpoint with the client, I knew their primary TLD (top-level domain) and jumped right into my “5-minute OSINT” routine. First (drum roll please!), my email enumeration secret weapon: “Name Server Lookup” (ba-dum-bum-ching!). Yep, good ‘ol “nslookup.” I just want to enumerate their mail server. Super quick and easy, from Linux or Windows, specify “MX” (Mail Exchanger) record type and a reliable public DNS source (Google DNS in the example below), and mash “Enter!” (about 15 seconds start to finish):

nslookup -type=mx companydomainname.com 8.8.8.8
nslookup Command Example

About 98% of the time (I made that statistic up), I’ll see something like companydomainname-com.protection.outlook.com, indicating they are using M365 for their email. Generally, I want to quickly rule out that they have self-hosted email or be prepared to talk to the client about potential impact to their M365/Azure environments, if indicated. In this specific engagement, the client appeared to have on-prem Microsoft Exchange. From an “attack surface” perspective, this is definitely worth noting! Super valuable? For the <15 seconds invested, worth a quick check, and I’ve gained one potentially valuable clue!

If I know the client engagement is a business email compromise (BEC) case, I might stop there. If not, I’ll cast a bit wider of a net by using their top-level-domain (TLD) to lookup IP address/ranges in use, pivoting to internet “attack surface” search engines. I like DNS Dumpster for this next step because it’s quick, easy to use, and easy to interpret. I’m most interested in “ISP-allocated” IP blocks, e.g. “COMCAST-1234” or “LOCALISP-AS-01,” as opposed to CLOUDFLARENET, MICROSOFT-CORP, etc. Not that I’ll ignore the latter, but self-hosted/on-prem infrastructure seems to be the likelier devil’s playground. And, of course, I’ll take copious notes, screenshots, etc., of everything I learn for future reference (spoiler alert… this is important to this case!): https://dnsdumpster.com

IP blocks of Interest from DNS Dumpster

If DNS Dumpster returns a long list of IP blocks, take a hint from the IP listed in the SPF portion of their TXT records for a place to start. If you’re playing along, you may also note that the MX record is listed here in case you want to skip using “nslookup” in the future and jump right to DNS Dumpster!

Next, I perused the Host (A) Records within the context of a local ISP, looking for standouts, e.g. “exchange.companydomainname.com” or “remote.companydomainname.com.” In lieu of a standout entry or two, I took a stab at the range of addresses in use by the client, e.g. “10.1.0.128/25” or “10.1.0.129-140” (that’s a private address range, I’m just using it as an example here) and headed to Shodan.io.

If you don’t have a Shodan.io account, then you can’t use search filters, which presents a bit of a challenge. But you can still search for an IP or TLD. Worst-case scenario, you can filter via an alternative, then re-visit Shodan.io with an IP of interest (see options below): https://shodan.io

Sample Shodan.io IP Range Search

I used a range, as above, or you can use a “net:10.1.0.128/25” filter. From there, I reviewed ‘TOP PORTS’ for standouts. Common ports like 80 and 443 aren’t very exciting and just go in my notes. I’m more interested in unusual ports or remote-access ports, like 445, 3389, or 22. In this case, I saw two that were noteworthy: 3389 (Remote Desktop Protocol) and what looked like a non-standard web-services port. Next, I clicked on port “3389” to see associated IP addresses, then clicked on an IP for details. It’s important that you check and document the “last seen” dates. Copious notes and screenshots are your friend!

Screenshot of “Open Port” 3389 including Date Last Seen

Screenshot of “Open Port” 3389 including Date Last Seen

Side note… Shodan.io is certainly not the only “attack surface” search engine option. Even if it is your go-to, I highly recommend having more than one solution (see Case Study #2). Censys and LeakIX are a couple options, both providing search capabilities without registering and a bit more functionality upon free registration:

Censys.io example: https://search.censys.io – ‘ip: [10.1.0.129 to 10.1.0.140]’ or ‘ip: 10.1.0.128/25’

Example IP Range Search on Censys

LeakIX.net example: https://leakix.net “Service” – ip:”10.1.0.128/25”

Example IP Subnet Search on Leakix

Remember, this is not deep-dive analysis. It should take longer to read this post than to perform the actual queries! I’m just doing a quick “attack surface” gut check. Anything glaring? Anything that might inform further investigation? Document everything for future reference!

Armed with some OSINT perspective, we kicked off the client engagement and were initially consumed with containment and eradication. A couple days into the incident, while doing some event-log analysis, I noted a significant number of “4625” events (indicating failed logon) from public IP sources. According to the client, this should not have been possible, as they had no publicly accessible authentication portals. Additionally, the date/times didn’t line up with what we knew about the current incident. Puzzling, until I revisited my OSINT notes, which indicated “Remote Desktop” was open to the internet on at least one public IP address associated with the client organization. After a quick check with the client network engineers regarding public IP to private IP firewall mapping, we had a specific host to investigate. We pulled a triage collection, noted remote-access software installation at 3:00 AM from an unauthorized account, unwound the timeline from there and found “patient zero” (the initial point of compromise).

As it turns out, a few days prior, the client swapped out their primary firewalls (remember the “something changed” axiom), migrating and modifying previous configurations. The old configuration allowed a single, non-standard port inbound from the internet to a web-application (remember our earlier Shodan.io observations). Somehow in the translation to the new firewalls, that single inbound port “allow” turned into a 1:1 NAT (network address translation) mapping, allowing all ports inbound, including “Remote Desktop” (as we noted via Shodan.io) and “SMB” to the web-application server. Unfortunately, these changes were made by a third party, and the client was not happy about the unintended exposure. They were keenly interested in how we discovered “patient zero,” and specifically about the dates and times that “the internet” became aware of this misconfiguration. Thankfully, I’d grabbed screenshots of my Shodan.io forays, which helped from an external validation perspective, showing “first seen” and “last seen” exposure. As you might imagine, this was instrumental in client-vendor discussions about causality and culpability for this incident!

Finding “patient zero” can be extremely challenging, especially in a large, distributed enterprise, but it is critical to informing the remediation and recovery phases of IR. In this case, given enough time, we would have eventually discovered “patient zero,” but the “5-minute OSINT” routine dramatically reduced time to discovery and provided invaluable context for misconfiguration timelines to the client.

Case #2: “Metadata and a New-Fashioned Bank Robbery”

In the next installment of “OSINT for IR,” we’ll dig a little deeper and unravel a targeted attack against a financial institution. Thanks for reading!



Enjoy what you read?

Then check out Patterson’s webcast released the day as this blog!

Rapid Windows Endpoint Investigations with Velociraptor & KAPE w/ Patterson