<![CDATA[Eric’s Substack]]>https://blog.ecapuano.comhttps://substackcdn.com/image/fetch/$s_!lrkf!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72c9bc99-8815-431a-8473-21ce5748124c_400x400.jpegEric’s Substackhttps://blog.ecapuano.comSubstackThu, 16 Apr 2026 20:59:42 GMT<![CDATA[Hunting MongoBleed (CVE-2025-14847)]]>https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847Sat, 27 Dec 2025 03:41:01 GMTCVE-2025-14847 dropped recently and it’s a nasty one. Dubbed “MongoBleed” by the security community, it’s a memory disclosure vulnerability in MongoDB’s zlib decompression that allows attackers to extract sensitive data—credentials, session tokens, PII—directly from server memory. No authentication required. If you’re running MongoDB in production, you need to pay attention to this.

Patches are available, and you should apply them immediately if you haven’t already. But patching alone isn’t enough—you need to know if you were exploited before the patch. That’s where detection comes in.

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

After reading Kevin Beaumont’s excellent writeup on the vulnerability, I got to work building detection capabilities. As far as I know, this is currently the only defensive signature for CVE-2025-14847 that exists (as of this post being published). The result is a Velociraptor artifact for live hunting, with KAPE Targets for triage forensic collection coming soon.

What will make this CVE particularly challenging for blue teams is that it seems to be only detectable in the MongoDB server logs which are extremely unlikely to be shipped to any SIEM, and it requires somewhat complex logic which could be tricky to port into most SIEM detection engines. Fortunately, Velociraptor was a quick fix to both of these challenges.

Let me walk you through the vulnerability, the detection logic, and how I validated it against real attack traffic.

What is MongoBleed?

MongoBleed exploits a flaw in how MongoDB handles zlib-compressed network messages. When compression is enabled (which it often is for performance), an attacker can craft connections that cause the server to leak chunks of its memory in responses. Think Heartbleed, but for MongoDB.

The affected versions span multiple major releases:

  • 8.2.x: 8.2.0 - 8.2.2 (fixed in 8.2.3)

  • 8.0.x: 8.0.0 - 8.0.16 (fixed in 8.0.17)

  • 7.0.x: 7.0.0 - 7.0.27 (fixed in 7.0.28)

  • 6.0.x: 6.0.0 - 6.0.26 (fixed in 6.0.27)

  • 5.0.x: 5.0.0 - 5.0.31 (fixed in 5.0.32)

  • 4.4.x: 4.4.0 - 4.4.29 (fixed in 4.4.30)

  • 4.2.x: 4.2.0 and later (no fix)

  • 4.0.x: 4.0.0 and later (no fix)

  • 3.6.x: 3.6.0 and later (no fix)

That’s a lot of potentially vulnerable MongoDB instances out there.

The Attack Pattern

Here’s where it gets interesting from a detection standpoint. The exploit works by establishing many rapid connections to the MongoDB server—we’re talking tens of thousands per minute. Each connection probes for memory leaks, and the attacker aggregates the leaked data to reconstruct sensitive information.

But here’s the key insight: the exploit never sends client metadata.

Every legitimate MongoDB driver—whether it’s PyMongo, the Node.js driver, mongosh, or any other—sends a “client metadata” message immediately after connecting. This metadata includes the driver name, version, operating system, and application name. MongoDB logs this as event ID 51800.

The MongoBleed exploit? It connects (event ID 22943), does its thing, and disconnects (event ID 22944). No metadata. Ever.

This gives us a reliable detection signal: a source IP with hundreds or thousands of connections but zero metadata events is almost certainly not legitimate traffic.

Note: The behavior I described above reflects the behavior of the current public proof-of-concept exploit. A motivated attacker could modify the exploit to send fake client metadata after connecting, making the traffic appear more legitimate. However, the extreme connection velocity (100,000+ connections/minute) would remain difficult to mask without significantly reducing exploitation speed—creating a trade-off between stealth and effectiveness. Defense in depth applies: patch vulnerable systems rather than relying solely on behavioral detection.

Building the Detection

The Velociraptor artifact I created—Linux.Detection.CVE202514847.MongoBleed—implements a multi-faceted detection approach:

  1. Parse MongoDB JSON logs for connection events (22943), metadata events (51800), and disconnection events (22944)

  2. Aggregate by source IP within a configurable time window

  3. Calculate the metadata rate—what percentage of connections sent metadata?

  4. Calculate connection velocity—how many connections per minute?

  5. Apply risk scoring based on the combination of factors

The risk levels break down like this:

  • HIGH: ≥100 connections AND <10% metadata rate AND ≥500 conn/min

  • MEDIUM: ≥100 connections AND <10% metadata rate (lower velocity)

  • LOW: ≥100 connections (normal metadata rate)

  • INFO: <100 connections

The velocity component is important. Without it, you might flag a misconfigured application that made 100 connections over several hours without proper driver initialization. With velocity factored in, we’re looking for the characteristic burst pattern of the exploit—100,000+ connections per minute.

Testing Against Real Attack Traffic

I wasn’t about to release a detection artifact without validating it against actual exploitation. So I set up a lab environment:

  1. Spun up a vulnerable MongoDB 8.2.2 container with zlib compression enabled

  2. Deployed a Velociraptor server and installed the Linux client inside the container

  3. Ran the mongobleed POC against it

  4. Collected the artifact and checked the results

Here’s what the exploit traffic looked like:

  • Connections: 499

  • Metadata Events: 0

  • Duration: 0.3 seconds

  • Velocity: 111,716 connections/min

  • Metadata Rate: 0.00%

  • Risk Level: HIGH - Likely MongoBleed Exploitation

Detection confirmed. The artifact correctly flagged the attack with HIGH confidence.

I repeated this across MongoDB 6.0, 7.0, 8.0, and 8.2 to ensure the log format was consistent and detection worked across all vulnerable versions. It did.

But What About False Positives?

Any detection is only as good as its false positive rate. To validate the thresholds, I analyzed several days of production MongoDB logs from real-world deployments. The results were reassuring:

Production (Legitimate Traffic):

  • Velocity: 0.2 - 3.2 conn/min

  • Metadata Rate: 99 - 100%

  • Daily Volume: 300 - 4,500 connections

Attack Traffic:

  • Velocity: 100,000+ conn/min

  • Metadata Rate: 0%

  • Volume: 499 connections in 0.3 seconds

The difference between legitimate and attack traffic is 3-5 orders of magnitude. That’s a comfortable margin. Legitimate applications consistently send metadata with every connection, and their velocity is measured in single-digit connections per minute, not hundreds of thousands.

A caveat: I only had access to a handful of production MongoDB log sets to validate against. Your environment may look different—high-throughput applications, connection pooling behavior, or unusual driver configurations could shift these patterns. The default thresholds should be a sane starting point, but don’t be afraid to tweak the parameters if you’re seeing unexpected results. That’s what they’re there for.

Using the Artifact

The artifact provides three data sources:

  • MongoDBLogAnalysis: Parses log files from disk at standard paths (/var/log/mongodb/*.log*, etc.)

  • DockerMongoDBLogs: Parses logs from Docker containers when you specify a container pattern

  • RawConnectionEvents: Returns individual connection events for detailed investigation

The Docker source is smart about not executing unnecessarily—if you don’t specify a container pattern or Docker isn’t running, it skips entirely. No wasted cycles.

Key parameters you might want to tune:

  • TimeRangeMinutes: How far back to look (default: 60 minutes)

  • ConnectionThreshold: Minimum connections to flag (default: 100)

  • VelocityThreshold: Minimum connections/minute for HIGH risk (default: 500)

  • DockerContainerPattern: Container name pattern if running MongoDB in Docker

Assumptions and Limitations

A few things to keep in mind:

  • JSON logging is required. MongoDB 4.4+ defaults to JSON-formatted logs, which is what this artifact parses. If you’re running an older version with legacy text logs, this won’t work out of the box.

  • Log retention matters. The artifact can only analyze logs that exist. If your MongoDB logs rotate aggressively or the attacker clears them, you’ll miss the evidence.

  • This is Linux-only. While MongoDB runs on Windows, the vast majority of production deployments are on Linux. The artifact has a precondition limiting it to Linux systems.

Get the Artifact

The artifact is published on the Velociraptor Artifact Exchange. You can import it directly into your Velociraptor deployment and start hunting immediately using the Server.Import.ArtifactExchange server artifact.

If you’re running MongoDB in your environment, here’s what I’d recommend:

  1. Patch now if you haven’t already. The fixed versions are 8.2.3, 8.0.17, 7.0.28, and 6.0.27.

  2. Run this artifact against your MongoDB servers to check for exploitation attempts—even if you’ve patched, attackers may have hit you before the fix was applied.

  3. Check your log retention. If you only keep a few hours of logs, you may have already lost evidence. Consider extending retention for security-critical systems.

This vulnerability is trivial to exploit and the POC is public. If your MongoDB instances were internet-exposed with compression enabled, assume you were scanned at minimum.

References

Happy hunting.

Want to learn to wield Velociraptor like a pro? Check out our on-demand training: Threat Hunting & Incident Response with Velociraptor

Threat Hunting & Incident Response with Velociraptor logo

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[DFIR Artifact: PowerShell Transcripts]]>https://blog.ecapuano.com/p/dfir-artifact-powershell-transcriptshttps://blog.ecapuano.com/p/dfir-artifact-powershell-transcriptsThu, 14 Aug 2025 17:44:05 GMTYou are probably familiar with the concept of the “black box” or “flight data recorder” that is onboard all commercial airliners. This is the piece of the aircraft most critically sought after in a crash investigation as it contains detailed recordings of everything happening onboard the aircraft up until the accident.

PowerShell (version 5+) has a similar feature! In a previous post, I wrote about PowerShell ConsoleHost_History, but PowerShell transcripts are even better (when they are properly enabled!)

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

What are PowerShell Transcripts?

PowerShell transcripts are plain‑text logs that capture everything typed in an interactive PowerShell session and all text written back to the console (inputs and outputs). You can start/stop them manually with Start-Transcript / Stop-Transcript, or turn them on automatically across machines via Group Policy / Intune. When enabled, each session writes a file named like PowerShell_transcript.<COMPUTER>.<random>.<timestamp>.txt (by default into the user’s Documents folder). Enabling the invocation header adds a per‑command timestamp line to the log—gold for timelines. Read more: Microsoft Learn

TL;DR: Transcripts = “what the user did and what PowerShell showed,” with host/process metadata and (optionally) per‑command timestamps. They’re easy to enable and easy to collect at scale.

Why Responders Should Care

  • Rich context: Header includes username, “RunAs” user, computer name, host application (e.g., powershell.exe, ISE), process ID, PowerShell version, and start/stop times—handy for tying activity to processes and accounts.

  • Actual outputs: Unlike ConsoleHost_history.txt/PSReadLine history, transcripts preserve outputs, not just commands—useful when attackers enumerate, dump configs, or test connectivity.

  • Fleet‑wide coverage: Enabling the Turn on PowerShell Transcription policy is functionally the same as running Start-Transcript for every session. You can also force Include invocation headers to get per‑command timestamps.

  • Cross‑version story: PowerShell 7 (“PowerShell Core”) also supports these policies via its own Administrative Templates (“PowerShell Core”).

Where They Live (and How They’re Named)

It’s imperative to know the various locations Transcripts may exist in your environment so that you’re prepared to acquire them in an incident. Tools like KAPE and Velociraptor have solid insights into the most common locations of Transcripts and many other forensic artifacts.

Default (manual Start-Transcript):

$HOME\Documents\PowerShell_transcript.<COMPUTER>.<random>.<timestamp>.txt

You may also find them in other locations for various reasons. For instance, I have observed that when SYSTEM runs PowerShell (whether for legitimate or illegitimate reasons), it sometimes generates a transcript in C:\Windows\System32.

Policy‑controlled output directory (recommended):
Set a central, write‑only path (e.g., \\logshare\psx\) so logs persist if the endpoint is wiped. Mandiant recommends a restricted, write‑only share to reduce tampering and lateral visibility.

Find the configured drop‑off path (Windows PowerShell 5.1):

# HKLM takes precedence over HKCU 
$paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription',
         'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$cfg = foreach($p in $paths){ if(Test-Path $p){ Get-ItemProperty $p } }
$cfg | Select-Object PSPath, OutputDirectory, EnableTranscripting, EnableInvocationHeader

PowerShell 7+:

In PS7+, policies live under ...Microsoft\PowerShellCore\Transcription.

Key names you’ll see: EnableTranscripting, EnableInvocationHeader, OutputDirectory (also present in PowerShell’s JSON config model).

Enable It Right (GPO / Intune / Registry)

Group Policy path (Windows PowerShell):
Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Transcription
Enabling this is equivalent to starting a transcript for every session. Set Include invocation headers and a central Output directory.

PowerShell 7 (“PowerShell Core”):
Install/use the PowerShell Core ADMX templates and configure the same setting under the PowerShell Core nodes.

One‑liner to verify via registry (WinPS 5.1):

Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' ` -ErrorAction SilentlyContinue | Select EnableTranscripting, EnableInvocationHeader, OutputDirectory

Intune: Configure “Turn on PowerShell Transcription” and set Include invocation headers + Transcript output directory in the profile. Read more about this approach here.

Field Collection & Triage

Quick hunt for local transcripts (note, expects unchanged default paths):

# Assumes default locations
Get-ChildItem -Path C:\Users -Filter 'PowerShell_transcript*.txt' -Recurse -ErrorAction SilentlyContinue |
  Select-Object FullName, Length, LastWriteTime | Sort-Object LastWriteTime -Desc

For an even more robust version, see this example.

Reading the Header (What You Get for Free)

Each transcript begins with a header like:

**********************
Windows PowerShell transcript start
Start time: 20250814113458
Username: ERIC-PC\eric
RunAs User: ERIC-PC\eric
Configuration Name: 
Machine: ERIC-PC (Microsoft Windows NT 10.0.26100.0)
Host Application: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 58464
PSVersion: 5.1.26100.4768
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.26100.4768
BuildVersion: 10.0.26100.4768
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
<actual commands will follow>

One of my favorite datapoints in the header is the Host Application field which identifies the process that launched the PowerShell session. While in most cases this will be powershell.exe or pwsh.exe, unusual values—like rundll32.exe, mshta.exe, or a line-of-business app executable—can be a goldmine for investigators.

Spotting a suspicious or unexpected host process can reveal cases where PowerShell was spawned as part of a malicious execution chain (for example, malware using rundll32.exe to run inline PowerShell code). This insight is valuable because it can:

  • Expose defense evasion — Attackers often hide PowerShell inside non-obvious parent processes to blend in with legitimate activity.

  • Provide lead evidence for lateral movement or persistence — An odd host process could indicate exploitation of an application vulnerability or abuse of a scheduled task/service.

  • Help correlate with other telemetry — Matching the host process name and PID to EDR or Sysmon logs can quickly expand the picture of how and when the PowerShell session was launched.

Pro Tip!

If wsmprovhost.exe appears as the Host Application, it means the PowerShell session was started via WinRM (PowerShell Remoting). This process hosts remote shells on the target and runs under the connecting user’s context. It’s normal for admin tasks and automation, but suspicious if seen at odd times, from unusual IPs, or tied to accounts that don’t typically perform remote management—often a sign of lateral movement.

Reading the Transcript

The standard expected output of the transcript itself will be every command that was executed and the output of that command.

# <header removed for brevity>
PS C:\Users\jdoe> Get-Date
Thursday, August 14, 2025 2:02:36 PM

PS C:\Users\jdoe> Get-Process | Select-Object -First 3

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    563      36    14692      32120       1.92   1056   1 chrome
    427      24    10240      22144       0.33   3420   1 explorer
    308      20     8232      17896       0.05   8124   1 powershell

PS C:\Users\jdoe> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : contoso.local
   IPv4 Address. . . . . . . . . . . : 10.1.2.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.2.1

PS C:\Users\jdoe> exit
**********************
Windows PowerShell transcript end
End time: 2025-08-14 14:03:10
**********************

If invocation headers are enabled, you’ll also see per‑command timestamp lines before each command—perfect for minute‑by‑minute timelines.

# <header removed for brevity>
**********************
Command start time: 20250814140236
**********************
PS C:\Users\jdoe> Get-Date
Thursday, August 14, 2025 2:02:36 PM

**********************
Command start time: 20250814140242
**********************
PS C:\Users\jdoe> Get-Process | Select-Object -First 3

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    563      36    14692      32120       1.92   1056   1 chrome
    427      24    10240      22144       0.33   3420   1 explorer
    308      20     8232      17896       0.05   8124   1 powershell

**********************
Command start time: 20250814140252
**********************
PS C:\Users\jdoe> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : contoso.local
   IPv4 Address. . . . . . . . . . . : 10.1.2.55
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.2.1

**********************
Command start time: 20250814140308
**********************
PS C:\Users\jdoe> exit
**********************
Windows PowerShell transcript end
End time: 2025-08-14 14:03:10
**********************

Example: Reconstructing an Intrusion from a Transcript

Look for telltale sequences such as:

  • Recon: Get-ADUser, Get-LocalGroupMember, whoami /all

  • Payload fetch/exec: IEX (New-Object Net.WebClient).DownloadString(...)

  • Defense evasion: Set-MpPreference -DisableRealtimeMonitoring $true, adding AV exclusions

  • Persistence: schtasks /create ... or New-ItemProperty ... Run keys

  • Exfil test: Invoke-WebRequest to attacker infra

Tie the per‑command timestamps to 4104/4103 events and process trees (EDR) to validate.

Limitations & Gotchas (Know Before You Lean on It)

  • Order & completeness: Some host‑written text (e.g., Write-Host) can appear out of order relative to pipeline output. Edge cases can miss output if a script stops transcription mid‑formatting; Microsoft documents these limitations and a workaround (wrap in a script block and pipe to Out-Default). Don’t panic—just correlate with event logs.

  • Tamper‑able files: Transcripts are plaintext owned by the user that generated them. Use a write‑only central share and ship copies to your SIEM.

  • Scope: Transcripts record text in the PowerShell host. If a tool writes to a separate GUI or network socket without emitting console text, you won’t see it here.

  • Unmanaged or in-process PowerShell — Attackers can bypass transcription by loading the PowerShell engine via .NET (e.g., custom runspaces) or using portable/renamed binaries outside your managed installation. These sessions don’t honor Group Policy/registry logging settings and may evade both transcription and Script Block Logging. Read more about this here.

  • Version split: Historical nuance—Windows PowerShell vs PowerShell 7 policies live in different registry hives/nodes; ensure you configure both where PS7 is deployed.

  • Ops impact: If you force logging to an unavailable network share, some automation may hang or fail; test carefully before broad rollout. (If centralizing, ensure service accounts can write and you have offline buffering.)

Detection Notes (Hardening & Evasion)

  • Watch for logging disablement: Alert on changes to transcription/script‑block logging registry keys (Enable/Disable flips) under user or machine policy hives—classic defense‑evasion. Sigma rules exist specifically for this pattern, good example detection here.

  • Pair with Script Block Logging: Script block logs (4104) capture the de‑obfuscated code that executed. Even if an attacker obfuscates or uses -EncodedCommand, you still get the decoded content in many cases. Read more about this here.

  • Correlate transcripts with Script Block Logging for stealthy techniques — When paired with Event ID 4104 (decoded script blocks), transcripts can expose both the original cradle command (e.g., IEX (New-Object Net.WebClient).DownloadString(...)) and the attacker’s obfuscated payload. This combined view gives analysts a before/after look that’s far harder for adversaries to fully hide, even when using the infamous “PowerShell Download Cradle”. Read about this technique here.

Enablement Cheat‑Sheet

Manual (ad‑hoc, only for current session):

Start-Transcript -OutputDirectory 'C:\Transcripts' -IncludeInvocationHeader
# ...do work...
Stop-Transcript

Manual (permanent, machine-wide):

New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -Name EnableTranscripting -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force

Fleet (policy):

  • Turn on PowerShell Transcription (+ include invocation headers) and point Output Directory at a central, write‑only share. (Windows PowerShell and PowerShell Core templates.)

Verify it’s working (PS 5.1 & PS 7):

$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription',
         'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\Transcription'
$roots | ?{ Test-Path $_ } | %{
  [pscustomobject](Get-ItemProperty $_ | 
    Select EnableTranscripting, EnableInvocationHeader, OutputDirectory, PSPath)
}

Summary

Treat PowerShell transcripts as your shell’s flight recorder: enable them everywhere, include invocation headers, point output to a restricted, write‑only path, and alert on attempts to disable logging. In return you get per‑session, per‑command truth that stitches cleanly to 4103/4104 and EDR process trees, survives history clearing, and spotlights the telltale flags, Defender‑tamper switches, and LOLBIN abuse. They’re plaintext and not tamper‑proof—so hash, preserve, and corroborate—but for the cost of a single GPO/Intune setting they deliver incredible visibility. If you change one thing after reading this, make PowerShell transcription your default; future‑you (and your incident timeline) will thank you.

Want to get hands-on experience with this sort of analysis? Check out my hands-on courses which leverage these and many other artifacts for intrusion analysis in live-fire IR simulations.

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Introduction to YARA]]>https://blog.ecapuano.com/p/introduction-to-yarahttps://blog.ecapuano.com/p/introduction-to-yaraTue, 11 Mar 2025 21:27:45 GMTIf you've spent any time in malware analysis, threat hunting, or incident response, you've likely heard of YARA. YARA is an essential tool for security professionals looking to identify and classify malware samples based on textual or binary patterns. But what makes YARA so powerful, and how can you start leveraging it in your security workflows? Let's dive in.

What is YARA?

YARA is an open-source tool created by Victor M. Alvarez to help malware researchers and analysts define and search for malware families based on customized signatures. Instead of relying on traditional hash-based detection (which is easily bypassed with minor file modifications), YARA enables analysts to create flexible and reusable rules that describe known malware behaviors.

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

At its core, YARA rules consist of pattern-matching conditions that are applied to files, memory dumps, or network traffic to detect malicious activity. These rules help analysts identify similar malware samples, even when attackers make modifications to evade detection.

Why YARA is a Game-changer for Threat Hunting

Unlike traditional antivirus signatures that rely on exact file hashes, YARA allows for:

  • Pattern-based detection: Define text or binary sequences to identify malware, even if its hash changes.

  • Behavior-based identification: Detect threats based on characteristics rather than exact matches.

  • Memory scanning: Analyze live processes for suspicious patterns.

  • Automated threat hunting: Integrate with SIEMs, EDRs, and other security tools for real-time detection.

  • Cross-platform support: YARA can be used on Windows, Linux, and macOS, making it versatile for different environments.

Writing Your First YARA Rule

A simple YARA rule looks like this:

rule Example_Malware_Detection {
    meta:
        author = "Your Name"
        description = "Detects a sample malware family"
        date = "2025-03-11"
    strings:
        $malicious_string1 = "bad_code_here"
        $malicious_string2 = { E8 00 00 00 00 5D C3 }
    condition:
        any of them // matches any of the strings provided
}

Breakdown of this rule:

  • Meta section: Includes metadata about the rule.

  • Strings section: Defines text or byte patterns to look for.

  • Condition section: Specifies when to trigger a match (e.g., if any of the defined strings appear in a file).

Let’s Try It!

Let’s write a simple rule to detect the cmd.exe executable using conditions that are met within this binary.

  1. Download the YARA engine here:

    1. https://github.com/VirusTotal/yara/releases

  2. Download the Sysinternals Strings utility here:

    1. https://learn.microsoft.com/en-us/sysinternals/downloads/strings

  3. Run strings against cmd.exe to see what type of human-readable strings we can match with our pattern

    strings64.exe -accepteula C:\Windows\System32\cmd.exe

    1. We’ll select a string which is unique to this executable, at least for the sake of this exercise.

    2. We can use this string to craft a YARA rule.

      1. Save this to detect_cmd.yar and place it in the directory you unzipped the YARA engine

        rule detect_cmd
{
    meta:
        description = "Simple example rule to detect cmd.exe"
        author = "blog.ecapuano.com"
    
    strings:
        $mz = { 4D 5A }  // MZ header for portable executable files
        $cmd_processor = "Windows Command Processor" ascii
    
    condition:
        $mz at 0 and $cmd_processor
}

        1. Notice, I’ve added a condition called $mz that looks for the well-known header of a portable executable being at location 0 or the start of the file, which is a good way to ensure we only trigger a detection on an executable.

    3. Now, with your rule file saved, test it by scanning your own cmd.exe (on a Windows system of course)

      yara64.exe -s detect_cmd.yar C:\Windows\system32\cmd.exe

Where to Find High-quality YARA Rules

Creating your own YARA rules is powerful, but leveraging community-driven rules can give you a head start. Some great sources include:

Automating YARA Scanning

To maximize YARA’s potential, integrate it with automation tools like:

  • Velociraptor – Conducts live memory and file system analysis using YARA.

  • THOR Scanner - Nextron’s own scanner using their private and public rulesets.

  • LimaCharlie – Automates YARA-based detections across an enterprise.

Final Thoughts

YARA is an indispensable tool in any security professional’s toolkit. Whether you're analyzing malware, conducting threat hunting, or building advanced detection capabilities, YARA provides the flexibility and power needed to stay ahead of adversaries. Start experimenting with YARA today, and soon enough, you'll be writing powerful rules that can spot malware before it becomes a problem.

Want to try this in a real threat detection scenario?

Check out the hands-on lab in So You Want to be a SOC Analyst? to use YARA to find actual malware in a live environment!

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[The Role of Fuzzy Hashes in Security Operations]]>https://blog.ecapuano.com/p/the-role-of-fuzzy-hashes-in-securityhttps://blog.ecapuano.com/p/the-role-of-fuzzy-hashes-in-securityThu, 19 Dec 2024 02:35:55 GMTBonus Content! Hands-on Lab at the bottom :)

Security Operations daily routines can feel like a game of whack-a-mole—because often teams are using IOCs (indicators of compromise) that have a very short shelf life. For instance, an IT person might detect suspicious activity to/from a certain IP address, and decide to simply block that IP address and move on. The problem with that approach is that IP addresses are disposable and easy to change. The same is true with malware hashes.

A traditional approach to identifying malware is to catalog its static hash (such as SHA1, SHA256, MD5) into a list of known malicious files. This is how traditional antivirus software operated—it compared files on your system against this list of known-bad hashes. However, this method has a significant weakness: static hashes are extremely fragile. Even the tiniest modification to a file completely changes its hash, allowing a previously identified "bad" file to appear "good" again.

Here are some common techniques malware authors use to evade static hash detection:

  • Byte manipulation: Adding, removing, or modifying single bytes in the malware code

  • Payload repackaging: Compressing or encrypting the malicious code differently each time

  • Polymorphic code: Automatically modifying the malware's code structure while maintaining functionality

  • Padding insertion: Adding random data between code sections to change the file's hash

  • Code reordering: Changing the sequence of code blocks without affecting the program's behavior

These simple modifications completely change the malware's static hash while preserving its malicious functionality, making traditional hash-based detection ineffective.

That’s where fuzzy hashes come in. Unlike traditional hashes, which are great for spotting exact matches, fuzzy hashes focus on finding “close enough” similarities. This makes them incredibly useful for detecting malware that’s been slightly modified or identifying patterns in large sets of data. In this post, we’ll break down the different types of hashes, how fuzzy hashes work, and why they’re a key part of malware identification.

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

Static Hashes

Traditional static hashing algorithms like MD5, SHA1, and SHA256 work by processing a file's data in a deterministic way to produce a fixed-length output (the hash). Here's how they generally work:

  1. The file is read as a stream of bytes

  2. The data is processed in fixed-size blocks through a mathematical function

  3. Each block's result is combined with the previous results in a way that any change, no matter how small, cascades through the entire calculation

  4. The final output is a fixed-length string of characters that uniquely represents the input data

This is why changing even a single bit in a file results in a completely different hash value — the cascading nature of the algorithm ensures that the entire hash changes. While this property makes static hashes excellent for verifying file integrity and detecting exact matches, it makes them ineffective for detecting similar or slightly modified files.

Fuzzy Hashes

Fuzzy hashes work differently from static hashes by breaking down files into smaller chunks and creating signatures that can survive minor modifications. Here's how they typically work:

  1. Files are divided into variable-sized blocks based on content patterns rather than fixed sizes

  2. Each block is hashed separately, creating a sequence of smaller hashes rather than one large hash

  3. The sequence of block hashes is combined to create a "fuzzy hash signature" that represents the file's structure

  4. When comparing files, their fuzzy hash signatures are analyzed for similarity, producing a match percentage rather than a binary match/no-match result

This approach offers several key advantages for security analysts:

  • Can identify variants of known malware even after minor code modifications

  • Maintains effectiveness against common malware obfuscation techniques

  • Provides similarity scores that help analysts correlate separate investigations

  • Works well for identifying malware families or code reuse

Below, we’ll break down a few of the most common fuzzy hashing techniques.

SSDEEP

SSDEEP is one of the most widely used fuzzy hashing tools in cybersecurity. It implements context triggered piecewise hashing (CTPH), which was originally developed for spam detection but found great utility in malware analysis.

Here's how SSDEEP specifically works:

  1. It divides the input file into blocks based on content patterns rather than fixed sizes

  2. Uses a rolling hash function to identify trigger points in the data that determine block boundaries

  3. Generates a hash for each block using a traditional hashing function

  4. Combines these block hashes into a single signature that represents the file's structure

Key advantages of SSDEEP include:

  • Ability to detect files that are similar but not identical

  • Resistance to simple obfuscation techniques commonly used by malware authors

  • Generation of compact signatures that are easy to store and compare

  • Fast comparison operations making it practical for large-scale analysis

SSDEEP outputs similarity scores from 0 to 100, where 100 indicates the highest similarity between two files. Security analysts typically consider scores above 50 as significant enough to warrant further investigation.

Read more about SSDEEP

IMPHASH (Import Hash)

IMPHASH, originally developed by Mandiant in 2014, is another fuzzy hashing technique specifically designed for Windows Portable Executable (PE) files. Unlike ssdeep which analyzes the entire file content, IMPHASH focuses on the Import Address Table (IAT) of executable files.

Here's how IMPHASH works:

  1. It extracts the Import Address Table from a PE file

  2. Combines the DLL names and their imported function names in a specific order

  3. Creates a hash of this combined string using MD5

IMPHASH is particularly useful because:

  • Malware variants often maintain similar import patterns even when the rest of the code changes

  • It can identify malware families that use the same codebase or development patterns

  • It's effective at detecting packed or obfuscated malware that share similar unpacking routines

  • The calculation is relatively fast compared to other fuzzy hashing methods

  • It’s natively supported in popular monitoring tools like Sysmon

However, IMPHASH does have limitations:

  • Only works with Windows PE files

  • Can be defeated if malware authors deliberately modify their import patterns

  • May produce false positives with legitimate applications that share common import patterns (happens more often than you’d think)

Read more about IMPHASH

TLSH (Trend Micro Locality Sensitive Hash)

TLSH is another fuzzy hashing algorithm that was developed by Trend Micro and released as open source. It's particularly effective at identifying similarities between files, even when they've undergone significant modifications.

Here's how TLSH works:

  1. The file is split into sliding windows

  2. These windows are used to populate a counting bloom filter

  3. The bloom filter data is processed to generate a digest

  4. Final hash includes file metadata like length and quartile points

Key advantages of TLSH include:

  • More robust against certain types of file modifications compared to SSDEEP

  • Better performance when comparing large sets of files

  • Provides distance scores that are more consistent across different file sizes

  • Works well with both small and large files (recommended minimum 50 bytes)

TLSH has some unique characteristics that make it particularly valuable for malware analysis:

  • The distance scoring is symmetrical, meaning comparing A to B gives the same result as B to A

  • It's less sensitive to file size differences than other fuzzy hashing algorithms

  • The algorithm is designed to be robust against adversarial modifications

  • Can effectively cluster similar files in large datasets

Like other fuzzy hashing methods, TLSH should be used as part of a comprehensive malware analysis strategy, often in combination with SSDEEP and IMPHASH for the most effective results.

Read more about TLSH

Want to try it yourself?

I've created a hands-on lab so you can get practical experience with this concept.

The lab consists of a single PowerShell script which does the following;

  1. Downloads and unzips SSDEEP to the working directory.

  2. Copies itself 9 times, adding a slight modification (random GUID) to each copy.

  3. Captures static and fuzzy hashes of the original and each copy.

  4. Interactively compares the hash techniques.

Lab Instructions

While you can fire up a VM for this one, it’s not necessary. Simply delete the folder when you’re done.

  1. Create a folder anywhere on your system, like your Desktop or a temporary folder.

  2. Download this script to a file called HashMorpher.ps1 in the newly created folder.

  3. Inspect the script! It’s very straight-forward and well commented.

    1. If you’re feeling paranoid, feed it to ChatGPT!

  4. Run the script in PowerShell.

    .\HashMorpher.ps1

  5. Follow the prompts, learn cool stuff.

  6. Repeat as many times as you wish.

  7. Delete the folder when you’re done.

Thanks for reading Eric’s Substack! This post is public so feel free to share it.

Share

]]><![CDATA[Atomic & Stateful Detection Rules]]>https://blog.ecapuano.com/p/atomic-and-stateful-detection-ruleshttps://blog.ecapuano.com/p/atomic-and-stateful-detection-rulesMon, 14 Oct 2024 19:20:55 GMTHello, readers! I had a topic in mind that I felt might make a good post for those breaking into the defensive side of information security: atomic and stateful detections.

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

What are they?

In detection engineering, effective detection strategies hinge on understanding the two primary types of detection rules: atomic and stateful. Both serve crucial purposes, and neither is inherently better than the other, as each has specific strengths depending on the goal.

Atomic detections focus on single, isolated events or activities that can be identified as malicious or benign without further context. These are quick and precise but limited in scope.

Stateful detections, often called correlation rules, rely on analyzing multiple events over time to build context and detect patterns of malicious behavior. They offer more depth but come with added complexity.

Simply put, atomic detections focus on identifying a single event as potentially harmful, while stateful rules analyze multiple events to reveal behaviors that might indicate a larger issue.

Example of an Atomic Detection

Let’s first look at a simple example for an atomic detection. Sigma is an open-source standard for writing detection rules in a platform-agnostic format, making it easier to share and apply detection logic across different systems and SIEMs. Below is an example of an atomic Sigma rule which looks for execution of whoami.exe with an unusually high privileged context for this process.

title: Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
related:
    - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
      type: obsolete
status: test
description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022-01-28
modified: 2023-12-04
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'whoami.exe'
        - Image|endswith: '\whoami.exe'
    selection_user:
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - 'TrustedInstaller'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

This rule only needs a single process creation event to find this criteria, therefore, it is atomic.

Example of a Stateful Detection

While Sigma is an extremely popular collection of open source detection rules, it has historically been limited to only atomic rules. However, recent advancements in the Sigma project have introduced support for stateful rules for some conversion backends.

One of the simplest and most popular examples of a stateful rule is looking for brute force activity. The approach is often “look for X number of failed logons over Y amount of time.” The logic is simple enough, but cannot be accomplished with atomic rules because the rule must observe multiple events over a time period. It gets even trickier when you add “X number of logons, by the same username OR from the same source IP, over Y amount of time.”

Here is an atomic detection looking for a single failed logon. (source)

title: Windows Failed Logon Event
name: failed_logon # Rule Reference
description: Detects failed logon events on Windows systems.
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    condition: selection

This would be an incredibly noisy rule as failed logons happen all of the time.

If we want to detect only an unusually high number of failed logons in a short period of time, we’d need a stateful rule.

title: Multiple failed logons for a single user (possible brute force attack)
correlation:
    type: event_count
    rules:
        - failed_logon # Referenced here
    group-by:
        - TargetUserName
        - TargetDomainName
    timespan: 5m
    condition:
        gte: 10

Notice that we can define a timespan, condition, and even group-by values to fine-tune the behavior of our stateful rule. With this logic, our rule will only fire when 10 or more failed logons occur within 5 minutes, where the same username is observed across all events.

Now, it’s important to state that there are other types of stateful rules beyond a simple “X count over Y amount of time”… You can also track more complex things such as event ancestry. For instance, you might want to detect on a very particular process chain such as winword.execmd.exewscript.exemshta.exe. This would be nearly impossible in an atomic rule, because often only the parent process information is available in the context of a process creation event. This means an atomic rule can only know one level above any given process event.

In the first example, if we only need to know when winword.exe directly launches mshta.exe, we could accomplish this by observing a single Event 4688 (or Sysmon Event 1) and find both the Image and Parent Image fields containing the required detection data.

In the second example, winword.exe still launches mshta.exe, but not directly. Multiple other processes are chained together before mshta.exe is ultimately executed. The only way to know that mshta.exe was a grandchild of winword.exe is with a stateful rule engine that can keep track of the entire chain.

Summary

In conclusion, both atomic and stateful detection rules play critical roles in detection engineering, each excelling in different scenarios. Atomic rules are fast, straightforward, and effective for simple, well-defined threats like detecting the execution of a specific malicious file, such as mimikatz.exe. In such cases, only a single event or piece of telemetry needs to be observed to trigger an alert, making atomic rules ideal for pinpointing specific behaviors quickly.

On the other hand, when dealing with more complex attack patterns that unfold over time or across multiple data points, stateful detection becomes invaluable. For instance, detecting a series of 12 failed login attempts by a user like john.doe within a 5-minute window requires correlating several events across a timeline to identify suspicious behavior. In this case, stateful rules are crucial for building context and uncovering more advanced or stealthy threats that might otherwise go unnoticed.

To build a robust detection strategy, it’s essential to leverage both atomic and stateful rules in your environment. Start by using atomic rules for known, high-confidence threats, while stateful rules can help uncover stealthy or advanced attacks that unfold over time.

To enhance your understanding and dive deeper into stateful and atomic detections, I recommend exploring the following resources:

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Prefetch Analysis Lab]]>https://blog.ecapuano.com/p/prefetch-analysis-labhttps://blog.ecapuano.com/p/prefetch-analysis-labMon, 29 Apr 2024 17:16:09 GMTWhat is Prefetch?

In the world of digital forensics, Windows Prefetch files are a goldmine of information for investigators looking to understand program execution behavior. Prefetch files, automatically generated by Windows, are designed to speed up the application launch process. However, they also serve a critical secondary function by logging essential data about program execution. As this forensic artifact is covered in great detail in many other places, I will not recap it heavily here. I encourage you to do your own research to better understand the finer points of Prefetch. A fantastic resource to better understand the intricacies of prefetch is Microsoft’s own Guidance for Incident Responders. I’ve captured the relevant pieces in the screenshot below and I strongly encourage you to read all points.

In this post, we’ll explore the practical aspects of Prefetch file analysis, guiding you through a hands-on lab designed to equip you with the skills needed to extract, interpret, and utilize this information effectively. The lab utilizes prefetch files collected from a system involved in a simulated data breach attack.

Attack Scenario

We are investigating an intrusion involving a workstation owned by Bill Lumbergh of the Initech Software company. Bill is currently an IT technician hoping to break into the exciting cybersecurity career field.

Recently, Bill was looking for free resources for testing his skills in web app penetration testing and used Reddit to try to find a cracked version of a popular software called Burpsuite Pro. Unfortunately, an unsavory Redditor may have sent Bill some malware.

We have acquired key forensic artifacts from Bill’s system to better understand what happened once he ran the malware. This lab focuses exclusively on the Prefetch files obtained from Bill’s system. You might be surprised at just how much this one artifact will reveal about this attack.

Lab Guide

I have learned that Notion is much better for delivering lab guides than Substack, so the actual hands-on portion of this guide is covered here.

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[So you want to be a SOC Analyst? 2.0]]>https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-20https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-20Fri, 03 Nov 2023 02:36:04 GMT

What’s this about?

For those familiar with my free series, So You Want to be a SOC Analyst? — this is version 2.0 which follows the same path as the original but features fully cloud-hosted VMs which have been preconfigured for this lab. This saves a lot of time on setup, and removes any requirement for running VMs locally which is difficult or impossible for some users.

How does it work?

Simply register for the pay-what-you-can course, and everything you need will be accessible in your web browser.

Register for the Course

What will I need to have in order to do this lab?

A web browser, that’s it!

How is this different than the original, free SYWTBSA?

The primary difference is that the original series required you to download and setup two virtual machines. This is becoming more difficult for participants without powerful systems for running VMs, or those on ARM-type CPUs (Mac M1/M2). Now, you don’t have to download anything, and can connect to a cloud-hosted VM.

The other difference is that I have modified and improved several steps of the original labs to add some interesting new techniques… So there will be slight differences in the lab content itself.

Why is this a paid course when the original series was free?

Primarily because 2.0 requires use of VMs running in the cloud which incur real costs for me. Also, it takes real time to continue supporting students working through the series and keeping the labs up to date. I try to make most of my beginner content free.

I want to give it a try!

Great! Click the button below to register.

Register for SYWTBSA Course

]]><![CDATA[Threat Hunting with Velociraptor - Long Tail Analysis Lab]]>https://blog.ecapuano.com/p/threat-hunting-with-velociraptorhttps://blog.ecapuano.com/p/threat-hunting-with-velociraptorSat, 28 Oct 2023 03:38:43 GMT Read more

]]><![CDATA[VMware Memory Analysis with MemProcFS]]>https://blog.ecapuano.com/p/vmware-memory-analysis-with-memprocfshttps://blog.ecapuano.com/p/vmware-memory-analysis-with-memprocfsSat, 27 May 2023 22:24:51 GMTLet’s get hands-on with one my favorite memory analysis tools, MemProcFS by Ulf Frisk.

I highly recommend watching this video demo by Ulf Frisk which outlines a lot of what we’re about to do and will give you a solid primer on the capabilities of the tool.

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

In this guide, we’ll make a little noise on a Windows VM running in VMware Workstation, and use MemProcFS to analyze the memory image of the compromised running VM.

Prepare the lab environment

To get started, you’ll need the lab environment (both VMs) I outline in this post, but feel free to skip the LimaCharlie step as we won’t be using it for this guide. No harm in doing it as it only adds to the fun to be able to see EDR telemetry of what we’ll do next.

If you are using the same Windows VM you deployed from a previous lab some time ago, it may be expired at this point and you need to pull down a new one or else it will shut itself down periodically.

Once your lab environment is setup, complete only the following steps of this post:

At this point, you should have an active Sliver implant on your Windows VM. Leave it running, now let’s prep our host system to use MemProcFS.

Install MemProcFS on your host

For the purpose of this guide, I am assuming your host system is Windows. If you are using a different host OS, you’ll need to adapt these steps for your host. This needs to be accomplished on the host so that MemProcFS has direct access to VMware running on the host.

  1. On your host system (not within a VM), download MemProcFS 5.6.5 from GitHub with the link below. I am hardcoding the version we use for the purpose of the guide, but latest releases can be found here.

    1. https://github.com/ufrisk/MemProcFS/releases/download/v5.6/MemProcFS_files_and_binaries_v5.6.5-win_x64-20230525.zip

    2. Unzip it to a location you can easily find later.

  2. Download and install Python 3.11

    1. https://www.python.org/ftp/python/3.11.3/python-3.11.3-amd64.exe

  3. Download and install Dokany, a dependency that MemProcFS uses to mount memory images as file systems.

    1. https://github.com/dokan-dev/dokany/releases/download/v2.0.6.1000/DokanSetup.exe

Do Evil Things on your Windows VM

With the Sliver session we should have open from previous steps, let’s interact with the session and do something that will look interesting in memory.

Currently, our C2 implant is running as it’s own process with the name of whatever Sliver generated when you created your payload. Not only is this suspicious if someone else were to look at running processes, but it’s volatile as someone may terminate that process.

  1. Let’s get some information about the privileges our C2 session currently has on the victim

    getuid
    whoami

    1. Notice, we’re running as the “User” account on the machine. While this account has admin rights, a more powerful user context to run under would be “System” — one easy way to achieve this is to inject into a process that is already running as system.

  2. Examine the process tree on the victim, and see what process you are running as by running the following command in Sliver within your C2 session.

    ps -T

  3. Let’s be extra shady, and inject another C2 implant into the security tool we see running on the system “Sysmon64.exe” — there is a very good chance this process is running with higher privileges than we currently have.

    1. Take note of the Process ID your instance of Sysmon64 is running as, in my case it is 7148

  4. Let’s “migrate” our C2 payload into the running sysmon process

    migrate <sysmon_pid>

  5. If your migrate command succeeds, a new C2 session will open from the victim, now running inside of the Sysmon64 process.

  6. Switch into the new C2 session

    use <new_session_id>

  7. Now let’s check our privileges again

    getuid
    whoami

    1. Notice we are now running in the System user context, which is the most powerful account on a single machine.

  8. To add some interesting activity for analysis, let’s drop to an interactive shell in our new C2 session running inside of Sysmon64

    shell

    1. Type Y and hit enter to confirm

    2. We are now in a PowerShell session on the victim

    whoami
    Get-Process

  9. While there are many things we could do from here, we likely have enough to make our memory analysis interesting. So let’s switch back to our host and begin the process of mounting and analyzing the Windows VM’s memory.

Analyze Memory with MemProcFS

Switch back to your Windows host system and let’s launch MemProcFS.

  1. In an administrative PowerShell prompt, change to the location you unzipped MemProcFS.

    cd C:\path\to\MemProcFS_directory

  2. Inspect the help output 

    .\MemProcFS.exe -h

    1. Take specific note of the entries at the end which describe the usefulness of the -forensic and -forensic-yara-rules options as we’ll be using both.

  3. Let’s download a Yara rule that specifically looks for Sliver C2 implants. Run the following command in your PowerShell console

    IWR -Uri https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/gen_gcti_sliver.yar -Outfile gen_gcti_sliver.yar

  4. Now that our Yara rule is staged, we’re ready to run MemProcFS to mount the memory image of our running Windows VM victim

    .\MemProcFS.exe -device vmware -forensic 1 -forensic-yara-rules ".\gen_gcti_sliver.yar"

  5. MemProcFS will prompt you to decide which VM you want to mount memory from. We want to choose the VM-ID that is associated with our Windows VM. In my case, it’s fairly simple since I know the Linux VM has 2GB of RAM and the Windows VM has 8GB.

    1. Enter your VM-ID and press ENTER

    2. The following output means that our memory is now mounted at drive letter M:\ on our host system

Analyze Memory

  1. On your host system, browse to the newly mounted M: drive.

  2. There are many awesome things available to you here, as you have essentially mounted memory of a running machine as if it was a basic file system. Start by looking at basic information such as the running processes on the system

    1. Browse to M:\sys\proc and open proc.txt

      1. Search for your interesting process names such as your Sliver EXE or the process we migrated into: Sysmon64

    2. Browse to M:\sys\net and open netstat.txt

      1. Two easy search terms here: suspicious processes (implant or sysmon) or simply the IP address of the suspected C2 server

      2. Notice many CLOSED and a couple ESTABLISHED connections to our C2 IP address from the Sliver generated EXE as well as from Sysmon64. This is highly unusual as Sysmon should rarely, if ever, be communicating on the network.

  3. Now let’s get to the good part… Remember how we asked MemProcFS to run a Yara scan for Sliver C2? Let’s see if it found any hits.

    1. Browse to M:\forensic\yara and open match-count.txt — this simply tells us if there were any matches for our signature. In my case, there were 4 matches.

    2. To get a closer look at the matches, let’s open M:\forensic\yara\result.txt

      1. Notice how easily we were able to find this C2 implant with a simple yara scan.

  4. Now let’s better try to understand why Sysmon64 is triggering detections for Sliver by looking for code injection. This is another feature of the -forensic option we enabled, which automatically looks for suspicious activity like signs of possible injection which we accomplished with our migrate command.

    1. Browse to M:\forensic\findevil and open findevil.txt

    2. While this file is a bit challenging to interpret at first, it will often contain evidence of code injection due to the many behaviors we see when one process injects code into another. Unfortunately, its also a bit prone to false positives so it takes time to get comfortable with interpreting these results to quickly find evil. One solid universal tip is: “Start with things you already suspect are bad,” so let’s search for entries related to Sysmon64.

    3. In my output, I’ve filtered down to things I already suspect… While there are many indications of possible injection here, I’ve highlighted the lower false-positive prone detections looking for memory sections with unusual read-write-execute (RWX) or read-execute (RX) permissions. Read more about the detection types here.

  5. There are so many incredibly useful things you can further examine from this memory image. Here is some inspiration to consider furthering your knowledge

    1. Examine M:\forensic\timeline\timeline_all.txt searching for your known IOCs

    2. Examine M:\forensic\timeline\timeline_net.txt and understand the beacon behavior of your C2 implants

    3. Examine process objects by navigating to them by name under M:\name\<process_name>

      1. Try this with your Sliver EXE — you can pull the EXE right out of memory by browsing to M:\name\<process_name>\modules\<process_name>.exe\ and copying out the pefile.dll

      2. Warning, this is your actual C2 implant so be careful not to trigger antivirus on your host!

Congrats, you’ve analyzed a memory image!

I hope you enjoyed this very brief primer on MemProcFS. I strongly recommend pursuing additional knowledge with the resources listed on the project’s GitHub: https://github.com/ufrisk/MemProcFS#get-started

Happy hunting!

Eric’s Substack is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Capturing & Parsing Forensic Triage Acquisitions for Investigation Timelining]]>https://blog.ecapuano.com/p/capturing-and-parsing-forensic-triagehttps://blog.ecapuano.com/p/capturing-and-parsing-forensic-triageWed, 12 Apr 2023 04:09:58 GMT Read more

]]><![CDATA[Find Threats in Event Logs with Hayabusa]]>https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusahttps://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusaTue, 21 Mar 2023 02:29:16 GMT Read more

]]><![CDATA[A "Thank You" to Paid Subscribers]]>https://blog.ecapuano.com/p/a-thank-you-to-paid-subscribershttps://blog.ecapuano.com/p/a-thank-you-to-paid-subscribersMon, 20 Mar 2023 22:22:11 GMT Read more

]]><![CDATA[Mounting E01 Forensic Images in Linux]]>https://blog.ecapuano.com/p/mounting-e01-forensic-images-in-linuxhttps://blog.ecapuano.com/p/mounting-e01-forensic-images-in-linuxFri, 10 Mar 2023 11:45:56 GMTIf you have an Encase Expert Witness Format E01 image, and you’d like to mount it for examination, there is a free library for Linux that will assist.

E01 images are compressed, forensically sound containers for disk images acquired during an investigation. To work with them, we must utilize a tool that will stream decompress the image so that we can mount and work with the contents.

These tools and shortcuts are preinstalled on the Linux SIFT workstation.

  1. Install the ewf-tools library (already included on Linux SIFT workstation)

    sudo apt-get install ewf-tools

  2. Examine the metadata associated with the E01 by running ewfinfo

    ewfinfo your_image.e01

  3. Let’s create a mount point that we’ll use to mount the E01 as a raw device

    mkdir -p /mnt/ewf_mount

  4. Now, mount the E01 forensic image to a new raw device

    ewfmount your_image.e01 /mnt/ewf_mount

    1. A successful mount operation will provide a very minimal output such as “ewfmount 20140812”

    2. You will now have a stream-decompressed raw device at /mnt/ewf_mount/ewf1

      ls -alh /mnt/ewf_mount

  5. Create a new mount point for the logical mount we’re about to perform, and then mount the device to the new logical mount point.

    mkdir -p /mnt/logical_mount
    mount -o ro,show_sys_files,streams_interface=windows /mnt/ewf_mount/ewf1 /mnt/logical_mount

    1. Pro Tip: create a bash alias that simplifies this mount command for the future, allowing you to replace it with simply mountwin — you must reload bash for it to take effect.

      echo “alias mountwin='mount -o ro,show_sys_files,streams_interface=windows'“ » ~/.bash_aliases

  6. Now, change directory into the logical mount point, and examine the file system!

    cd /mnt/logical_mount
    ls -alh

    Subscribe now

]]><![CDATA[Live Incident Response with Velociraptor]]>https://blog.ecapuano.com/p/live-incident-response-with-velociraptorhttps://blog.ecapuano.com/p/live-incident-response-with-velociraptorFri, 03 Mar 2023 12:56:53 GMTThis is a video I posted some time ago, but I wanted a more permanent place to point to it and it’s supporting guides for anyone wanting more exposure to one of my favorite DFIR tools.

This walk-through was performed live in front of a group of students and practitioners in Denver, however, I wrote a hands-on guide that accompanies the talk to allow you to try your hand at many of the notebook activities I cover.

Subscribe now

Watch the demonstration here:

See the accompanying guide here:

Live Incident Response with Velociraptor - Handout

@eric_capuano || Recon InfoSec

Watch the recorded talk here: https://www.youtube.com/watch?v=Q1IoGX--814

This handout is meant to accompany the live talk, but contains many useful notebook examples for post-processing Velociraptor hunt results.

Hunting for phish victims

Objective: Using the name of a suspicious email attachment, we can quickly identify which users/systems may have been impacted.

Hunt Artifact: Windows.Search.FileFinder

Parameters:

  • SearchFilesGlob: C:\Users\**\Security_Protocol*

Notebook:

SELECT Fqdn,FullPath,BTime AS CreatedTime,MTime as ModifiedTime, Hash,
label(client_id=ClientId, labels="phish_victim", op="set") // label all systems with detections
FROM source()

Lateral Movement

Objective: When dealing with advanced adversaries, it is safe to assume the breach has expanded beyond the initial victims of the phish campaign... Let's launch a quick hunt to find possible lateral movement using the usernames of the phish victims

Hunt Artifact: Windows.EventLogs.RDPAuth

Notebook:

SELECT EventTime,Computer,Channel,EventID,UserName,LogonType,SourceIP,Description,Message,Fqdn FROM source()
WHERE ( // excluded logons of the user on their own system
(UserName =~ "Chad.Chan" AND NOT Computer =~ "ACC-01") 
OR (UserName =~ "Jean.Owen" AND NOT Computer =~ "ACC-05")
OR (UserName =~ "Albert.Willoughby" AND NOT Computer =~ "ACC-09")
OR (UserName =~ "Anna.Ward" AND NOT Computer =~ "ACC-04")
)
AND NOT EventID = 4634 // less interested in logoff events
AND NOT (Computer =~ "dc" OR Computer =~ "exchange" OR Computer =~ "fs1")
ORDER BY EventTime

Process Analysis

Objective: Find potentially compromised systems by baselining all running processes in the environment. This notebook returns processes marked as untrusted by Authenticode.

Hunt Artifact: Windows.System.Pslist

Notebook:

SELECT Name,Exe,CommandLine,Hash.SHA256 AS SHA256, Authenticode.Trusted, Username, Fqdn, count() AS Count FROM source()
WHERE Authenticode.Trusted = "untrusted" // unsigned binaries
// List of environment-specific processes to exclude
AND NOT Exe = "C:\\Program Files\\filebeat-rss\\filebeat.exe"
AND NOT Exe = "C:\\Program Files\\filebeat\\filebeat.exe"
AND NOT Exe = "C:\\Program Files\\winlogbeat-rss\\winlogbeat.exe"
AND NOT Exe = "C:\\Program Files\\winlogbeat\\winlogbeat.exe"
AND NOT Exe = "C:\\user-automation\\user.exe"
AND NOT Exe = "C:\\salt\\bin\\python.exe"
// Stack for prevalence analysis
GROUP BY Exe
// Sort results ascending
ORDER BY Count

Objective: Leverage VirusTotal to quickly check untrusted processes for detections. Be mindful that free VT API is limited to 4 lookups / min & 500 / day so we'll be as efficient as possible with what we query against VT.

Hunt Artifact: Windows.System.Pslist

Notebook:

// Get a free VT api key
LET VTKey <= "<your_api_key>"
// Build the list of untrusted processes first
Let Results = SELECT Name,CommandLine,Exe,Hash.SHA256 AS SHA256, count() AS Count FROM source()
WHERE Authenticode.Trusted = "untrusted"
AND SHA256 // only entries with the required SHA256
// List of environment-specific processes to exclude
AND NOT Exe = "C:\\user-automation\\user.exe"
GROUP BY Exe,SHA256
// Now combine the previous query with the Server Enrichment query
SELECT *, {SELECT VTRating FROM Artifact.Server.Enrichment.Virustotal(VirustotalKey=VTKey, Hash=SHA256) } AS VTResults FROM foreach(row=Results) WHERE Count < 10
ORDER BY VTResults DESC

Objective: Get process ancestry for known malware. Here we learn important details about how the malware was launched.

Hunt Artifact: Generic.System.Pstree with

Parameters:

  • Process Regex: .*(tkg|mshta|Security_Protocol).*

Notebook: none required

Persistence

Objective: Use a builtin artifact to hunt for potential persistence mechanisms.

Hunt Artifact: Windows.Sys.StartupItems

Notebook:

LET Results = SELECT count() AS Count, Fqdn, Name, FullPath, Command FROM source()
// filter common FPs
WHERE NOT FullPath =~ "bginfo.lnk"
AND NOT FullPath =~ "desktop.ini"
AND NOT FullPath =~ "Outlook.lnk"
AND NOT FullPath =~ "chrome.lnk"
AND NOT (Name =~ "OneDrive" AND FullPath =~ "OneDrive" AND Command =~ "OneDrive")
// end common FPs
GROUP BY Name, FullPath, Command // stack them
SELECT * FROM Results
WHERE Count < 10
ORDER BY Count // sorts ascending

Objective: Use a builtin artifact to hunt for potential persistence mechanisms.

Hunt Artifact: Windows.System.TaskScheduler

Notebook:

LET Results = SELECT FullPath,Command,Arguments,Fqdn, count() AS Count FROM source()
WHERE Command AND Arguments
AND NOT Command =~ "OneDriveStandaloneUpdater.exe"
AND NOT (Command = "C:\\Windows\\System32\\Essentials\\RunTask.exe" AND FullPath =~ "Essentials")
AND NOT Command =~ "MpCmdRun.exe"
AND NOT Arguments =~ "sildailycollector.vbs"
AND NOT Command = "C:\\Windows\\system32\\vssadmin.exe"
AND NOT FullPath =~ "BPA Scheduled Scan"
AND NOT Arguments =~ "CheckDatabaseRedundancy"
AND NOT Arguments =~ "silcollector.cmd"
GROUP BY FullPath,Command,Arguments
SELECT * FROM Results
WHERE Count < 5
ORDER BY Count // sorts ascending

Objective: Leverage Sysinternals Autorunsc to hunt for potential persistence mechanisms.

Hunt Artifact: Windows.Sysinternals.Autoruns

Notebook:

LET Results = SELECT count() AS Count, Fqdn, Entry,Category,Profile,Description,`Image Path` AS ImagePath,`Launch String` AS LaunchString,`SHA-256` AS SHA256 FROM source()
WHERE NOT Signer
AND Enabled = "enabled"
GROUP BY ImagePath,LaunchString
SELECT * FROM Results
WHERE Count < 5 // return entries present on fewer than 5 systems
ORDER BY Count

Scoping with known malware locations

Objective: Find all systems with suspected malware on disk

Hunt Artifact: Windows.Search.FileFinder

Parameters:

  • SearchFilesGlobTable:
    - C:\**\msxsl.exe
    - C:\**\*.hta
    - C:\**\drivers\svchost.exe
    - C:\**\tkg.exe
    - C:\**\Security_Protocol*
    - C:\**\XKnqbpzl.txt

Notebook:

SELECT Fqdn,FullPath,MTime AS ModifiedTime,BTime as CreationTime, Hash,
label(client_id=ClientId, labels="compromised", op="set") // label all systems with detections
FROM source()

Let's just find CobaltStrike already

Objective: Leveraging the power of Yara, let's just sweep all processes in memory for signatures matching the popular Cobalt Strike attack tool.

Hunt Artifact: Windows.Detection.Yara.Process

Parameters:

  • Default yara signature is Cobalt Strike

Notebook:

SELECT Fqdn, ProcessName, Pid, Rule,
label(client_id=ClientId, labels="cobaltstrike", op="set") // label all systems with detections
FROM source()

Remediation - Quarantine

Objective: Now that we have a solid grasp on the scope of the intrusion, lets quarantine all impacted systems to prevent further damage.

Hunt Artifact: Windows.Remediation.Quarantine (run against all systems labeled compromised)

Notebook: none required

Begin Forensics

Objective: Now that compromised systems are quarantined, lets pull back forensics data for deeper analysis

Hunt Artifact: Windows.KapeFiles.Targets (run against all systems labeled compromised)

Paramenters:

  • Kape targets: _SANS_Triage

Notebook: none required

view raw handout.md hosted with ❤ by GitHub
]]><![CDATA[So you want to be a SOC Analyst? Intro]]>https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-introhttps://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-introWed, 22 Feb 2023 03:54:33 GMTUPDATE - 3/11/2025

Since the original SYWTBSA series was published in February 2023, many changes have occurred, leading me to sunset this version in favor of SYWTBSA 2.0. Key reasons for this decision include:

  • VMware challenges following the Broadcom acquisition.

  • Ongoing issues with inconsistencies in student-built VM environments.

  • Microsoft discontinuing free developer VM downloads.

  • Extensive course updates required, making it impractical to maintain two versions.

The series is now offered as a “pay what you can” course, resolving all of these challenges. You can register here, which helps me continue developing and updating the content while providing support to the hundreds of learners who go through it each year.

Series Intro

Over the years, I’ve had the fortune of mentoring many up-and-comers trying to get a foothold in the information security space. One of the most common questions I am asked is, “What should I do to improve my chances of landing an entry-level SOC analyst job?”

My answer to that question has changed over the years as technology and methodology have evolved. Back in the earlier days, when we walked uphill both ways to the SOC, I would’ve recommended a complex (but very rewarding) process of spinning up a mid-size virtual machine environment complete with a small firewall, (pfSense), a router (vyos) one or two Windows hosts, an attack box (Kali, etc), network monitoring (Arkime/Suricata), and most importantly a log aggregation tool (Graylog or ELK/OpenSearch). Once those systems were up and running, then begins the adventure of deploying agents (Sysmon, Beats) to generate and ship telemetry to the logging tool. Only then does it make sense to start practicing basic attacks against the Windows hosts in order to observe the telemetry and begin “detecting” threats. Just the lab build alone was a many-hour endeavor—it’s a long road before you’re actually doing SOC analyst stuff.

I was (and still am) a big fan of this approach because not only is it how I got my own start (which eventually led to the creation of OpenSOC), but also because there is so much indirect learning that takes place while trying to deploy and configure these systems, routers, firewalls, as well as fun side-quests like troubleshooting log parsers, tuning Sysmon, configuring audit policies, etc. etc. For these reasons and more, I still recommend this approach to anyone lacking general IT knowledge because it will help you gain knowledge needed to be a good security practitioner. If this approach sounds like something that would be beneficial to you, there are plenty of resources across the web to help you setup a test lab for defensive research. A book I have heard great things about is “Building Virtual Machine Labs: A Hands-On Guide” by Tony Robinson and you should absolutely check out Jeff McJunkin’s guide on Building Your Own Kickass Home Lab.

That said, technology has evolved drastically since those days and my new approach to “quickly getting up to speed for SOC work” has evolved as well. This series will focus on the new approach I recommend to up-and-comers.

Let me also clarify that I am not saying “this is all you need” — a strong working knowledge of general IT and some strong entry-level training (such as Antisyphon, Applied Network Defense, or SANS1) is a huge plus as well. However, I will say as a hiring manager and infosec startup founder, the direct and indirect skills you will gain with this approach are the ones I am personally looking for in a candidate, above and beyond what letters you put after your name. If you want to know more about what I (and many others) are looking for in a SOC analyst candidate, check out this interview I did with Gerry Auger on his “Simply Cyber” webcast: “Everything Security Operations Analyst Entry Level.”

Online Course with Cloud-Hosted VMs

To get started, head over to So you want to be a SOC Analyst? 2.0 which features a fully cloud-hosted version of the VM, requiring only a remote desktop client to get through this lab series!

Lab Sections (1.0, deprecated)

  • Part 1 - Set up a small virtualization environment (2 small VMs)

  • Part 2 - Put on your adversary hat, it's time to make (and observe) some noise

  • Part 3 - Emulating an adversary for crafting detections

  • Part 4 - Blocking an attack

  • Part 5 - Tuning false positives

  • Part 6 - Trigger YARA scans with a detection rule

The very awesome Gerry Auger of SimplyCyber did a full video walk-through of this series. Now you can follow along each step of the series before trying it yourself. Watch the video below.

Update, again! Gerry and I did a joint video together where we go through his walk-through video, but with commentary.

Subscribe now

Share

1

I mention SANS because it is a solid option, however it is often outside the price range for someone just starting their career. Additional transparency disclaimer, I also teach for SANS.

]]><![CDATA[PowerShell Artifact - ConsoleHost_History.txt]]>https://blog.ecapuano.com/p/powershell-artifact-consolehost_historytxthttps://blog.ecapuano.com/p/powershell-artifact-consolehost_historytxtThu, 16 Feb 2023 16:47:52 GMTSince PowerShell 4/5+, we’ve had a wealth of fantastic detection and forensic artifacts around PowerShell activity, such as Script Block logging and transcripts, which I will expand on in subsequent posts. However, one of the lesser discussed yet still valuable artifacts is the ConsoleHost_History.txt file inside the Users directory containing up to 4096 of the last commands run in a PowerShell console. For my *nix users, it is very similar to the bash_history file.

While this artifact may seem less informative than Script Block logging and transcripts, you may occaisonally find situations where it is the best artifact you have around PowerShell activity because other more verbose artfacts may simply not be present at all. This is especially true when script block logs/transcripts are either not enabled (very common) or they are maliciously disabled by a threat actor.

Thanks for reading Eric’s Substack! Subscribe for free to receive new posts and support my work.

The default location for this file is %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt.

It will generally contain up to 4096 commands run by the user that owns this profile, however it is possible to increase this command history with the following command: Set-PSReadlineOption -MaximumHistoryCount 10000.

One of the first things to consider is that anytime you perform a triage acquisition of a victim system, be sure to include this location. This isn’t a file you’d generally target for consumption into your SIEM, but you can certainly use it for post-compromise analysis as well as proactive threat hunting.

In a recent IR, we observed suspicious PowerShell activity that aimed to disable things like Micorosft Defender and Script Block logging. Unfortunately, the script blocks were of little use after that point but the commands used to disable Defender were captured by the ConsoleHost_History.txt file.

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableArchiveScanning $true -DisableSc $truca-DisableIOAVProtection $true -MAPSReporting Disabled -SubmitSampletrue -MAPSReporting Disabled -SubmitSamplesConsent 2  
Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorue -DisableScriptScanning $tIOAVProtection $trce -MAPSReporting Disabled -SubmitSamplesCE _MAPSReporting Disabled -SubmitSamplesCE _MAPSReporting Disabled -SubmitSamplesConsent 2

This provided yara signature material to quickly assess any other systems with similar activity. With this signature we can now quickly scan every system for similar activity, regardless if they were shipping PowerShell logs to the SIEM or not. Now, with a simple yara scan such as one accomplished with Velociraptor, we can hunt for unusual PowerShell activity in this file across the fleet.

Now, it’s worth noting that ConsoleHost_History can be disabled as well, but this is less common in my experience. A simple command to accomplish this could be Set-PSReadlineOption -HistorySaveStyle SaveNothing. However, this example would only impact the session it was run in, and history would be re-enabled for subsequent sessions.

For additional reading, check out this great post: https://woshub.com/powershell-commands-history/

Thanks for reading Eric’s Substack! Subscribe for free to receive new posts and support my work.

]]><![CDATA[Automatically Revert ESXi VM Snapshot on a Schedule]]>https://blog.ecapuano.com/p/automatically-revert-esxi-vm-snapshothttps://blog.ecapuano.com/p/automatically-revert-esxi-vm-snapshotWed, 08 Feb 2023 18:44:18 GMT

Subscribe now

Why is this useful?

Let’s say you have a VM that you use for unsavory things like malware analysis and you would like to automatically revert it on a scheduled basis. There are many ways to go about this manually, but for my particular use-case, I wanted it done automatically everyday at 3AM.

While this can be accomplished a few different ways such as non-persistent disks, I found the snapshot revert method ideal for me because the machine stays up and on at all times except the brief moment the snapshot is being restored.

Great, just tell me how to do it!

In my example, I am using standalone ESXi 6.7 (no vCenter). There is a VM running that has a single snapshot called “Clean”. Of course, one could use the ESXi WebUI to revert the snapshot at will, but in order to get it to revert automatically on a schedule, I scripted up the following tasks in ESXi CLI and created a cronjob.

  1. Snapshot your VM in the WebUI

  2. SSH to the ESXi server and run the following commands:

    1. Get your target VM ID with this command:

      1. vim-cmd vmsvc/getallvms

    2. Learn the snapshot ID of your VM with this command:

      1. vim-cmd vmsvc/get.snapshotinfo [VM_id]

    3. Create a cronjob that reverts this VM everyday at 3AM (customize as neccesary)

      1. Backup existing crontab

        1. cp /var/spool/cron/crontabs/root /var/spool/cron/crontabs/root.old

      2. Edit running crontab

        1. vi /var/spool/cron/crontabs/root

      3. Add the new job on the last line, this job runs everyday at 3AM. The 0 at the end is to ensure the VM stays powered on after the snapshot is restored.

        1. * 3 * * * /bin/vim-cmd vmsvc/snapshot.revert [VM_id] [snapshot_id] 0

      4. Restart cron service (yes, this is a odd way of doing it, but ESXi is weird like that)

        1. PID=$(cat /var/run/crond.pid)

          echo "Old cron PID was $PID"

          kill $PID

          /usr/lib/vmware/busybox/bin/busybox crond
          PID=$(cat /var/run/crond.pid)

          echo "NEW cron PID is $PID"

      5. And you’re set! Your VM will now revert to the snapshot everyday at 3AM.

Ok so now your VM will revert to this snapshot everyday at 3AM, but what happens if you create a new snapshot and want the cron to use the new snapshot ID? Luckily, I crafted a little script that will ensure that your latest snapshot ID is always used by the cron.

NOTE: This script only works if there is ONE snapshot for the VM. Multiple snapshots will break it.

The script:

#/bin/bash
# NOTE: This script only works if there is ONE snapshot for the VM.
# Multiple snapshots will break it.

# BE SURE TO CHANGE VM_id TO YOUR VM's ID!
VM_id=33

# get snapshot ID for VM
SNAPSHOTID=$(vim-cmd vmsvc/get.snapshotinfo $VM_id | grep id | egrep -o '[0-9]+')

# edit cron to reflect new snapshot id

sed -ri "s/$VM_id [0-9]+ 0/$VM_id $SNAPSHOTID 0/" /var/spool/cron/crontabs/root

# restart crond
PID=$(cat /var/run/crond.pid)
echo "Old cron PID was $PID"
kill $PID
/usr/lib/vmware/busybox/bin/busybox crond
PID=$(cat /var/run/crond.pid)
echo "NEW cron PID is $PID"
echo "New crontab contents:"
cat /var/spool/cron/crontabs/root

Now that we have a script that can automatically update the crontab when a new snapshot ID exists, we can use another cronjob to make sure this happens before the snapshot revert happens.

  1. Edit running crontab

    1. vi /var/spool/cron/crontabs/root

  2. Add the new job on the last line, you want this job to run before the revert job runs. This job runs everyday at 2AM.

    1. * 2 * * * /path_to_above_script.sh

  3. Restart cron service

    1. PID=$(cat /var/run/crond.pid)

      echo "Old cron PID was $PID"

      kill $PID

      /usr/lib/vmware/busybox/bin/busybox crond
      PID=$(cat /var/run/crond.pid)

      echo "NEW cron PID is $PID"

  4. And you’re set! Your VM will now revert to the snapshot everyday at 3AM, even if you delete and recreate a new snapshot!

Thanks for reading Eric’s Substack! Subscribe for free to receive new posts and support my work.

]]>