Having fun while learning about and pivoting into the world of DFIR.
by ogmini
Submitted a Tailscale artifact to the Velociraptor Artifact Exchange that decodes and parses the configuration file, shows the logs, and grabs/uploads any partial file transfers to the machine. Tailscale has been used in the past in various attacks by threat actors such as:
The configuration file surfaces information about the Tailscale accounts, connected Tailnets, and unattended mode/account. These could help identify malicious Tailnet connections. Looking at the logs can potentially identify other machines on the Tailnet. There is also the possibility to recover partial file transfers that didn’t complete. I still need to write up the blog post about that.
tags: #Tailscale #Velociraptor