Discover and read the best of Twitter Threads about #adversarymethods
Most recents (2)
My @FireEye friends @DavidPany and @deeemdee4 put out a badass blog on tunneled RDP. What is it? How is it used? What can you do to find it? Read more here: fireeye.com/blog/threat-re…
Tunneled RDP typically refers to an interactive RDP session that occurs over the same "channel" as another comms session. This is done in a variety of ways, but primarily established through either a backdoor implant or a utility with some sort of port forwarding setup.
On RDP tunneled over SSH with PLINK. We've seen the *standard* PLINK file used. We've also seen PLINK variants with hard-coded parameters and configs and whatnot.
One #DFIR / #INFOSEC thing that is useful to me that I wished I had learned sooner: the art of PDB path pivoting for #threatintel and mal analysis. This is pretty easy, but can be a crazy strong pivot for anyone studying large, tenured threat groups such as many espionage actors.
PDB Path Pivoting Primer
This is a tweet thing about malware PDB paths and their role in the disco, DFIR and/or #threatintel processes, using #KeyBoy as an example.
3/4) What are PDBs?
5) Where/why will I see PDB paths?
6/7) How can I use PDBs paths?
8-n) PDB paths and #KeyBoy
This is a tweet thing about malware PDB paths and their role in the disco, DFIR and/or #threatintel processes, using #KeyBoy as an example.
3/4) What are PDBs?
5) Where/why will I see PDB paths?
6/7) How can I use PDBs paths?
8-n) PDB paths and #KeyBoy
What are PDBs?
Program Data Base (PDB) files are used to store debugging info about a program when it is compiled. The PDB stores symbols, addresses, names of resources etc. Malware devs often have to debug their code and end up creating PDBs as a part of their dev process.
Program Data Base (PDB) files are used to store debugging info about a program when it is compiled. The PDB stores symbols, addresses, names of resources etc. Malware devs often have to debug their code and end up creating PDBs as a part of their dev process.
