Discover and read the best of Twitter Threads about #t1480

Most recents (3)

Hey #ATTACKcon here's a recap of
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards – #Guardies 🏆
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices 🦅 Adversary Methods team where we "reverse engineer" attacker techniques... ImageImage
Why a lightning talk on Execution Guardrails (#T1480)?
• We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
• Smart people suggest that guardrails are correlated with adversary sophistication
• 💂🛤️ are fun! ... ImageImageImage
Guardrail Definition & Detection Concepts
$coverage = /de(fini|tec)tion/

The unique combination of behaviors that define guardrailing – and their order – can be used to detect it.

Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing... ImageImageImage
Read 7 tweets
#GuardrailsOfTheGalaxy
A lightweight domain check in this malicious spreadsheet references the following protected cells:

A101 = ms
A102 = build
A103 = exe
A104 = C:\Users\Public\ptedcod.xml

A100 = MSBuild payload

Shellcode calls back to RFC1918
http://10.200.23.122/dcb3
XLS upload fired on my #GuardrailsOfTheGalaxy VT hunting rules (23/58): virustotal.com/gui/file/23d13…
Note the ⏱️ guardrail
I agree with @buffaloverflow's previous comments that these are very basic implementations of #T1480 Guardrails (that expose your targets).
@buffaloverflow @MITREattack Let me connect the dots:
@JohnLaTwC shared a sample "leav_blackboard_training.xlsm" in June 2018
• Document metadata aligns in both (Company=United States Army 😉) with different authors
• Syntax, builder (@infosecn1nja), and MSBuild payload overlaps
Read 4 tweets
#GuardrailsOfTheGalaxy

Here is a fun sample uploaded to VT yesterday - combining some adversary guardrails¹ with light obfuscation²

VT (17/58): virustotal.com/gui/file/bc85e…
¹ active directory domain check
² string splits & integer Unicode code point encoding

@MITREattack #T1480 ImageImageImageImage
@MITREattack @virustotal @HackingDave I'll try to share more of these techniques/styles on Twitter - with the plan to pull together a cohesive #GuardrailsOfTheGalaxy blog exploring execution guardrails in-the-wild from a defender's perspective.

Here was another previously shared:
@stvemillertime @MITREattack @virustotal @HackingDave Another one, uploaded 15 minutes ago from same 🇪🇸 submitter. Looks like a few changes to the loader.
VT (16/57): virustotal.com/gui/file/53558…
I understand that this is likely a red team exercise.
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!