Discover and read the best of Twitter Threads about #unc1194


🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
• ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ 👀
• @snort 🐷 #detection tricks (negative distance, exploitation flowbits)
👉🔗 fireeye.com/blog/products-…
• #DFIR tips ⤵️
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 😅

As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 🙇🏽‍♂️
🔨A Tough Outlook for Home Page Attacks
🔗fireeye.com/blog/threat-re…
Blog has #APT33 🇮🇷, #APT34 🇮🇷, and #UNC1194 🏴󠁵󠁳󠁯󠁨󠁿😉 home page persistence & RCE.
🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
😱Cool TTPs (pictured) #GuardrailsOfTheGalaxy [pictured: UNC1194 macros and CVE-2017..., Domain guardrail, Azure sto...]
Here is the #UNC1194 first stage (recon) payload stored in an attacker-controlled @Azure storage blob:
Pretty neat that the attacker (@TrustedSec) can conduct a full intrusion by just swapping the storage blob content for the next stage!
This was a fun one to write with McWhirt & @doughsec. We ended up with 3 registry settings to enforce with Group Policy for CVE-2017-11774 Outlook hardening:
fireeye.com/blog/threat-re…
Final step is to enforce GPO reprocessing.