Discover and read the best of Twitter Threads about #unc1194
Most recents (2)
๐จ New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
โข ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ ๐
โข @snort ๐ท #detection tricks (negative distance, exploitation flowbits)
๐๐ fireeye.com/blog/products-โฆ
โข #DFIR tips โคต๏ธ
โข ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ ๐
โข @snort ๐ท #detection tricks (negative distance, exploitation flowbits)
๐๐ fireeye.com/blog/products-โฆ
โข #DFIR tips โคต๏ธ
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-โฆ
Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 ๐
As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 ๐๐ฝโโ๏ธ
As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 ๐๐ฝโโ๏ธ
๐จA Tough Outlook for Home Page Attacks
๐fireeye.com/blog/threat-reโฆ
Blog has #APT33 ๐ฎ๐ท, #APT34 ๐ฎ๐ท, and #UNC1194 ๐ด๓ ต๓ ณ๓ ฏ๓ จ๓ ฟ๐ home page persistence & RCE.
๐We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
๐ฑCool TTPs (pictured) #GuardrailsOfTheGalaxy
๐fireeye.com/blog/threat-reโฆ
Blog has #APT33 ๐ฎ๐ท, #APT34 ๐ฎ๐ท, and #UNC1194 ๐ด๓ ต๓ ณ๓ ฏ๓ จ๓ ฟ๐ home page persistence & RCE.
๐We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
๐ฑCool TTPs (pictured) #GuardrailsOfTheGalaxy
Here is the #UNC1194 first stage (recon) payload stored in an attacker-controlled @Azure storage blob:
Pretty neat that the attacker (@TrustedSec) can conduct a full intrusion by just swapping the storage blob content for the next stage!
Pretty neat that the attacker (@TrustedSec) can conduct a full intrusion by just swapping the storage blob content for the next stage!
This was a fun one to write with McWhirt & @doughsec. We ended up with 3 registry settings to enforce with Group Policy for CVE-2017-11774 Outlook hardening:
fireeye.com/blog/threat-reโฆ
Final step is to enforce GPO reprocessing.
fireeye.com/blog/threat-reโฆ
Final step is to enforce GPO reprocessing.
