Nick Carr
Tech Director / Threat Intelligence at Microsoft. Previously, Director of Incident Response & Intel Research at Mandiant. Former Chief Technical Analyst at CISA

Oct 24, 2019, 12 tweets

🆕 Microsoft.Workflow.Compiler sample with low VT detection!
1⃣C:\ProgramData\ccm_deploy.xml 🧐
MD5 fb98cddfa2e13334989d27d1b5b7cdda
VT (0/56): virustotal.com/gui/file/8b6d8…
2⃣Loads C:\ProgramData\package.xml
MD5 a916ca1d57d9c3b2627907ab68a264fe
VT (1/58): virustotal.com/gui/file/9a8b5…
[1/4]

I uploaded both to @virusbay_io: beta.virusbay.io/sample/browse/…

and the extracted payload to @anyrun_app: app.any.run/tasks/35c09520…

STDOUT:
Injection Target Process = %ProgramFiles%\Internet Explorer\iexplore.exe
PPID Spoof Parent = True
PPID Spoof Process = explorer
Returned true
[2/4]

@virusbay_io @anyrun_app More info on @mattifestation's method:
1⃣ My favorite implementation uploaded publicly is this Excel file (probably authored by @egyed_laszlo):
2⃣ The first workflow VT sample uploaded was ~1 year ago:

^plus background & links
[3/4]

VT detections aren't representative of security vendors' full detection posture.

But, because this had poor coverage (and only @cyb3rops had helpful context on the XOML's mem process write), I'm sharing my Aug 2018 #DailyWorkflow rules if they help: gist.github.com/itsreallynick/…
[4/4]

@cyb3rops 🆓 BONUS TWEET: #threatintel care of #AdvancedPractices 🦅 teammate @a_tweeter_user
NOTE: @anyrun_app you might be interested in improving execution optics for #TIBERIUS, linked 👆🏽 in the 2nd tweet 😉

@cyb3rops @a_tweeter_user @anyrun_app 🆓🆓 DOUBLE BONUS: here are resume-themed phishing documents dating back to February that load shellcode the same way - plus links to the original tweet shares:
Good example of the #threatintel you can extract from Twitter, if you know how to use it.

#blueteam take note:
• package.xml, pushed via ccm_deploy.xml 🤔 #ConfigMgr is a Workflow.Compiler payload containing a Base64-encoded executable
• the EXE is padded with a single null byte so regular b64(EXE file magic) doesn't work
• the solution? ...

...is for #detection engineers to account for all three possible Base64 encodings (with 0-2 pad bytes)
Python & PowerShell tools from @DavidPany @JohnLaTwC @Lee_Holmes @DissectMalware:
Try with default MS-DOS stub
"This program cannot be run in DOS mode"
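One way to implement the three-alignment check the two tweets above describe, as an added example (not code from the thread or from the linked tools); the fake MZ blob and the XML wrapper are constructed stand-ins for package.xml, not the real file layout:

```python
import base64
from typing import List, Optional

# Signature string carried by the default MS-DOS stub, as the thread suggests.
DOS_STUB = b"This program cannot be run in DOS mode"


def b64_variants(pattern: bytes) -> List[str]:
    """Return the three base64 substrings that encode `pattern`, one per
    possible alignment (0, 1 or 2 unknown bytes preceding it in the stream).
    Output characters that depend on the unknown neighbouring bytes are trimmed."""
    lead = (0, 2, 3)  # leading chars polluted by 0/1/2 unknown bytes before the pattern
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + pattern).decode("ascii")
        rem = (k + len(pattern)) % 3
        tail = 0 if rem == 0 else 4 - rem  # chars (incl. '=') tied to bytes after the pattern
        out.append(enc[lead[k]: len(enc) - tail])
    return out


def naive_match(text: str, pattern: bytes = DOS_STUB) -> bool:
    """The check that misses padded payloads: only the alignment-0 encoding."""
    return b64_variants(pattern)[0] in text


def find_embedded_pe(text: str, pattern: bytes = DOS_STUB) -> Optional[int]:
    """Return the alignment (0, 1 or 2) at which a base64-encoded `pattern`
    occurs in `text`, or None when no variant matches."""
    for k, needle in enumerate(b64_variants(pattern)):
        if needle in text:
            return k
    return None


def build_sample(pad: int) -> str:
    """Constructed stand-in for package.xml: a fake MZ blob with the DOS stub at
    byte 78 (a typical linker-stub location), prefixed by `pad` null bytes and
    base64-encoded inside an XML element. Not the real XOML/package format."""
    fake_exe = b"MZ\x90\x00" + b"\x00" * 74 + DOS_STUB + b"\x00" * 16
    blob = base64.b64encode(b"\x00" * pad + fake_exe).decode("ascii")
    return f'<Payload encoding="base64">{blob}</Payload>'


if __name__ == "__main__":
    for pad in range(3):  # pad=1 is the single-null-byte case from the thread
        sample = build_sample(pad)
        print(f"pad={pad}: naive={naive_match(sample)} alignment={find_embedded_pe(sample)}")
```

Run stand-alone it shows the naive check only firing for pad=0 while the three-variant check finds the stub at every alignment.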

@DavidPany @JohnLaTwC @Lee_Holmes @DissectMalware Here's a fresh one from the same intrusion operator:
💾"0X1F588277.doc"
#⃣957e8d6aa08af8c5d82cc3f5f23d86a5
🔗virustotal.com/gui/file/750d1…
👿#EGGHUNT & #BEACON backdoors
🔃35.236.203.52/match
👨‍💻#UNC1739 (🟥 team)
^very worth your time to chase, they do cool stuff 🤩
I made a logo 😉🙃

@DavidPany @JohnLaTwC @Lee_Holmes @DissectMalware Much newer #UNC1739 tradecraft: praetorian.com/blog/extending… 👀
Neat stuff - excited to see it in-the-wild!

I wonder how #FLOSS does against this new string obfuscation github.com/fireeye/flare-…

Putting this on my fridge https://t.co/UTRCfZzQia
