Nick Carr
Tech Director / Threat Intelligence at Microsoft. Previously, Director of Incident Response & Intel Research at Mandiant. Former Chief Technical Analyst at CISA

Jan 14, 2020, 6 tweets

🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
• ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ 👀
• @snort 🐷 #detection tricks (negative distance, exploitation flowbits)
👉🔗 fireeye.com/blog/products-…
• #DFIR tips ⤵️

@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
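The three triage searches above, replayed as an added example that is not from the thread or the FireEye blog. It writes constructed httpaccess.log and bash.log samples (every IP, path and timestamp is hypothetical, and the real NetScaler log layout may differ), adds a gzip-rotated copy of each so the httpaccess.* / bash.* globs behave as they would with zgrep, runs the same grep patterns, and adds one extra pass that percent-decodes the request line first so the /.%2e/%76pns/ variant from the first tweet collapses to /vpn/../vpns/ and is caught by the same rule.

```shell
#!/bin/sh
# Added example (not from the thread): replay the /var/log triage searches on
# constructed sample logs, plus a percent-decoding pass for the encoded variant.

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/cve-2019-19781-triage}"

# Constructed samples (hypothetical values). head -n N | gzip builds a rotated
# .gz copy so the globs below cover both plain and compressed files.
make_samples() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/httpaccess.log" <<'EOF'
10.0.0.5 - - [10/Jan/2020:08:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234
10.0.0.9 - - [10/Jan/2020:08:01:15 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
10.0.0.9 - - [10/Jan/2020:08:01:16 +0000] "POST /vpn/../vpns/portal/scripts/example.pl HTTP/1.1" 200 0
10.0.0.9 - - [10/Jan/2020:08:01:19 +0000] "GET /vpn/../vpns/portal/example.xml HTTP/1.1" 404 0
10.0.0.9 - - [10/Jan/2020:08:01:20 +0000] "GET /vpn/../vpns/portal/example.xml HTTP/1.1" 200 512
10.0.0.7 - - [10/Jan/2020:08:02:00 +0000] "GET /vpn/.%2e/%76pns/cfg/smb.conf HTTP/1.1" 200 83
EOF
    cat > "$WORKDIR/bash.log" <<'EOF'
Jan 10 08:01:00 ns bash[1234]: root on /dev/pts/0 shell_command="ls"
Jan 10 08:01:21 ns bash[1235]: nobody on /dev/pts/1 shell_command="id"
EOF
    head -n 2 "$WORKDIR/httpaccess.log" | gzip -c > "$WORKDIR/httpaccess.log.1.gz"
    head -n 1 "$WORKDIR/bash.log"       | gzip -c > "$WORKDIR/bash.log.1.gz"
}

# Read a log whether it is plain or gzip-rotated (the part zgrep does for us).
read_log() { case "$1" in *.gz) gzip -dc "$1" ;; *) cat "$1" ;; esac; }

# Decode %XX sequences (ASCII range only) so encoded paths match literal rules.
pct_decode() {
    awk 'BEGIN { for (i = 1; i < 128; i++) tab[sprintf("%02X", i)] = sprintf("%c", i) }
    { s = $0; out = ""
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
          hex = toupper(substr(s, RSTART + 1, 2))
          out = out substr(s, 1, RSTART - 1) (hex in tab ? tab[hex] : substr(s, RSTART, 3))
          s = substr(s, RSTART + 3)
      }
      print out s }'
}

# Sum matches of a grep BRE across files, after piping each file through a
# filter command ("cat" for none, "pct_decode" to normalise encoding first).
count_matches() {
    pattern=$1; filter=$2; shift 2
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(read_log "$f" | "$filter" | grep -c -- "$pattern" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Search 1: .xml served with 200 OK in httpaccess.*
xml_200_hits()          { count_matches 'GET.*\.xml HTTP/1\.1" 200' cat "$WORKDIR"/httpaccess.*; }
# Same search with -B 1, as the thread suggests, to see the request just before each hit.
show_xml_200_context()  { for f in "$WORKDIR"/httpaccess.*; do read_log "$f" | grep -B 1 'GET.*\.xml HTTP/1\.1" 200' || true; done; }
# Search 2: literal /vpn/../ traversal in httpaccess.*
traversal_hits()        { count_matches '/vpn/\.\./' cat "$WORKDIR"/httpaccess.*; }
# Search 2 again after percent-decoding, which also catches /.%2e/%76pns/
decoded_traversal_hits() { count_matches '/vpn/\.\./' pct_decode "$WORKDIR"/httpaccess.*; }
# Search 3: shell activity attributed to the 'nobody' account in bash.*
nobody_shell_hits()     { count_matches 'nobody' cat "$WORKDIR"/bash.*; }

make_samples
echo ".xml with 200 OK:            $(xml_200_hits)"
echo "/vpn/../ literal:            $(traversal_hits)"
echo "/vpn/../ after %-decoding:   $(decoded_traversal_hits)"
echo "bash activity as nobody:     $(nobody_shell_hits)"
```

The gap between the literal and decoded traversal counts is the point of the encoding trick: a rule anchored on the literal string misses the sixth request entirely, while normalising the URI before matching (or writing the rule against the decoded form) closes it. The same idea applies to rotated logs, which is why the example reads .gz files rather than only the live log.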

@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 😅

As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 🙇🏽‍♂️

@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant @craigtweets @TripwireInc @HackingDave @x1sec @a_tweeter_user @nluedtke1 Making pull requests on #UNC1194 tools feels spicier than it really is: github.com/trustedsec/cve… 🌶️
The proposed for any scanner (cc @x1sec) is a purposeful evasion - taking observed attacker tricks a bit further to think ahead. Also for a scanner you can see if IPS is dropping it

@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant @craigtweets @TripwireInc @HackingDave @x1sec @a_tweeter_user @nluedtke1 Here are the CVE-2019-19781 #PCAP files: github.com/itsreallynick/… 🔌🦈
• GET request for checking .conf file for a 200 OK response
• POST request exploiting the vulnerability using a publicly-available tool

We'll get the blog links updated!
Would love to see some creative rules

Quick note: perfected scan logic now in our open source tool https://t.co/BFeQ8xqHiy
