Profile picture
Christopher Glyer @cglyer
, 5 tweets, 3 min read Read on Twitter
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit
It's not often that you see ACI Shims used for persistence

#FireEyeSummit
How do you hunt for ACI Shim persistence? Multiple different techniques - but the Windows Program-Telemetry logs are a great place to look

#FireEyeSummit
Ever heard of a Microsoft Exchange transport agent? Neither had I prior to this case

Actor monitored email for list of accounts & stored encrypted copy on disk

My favorite part is you can get remote command execution by emailing a specific account w/ a command

#FireEyeSummit
Unique things about "Platinum"
ACI Shim persistence
WMI persistence (back in 2010)
Port knocking
AMT Serial Over LAN for C2
Bootkits
Exchange transport agent
Undetected for 9 years
Actor learned @Mandiant was engaged & stopped ops 2 days prior to investigation

#FireEyeSummit
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Christopher Glyer
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#SignsThisProbablyIsntAScriptKiddie #FireEyeSummit

More from @cglyer see all

Profile picture
Long rumored @TheJusticeDept indictment of #APT10 is out. sc.cnbcfm.com/applications/c…
Here are my observations/highlights from reading the indictment (channeling my inner @pwnallthethings):
-the indictment indicates #APT10 operations started in 2006 and went through 2018. The 2006 activity was likely focused on US Government, Military, and defense contractors

1/n
Interestingly the indictment calls out multiple government organizations by name that were victims including:
@NASAGoddard, @NASAJPL, @LLNL, and the @USNavy

2/n
Read 24 tweets
Profile picture
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
Read 10 tweets
Profile picture
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re

#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware

#FireEyeSummit
Read 7 tweets

Related threads

Profile picture
happy almost magfest day!!! i have gotten 4 total hours of sleep in the pas t48 hours and im on a train for awhile so im gonna livetweet LISTENING TO @ChiptunesWIN VOL.7 for the first time THATS RIGHT! FIRST!! SAVED IT FOR THE SPECIAL OCCASION i am so tired someone pls hear my c
up first we got PROTO FLOAM this better be good i have Hella Expectations from this dude

AAAAAAA THESE FUCKIN SAMPLES

SO GOOD

THE ORCHESTRA HIT YOSHI-Y THING TOP NOTCH MMMM
jesus what thr fuck

what thr fuck even

nonstop barrage of harmonies and wild fuckin bass and pitchy chippy shit

this is blwoin my fuckin mind and also probably other parts of me if u know wjat i mena
Read 150 tweets
Profile picture
Right out of the gate today. 3 from Davenport.

@drawandstrike @catesduane @rising_serpent @almostjingo @tracybeanz @TheChiIIum @Quodverum_ @headsnipe01
Davenport Man Sentenced to 200 Months in Prison for Drug Offense

justice.gov/usao-sdia/pr/d…
Davenport Man Sentenced to 210 Months in Prison for Federal Firearms Offense

justice.gov/usao-sdia/pr/d…
Read 4 tweets
Profile picture
This is going to be another long thread (I'm sorry), but in light of some recent projects and conversations with friends, I kind of want to muse a little bit about the background behind my perspective as a Vocaloid producer in the West and what it's like making amateur music...
For a sense of background, right now I identify, to the end, as a "hobbyist" musician; I have no intention of going into this professionally as a career, or to even remotely pursue it, and despite the difficulty of finding free time, still prefer to do it for personal enjoyment
I do not expect I will ever be as good as a professional and although that's frustrating in its own way, I've made my peace with it, because in the end my end goal is to just have fun with my work and make cool things as it comes, whenever I have that kind of time
Read 40 tweets
Profile picture
[TAEKOOK AU]

HANAHAKI DISEASE • FAKE RELATIONSHIP

Taehyung and Jungkook are bestfriends who entered a fake relationship. Taehyung didn't know he has hanahaki disease not until he fell in love for the first time with Jungkook, A rich guy who doesn't love him as what he wanted.
Hanahaki disease [in this story]
°An illness from one sided love, where the person cough up flower petals with blood when they suffer from unrequited love. The person could die from the illness if the feelings is not returned.
The disease can also be cured through a surgery but the cause will be the person's memory of his love will be vanished.
Read 301 tweets
Profile picture
Almost all of the Road Runner cartoons are available via the @BoomerangToons app.

I subscribed for $5 & decided I'm gonna watch & tweet about 'em all in chronological order, even the later, terrible ones, for which I have an irrational affection.

Here we go.
#BeepBeep
#MeepMeep
Boomerang lists them alphabetically not chronologically so Chuck Jones masterpieces sit side-by-side with 1960s atrocities (& later 'revival' attempts.)

I am going to start at the beginning. I will also be including Wile E. Coyote/Bugs Bunny & Ralph Wolf/Sam Sheepdog shorts, FYI
September 17, 1949: "Fast And Furry-ous"

Chuck Jones intended this short to be a parody of cat & mouse "chase" cartoons. Instead, he accidentally created the definitive chase cartoon series of all time.
Read 1189 tweets
Profile picture
It's time for me to talk about something that's been on my mind for a while now.
With the fallout of Justice League's release, I think it's time to talk about DCEU fandom, and how it developed alongside the unraveling of WB's ambition for DC films.
Full disclaimer upfront: I am NOT talking about people who enjoy DC films, fans of DC characters, or anything like that. I'm friends on here with many people who like these movies. I'm talking specifically about the toxic folks who have ruined the reputation of DC fans.
You know the ones. The ones who sent critics death threats after bad reviews came in, who have harassed others for not sharing their opinions, who have formed conspiracy theories about Disney paying critics, who claim that people who don't like BVS "don't understand it".
Read 91 tweets

Trending hashtags

#FairPlay4Women #MickeyTrueOriginal #terribleminds #squash #MerryXmas #VelocityConf #PopCAANZ18 #StopKavanaugh #Mickeys90thCelebration #Taqiya #BeepBeep #2018MMM #OnAssignment #Israel #ROGD #SREcon #Right #Justice4Marc #SaoirseRonan #DirectorsCut #Corbyn #Mickey90 #Iran #LostHighway #Alfie

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!