🆕 🔥 Research on PDB Paths from @stvemillertime: fireeye.com/blog/threat-re… #DFIR primer & exploration of these wonderful artifacts.
Followed by a survey of malware PDB conventions, PDB anomalies, attacker mistakes. All with attribution, including Western gov.
THREAD (1/n)
Includes considerations for #threatintel shops, red teams/operators, and weaknesses in PDB paths.
Blog also has: the most malware code families and threat groups we've ever published, some spicy groups, and some light swearing (malware devs are potty mouths) #SwearEngine
2/n
I love that @stvemillertime surfaced a bunch of strange PDB path anomalies and dug in with @mikesiko's #FLARE team to get to ground truth & replicate the artifact. fireeye.com/blog/threat-re…
Where my #DFIR followers at?
❓ Curious if you've found other anomalies not listed? 3/n
"Our adversaries are human. They err. And when they do, we can catch them."
ConventionEngine yara rules covering 300 mal fams, 39 APT & FIN groups, and 200+ UNC (uncategorized) groups: fireeye.com/content/dam/fi…
I snuck some in too!
Usage:
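As an added illustration of the artifact the thread is about (this is my own example, not code from the FireEye blog or the ConventionEngine rule set), the block below pulls CodeView "RSDS" debug records out of a raw byte blob and runs a few ConventionEngine-style heuristics over the recovered PDB paths: build-keyword hits, a developer username leaking from a `C:\Users\<name>\` prefix, and a path that does not start at a drive root. The RSDS layout (signature, 16-byte GUID, 4-byte age, NUL-terminated path) is the documented CodeView format; the keyword list, the sample GUIDs and the sample paths are constructed for the demo.

```python
import re
import struct
import uuid

# CodeView RSDS record: b"RSDS" + 16-byte GUID (little-endian layout) + 4-byte age
# + NUL-terminated ASCII path. The path group is lazy so it stops at the first ".pdb\0".
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>[\x00-\xff]{16})(?P<age>[\x00-\xff]{4})"
    rb"(?P<path>[\x20-\x7e]{1,260}?\.pdb)\x00"
)

# Constructed keyword list in the spirit of ConventionEngine; not the published rules.
SUSPICIOUS_TERMS = ("hack", "inject", "bypass", "dropper", "backdoor", "shellcode", "payload", "stealer")
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\")


def extract_pdb_paths(data: bytes):
    """Return every RSDS record (guid, age, path) found anywhere in a byte blob."""
    records = []
    for m in RSDS_RE.finditer(data):
        records.append({
            "guid": str(uuid.UUID(bytes_le=m.group("guid"))),
            "age": struct.unpack("<I", m.group("age"))[0],
            "path": m.group("path").decode("ascii"),
        })
    return records


def assess_pdb_path(path: str):
    """Heuristic findings for one PDB path; an empty list means nothing stood out."""
    findings = []
    lowered = path.lower()
    for term in SUSPICIOUS_TERMS:
        if term in lowered:
            findings.append(f"keyword:{term}")
    user = USER_PROFILE_RE.match(path)
    if user:
        # Developer account name baked into the build path: a pivot point for clustering.
        findings.append(f"username:{user.group(1)}")
    if not DRIVE_ROOT_RE.match(path):
        findings.append("anomaly:non-drive-root")
    return findings


def _rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Build a synthetic RSDS record (used only to construct the sample blob)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed sample: two RSDS records embedded in filler bytes, as they would sit in a PE.
SAMPLE_BLOB = (
    b"\x00" * 32
    + _rsds(uuid.UUID("12345678-1234-5678-1234-567812345678"), 1,
            r"C:\Users\dev\Desktop\hack\Release\dropper.pdb")
    + b"PADDING"
    + _rsds(uuid.UUID(int=0), 3, r"D:\build\shipping\x64\Release\netsvc.pdb")
)


if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE_BLOB):
        print(rec["path"], rec["guid"], rec["age"], assess_pdb_path(rec["path"]))
```

Scanning the whole file rather than walking the PE debug directory is deliberate: it also catches PDB strings left in overlays, resources or packed stubs, which is where the odd anomalies in the thread tend to come from.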
The value of our (+@cglyer) real-time attacker technique collaboration with absolute beasts in the industry @doughsec 😶🌫️, @penninajx + @srunnels 💻 cannot be overstated bringing together puzzle pieces for the RE wizards on each side
From the new @WIRED article: wired.com/story/the-unto…
———
While Mandia conferred with the government, Charles Carmakal, the CTO of Mandiant Consulting, contacted some old friends. Many of the hackers’ tactics were unfamiliar, and he wanted to see whether two former Mandiant… twitter.com/i/web/status/1…
We've been tracking DEV-0537 since 2021 (overlaps: Lapsus$, UNC3661). Here's a comprehensive 🆕 BLOG 📰 covering observed TTPs: microsoft.com/security/blog/…
#MSTIC and Defender threat intel collab
➕#DART 👻 incident response team experience from the trenches [1/3]
The blog highlights varied initial access vectors and a slew of [inconsistent?] end goals: data theft, extortion, chaos...
One way to interpret "this actor's TTPs and infrastructure are constantly changing" is that they are loosely-organized (see:
DEV-0537 / Lapsus$ shows that attackers can be creative opportunists and still be successful.
Luckily, the same goes for defenders.
Use this opportunity to strengthen your security controls to protect far beyond this threat actor [3/3] microsoft.com/security/blog/…
But then what?? Let’s talk about some post-compromise techniques...
Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premise...
We just published more details on what we’ve been finding post-compromise: blogs.microsoft.com/on-the-issues/…
ADFS key material compromise, SAML shenanigans, OAuth keys added...
Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic
That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).
You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
As shipped, it's looking over the past 30 days. But if you have #AzureSentinel, I recommend pasting that same KQL in & searching logs w/ expanded timeframe.
The # authAttempts can stay where it's at ... #STRONTIUM activity is approx 100 attempts per IP per account
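To make the shape of that output concrete, here is an added Python example (mine, not the KQL from the #MSTIC report) that aggregates failed sign-ins per User-Agent and reports the same columns the tweet lists: first/last attempt, total attempts, unique IPs, unique accounts and the account list, with a `min_attempts` cut-off playing the role of the authAttempts threshold. The sign-in records, field names, User-Agent strings and IP addresses are all constructed; nothing here comes from real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def summarize_failed_signins(events, min_attempts=100):
    """Group failed sign-ins by User-Agent and keep groups at or above min_attempts."""
    by_ua = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ua[e["user_agent"]].append(e)

    rows = []
    for ua, evs in by_ua.items():
        if len(evs) < min_attempts:
            continue
        times = sorted(e["timestamp"] for e in evs)
        accounts = sorted({e["account"] for e in evs})
        pairs = {(e["ip"], e["account"]) for e in evs}
        rows.append({
            "user_agent": ua,
            "first_attempt": times[0],
            "last_attempt": times[-1],
            "attempts": len(evs),
            "unique_ips": len({e["ip"] for e in evs}),
            "unique_accounts": len(accounts),
            "accounts": accounts,
            # Average attempts per (IP, account) pair: the tweet cites ~100 for this activity.
            "attempts_per_ip_account": round(len(evs) / len(pairs), 1),
        })
    rows.sort(key=lambda r: r["attempts"], reverse=True)
    return rows


def build_sample_signins():
    """Constructed sign-in log (not real data): one spray client plus low-volume noise."""
    base = datetime(2020, 9, 1, 8, 0, 0)
    events = []
    # Hypothetical spray client: 2 source IPs x 2 target accounts x 100 attempts each.
    spray_ua = "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.24"
    n = 0
    for ip in ("203.0.113.10", "198.51.100.7"):
        for account in ("alice@example.com", "bob@example.com"):
            for _ in range(100):
                events.append({"timestamp": base + timedelta(seconds=30 * n), "ip": ip,
                               "account": account, "user_agent": spray_ua, "result": "failure"})
                n += 1
    # Noise: a user who mistyped a password 20 times, then signed in successfully.
    noise_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/85"
    for k in range(20):
        events.append({"timestamp": base + timedelta(minutes=k), "ip": "192.0.2.5",
                       "account": "carol@example.com", "user_agent": noise_ua, "result": "failure"})
    events.append({"timestamp": base + timedelta(minutes=21), "ip": "192.0.2.5",
                   "account": "carol@example.com", "user_agent": noise_ua, "result": "success"})
    return events


if __name__ == "__main__":
    for row in summarize_failed_signins(build_sample_signins()):
        print(row["user_agent"], row["attempts"], row["unique_ips"], row["unique_accounts"],
              row["first_attempt"], row["last_attempt"], row["accounts"])
```

Lowering `min_attempts` is the knob the tweet is talking about: at 100 only the spray client surfaces, while at 10 the mistyped-password user also shows up, which is the noise the default threshold is there to suppress.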