🆕 Microsoft.Workflow.Compiler sample with low VT detection!
1⃣C:\ProgramData\ccm_deploy.xml 🧐
MD5 fb98cddfa2e13334989d27d1b5b7cdda
VT (0/56): virustotal.com/gui/file/8b6d8…
2⃣Loads C:\ProgramData\package.xml
MD5 a916ca1d57d9c3b2627907ab68a264fe
VT (1/58): virustotal.com/gui/file/9a8b5…
[1/4]
I uploaded both to @virusbay_io: beta.virusbay.io/sample/browse/…

and the extracted payload to @anyrun_app: app.any.run/tasks/35c09520…

Injection Target Process = %ProgramFiles%\Internet Explorer\iexplore.exe
PPID Spoof Parent = True
PPID Spoof Process = explorer
Returned true
[2/4]
@virusbay_io @anyrun_app More info on @mattifestation's method:
1⃣ My favorite implementation uploaded publicly is this Excel file (probably authored by @egyed_laszlo):
2⃣ The first workflow VT sample uploaded was ~1 year ago:

^plus background & links
VT detections aren't representative of security vendors' full detection posture.

But, because this had poor coverage (and only @cyb3rops had helpful context on the XOML's mem process write), I'm sharing my Aug 2018 #DailyWorkflow rules if they help: gist.github.com/itsreallynick/…
[4/4]
@cyb3rops 🆓 BONUS TWEET: #threatintel care of #AdvancedPractices 🦅 teammate @a_tweeter_user
NOTE: @anyrun_app you might be interested in improving execution optics for #TIBERIUS, linked 👆🏽 in the 2nd tweet 😉
@cyb3rops @a_tweeter_user @anyrun_app 🆓🆓 DOUBLE BONUS: here are resume-themed phishing documents dating back to February that load shellcode the same way - plus links to the original tweet shares:
Good example of the #threatintel you can extract from Twitter, if you know how to use it.
#blueteam take note:
• package.xml, pushed via ccm_deploy.xml 🤔 #ConfigMgr is a Workflow.Compiler payload containing a Base64-encoded executable
• the EXE is padded with a single null byte so regular b64(EXE file magic) doesn't work
• the solution? ...
...is for #detection engineers to account for all three possible Base64 encodings (with 0-2 pad bytes)
Python & PowerShell tools from @DavidPany @JohnLaTwC @Lee_Holmes @DissectMalware:
Try with default MS-DOS stub
"This program cannot be run in DOS mode"
@DavidPany @JohnLaTwC @Lee_Holmes @DissectMalware Here's a fresh one from the same intrusion operator:
👿#EGGHUNT & #BEACON backdoors
👨‍💻#UNC1739 (🟥 team)
^very worth your time to chase, they do cool stuff 🤩
I made a logo 😉🙃
@DavidPany @JohnLaTwC @Lee_Holmes @DissectMalware Much newer #UNC1739 tradecraft: praetorian.com/blog/extending… 👀
Neat stuff - excited to see it in-the-wild!
I wonder how #FLOSS does against this new string obfuscation github.com/fireeye/flare-…
Putting this on my fridge https://t.co/UTRCfZzQia
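
The "all three possible Base64 encodings" point from the thread, as an added Python example (not code from the thread or from the tools it links): it derives the three alignment variants of the DOS stub string and reports which one occurs in a blob. The `<Payload>` wrapper and the PE-like bytes are constructed sample data, not the real package.xml.

```python
import base64
import re

DOS_STUB = b"This program cannot be run in DOS mode"

def b64_variants(needle: bytes) -> list[str]:
    """Return the Base64 form of needle for each byte alignment (0, 1, 2)."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle).decode().rstrip("=")
        # Leading chars that mix in bits of the preceding bytes are dropped,
        # as is a trailing char that would mix in bits of whatever follows.
        skip = (0, 2, 3)[shift]
        full = 8 * (shift + len(needle)) // 6
        variants.append(enc[skip:full])
    return variants

def alignments_found(text: str, needle: bytes = DOS_STUB) -> list[int]:
    """Return the alignments (0-2) at which Base64-encoded needle occurs."""
    flat = re.sub(r"\s+", "", text)  # Base64 blobs are often line-wrapped
    return [s for s, pat in enumerate(b64_variants(needle)) if pat in flat]

def make_sample(pad: int) -> str:
    """Constructed sample: PE-like bytes behind `pad` null bytes, in fake XML."""
    # The stub sits at offset 0x4E, as in a default MS-DOS header.
    pe_like = b"MZ\x90\x00" + bytes(74) + DOS_STUB + b".\r\r\n$"
    blob = base64.b64encode(b"\x00" * pad + pe_like).decode()
    wrapped = "\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return f"<Payload>\n{wrapped}\n</Payload>"  # element name is hypothetical

if __name__ == "__main__":
    print("MZ header variants:", b64_variants(b"MZ\x90"))
    for pad in range(3):
        print(f"pad={pad} -> stub found at alignment", alignments_found(make_sample(pad)))
```

A rule that only carries the alignment-0 string misses the sample with one pad byte; a rule carrying all three strings matches regardless of padding.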
