🔥 "Hacking Tracking Pix & Macro Stomping Tricks"
📺 pscp.tv/FireEye/1djGXQ…

On this 🆕 #StateOfTheHack, @cglyer👨🏼‍🦲 & I break down trendy tradecraft.

Special guests:
👨🏻 Macro stomping (@a_tweeter_user)
👨🏻‍🦱 CVE exploitation in the trenches (@_bromiley)

👇🏼Episode Recap Thread! 🧵
We start with tracking pixels: ◻️ <spacer.gif>
We break down how marketing tools are used by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
For some background, see this thread:
On the show, we chatted through what we've seen as defenders but also some cool victim behavior profiling methods from our offensive security friends, like those shared by @malcomvetter 🎇:

Ok, so why learn specific Office version used? ...
In addition to knowing where they are and whether they'd click, if you know your potential victim's Office version, you can deliver:
1⃣version-specific exploits (e.g., #RULER home page) or
2⃣version-specific payload evasions
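To make the profiling step concrete from the defender's side, here is an added example (not from the thread or from FireEye) that flags likely tracking pixels in an HTML e-mail body: remote images that are 1px/hidden or carry a per-recipient token. The sample HTML and the example-mail.test hostnames are constructed for the demo.

```python
# Added example: detect tracking-pixel style images in HTML e-mail.
# Sample HTML and hostnames below are constructed, not real indicators.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SAMPLE_HTML = """<html><body>
<p>Please review the attached invoice.</p>
<img src="https://cdn.example-mail.test/logo.png" width="120" height="40">
<img src="https://track.example-mail.test/open.gif?rid=c0ffee42" width="1" height="1">
<img src="cid:spacer.gif" width="1" height="1">
<img src="https://track.example-mail.test/o" style="display:none;">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag (incl. self-closing)."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: (v or "") for k, v in attrs})


def _dim(value):
    """'1', '1px', '1%' -> 1; missing or non-numeric -> None."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def find_tracking_pixels(html):
    """Return [{'src': ..., 'reasons': [...]}] for images that can phone home
    and are invisible to the reader (tiny or hidden). A per-recipient query
    token is reported as an extra reason when present."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.imgs:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue  # cid:/data: images never reach a remote server
        style = attrs.get("style", "").replace(" ", "").lower()
        w, h = _dim(attrs.get("width", "")), _dim(attrs.get("height", ""))
        reasons = []
        if (w is not None and w <= 1) or (h is not None and h <= 1) \
                or "width:1px" in style or "height:1px" in style:
            reasons.append("tiny")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if not reasons:
            continue  # a visible remote logo is normal marketing HTML
        if parse_qs(parsed.query):
            reasons.append("tokenised-url")  # ties the open to one recipient
        hits.append({"src": src, "reasons": reasons})
    return hits
```

Run `find_tracking_pixels(SAMPLE_HTML)`: the visible logo and the inline cid: spacer are ignored, while the 1x1 tokenised GIF and the display:none image are reported.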

👉🏼 (around 8 minutes in)
Example evasion affecting static & dynamic analysis: VBA macro stomping 📄🦶🏼 *

For this, @a_tweeter_user stepped in to break down the method & new blog fireeye.com/blog/threat-re… about #UNC1870's use of p-Code compilation & PROJECT stream manipulation (& rap)

*Credit: @JohnLaTwC for both the emoji representation of VBA macro stomping and his fantastic 🆕🔥 thread on examples & methods to find it:
@JohnLaTwC Next - a second guest ‼️
pscp.tv/FireEye/1djGXQ… [~20 minutes in]
Matt Bromiley (@_bromiley) drops by to talk through industry efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, some UNC groups abusing it, and "squatter's rights" [for exploits-as-a-service?]
@JohnLaTwC @_bromiley We covered our 3 technical blogs detailing exploit evasions and several distinct, uncategorized clusters of activity using the Citrix vulnerability for coin-mining (sic semper coinminus, btw), #NOTROBIN, and real 👀 attempted #ETERNALBLUE-laced ransomware.
fireeye.com/blog/threat-re…
@JohnLaTwC @_bromiley .@cglyer & @_bromiley also talked about some of the follow-up activity they've seen from the UNC group that deployed #NOTROBIN

If you haven't, def read @williballenthin & @MadeleyJosh's blog – or at least the /r/netsec complaints about their blog title 🙃
reddit.com/r/netsec/comme…
@JohnLaTwC @_bromiley @cglyer @williballenthin @MadeleyJosh That's it for this #StateOfTheHack recap.
pscp.tv/FireEye/1djGXQ…
🙏🏽Thanks again to guests @a_tweeter_user & @_bromiley as well as the industry collaboration on VBA stomping & Citrix ADC CVE response 💪

Until I get one on @FireEye's official blog, @threadreaderapp unroll this 🧵
The audio-only episode is now available for your morning commute. Detailed show notes match this thread: feye.io/soh