Share this page!

Steve Miller Profile picture
Twitter logo
14 Oct, 10 tweets, 9 min read
Students of #infosec: @Mandiant and @FireEye folks have put out tons of blogs over the years. Careful reading of these can help you build familiarity with threat actors, intrusion TTPs, and threat data. And sometimes they're just fun. Here's a thread with some of my favorites:
FIN7 related

LNKs
fireeye.com/blog/threat-re…

SDB persistence
fireeye.com/blog/threat-re…

RDFsniffer
fireeye.com/blog/threat-re…

CARBANAK
fireeye.com/blog/threat-re…
ICS/OT related...

TRITON
fireeye.com/blog/threat-re…

unc878
fireeye.com/blog/threat-re…

IT/OT strategies
fireeye.com/blog/threat-re…

Triton and TriStation
fireeye.com/blog/threat-re…
APT41 related

CVE for Citrix ADC
fireeye.com/blog/threat-re…

CVE for Confluence
fireeye.com/blog/threat-re…

MESSAGETAP!
fireeye.com/blog/threat-re…
Analysis related

Capa!
fireeye.com/blog/threat-re…

Clustering for attribution
fireeye.com/blog/threat-re…

Excel
fireeye.com/blog/threat-re…

fireeye.com/blog/threat-re…

Logon event anomalies
fireeye.com/blog/threat-re…
Artifact related

AppCompat
fireeye.com/blog/threat-re…

PDB paths
fireeye.com/blog/threat-re…

fireeye.com/blog/threat-re…

Powershell
fireeye.com/blog/threat-re…

LNK
fireeye.com/blog/threat-re…

WMI
fireeye.com/blog/threat-re…

fireeye.com/content/dam/fi…
TTP related

VBA stomping
fireeye.com/blog/threat-re…

RDP tunneling
fireeye.com/blog/threat-re…

Outlook homepage
fireeye.com/blog/threat-re…

Shellcode
fireeye.com/blog/threat-re…

DLL abuse
fireeye.com/blog/threat-re…
Mass exploitation related

fireeye.com/blog/products-…

fireeye.com/blog/threat-re…

fireeye.com/blog/threat-re…
Ransomware related

fireeye.com/blog/threat-re…

fireeye.com/content/dam/fi…
Iran

APT33
fireeye.com/blog/threat-re…

APT34
fireeye.com/blog/threat-re…

APT34 on LinkedIn lol
fireeye.com/blog/threat-re…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Steve Miller

Steve Miller Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @stvemillertime

Steve Miller Profile picture
20 Mar
ExportEngine: Find Evil by PE Export DLL Names

(a #dailyyara thread)

PE files w/ exported functions often contain an image directory entry that we usually call something like "PE DLL name" or "export DLL name"

This string is "analytically rich" and is surfaced in many tools
Here in a sample of EVILTOSS (APT29) we see lots of valuable metadata in the IMAGE_EXPORT_DIRECTORY but it also contains the plain-as-day export DLL name "install_com_x32_as_dll.exe"
The export DLL name strings contains enough predictable developer conventions that you can use simple Yara rules to surface, cluster, detect/hunt for malicious activity that might otherwise be missed (similar to my prior research on ConventionEngine and PDB paths). Let's look...
Read 16 tweets
Steve Miller Profile picture
22 Feb
You may not think attribution matters, but I think attribution is also on the detection spectrum, or #DETECTRUM. I'm trying to think about it as layers of additive traps that enable us to hedge our bets for visibility, resilience in detection, sometimes to figure out who dun it.
I think the #DETECTRUM can be used to model both inputs and outputs of the detection engineering process - whether you're plotting "logic designed to find evil," alerts, the tech, or the or the data itself. The graphs might look a bit different, but same ideology might be useful
See also this thread and this thread:



and there's plenty of commentary on the #detectrum as well

Read 4 tweets
Steve Miller Profile picture
26 Feb 19
The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting
You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.
At least one single "fuck" is present in some samples of the following malware families: AGENTBTZ, ASCENTOR, ZXSHELL, SOGU, TRICKBOT, GHOST, VIPER, WANNACRY, WARP, NETWIRE, COREBOT, REMCOS, VIPER, ORCUSRAT, PONY, etc. I can't even name the coolest ones. There are hundreds.
Read 6 tweets
Steve Miller Profile picture
19 Feb 19
Hopefully the 2019 @CrowdStrike “heat map” and global prevalence of @MITREattack will set a precedent for how vendors publicly discuss TTPs, allowing defenders to prioritize detection efforts based on evidence rather than cool factor: crowdstrike.lookbookhq.com/web-global-thr…
The @CrowdStrike report does not discuss the biases nor provide real hard numbers on the TTPs, which I know from experience are hard to deduplicate on intrusions (some are over represented and some are under represented). Maybe @_devonkerr_ or someone can shed some light here.
I’d like for someone to explain how data was collected, where the gaps are, and how the global prevalence (GP) measurements vary w/r/t malware families, actor groups, fluctuating GP for TTPs over the last couple of years. What is rising and falling? What can’t @CrowdStrike see?
Read 5 tweets
Steve Miller Profile picture
12 Feb 19
Mal devs themselves introduce some of the funniest & hi-fi (although short lived) detection opportunities. Amongst several applicable HTTP methodologies, we see "Content-Type:application/octect-stream." Don't manually type out your HPTP headers for your C2 protocolols. #dailypcap
This network traffic comes from newish backdoor ExileRAT (compiled 2019-01-30T07:05:47Z) 606e943b93a2a450c971291e394745a6 that was hanging (with a multitude of other evil) on recently #opendir "http://27.126.188[.]212" There are ties to a humongous cluster of probs CN espionage.
The attackers from IP 27.126.188[.]212 are rollin' deep with kit. get_robin.py (1) looks to be some derivative of github.com/bhdresh python toolkit and also does some logging of connections. Sc.dat (2) is HTML that does JS get and creates a scheduled task for the exe.
Read 5 tweets
Steve Miller Profile picture
8 Feb 19
Another quick .NET triage/analysis of a related #PUBNUBRAT dropper/launcher (?) 1d155032232cd40c1788271546af36ec (U4.conf). This one we start immediately with extracting the 'app' resource using dnSpy to get 5bbe762b83e051776f1b5ea30ffc0050 (application/x-lzip).
5bbe762b83e051776f1b5ea30ffc0050 decompressed to the goliath ~8MB ca19c3c3c2ef656b33d7173a49186f5a (application/x-dosexec) which is also a .NET binary. Back in dnSpy, which nearly chokes on the size, we finally get to a main decryption routine.
We could take the next steps of this in a million ways, but this is easy to do in @GCHQ's #CyberChef. First From Base64 & To Hex the Key and IV for the crypto routine and save these in hex.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get email notifications when new thread is out from this Author!

Check out other threads from this Author!

Read all threads by @stvemillertime