So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover?

Start here: fireeye.com/blog/threat-re… 🤩

But then what?? Let’s talk about some post-compromise techniques...
Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premise...

We just published more details on what we’ve been finding post-compromise: blogs.microsoft.com/on-the-issues/…
ADFS key material compromise, SAML shenanigans, OAuth keys added...
Within the technical companion blog (msrc-blog.microsoft.com/2020/12/13/cus…) we provide some late stage killchain activity observed many places.

I want to highlight the additional detections pushed to cover these techniques in @MSAzureSentinel (but anyone can use on the UAL for #DFIR) ...
AAD PowerShell tomfoolery:
Logic to expose when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Microsoft Graph

➡️ github.com/Azure/Azure-Se…
Domain federation trust horseplay:

Logic to highlight when an Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain

➡️ github.com/Azure/Azure-Se…

Globally rare event. Always interesting.
OAuth App Credential Hijinks

Finds new credentials added to an App/SP.
With sufficient privileges, an actor can add alternate authentication material for direct access to resources using this credential.

More from @_dirkjan dirkjanm.io/azure-ad-privi…

➡️ github.com/Azure/Azure-Se…
What an honor to work with such talented people who didn’t let setbacks (or sleep) get in the way of finding evil and cracking the case.
See those names throughout the blogs; and there are more.

Alright; so much work to be done now!
Don’t give up along the way. 🕵🏼‍♂️☀️🌬😉
Oh and I must say... I was in the same spot as @SwiftOnSecurity (and let’s be honest, most everyone else) on SAML security. How could anyone know all of this??
Of course @cglyer somehow knows it 😂 and helped me along.

Then #MSTIC brought in the big guns in Microsoft Identity 💪
The benefit of understanding & detecting/hunting the above techniques is they can help identify post-compromise activity, even if* it's a different threat actor or a different initial infection vector:
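The three detections the thread describes, re-implemented as an added example in Python over constructed Azure AD sign-in and audit records so they can be run offline. This is not the thread author's code nor the KQL in the Azure Sentinel repository; the app/resource IDs, the OperationName strings and the KeyDescription property name follow the Azure AD SigninLogs/AuditLogs shape as I know it and are assumptions to confirm against your own tenant's logs, and every sample record is made up.

```python
# Added example: the thread's three post-compromise detections replayed over
# constructed Azure AD log records. Not the author's KQL; field names follow the
# SigninLogs / AuditLogs shape and the IDs/operation names below are assumptions.

# Well-known IDs (assumed; verify in your tenant's SigninLogs)
AAD_POWERSHELL_APPID = "1b730954-1685-4b74-9bfd-dac224a7b894"  # "Azure Active Directory PowerShell" client
AAD_RESOURCE_IDS = {"00000002-0000-0000-c000-000000000000"}    # Windows Azure Active Directory itself

# Assumed AuditLogs OperationName values for the two audit-based detections
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
CREDENTIAL_OPS = {"Add service principal credentials",
                  "Update application - Certificates and secrets management"}

# --- constructed sample records (not real tenant data) ------------------------
SIGNINS = [
    # AAD PowerShell reaching AAD itself: ordinary admin use, not flagged
    {"TimeGenerated": "2020-12-14T03:12:09Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "AppId": AAD_POWERSHELL_APPID,
     "ResourceIdentity": "00000002-0000-0000-c000-000000000000",
     "ResourceDisplayName": "Windows Azure Active Directory"},
    # AAD PowerShell client token used against Microsoft Graph: the pattern the thread calls out
    {"TimeGenerated": "2020-12-14T03:15:41Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "203.0.113.10", "AppId": AAD_POWERSHELL_APPID,
     "ResourceIdentity": "00000003-0000-0000-c000-000000000000",
     "ResourceDisplayName": "Microsoft Graph"},
    # A different (constructed) client talking to Graph: not the AAD PowerShell client, not flagged
    {"TimeGenerated": "2020-12-14T03:20:00Z", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "198.51.100.7", "AppId": "11111111-2222-3333-4444-555555555555",
     "ResourceIdentity": "00000003-0000-0000-c000-000000000000",
     "ResourceDisplayName": "Microsoft Graph"},
]

AUDIT = [
    # Federation trust change on the tenant's domain: globally rare, always interesting
    {"TimeGenerated": "2020-12-14T04:02:17Z", "OperationName": "Set federation settings on domain",
     "InitiatedBy": "bob@contoso.example", "TargetResources": [
         {"displayName": "contoso.example", "type": "Domain", "modifiedProperties": [
             {"displayName": "IssuerUri", "newValue": "http://sts.unknown-tenant.example/adfs/services/trust"},
             {"displayName": "SigningCertificate", "newValue": "<constructed, redacted>"}]}]},
    # New credential added to a service principal (the OAuth app credential case)
    {"TimeGenerated": "2020-12-14T04:10:55Z", "OperationName": "Add service principal credentials",
     "InitiatedBy": "bob@contoso.example", "TargetResources": [
         {"displayName": "Mail Sync Connector", "type": "ServicePrincipal", "modifiedProperties": [
             {"displayName": "KeyDescription",
              "newValue": "[KeyIdentifier=CONSTRUCTED-KEY-ID,KeyType=Password,KeyUsage=Verify,DisplayName=]"}]}]},
    # Routine provisioning event, not flagged by either audit detection
    {"TimeGenerated": "2020-12-14T04:30:00Z", "OperationName": "Add user",
     "InitiatedBy": "hr-sync@contoso.example",
     "TargetResources": [{"displayName": "newhire@contoso.example", "type": "User"}]},
]


def aad_powershell_to_non_aad(signins):
    """Detection 1: the AAD PowerShell client used to reach a resource other than AAD itself."""
    return [s for s in signins
            if s["AppId"] == AAD_POWERSHELL_APPID and s["ResourceIdentity"] not in AAD_RESOURCE_IDS]


def federation_trust_changes(audit):
    """Detection 2: federation settings (issuer URI, signing certificate, ...) set on a domain."""
    hits = []
    for ev in audit:
        if ev["OperationName"] not in FEDERATION_OPS:
            continue
        for target in ev["TargetResources"]:
            hits.append({"time": ev["TimeGenerated"], "actor": ev["InitiatedBy"],
                         "domain": target["displayName"],
                         "changed": [p["displayName"] for p in target.get("modifiedProperties", [])]})
    return hits


def app_credential_additions(audit):
    """Detection 3: a new key or secret added to an application or service principal."""
    hits = []
    for ev in audit:
        if ev["OperationName"] not in CREDENTIAL_OPS:
            continue
        for target in ev["TargetResources"]:
            keys = [p["newValue"] for p in target.get("modifiedProperties", [])
                    if p["displayName"] == "KeyDescription"]
            hits.append({"time": ev["TimeGenerated"], "actor": ev["InitiatedBy"],
                         "app": target["displayName"], "kind": target["type"], "keys": keys})
    return hits


if __name__ == "__main__":
    for name, fn, data in (("AAD PowerShell -> non-AAD resource", aad_powershell_to_non_aad, SIGNINS),
                           ("Domain federation trust change", federation_trust_changes, AUDIT),
                           ("App/SP credential added", app_credential_additions, AUDIT)):
        print(f"== {name}")
        for hit in fn(data):
            print("  ", hit)
```

Each function returns the matching records rather than printing them, so the same logic can be pointed at an exported Unified Audit Log or at a Sentinel query result. The three keep the thread's framing: the first two are rare enough that a single hit is worth a look, while the credential-added detection is noisier and is best joined against who the actor is and whether the app/SP already held credentials.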

More from @ItsReallyNick

10 Sep
Added #STRONTIUM election-related credential harvesting campaign "detection" to #AzureSentinel: github.com/Azure/Azure-Se…

Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic
That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).

You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
As shipped, it's looking over the past 30 days. But if you have #AzureSentinel, I recommend pasting that same KQL in & searching logs w/ expanded timeframe.
The # authAttempts can stay where it's at ... #STRONTIUM activity is approx 100 attempts per IP per account
10 Sep
Pokéregex Challenge:
How many of the 719 Pokémon can you capture in a single regular expression that fits in a tweet?

Here's what to match: gist.githubusercontent.com/itsreallynick/…

Here are awesome regex resources: raw.githubusercontent.com/aloisdg/awesom… [this same text blob will also be used to measure FPs😊]
If you haven't done something like this before, here's a [crappy] bash one-liner to start:

sh -c 'pattern="your|regex"; echo 🎯 Pokémon:; curl -s gist.githubusercontent.com/itsreallynick/… | grep -ioE "$pattern" | wc -l; echo 🚯 Noise:; curl -s github.com/aloisdg/awesom… | grep -ioE "$pattern" | wc -l'
Oh, if it wasn't clear ... you put your regular expression in where it says "your|regex"

Because, as written, the results are pretty terrible 😄 [pictured]

This is similar to an interview question @TekDefense & I would ask @ Mandiant.
It's also an #APT32 hunting tweet. 😉🌶️ This is probably a terrible...
31 Jul
I started playing Pokémon Go with my kids at the start of the COVID-19 pandemic.

I can’t believe how many #infosec Pokémon we’ve caught so far.

Here’s a quick thread – please add since I’m missing many.

First up: I definitely appreciate that they included #FIN7 in this game
That last one was much harder to capture than these Iranian TTP Pokémon.
This #infosec Pokémon is an absolute thug. It’s fun every year & a new one is appearing soon #flareon7
3 Apr
🆕 Job Update: I'm joining @Microsoft!

On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF

My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅

Also:
I'm going to lean on (& try¹ to contribute to) teams across the MS security family:
@MicrosoftMTP crew w/ @jepayneMSFT @endisphotic @GossiTheDog et al🤩
@msftsecresponse w/ the awesome @n0x08
@Lee_Holmes for everything Azure

¹if I say it here, it has to happen right?😉
2 Apr
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
1 Apr
🧾Stock Tax Tip
For years, I've seen teammates pay double taxes on stock grants. And *many* individuals & tax advisors prepare it incorrectly. ☹️

If you're fortunate enough to have sell-to-cover Restricted Stock Unit (RSU) grants – this probably needs adjusting.

Here's the fix:
There may be a tiny caveat in your broker's documentation suggesting you will be double taxed. I heard it was due to a rule change in 2014 (sfgate.com/business/netwo…).

Pictured: the single note in an eTrade PDF.

The impact can be several thousands of dollars overpaid each year...
So here's how you get the right info using Excel!

These steps are for eTrade, but can be adapted for another broker.

Step 1⃣: Download the tax year's full gains & losses as a CSV.
Stock Plan > My Account > Gains & Losses > [tiny] Download button