A threat of thoughts + actionable detection ideas from the latest Microsoft #Solorigate post...microsoft.com/security/blog/… ... this is a sweet diagram and hopefully helps make clear the different ways you could be impacted. Not every victim makes it past initial C2.
I think a lot of this we already knew, but lmk if there are nuggets in here that popped out.
Another super helpful explanation of the DGA C2 domains. I love the MS graphics people.
THIS IS THE MEATY STUFF. HANDS ON KEYBOARD ATTACK. Fewer victims got this far from public reporting. Renamed adfind could be a good hunt/detection opportunity. Hunt for/detect on adfind anyway because of ransomware operators.
ICYMI in the other posts, this is actionable for hunting and detection
This is also super-actionable for detection and hunting. Encoded PowerShell and rundll32 are excellent opportunities. As always (and with everything in this blog post and everything in general), it might need tuning.
Several good ideas here on what MS detects. Could be noisy, but worth looking into in your environment. They give you a nice screenshot to provide a process tree to help, too. This list tells us hunting/detecting in ADFS is important.
Moar hashes. Yeah, go search for them. Some of these have been in previous reports too, some might be new. Not all are in VT from my searches.
These are nifty hunting and detection ideas too. Remember, just because MS gives these in their language doesn't mean you can't convert the concepts to whatever you use.
I think we've seen this domain a zillion times by now, but maybe these queries would help you refine searches a bit.
Based on the file name, pretty sure this is describing what FireEye calls SUPERNOVA. (fireeye.com/blog/threat-re…)
I hope my brain dump helped you try to make sense of this Friday evening info. A little new, but most of this has been seen in reporting earlier this week from my perspective. If you see new nuggets and actionable detection/hunting ideas, please reply!
Important thing a friend pointed out - it appears MS is assessing that this persistence backdoor is LIKELY unrelated to this compromise and used by a different threat actor. This is the FireEye source mentioning the same file name, labeled as SUPERNOVA (github.com/fireeye/sunbur…).
Hahaha. *Thread 😂😂 I just noticed.
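As an added example (mine, not the thread's and not Microsoft's detection logic), here is a small Python hunting filter over constructed process-creation events in Sysmon Event ID 1 style that covers three of the ideas called out above: renamed AdFind (PE OriginalFileName versus the on-disk name), encoded PowerShell command lines, and rundll32 loading a DLL by path from outside the usual system and program directories. The sample events, the field names and the list of "expected" DLL locations are assumptions for illustration, and like everything in the thread it would need tuning for your environment.

```python
"""Hunting helpers for three ideas from the thread: renamed AdFind,
encoded PowerShell, and rundll32 loading a DLL from an odd location.
Added example; field names follow the Sysmon Event ID 1 schema and the
sample events are constructed, not captured from any real incident."""
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svc.exe",           # AdFind renamed on disk
     "OriginalFileName": "AdFind.exe",
     "CommandLine": r"svc.exe -f (objectcategory=person)",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Tools\AdFind.exe",               # AdFind under its own name
     "OriginalFileName": "AdFind.exe",
     "CommandLine": r"AdFind.exe -sc trustdmp",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",          # encoded command
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",          # ordinary script run
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # DLL loaded from Temp
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\a.dll,Start",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # benign system DLL
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed list of directories from which rundll32 normally loads DLLs.
EXPECTED_DLL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\program files\\", "c:\\program files (x86)\\")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this
# covers the spellings seen most often (-e, -enc, -EncodedCommand).
ENCODED_FLAG = re.compile(r"(?<!\S)-e(?:nc(?:odedcommand)?)?\b", re.I)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_renamed_adfind(ev):
    """PE header says AdFind, but the file on disk is called something else."""
    return (ev.get("OriginalFileName", "").lower() == "adfind.exe"
            and _basename(ev["Image"]) != "adfind.exe")


def is_encoded_powershell(ev):
    """PowerShell launched with an encoded command argument."""
    if _basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    return ENCODED_FLAG.search(ev["CommandLine"]) is not None


def is_suspicious_rundll32(ev):
    """rundll32 loading a DLL by absolute path outside EXPECTED_DLL_ROOTS.
    Bare module names (shell32.dll) resolve via the search path and are
    left alone by this heuristic."""
    if _basename(ev["Image"]) != "rundll32.exe":
        return False
    parts = ev["CommandLine"].split(None, 1)
    if len(parts) < 2:
        return False
    module = parts[1].split(",", 1)[0].strip().strip('"')
    path = PureWindowsPath(module)
    if not path.is_absolute():
        return False
    return not str(path).lower().startswith(EXPECTED_DLL_ROOTS)


RULES = [("renamed_adfind", is_renamed_adfind),
         ("encoded_powershell", is_encoded_powershell),
         ("rundll32_odd_dll", is_suspicious_rundll32)]


def hunt(events):
    """Return (rule name, Image, CommandLine) for every event a rule fires on."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["Image"], ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Run against the constructed sample it flags the renamed AdFind, the encoded PowerShell launch and the rundll32 loading from Temp, and leaves the three benign events alone; the point, as the thread says, is the concept, so the same three checks translate directly into whatever query language your SIEM or EDR uses.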
Keep Current with Katie Nickels