🧵on stealing TeamViewer credentials
Many organizations have systems with TeamViewer actively running; some know it and manage it correctly, other have no idea it is running or where. The latter probably have multiple versions #redteam #blueteam #purpleteam #ThreatThursday 1/10
Many organizations have systems with TeamViewer actively running; some know it and manage it correctly, other have no idea it is running or where. The latter probably have multiple versions #redteam #blueteam #purpleteam #ThreatThursday 1/10
I started looking deeper into TeamViewer when @snlyngaas reported that a Florida water facility had been breached. A malicious actor used TeamViewer to login and change the levels of sodium hydroxide. The plant operator say this and no damage was done cyberscoop.com/florida-water-… 2/10
For those that speak @MITREattack we are talking about T1078 Valid Accounts: attack.mitre.org/techniques/T10…
But how were these credentials obtained? We don't know but @brysonbort spoke with #RSAC about it if you want more on the Florida water plant breach: 3/10
But how were these credentials obtained? We don't know but @brysonbort spoke with #RSAC about it if you want more on the Florida water plant breach: 3/10
Back to TeamViewer and stealing credentials. As I researched this more, I learned that previous versions of TeamViewer exposed credentials in the registry. While the credentials are encrypted there is a known decryption key: whynotsecurity.com/blog/teamviewe… 4/10
There was also a vulnerability in 2020 that TeamViewer fixed in CVE-2020-13699 that forced a TeamViewer end user to send their NTLM credentials: nvd.nist.gov/vuln/detail/CV… 5/10
From the #redteam perspective, it comes down to identify if TeamViewer is on the system and what version. Based on that, you can steal credentials from registry or force the TeamViewer splash screen to the front and take a screen shot. 6/10
The queries fit in a Tweet along with the screenshot:
reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer
reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer\MachineFallback
reg query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
7/10
reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer
reg query HKEY_CURRENT_USER\SOFTWARE\TeamViewer\MachineFallback
reg query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TeamViewer
7/10
#BlueTeam not sure if you have TeamViewer?
- Scan all hosts for TeamViewer.exe process
- Check for the TeamViewer service
- Look for the registry keys mentioned in this post
- Observe network traffic to confirm TeamViewer is not being sent
8/10
- Scan all hosts for TeamViewer.exe process
- Check for the TeamViewer service
- Look for the registry keys mentioned in this post
- Observe network traffic to confirm TeamViewer is not being sent
8/10
Full post on @scythe_io #ThreatThursday blog post: scythe.io/library/florid…
#adversaryemulation plan shared on GitHub: github.com/scythe-io/comm… 9/10
#adversaryemulation plan shared on GitHub: github.com/scythe-io/comm… 9/10
If you want to see the entire attack chain, check out @dan_gunter and @Tom_VanNorman at #HacktheCapitol on May 4 or at #RSAC icsvillage.com/hack-the-capit…
We will update the blog after the conference embargo. @ICS_Village #cybersecurity #breach #ICS #cyberattack
10/10
We will update the blog after the conference embargo. @ICS_Village #cybersecurity #breach #ICS #cyberattack
10/10
• • •
Missing some Tweet in this thread? You can try to
force a refresh
