(1/2) TL;DR "DLL sideloading attack is the most successful
attack as most EDRs fail to detect, let alone block, it." A scholarly and unbiased examination of how top EDR detects APT threats by @MDPIOpenAccess mdpi.com/2624-800X/1/3/…
(2/2) Teams.exe is used by Cobalt Strike malleable C2 to beacon, undetected by most EDR.
It would be cool if EDR had network-based UEBA to detect these anomalous egress network connections. While some network gateways offer this, it would be more beneficial to have it detected at the endpoint due to #WorkFromHome
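As an added illustration of the endpoint-side egress baselining the thread asks for (example code, not from the thread or any EDR vendor): learn which destinations each process image normally connects to from a baseline window of constructed Sysmon-style connection records, then flag a Teams.exe connection to a destination outside that baseline. Hostnames in the sample records are illustrative placeholders, not observed indicators.

```python
"""Per-process egress baseline: flag connections a process has not made before."""
from collections import defaultdict

# Constructed sample telemetry: (process image, destination host, port).
# The hosts are illustrative placeholders chosen for this example.
BASELINE_EVENTS = [
    ("Teams.exe", "teams.microsoft.com", 443),
    ("Teams.exe", "teams.microsoft.com", 443),
    ("Teams.exe", "statics.teams.cdn.office.net", 443),
    ("chrome.exe", "www.example.com", 443),
]
NEW_EVENTS = [
    ("Teams.exe", "teams.microsoft.com", 443),       # matches baseline
    ("Teams.exe", "cdn-update.example.net", 443),    # host never seen for Teams.exe
    ("Teams.exe", "teams.microsoft.com", 8443),      # known host, unusual port
    ("notepad.exe", "www.example.com", 443),         # process never seen egressing
]


def build_baseline(events):
    """Map each process image to the set of (host, port) pairs it has used."""
    baseline = defaultdict(set)
    for image, host, port in events:
        baseline[image].add((host, port))
    return baseline


def classify(event, baseline):
    """Return a verdict for one connection event against the learned baseline."""
    image, host, port = event
    known = baseline.get(image)
    if known is None:
        return "new_process_egress"       # image has no outbound history at all
    if (host, port) in known:
        return "baseline"
    if any(known_host == host for known_host, _ in known):
        return "known_host_new_port"      # same destination, different port
    return "new_destination"              # e.g. a beacon to an unfamiliar host


def find_anomalies(events, baseline):
    """Return (event, verdict) for every event that deviates from the baseline."""
    verdicts = [(event, classify(event, baseline)) for event in events]
    return [(event, verdict) for event, verdict in verdicts if verdict != "baseline"]


if __name__ == "__main__":
    for event, verdict in find_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{verdict:22} {event[0]} -> {event[1]}:{event[2]}")
```

In practice the baseline window must predate the suspected compromise, otherwise the beacon destination is learned as normal.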

Keep Current with Joe Stocker
More from @ITguySoCal

28 Aug
(1/x) M365 changes to be aware of
1) End-users can purchase PowerBI on their own personal credit cards to bypass IT
2) End-users can purchase Windows 365 Cloud PC VMs on their own personal credit cards to bypass IT
3) End-users can create security groups (even if you disabled it)
4) End-users were automatically enrolled into Bing Search Rewards which indexes corporate data into Bing Search
5) Bing Search now collects data in Microsoft Word for the "Reuse Files" feature
6) Teams Recordings now expire after 60 days
7) The only way to prevent account lockouts from brute force is to create an Authentication policy (globally in web interface) or for selected users with PowerShell new-AuthenticationPolicy
8) End to End encryption for Teams Calling is off by default
10 Jul
Forensic Investigations in o365 - a short thread on why it’s getting harder and not easier for investigators. 1) Historically the first thing we used to do was enable an EMS E5 trial license in the customer tenant, as that allowed us to have 6 months of MCAS logs. This is gone!
Now, when you enable an MCAS trial, you must manually enable audit logging against O365, so there are no retroactive logs that magically appear 😩… it gets worse tho.. let’s talk about Azure AD “free.” This is what “E1 or E3” gets you
You get 7 days of AAD sign-in and audit logs
Historically when you enabled an AAD P1 or P2 or EMSE5 trial, you could go back 30 days. Now? When you enable the trials, no retroactive logs magically appear. 😭
So at this point the only forensic logs available in O365 beyond 7 days is the Security and Compliance Center Log…
25 Dec 19
New phishing campaign successfully bypasses Microsoft ATP (Office ATP, Defender ATP, and Azure ATP). It also bypasses SmartScreen. Works by sending an .HTM attachment or .ZIP containing .HTM.
IOCs
instantrep.xyz
secured.com.awi-o.online
json.geoiplookup.io
The reason this attack is so effective at reaching inbox:
1. Originates from a compromised mailbox, so it passes SPF, DMARC and DKIM.
2. The .HTM is not malicious, so sandbox detonation is not a problem.
3. There is no remote URL attempted unless the user clicks their username.
I've received the same payload from two different compromised accounts at different companies. The body of the email is the same:
"Remittance advice required."
Firstname Lastname (of compromised user)
CFO