1/ #Hardening: More and more attackers in ransomware cases are attacking the ESXi and vCenter infrastructure to encrypt a large part of the systems in a company within a short time.
2/ Once an attacker has gained access to a network, the captured credentials are used for logging into the vCenter infrastructure.
Removing ESXi and vCenter from Active Directory prevents compromised Active Directory accounts from being used to authenticate directly to the
3/ virtualization infrastructure. Authentication would need to happen directly on the relevant systems, and administrators must have dedicated accounts for logging in. These measures cannot prevent compromise but at least make it more
4/ difficult for an attacker. The more time an attacker has to spend in a network (and also has to start more tools etc.), the higher the chances that he will be discovered (through AV events, high CPU load, or EDR detections).
• • •
Missing some Tweet in this thread? You can try to
force a refresh
1/ #Azure#Hardening Tip #5: Legacy authentication to bypass MFA in Azure AD
"One of the most common methods used by attackers to gain access to Azure tenants is credential theft or password spraying with legacy authentication protocols. Legacy authentication protocols
2/ do not support MFA and (if enabled) can be used to gain access to hosted data and resources via Azure AD."
☝️Quote from the M-Trends 2022 Report.
A few weeks ago, I created a presentation titled "Attack target Azure", where these two points are also outlined as the most
3/ common methods (used by attackers) into Azure Tenants.
To better secure Azure Tenants, I recommend creating an evaluation of the applications that still use legacy authentication protocols. The use of these protocols should be prevented with Conditional Access Policies (CAP).
1/ When examing AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)?
2/ @Malwarebytes has found out that the Colibri malware on Windows 10 systems (and up) drops a file called Get-Variable.exe in the path %APPDATA%\Local\Microsoft\WindowsApps.
3/ "It so happens that Get-Variable is a valid PowerShell cmdlet which is used to retrieve the value of a variable in the current console. Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell
1/ Finding web vulnerabilities at scale: As part of a security team in a previous role, my job was, among other things, to find vulnerabilities in web applications. The environment had hundreds of (externally accessible) web applications, many of which had not yet been pentested.
2/ The goal was to quickly find as many low-hanging fruits, including SQLi and command injections, to prevent at least a beachhead by an attacker into the internal network.
We had the advantage of breaking up all the internet traffic and routing all the requests through a proxy.
3/ All URLs from the web applications we wanted to assess with all parameters were available within the proxy logs. This gave us in-depth coverage of the different applications with all paths and parameters (from the GET method).
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory. 1/8
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD. 3/8
On a hacked GitLab server, we found a command in a cron job that was downloading code from @pastebin every 3 minutes and executing it (wget, curl.. | sh).
Interestingly, in the paste where we would have expected to find more code, there was only the shebang line present.
🧵(1/4)
At first, we thought the attackers made a mistake in the paste, which was "incomplete" (?). But the access numbers of the paste are high (over 200K) - and when we observed the access numbers over time, we found out that about 30 (hacked?) systems regularly download the paste.
2/4
After reporting the paste to @pastebin, the paste was removed - but was there any investigation of the accesses to identify hacked systems, from which IP ranges the paste was downloaded, to inform the companies or ISPs?
(3/4)
Many customers log process starts and executed programs in a SIEM, or have an EDR in use. Nevertheless, the question often arises: which product could one still buy? None at all! Best build-up detections with the existing logs. An example (🧵):
The file we use to bypass UAC is "Akagi64.exe" - either compile it yourself from the UACME repository or download it (at your own risk) from a public source. Use the upload task from #Covenant to upload the binary to the target host (given ofc that we already have a shell).