Share this page!

Stephan Berger Profile picture
Twitter logo
Apr 23 7 tweets 3 min read
#ThreatHunting:

1/ When examing AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)?

"powershell.exe" -windowstyle hidden

#CyberSecurity #dfir
2/ @Malwarebytes has found out that the Colibri malware on Windows 10 systems (and up) drops a file called Get-Variable.exe in the path %APPDATA%\Local\Microsoft\WindowsApps.
3/ "It so happens that Get-Variable is a valid PowerShell cmdlet which is used to retrieve the value of a variable in the current console. Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell
4/ execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet."
5/ The Scheduled Task was created as follows:

schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr “powershell.exe -windowstyle hidden“
6/ An adversary can easily achieve persistence combining a scheduled task and any payload (as long as it is called Get-Variable.exe and placed in the proper location).

🤯

Hunting for Get-Variable.exe in the WindowsApps folder may be your next hunting hypothesis 😅
7/ I guess the same technique would also work with other file names? 🤔

More details in the readworthy blog post from @Malwarebytes (thanks for sharing 🙏):
blog.malwarebytes.com/threat-intelli…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Apr 24
1/ #Azure #Hardening Tip #5: Legacy authentication to bypass MFA in Azure AD

"One of the most common methods used by attackers to gain access to Azure tenants is credential theft or password spraying with legacy authentication protocols. Legacy authentication protocols ImageImage
2/ do not support MFA and (if enabled) can be used to gain access to hosted data and resources via Azure AD."

☝️Quote from the M-Trends 2022 Report.

A few weeks ago, I created a presentation titled "Attack target Azure", where these two points are also outlined as the most
3/ common methods (used by attackers) into Azure Tenants.

To better secure Azure Tenants, I recommend creating an evaluation of the applications that still use legacy authentication protocols. The use of these protocols should be prevented with Conditional Access Policies (CAP). Image
Read 6 tweets
Stephan Berger Profile picture
Apr 22
1/ Finding web vulnerabilities at scale: As part of a security team in a previous role, my job was, among other things, to find vulnerabilities in web applications. The environment had hundreds of (externally accessible) web applications, many of which had not yet been pentested.
2/ The goal was to quickly find as many low-hanging fruits, including SQLi and command injections, to prevent at least a beachhead by an attacker into the internal network.

We had the advantage of breaking up all the internet traffic and routing all the requests through a proxy.
3/ All URLs from the web applications we wanted to assess with all parameters were available within the proxy logs. This gave us in-depth coverage of the different applications with all paths and parameters (from the GET method).
Read 8 tweets
Stephan Berger Profile picture
Apr 22
1/ #Hardening: More and more attackers in ransomware cases are attacking the ESXi and vCenter infrastructure to encrypt a large part of the systems in a company within a short time.
2/ Once an attacker has gained access to a network, the captured credentials are used for logging into the vCenter infrastructure.

Removing ESXi and vCenter from Active Directory prevents compromised Active Directory accounts from being used to authenticate directly to the
3/ virtualization infrastructure. Authentication would need to happen directly on the relevant systems, and administrators must have dedicated accounts for logging in. These measures cannot prevent compromise but at least make it more
Read 4 tweets
Stephan Berger Profile picture
Apr 6
Real-World #PingCastle Finding #8: Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory.
1/8
#CyberSecurity #dfir
The computer names are relatively unique, and one quickly finds a GitHub repository with corresponding exploit code.

The code tries to exploit the two vulnerabilities CVE-2021-42278 and CVE-2021-42287 (from an authenticated user directly to DA).
2/8
github.com/WazeHell/sam-t…
Inside the exploit code, a new computer name is generated following the pattern SAMTHEADMIN-(random number from 1 to 100), precisely the naming scheme we see in the client's AD.
3/8
Read 8 tweets
Stephan Berger Profile picture
Apr 5
On a hacked GitLab server, we found a command in a cron job that was downloading code from @pastebin every 3 minutes and executing it (wget, curl.. | sh).

Interestingly, in the paste where we would have expected to find more code, there was only the shebang line present.
🧵(1/4) Image
At first, we thought the attackers made a mistake in the paste, which was "incomplete" (?). But the access numbers of the paste are high (over 200K) - and when we observed the access numbers over time, we found out that about 30 (hacked?) systems regularly download the paste.
2/4
After reporting the paste to @pastebin, the paste was removed - but was there any investigation of the accesses to identify hacked systems, from which IP ranges the paste was downloaded, to inform the companies or ISPs?
(3/4) Image
Read 4 tweets
Stephan Berger Profile picture
Mar 8
Many customers log process starts and executed programs in a SIEM, or have an EDR in use. Nevertheless, the question often arises: which product could one still buy? None at all! Best build-up detections with the existing logs. An example (🧵):

#CyberSecurity
#UACME (github.com/hfiref0x/UACME) lists a large set of UAC bypass techniques. Here is a (recent) overview of which techniques currently work and which do not: medium.com/falconforce/fa…

@falconforceteam
The file we use to bypass UAC is "Akagi64.exe" - either compile it yourself from the UACME repository or download it (at your own risk) from a public source. Use the upload task from #Covenant to upload the binary to the target host (given ofc that we already have a shell).
Read 14 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(