3/ The installer creates two scheduled tasks for the 32-bit and the 64-bit r77 service, according to the GitHub Readme.
After running the installer on our lab system, no new scheduled task is visible inside the Tasks folder.
4/ But if we use the MFT-Hunt of @velocidex and search for the keyword $77 in the MFT, we get two hits!
5/ Now that we have the MFT EntryNumber of the Scheduled Task created by the rootkit installer, we can export the task file with Velociraptor (NTFS.Recover).
6/ After exporting the scheduled task, we see that the job is running obfuscated PowerShell code.
So one technique to find this rootkit is to parse the MFT for keywords like "$77".
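As an added example (not code from the thread, from r77 or from Velociraptor), a minimal Python parser that walks raw $MFT records, applies the NTFS update-sequence fixups, and reports the entry number of every record whose $FILE_NAME contains a keyword such as "$77"; the entry numbers, task names and the sample $MFT image are constructed test data.

```python
import struct

RECORD_SIZE, FILE_NAME_ATTR, END_OF_ATTRS = 1024, 0x30, 0xFFFFFFFF   # 1024 is typical; read it from the boot sector on a live volume

def apply_fixups(rec: bytearray) -> bool:      # undo update-sequence fixups; False = torn/invalid record
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):               # entry 0 is the USN; entries 1.. hold the real sector tails
        if rec[i * 512 - 2:i * 512] != usn:
            return False
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return True

def file_names(rec: bytes):                    # yield names from resident $FILE_NAME attributes
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRS or alen == 0:
            break
        if atype == FILE_NAME_ATTR and rec[off + 8] == 0:   # byte 8 of the header: non-resident flag
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            yield content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le", "replace")  # 0x40: name length
        off += alen

def hunt_mft(mft: bytes, keyword: str):        # (entry number, name) for intact records matching keyword
    hits = []
    for base in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = bytearray(mft[base:base + RECORD_SIZE])
        if rec[:4] != b"FILE" or not apply_fixups(rec):
            continue
        entry = struct.unpack_from("<I", rec, 0x2C)[0]       # MFT entry number (NTFS 3.1+ header)
        hits += [(entry, n) for n in file_names(bytes(rec)) if keyword.lower() in n.lower()]
    return hits

def build_record(entry: int, name: str) -> bytes:   # constructed sample record, for testing only
    content = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")   # $FILE_NAME body
    alen = (0x18 + len(content) + 7) & ~7                 # attribute length, 8-byte aligned
    rec = bytearray(b"FILE").ljust(RECORD_SIZE, b"\0")
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)           # fixup array at 0x30: USN + 2 sector tails
    struct.pack_into("<HH", rec, 0x14, 0x38, 1)           # first attribute at 0x38; flags = in use
    struct.pack_into("<I", rec, 0x2C, entry)
    struct.pack_into("<IIBBHHHIHH", rec, 0x38, FILE_NAME_ATTR, alen, 0, 0, 0, 0, 0, len(content), 0x18, 0)
    rec[0x50:0x50 + len(content)] = content
    struct.pack_into("<I", rec, 0x38 + alen, END_OF_ATTRS)
    struct.pack_into("<H", rec, 0x30, 1)                  # USN = 1, stamped over both sector tails
    rec[510:512] = rec[1022:1024] = b"\x01\x00"           # (original tails were zero, already stashed)
    return bytes(rec)

# Constructed $MFT image: two rootkit-style task names and one benign task name.
SAMPLE_MFT = (build_record(40, "$77svc32") + build_record(41, "$77svc64")
              + build_record(42, "Microsoft Compatibility Appraiser"))
```

On a real case, feed the function an exported $MFT and pass the entry numbers it reports to an NTFS recovery artifact to pull the task XML, as the thread does with Velociraptor.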
7/ The R77 test console shows that named pipes are used for communication (with the pipe name "$77control").
8/ We can now search specifically for this pipe name in memory (with the Velociraptor Hunt Yara.PhysicalMemory).
9/ This search also returns various hits indicating that the system is infected with R77.
10/ Although this rootkit hides its presence with various techniques, it is relatively easy to find out if a system is infected with R77, as the two examples with the MFT and the named pipes have shown. 😎
2/ exiftool works very well to find out the path and command line arguments of the malicious LNK file:
3/ The analyzed sample from @Netskope calls PowerShell directly. However, in our sample, cmd.exe is called first, then PowerShell with a base64 encoded command argument.
2/ The TA deployed the C2 agent "on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs),
3/ subsequently leaving the underlying operating systems to vendors to manage."
The C2 agent on the compromised servers and systems uses DynDNS domains to communicate with the C2 server.
The use of an internal DNS server, which also logs the DNS queries over an extended
1/ #ThreatHunting: @SentinelOne blogged about a Chinese TA called Moshen Dragon that uses password filters to read plaintext passwords (when they are changed).
1/ #Linux #Forensics: pssst... I will now reveal my favorite interview question for candidates who want to work in our IR team ;) "In the process list, I see a (running) binary, but the binary is no longer present on disc. How can I restore the original binary? (screenshot 👇)"
2/ Many candidates (and other analysts) I have spoken to did not know the (simple?) answer.
Under /proc/[pid]/exe, a 1:1 copy of the executed binary is stored! As you can see in the screenshot, the hash sums of both binaries match precisely.
3/ According to the proc(5) manpage:
"You can even type /proc/[pid]/exe to run another copy of the same executable that is being run by process [pid]."
1/ #Azure #Hardening Tip #5: Legacy authentication to bypass MFA in Azure AD
"One of the most common methods used by attackers to gain access to Azure tenants is credential theft or password spraying with legacy authentication protocols. Legacy authentication protocols
2/ do not support MFA and (if enabled) can be used to gain access to hosted data and resources via Azure AD."
☝️Quote from the M-Trends 2022 Report.
A few weeks ago, I created a presentation titled "Attack target Azure", where these two points are also outlined as the most
3/ common methods (used by attackers) into Azure Tenants.
To better secure Azure Tenants, I recommend creating an evaluation of the applications that still use legacy authentication protocols. The use of these protocols should be prevented with Conditional Access Policies (CAP).
1/ When examining AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)?
2/ @Malwarebytes has found out that the Colibri malware on Windows 10 systems (and up) drops a file called Get-Variable.exe in the path %APPDATA%\Local\Microsoft\WindowsApps.
3/ "It so happens that Get-Variable is a valid PowerShell cmdlet which is used to retrieve the value of a variable in the current console. Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell