AnyDesk
Splashtop
Atera
TeamViewer
SupRemo
ScreenConnect
Remote Utilities
After breaching a network, attackers install, besides the obvious backdoors, other (legitimate) remote desktop products that can be used to re-enter the network. 🧵
2/ The list above is not exhaustive, but defenders and incident responders must make sure that the installed remote desktop products were installed by the customer and not by an attacker.
3/ Especially in the case of an IR investigation, it is imperative to hunt for these products in the network.
But also proactively during a compromise assessment - the credentials for the remote solution could also have been leaked on a private PC (-> if possible, use MFA).
4/ Hunting for these installations can be done in various ways:
- AutoRuns analysis
- Investigating the network connections on the firewall or directly on the hosts
- Inside the event logs, e.g. for new service installations or in the Windows Firewall event logs (new rule)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
1/ @CISAgov published the 2021 Top Routinely Exploited Vulnerabilities.
We also had another IR case not too long ago where the attackers connected via Forti-VPN where the credentials for that account were in the big credentials leak - in 2022! 🤯
The credentials were (potentially) obtained from systems that remained unpatched against CVE-2018-13379 at the time of the actor's scan. Even if the devices have since been patched, they remain vulnerable if the passwords are not reset. 🚨
3/ Actually, this should have been done a loooooong time ago, but companies should check (or have checked) whether credentials from their users are present in this leak.
And (or) change all users' passwords if necessary, together with a review of the VPN configuration.
2/ exiftool works very well to find out the path and command line arguments of the malicious LNK file:
3/ The analyzed sample from @Netskope calls PowerShell directly. However, in our sample, cmd.exe is called first, then PowerShell with a base64 encoded command argument.
2/ The TA deployed the C2 agent "on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs),
3/ subsequently leaving the underlying operating systems to vendors to manage."
The C2 agent on the compromised servers and systems uses DynDNS domains to communicate with the C2 server.
The use of an internal DNS server, which also logs the DNS queries over an extended
1/ #ThreatHunting: @SentinelOne blogged about a Chinese TA called Moshen Dragon that uses password filters to read plaintext passwords (when they are changed).
1/ #Linux#Forensics: pssst... I will now reveal my favorite interview question for candidates who want to work in our IR team ;) "In the process list, I see a (running) binary, but the binary is no longer present on disc. How can I restore the original binary? (screenshot 👇)"
2/ Many candidates (and other analysts) I have spoken to did not know the (simple?) answer.
Under /proc/[pid]/exe, a 1:1 copy of the executed binary is stored! As you can see in the screenshot, the hash sums of both binaries match precisely.
3/ According to the proc(5) manpage:
"You can even type /proc/[pid]/exe to run another copy of the same executable that is being run by process [pid]."