Jake Williams Profile picture
May 29 4 tweets 2 min read
The new #msdt 0-day can be mitigated by removing the protocol handler for ms-msdt (reg delete hkcr\ms-msdt /f).

Disclaimer: I haven't checked for impacts in a large production environment, but seems better than being exploited. MSDT is just a diagnostic tool, so likely safe.
When I say "haven't tested" I mean for second order impacts. I've tested that this is 100% effective as a mitigation.
FYSA. I haven't seen this on my test system yet, but in any case I'm still okay recommending removing the handler until I have another mitigation. Considering there will likely be a patch for this released long before relicensing is required.
For reference, the test system is Windows 10 with a domain login (not AAD joined), Office via M365. I am signed into the Microsoft account on the VM though, so that might have something to do with it.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jake Williams

Jake Williams Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @MalwareJake

May 29
Okay, so playing the #msdt 0-day a bit and here's what's happening:
1. The maldoc contains a linked HTML document
2. Word automatically retrieves the linked HTML document, which contains JS to reset the location to an ms-msdt protocol handler, which is present by default 1/
3. The protocol handler launches msdt, which launches a command using the IT_BrowseForFile parameter. The maldoc that triggered this whole event invokes this code (newlines and comments added). The doc was likely distributed with a .rar file. 2/
4. I don't have the ".rar" file, but we can still tell what it's doing. The findstr command is looking for "TVNDRgAAAA" which means it's looking for a base64 encoded string beginning with "MSCF" which is the file header for a .cab file.
5. The expand command unpacks the .cab 3/
Read 10 tweets
May 5
I've had a chance, or let's say many catalysts, to think about friendship and what it really means.

True friends:
* Take that call even when it's not convenient
* Don't judge, because let's be real - we've all been there
* Try to make you laugh even when you'd rather not 1/
* Don't view things as transactional (e.g., what am I getting out of this?)
* Just listen if you need to vent
* Tell you the hard truth you honestly don't want to hear, even when they know speaking truth can harm the relationship
* Exemplifies empathy

I could go on, but... 2/
I've certainly failed at many of these points over the years.

Going forward, I'll be trying to do all these things in my friendships. If I've failed you specifically, I'm deeply sorry. If you've been there for me, I'm eternally grateful. 3/
Read 5 tweets
May 4
In security, we talk a lot about CIA (confidentiality, integrity, and availability). Most of us also recognize the vast majority of the industry only cares about availability. When I call people on this, they always protest. This morning a great retort for this hit me. 1/
How often does IT refuse to update a security control (e.g. EDR agent) without testing because it might cause a compatibility issue (availability) and break something? Happens ALL THE TIME. "Can't upgrade until we test in every business unit for issues." 2/
But once the software is upgraded, how often do you see teams say "okay, now that we've updated, let's validate it's still catching everything we expect it to?" Almost never. We delay upgrades/updates, often increasing risk of a compromise to maximize availability. 3/
Read 7 tweets
Apr 15
PSA 🧵 A threat actor "preparing for destructive cyberattacks" looks identical to "gaining access for intelligence operations." Like 100% identical. So much so that you *cannot* tell the difference. Be wary of anyone claiming they "know" a destructive attack is being prepared. 1/
Be similarly skeptical of anyone who claims they're sure a destructive attack *isn't* coming in a given situation.

I heard one such argument because "we saw them exfiltrating data, it's intelligence collection." If they're burning the network down, of course they'd exfil. 2/
In fact, it's intuitive to think that bulk intelligence collection could even accelerate before a destructive attack. They won't likely regain access to these networks in the immediate future and there's no incentive to be low and slow at this point in most cases. 3/
Read 9 tweets
Apr 7
Quick 🧵on yesterday's FBI partial takedown of #CyclopsBlink.
1. Even for privacy types who fear government overreach (like me) this was a net positive. We should seek to degrade nation-state threat actor capabilities where it is possible to do so without collateral impact. 1/
2. The fact that WatchGuard assisted in the operation is critical. Obviously they have a vested interest in helping, but that's beside the point. It provides a level of private sector oversight that's often lacking in government operations. 2/
Now I'm mot an idiot. I know the FBI gets the final say in anything being done. But if they were abusing this access in any way during the op, there's a 1000% chance that will eventually leak given the private sector involvement. 3/
Read 10 tweets
Apr 2
If you were starting a CTI program from the ground up at a new organization, what's the first thing you'd do?
I wasn't poisoning the well with an answer yesterday, but here we go:
1. Identify the *real* stakeholders (often harder than it seems) - who is my executive sponsor? What do *they* care about?
2. Ask what types of products they will find valuable. 1/
3. Create a formal charter documenting what my left and right limits of fire are (scoping the project)
4. Get the executive sponsor to agree to the charter (or adjust it until they do)
5. Work with stakeholders to determine PIRs
6. Document all PIRs 2/
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(