Share this page!

Stephan Berger Profile picture
Twitter logo
Jun 29 β€’ 8 tweets β€’ 3 min read
1/ Another day, another Sin.

Today's #3: Ignoring or misinterpreting AV alerts.

If I had received a dime for every time I mentioned Florian's cheat sheet, I wouldn't have to work anymore. πŸ˜‚

🧡 #CyberSecurity Image
2/ Seriously: The cheat sheet is excellent, especially the part with the "Highly Relevant" keywords.

Newest version here:
nextron-systems.com/2022/02/06/ant…
3/ For example, the following text in the picture below was sent from an external SOC to a customer. According to Windows Defender, among other things, Mimikatz was detected.

On a DC.

But Defender can handle it on its own.

Please run a full scan. Image
4/ OK.
5/ If the alert occurs on a server (or DC!) under a path that is also relevant (according to the cheat sheet), I tell my customers not to think twice and call an IR company for a deeper analysis (if they don't have the in-house resources).
6/ Another example: These alerts stem from a client - but the client was restaged without a forensic investigation. Image
7/ But if CS is detected on a computer, at least in my opinion, a deeper analysis is necessary to see if a lateral movement originating from this computer has already taken place, if credentials or other data have been stolen, collect further IOCs and check them in the network...
8/ The quick re-installation of a computer destroys significant traces that are enormously important for forensics or hunting in the network.

AV alarms, in particular, can be a warning sign that a TA is active inside the network, as we repeatedly see in our IR cases.

πŸ€

β€’ β€’ β€’

Missing some Tweet in this thread? You can try to force a refresh
γ€€

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Jul 1
1/ Sin #5: No in-depth analysis after a (security) incident

Time and again, we see that security incidents are not dealt with in sufficient depth, which can lead to further security problems, even more serious ones. 🧡

#CyberSecurity
2/ A good example I always mention is the leak of the Fortinet VPN credentials.

Although many companies knew they were vulnerable at the time of this breach and patched their systems, many neglected to change the passwords. Image
3/ Even this year, we had IR cases where we found the user's credentials for the initial entry into the network in the leaked VPN passwords.
This is a classic example where a security incident was not dealt with sufficiently, and the critical password change was not carried out.
Read 10 tweets
Stephan Berger Profile picture
Jun 30
/1 Sin #4: Insufficient AD Hardening

Of course, there are many AD attack paths, misconfigurations, and ways to get DA credentials.

But still, companies should try to set the bar as high as possible to force attackers to make mistakes we might detect.

🧡 #CyberSecurity
2/ Passwords in the GPO

My first "Real-World #PingCastle Finding" talks exactly about this issue:
Image
3/ Service accounts are DA

Service accounts should never be part of the Domain Admins group.

Check and clean the DA group regularly because a TA could try to "Kerberoast" the service account, which is primarily a problem if the service account use a weak password (next point). Image
Read 9 tweets
Stephan Berger Profile picture
Jun 28
1/ We continue our path down the seven sins. Today's sin #2: Lack of MFA.

The slide below is almost an evergreen, and I sometimes joke during presentations that I should print it out and hand it out to clients.

But the importance of this point cannot be overemphasized.

🧡
2/ Among other things, we also investigate many BEC cases, which according to the FBI's Internet Crime Report, cause billions of dollars of damage yearly.

Nevertheless, in our IR cases, we repeatedly find OWA and Exchange Online accesses that are single-factor protected.
3/ Especially with Exchange Online, the legacy protocols must be switched off, as they cannot be protected with MFA. Attackers often use this "trick" to use the phished credentials despite MFA.
Read 5 tweets
Stephan Berger Profile picture
Jun 27
1/ For a presentation, I have compiled the "7 sins" - mistakes and misconfigurations we repeatedly see in our IR cases.

Over the next seven days, I will tweet one "sin" at a time - (no particular order or prioritization, all are important).

🧡 #CyberSecurity
2/ Let's start with sin #1: Lack of patch management.

Lack of patch management is bad enough on internal systems (i.e., unpatched DCs), but on systems accessible from the Internet, not applying (security) patches can become an easy gateway into the internal network.
3/ The screenshot of the mailbox left is from a real IR case, taken in February this year (2022).

Creating these draft emails is a typical step in the ProxyShell exploitation, where a module for Metasploit alone was released on 18 August 2021!
Read 9 tweets
Stephan Berger Profile picture
Jun 16
1/ Visibility is key for eradication πŸ₯·

In a recent IR case, the TA created persistences with #QakBot on almost every system in the network.

If only individual systems in the network were forensically examined, one or more infected systems would undoubtedly be missed.

🧡
2/ By examing the network connections made by the clients & servers with a forensic agent, it is apparent that QakBot has made a process injection into the following two processes:

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mobsync.exe
3/ The analysis of the network connections gives us active C2 addresses that we can use for additional hunting inside the network (and in the FW logs).
Read 10 tweets
Stephan Berger Profile picture
Jun 7
1/ Linux #Hardening and #ThreatHunting

The screenshot below is from Microsoft [1] - using XorDdos as an example, we can learn a lot about Linux forensics and hardening. 🧡

#CyberSecurity
2/ XorDdos bruteforces (root) access via SSH.

Learning: Prevent logging in via SSH with passwords (use priv/pub keys instead).

Within the SSH config (/etc/ssh/sshd_config), modify at least the following two lines:

PermitRootLogin no
PasswordAuthentication no
3/ SSH can, of course, be secured in much more detail.

DigitalOcean has put together an excellent guide on this topic:

digitalocean.com/community/tuto…
Read 25 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(