2\ EWS and other legacy auth is commonly abused by APT groups (when enabled).
Check MSExchange Management.evtx log for EWS abuse.
Look for cmdlets like (more cmdlets in blog)
> New-MailboxExportRequest
> Remove-MailboxExportRequest
> Search-Mailbox
> Set-Mailbox
3\ Hunt IIS logs in Exchange for:
> Exploitation of unpatched vuln
> Webshell/owa backdoors being used
> Exfil
I've noted across engagements this happens in chunks via several extensions 7Z, TAR, RAR, PST, OST, CAB, ZIP). APTs will use several diff file types on one engagement
4\ Webshells can be compiled into a DLL or have aspx / req extension. They can also be injected into existing files.
Compilation can create a .compiled file in:
\Windows\Microsoft.NET\Framework64\<ver>\Temporary ASP.NET Files\root\<vers>\<ver>\
In one case, the APT deleted 4k various logs including IIS, PowerShell http and other important things.
Webshell deletion/deletion of attack tools etc is all common practice.
Make sure you parse the $J for this.
9\ I will add more hunting areas you can look at to this blog, as I have thought of a few more things but I ran out of time T_T But I hope this helps <3
• • •
Missing some Tweet in this thread? You can try to
force a refresh
The capabilities of the leaked Chinese APT contractor "iOS Spyware" are accessing:
- basic mobile phone data
- GPS location
- Contacts
- Photos / multimedia files
- Recording sounds
If this sounds familiar, it should. These are settings accessible...Accessible ANY application requesting these permissions on a phone :)
This means, the delivery for the "spyware" would likely (my guess) be in the form of an application that the user installs on their device and must approve these permissions. If you've ever done mobile forensics, this is almost one of the first things you would check.
3\ The implantable devices are very similar in concept to the Hak5 devices.
This is not a new attack vector and NOT novel.
However, this should serve as a push for businesses to consider their threat models and playbooks for this kind of event.
Specifically the vendor's devices are disguised as:
- A power strip
- A power adapter
The way they work (as per the document) is: 1. Cracks WiFi password, sets up socks proxy 3. Cracks routing device 4. Self destruction to clear all system data
From an ops standpoint this targets a weak point of most businesses as most orgs do not have the best logging set up for their peripheral devices. It's why a lot nation states target edge devices for initial access (EDR blindspot / logging blindspot and difficulty of analysis for blue teamers).
However, once they pivot onto a vulnerable device or onto the network... the work of the detection team stays the same, it may just be difficult (in the absence of logs) to piece together what occurred.
This leaves OBVIOUS AF traces. Look for entries with zeros, and datetime defaulting to 1970. You can also review timestamps (covered in thread 4).
I highlighted in purple where you zero out the data in hex.
3\ Method 2: Overwriting the file
Overwrite the entire entry with a "cleaned" version. In this example I removed all lines pertaining to "sansforensics" logging in. Timestamp detection is the best method to discover this technique.