Stephan Berger
Jul 22, 6 tweets, 3 min read
1/ Although Windows logs the creation of new services in the SYSTEM event log (Event ID 7045 - New Service was installed), attackers often delete these logs.

But we can use the Windows Firewall event logs for #ThreatHunting new installations (of backdoors) 🧵

#CyberSecurity
2/ The screenshot above shows the 2004 Event ID (the creation of a new firewall rule).

The screenshot is from an actual case where the attacker installed Splashtop as a backdoor (among others) to get back into the network.
3/ Using @velocidex Velociraptor and the EvtxHunter Hunt, we can conveniently collect these event logs on all clients and servers in the network.
4/ Inside the Hunt, we could have specified an IOC (like Splashtop in our case).

Still, it's almost more convenient (at least for me) to collect all the data and filter inside the Velociraptor notebook (here, by the keyword Splashtop, but do not forget about Atera, TW, etc.).
5/ In the notebook, we are now presented with the selected fields: the installation paths, the host, and the time at which the new firewall rules were set up.

Even if attackers delete other event logs to cover their tracks, there are still enough logs where we can find traces. 🕵️🥳
6/ The following query was used in the example:

SELECT EventData.ApplicationPath, EventID, EventTime, Computer FROM source(artifact="Windows.EventLogs.EvtxHunter") WHERE EventData.ApplicationPath =~ "Splashtop"
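The same hunt expressed outside Velociraptor, as an added example that is not part of the thread or of Velociraptor's own code: it filters Event ID 2004 rows shaped like the EvtxHunter output above, but broadens the single `=~ "Splashtop"` match to a case-insensitive watchlist of remote-access tools. The sample rows, host names and paths are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Watchlist of remote-access tools seen abused as backdoors. Splashtop, Atera
# and TeamViewer (TW) are named in the thread; the others are common additions.
REMOTE_ACCESS_KEYWORDS = ["Splashtop", "Atera", "TeamViewer", "AnyDesk", "ScreenConnect"]


@dataclass(frozen=True)
class FirewallRuleHit:
    computer: str
    event_time: str
    application_path: str
    matched: str  # the watchlist keyword as it appeared in the path


def hunt_firewall_rules(events, keywords=REMOTE_ACCESS_KEYWORDS):
    """Return Event ID 2004 (new firewall rule) records whose ApplicationPath
    matches any watchlist keyword.

    `events` mirrors the EvtxHunter row layout: EventID, EventTime, Computer and
    a nested EventData dict. Matching is a case-insensitive regex search, like
    the thread's `=~` filter but over a whole keyword list at once.
    """
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for ev in events:
        if ev.get("EventID") != 2004:
            continue  # only rule-creation events are of interest here
        path = ev.get("EventData", {}).get("ApplicationPath") or ""
        match = pattern.search(path)
        if match:
            hits.append(FirewallRuleHit(ev["Computer"], ev["EventTime"], path, match.group(0)))
    return hits


# Constructed sample rows (not from a real case): two rule creations for
# remote-access tools, one benign rule, and one record with a different Event ID.
SAMPLE_EVENTS = [
    {"EventID": 2004, "EventTime": "2022-07-20T09:12:41Z", "Computer": "WS01.corp.example",
     "EventData": {"ApplicationPath": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe"}},
    {"EventID": 2004, "EventTime": "2022-07-20T09:15:03Z", "Computer": "SRV02.corp.example",
     "EventData": {"ApplicationPath": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"}},
    {"EventID": 2004, "EventTime": "2022-07-20T10:01:17Z", "Computer": "WS01.corp.example",
     "EventData": {"ApplicationPath": r"C:\Program Files\Mozilla Firefox\firefox.exe"}},
    {"EventID": 2006, "EventTime": "2022-07-20T10:02:00Z", "Computer": "WS01.corp.example",
     "EventData": {"ApplicationPath": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe"}},
]

if __name__ == "__main__":
    for hit in hunt_firewall_rules(SAMPLE_EVENTS):
        print(f"{hit.event_time} {hit.computer} [{hit.matched}] {hit.application_path}")
```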
