Share this page!

Maybe Scrolly?
Stephan Berger Profile picture
Twitter logo
Aug 14 19 tweets 7 min read
1/ #ThreatHunting

MeshCentral is another remote admin software installed by TAs we have seen in our IR cases [1].

Following is a brief introduction to the software and what forensic traces MeshCentral leaves on the network and the hosts. 🧵

#CyberSecurity
2/ For our tests, we use the hosted instance of MeshCentral.com, but the management software can also be run on a separate server, controlled by the TA.

After logging into the panel, we can download an agent for different operating systems (Windows, Mac, Linux).
3/ Before the installation or execution of the agent, the server URL is displayed under "Connection Details".

In our example, the agent connects to meshcentral.com, but another domain can be configured when the management server is self-hosted.
4/ In an IR case, we found the MeshCentral config on a host where the Server URL was

wss://mesh.<redacted>.com:443/agent.ashx

a self-hosted instance of the management server.
5/ We could search for "agent.ashx" in the proxy logs for hunting MeshCentral network connections.

Even if the protocol used is WebSockets, an initial HTTP connection takes place, where the upgrade to the WSS connection is negotiated (which should log the URL). [3]
6/ When running the agent on our host, we see the configured command line parameters (--connect, --hideConsole).

Even if the executable is renamed, these parameters could be used to identify a MeshAgent installation if command logging is active.
7/ After starting the agent on our host, the computer immediately checks in with the Management server.
8/ MeshCentral offers many features, such as connecting to the computer via RDP.
9/ The use of a terminal.
10/ File browsing.
11/ And code execution.
12/ With the @velocidex Velociraptor Hunt DNSCache, we see that the host has resolved the meshcentral.com domain used within the configuration from the agent.
13/ Perhaps a better hunt for MeshCentral is within the firewall rules, which can be done quickly with Velociraptor's Hunt FirewallRules.
14/ Interesting is a file with the extension ".msh", which contains the agent configuration, and is placed in the same folder as the agent.
15/ Within the services on the system, the MeshAgent is also easy to recognize.
16/ Or within the event logs when we search for new service events (EventID 7045).
17/ Inside the registry, various configuration strings are stored, for example, the MeshServerUrl.
18/ MeshCentral should be relatively easy to find on the network with the artifacts and hunts presented above and could be signs of an active TA on the network.

Good luck 🍀

And btw, @IcsNick has tweeted a list of other remote admin tools [2], which you should check out ☝️
19/ References:
[1] meshcentral.com/info/
[2]
[3] todaysoftmag.com/article/491/ht…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Aug 8
1/ Playing around with #manjusaka, as reported by @TalosSecurity [1].

Following are some insights and potential #ThreatHuning tips and ideas. 🧵

#CyberSecurity @b3ard3dav3ng3r
2/ After starting the ELF binary (a reduced version is publicly available on GitHub [2]), the login credentials are printed out (username: manjusaka, PW: b3e..), and the port (3200) on which the panel is accessible.
3/ The password is different for each instance of manjusaka.

This mechanism prevents the use of default passwords in case scanners would find the login panel.
Read 19 tweets
Stephan Berger Profile picture
Aug 6
1/ #ThreatHunting for #AsyncRAT

We have various ways to find infected hosts with AsyncRAT:

1⃣ Usage of standard C2 ports
2⃣Hunting for persistence
3⃣Mutexes FTW
4⃣Last but not least, hunting for dropped DLLs

Let's go 🤠🧵

#CyberSecurity
2/ AsyncRAT is a popular Trojan executed at the end of an infection chain on target computers.

@hpsecurity ([2],[3]) and @Trellix ([4]) have both reported in recent reports that TAs have been deploying AsyncRAT.
3/ Since the source code of AsyncRAT is publicly available [1], we can obtain a copy to investigate and build detection capabilities for this RAT.
Read 25 tweets
Stephan Berger Profile picture
Aug 1
1/ @ZephrFish and @myexploit2600 presented "Paving The Way To DA" at this year's @Steel_Con.

A few thoughts on the topics mentioned in the talk 🧵:

1⃣MFA, Password Spraying, Common Passwords
2⃣RDP Shadowing
3⃣MFA spamming
4⃣Password in Shares
5⃣GPP
6⃣Sam the admin
2/ 1⃣ A popular initial vector they often use is Citrix without MFA.

This is also a classic from our IR cases, where either the password was found out with password spraying (the user used a weak password), or the user was phished beforehand.
3/ MFA is a MUST for any remote access.

If Azure AD is used, Azure Active Directory Password Protection could be used, which checks the password from the user against a global blocklist or a configurable blocklist [2] (this is done when the user changes the password).
Read 15 tweets
Stephan Berger Profile picture
Jul 27
1/ We analyzed a breached server and found the IP address and domain from which the TA downloaded additional tools onto the server.

The initial breach happened a few months ago, but the TA uses the same server till today. 🧵
2/ Because of an open-dir, we can see various tools and scripts placed (and replaced over time) on the server by the TA.

Following are some takeaways from the analysis of the arsenal of the TA:
3/ One hosted tool on the server is KrbRelayUp.exe (717fccf1e6081d012f06d24872563529), a compiled version from the GitHub repo of the same name. [1]

The binary is quite well known at VT with 38 AV detections [2], but that doesn't seem to bother the TA as there are also various
Read 18 tweets
Stephan Berger Profile picture
Jul 25
1/ In one ransomware case, the attackers started an EXE file that dropped the vulnerable GIGABYTE driver to C:\Windows\System\gdrv.sys.

The TA used the vulnerable driver to load a malicious driver as a kernel driver, who hunted and killed Symantec processes. 🧵

#CyberSecurity
2/ The same procedure was described in detail by @SophosLabs before [1]:
3/ "64-bit Windows computers have a mechanism called driver signature enforcement which means that Windows only allows drivers to be loaded that has been properly signed by both the manufacturer and Microsoft.
Read 20 tweets
Stephan Berger Profile picture
Jul 22
1/ "PDQ Deploy is a software deployment tool that allows system administrators to silently install almost any application or patch to multiple Windows computers simultaneously." [1]

We have investigated a ransomware case where the TA used PDQ to carry out the encryption. 🧵
2/ I guess we are late to the party 😂

@SecurityAura has already handled various cases involving PDQ Deploy in November 2021:
3/ PDQ Deploy comes with different license models, but with the free license, simple packages can be deployed, and the attacker can conveniently select the targets for deployment, including the entire AD.
Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(