1\ #ThreatHunting: Detecting OAuth Token Theft in Azure / M365

This technique is STILL being abused by Chinese APT groups. This blog covers several methods of detecting this technique😈.

It's also a good reminder to always perform browser forensics ;)

inversecos.com/2022/08/how-to…
2\ METHOD 1: Look for the OAuth redirect consent link in browser history and/or proxy logs.

Take note of the following fields:
- client_id (malicious app id)
- redirect_uri (malicious domain)
- scope (API permissions requested)
3\ Review permissions requested in the scope field (I'll show you where else to find these permissions in the logs).

Take note of these:
- User.Read
- User.ReadWrite
- User.ReadWrite.All
- Mail.ReadWrite
- Calendars.ReadWrite
- Files.ReadWrite
- User.Export.All
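Method 1 and the scope list above, as an added example that is not from the thread or the linked blog: a small Python parser for authorize/consent URLs pulled out of browser history or proxy logs, flagging the scopes listed above. The history lines, client_id values and redirect_uri domains are constructed; offline_access is added to the list here because it is the scope that yields a refresh token.

```python
from urllib.parse import urlparse, parse_qs

# Scopes the thread says to take note of, plus offline_access (added here: it
# is the scope that gets the app a long-lived refresh token).
RISKY_SCOPES = {
    "User.Read", "User.ReadWrite", "User.ReadWrite.All", "Mail.ReadWrite",
    "Calendars.ReadWrite", "Files.ReadWrite", "User.Export.All", "offline_access",
}

# Constructed 'timestamp user url' lines standing in for browser history / proxy logs.
HISTORY = """\
2022-08-01T09:12:03Z alice https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Fevil.example%2Fcallback&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite%20User.Read
2022-08-01T09:15:44Z alice https://outlook.office.com/mail/
2022-08-01T10:02:11Z bob https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2F&scope=openid%20profile
"""

def parse_consent_url(url):
    """Return client_id, redirect_uri and scopes from an Azure AD authorize URL,
    or None if the URL is not an authorize/consent request."""
    parts = urlparse(url)
    if parts.netloc != "login.microsoftonline.com" or not parts.path.endswith("/authorize"):
        return None
    q = parse_qs(parts.query)           # also URL-decodes redirect_uri and scope
    scopes = q.get("scope", [""])[0].split()
    return {
        "client_id": q.get("client_id", [""])[0],
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "scopes": scopes,
        "risky": sorted(s for s in scopes if s in RISKY_SCOPES),
    }

def hunt(lines):
    """Scan history/proxy lines and return consent requests that ask for risky scopes."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, url = line.split(" ", 2)
        rec = parse_consent_url(url)
        if rec and rec["risky"]:
            hits.append({"time": ts, "user": user, **rec})
    return hits

if __name__ == "__main__":
    for h in hunt(HISTORY):
        print(h["time"], h["user"], h["client_id"], h["redirect_uri"], " ".join(h["risky"]))
```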
4\ METHOD 2: Review Azure Audit Logs
Look for 3 log entries that will be created when a user authorises a malicious app. These are covered in the blog (too long to write into a tweet).

These logs will reveal:
> Malicious Object ID (important later)
> App name
> Permissions
5\ METHOD 3: Review Azure Sign-in Logs or UAL
These will show logons into a user account originating from the malicious application.

It's important you do Method 2 before Method 3 so you can get the application object ID and application name to make this high-fidelity ;)
Happy hunting! Also, I think I use way too many purple things.
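Methods 2 and 3 above, as an added example that is not from the thread or the linked blog: Python that first builds the list of apps a user consented to with risky permissions (the object ID, app name and permissions from the audit log) and then pulls the sign-ins that came from those apps. The audit and sign-in records are constructed and their field names are assumptions, not the exact Azure export schema; which identifier you key on (object ID vs application/client ID) depends on your export.

```python
# Scopes from the thread's list (tweet 3) used to rank consent events.
RISKY_SCOPES = {"User.Read", "User.ReadWrite", "User.ReadWrite.All", "Mail.ReadWrite",
                "Calendars.ReadWrite", "Files.ReadWrite", "User.Export.All"}

# Constructed records loosely modelled on Azure AD audit-log and sign-in-log exports.
# Field names are assumptions; "Consent to application" is the real audit activity name.
AUDIT_LOG = [
    {"activity": "Consent to application", "initiatedBy": "alice@example.com",
     "appObjectId": "obj-1111", "appDisplayName": "Mail Backup Helper",
     "permissions": "Mail.ReadWrite Files.ReadWrite offline_access"},
    {"activity": "Consent to application", "initiatedBy": "bob@example.com",
     "appObjectId": "obj-2222", "appDisplayName": "Corp Timesheets",
     "permissions": "openid profile"},
]
SIGNIN_LOG = [
    {"time": "2022-08-01T09:20:00Z", "user": "alice@example.com", "appId": "obj-1111",
     "appDisplayName": "Mail Backup Helper", "ip": "203.0.113.7"},
    {"time": "2022-08-01T09:21:00Z", "user": "alice@example.com", "appId": "obj-3333",
     "appDisplayName": "Microsoft Office", "ip": "198.51.100.2"},
    {"time": "2022-08-02T11:00:00Z", "user": "bob@example.com", "appId": "obj-2222",
     "appDisplayName": "Corp Timesheets", "ip": "198.51.100.2"},
    {"time": "2022-08-03T02:14:00Z", "user": "alice@example.com", "appId": "obj-1111",
     "appDisplayName": "Mail Backup Helper", "ip": "203.0.113.7"},
]

def consented_apps(audit_log):
    """Method 2: map app object ID -> (app name, consenting user, risky permissions)
    for every consent event that granted at least one risky scope."""
    apps = {}
    for ev in audit_log:
        if ev["activity"] != "Consent to application":
            continue
        risky = sorted(set(ev["permissions"].split()) & RISKY_SCOPES)
        if risky:
            apps[ev["appObjectId"]] = (ev["appDisplayName"], ev["initiatedBy"], risky)
    return apps

def signins_from_consented_apps(audit_log, signin_log):
    """Method 3: sign-ins whose application matches an app found by Method 2.
    Match on the ID, not the display name: the name is attacker-chosen."""
    apps = consented_apps(audit_log)
    hits = []
    for s in signin_log:
        if s["appId"] in apps:
            name, granter, risky = apps[s["appId"]]
            hits.append({**s, "consentedBy": granter, "riskyPermissions": risky})
    return hits
```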

More from @inversecos

Aug 5
1\ #DFIR: How to detect Linux Timestomping

Analyse the entries in these two files:
> filesystem.db
> filesystem.db-wal

Most writeups focus on detecting the use of "touch". But you can timestomp without using "touch". 😈

Check out my blog below 👇
inversecos.com/2022/08/detect…
2\ The file "filesystem.db" (enabled by default) tracks:
> fileCreated time
> fileLastAccessed time

Look for discrepancies between the fileCreated time in this DB file and the times that "stat" shows for the file.

There's also a correlating WAL that contains uncommitted data :3
3\ As you can see, this has caught an instance of timestomping where you can observe the creation time is after the access time.

You can query the db using this command:
sqlite3 *filesystem.db .dump | grep <filename>
Jun 22
1\ #ThreatHunting: How to detect Linux anti-forensics log tampering

Attackers can alter the utmp, wtmp, btmp files to hide malicious logon attempts by:

> Zeroing entries out in hex
> Overwriting the files with a malicious copy

BLOG POST BELOW 👇 UwU
inversecos.com/2022/06/detect…
2\ Method 1: Zeroing entries in hex

This leaves OBVIOUS AF traces. Look for entries with zeros, and datetime defaulting to 1970. You can also review timestamps (covered in thread 4).

I highlighted in purple where you zero out the data in hex.
3\ Method 2: Overwriting the file

Overwrite the entire entry with a "cleaned" version. In this example I removed all lines pertaining to "sansforensics" logging in. Timestamp detection is the best method to discover this technique.
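The zeroed-entry and 1970-timestamp traces from Method 1, as an added example that is not from the thread or the linked blog: a Python parser for utmp/wtmp/btmp records that flags both, plus an out-of-order timestamp heuristic added here for the overwritten-file case. The record layout assumed is glibc's struct utmp on x86_64 Linux (384 bytes per record); the sample wtmp is constructed inside the script.

```python
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], unused[20]
UTMP_FMT = "<hhi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7

def parse_utmp(data):
    """Yield one dict per 384-byte record in a utmp/wtmp/btmp byte string."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        raw = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        yield {"offset": off, "type": f[0], "pid": f[2],
               "line": f[3].rstrip(b"\0").decode(errors="replace"),
               "user": f[5].rstrip(b"\0").decode(errors="replace"),
               "host": f[6].rstrip(b"\0").decode(errors="replace"),
               "sec": f[10], "zeroed": raw == b"\0" * UTMP_SIZE}

def find_tampering(data):
    """Return (offset, reason) for zeroed records, records whose time defaults to
    1970, and records dated earlier than the one before them (heuristic added here:
    wtmp is append-only, so a backwards jump suggests a rewritten file)."""
    findings, latest = [], 0
    for rec in parse_utmp(data):
        if rec["zeroed"]:
            findings.append((rec["offset"], "record zeroed out"))
        elif datetime.fromtimestamp(rec["sec"], timezone.utc).year == 1970:
            findings.append((rec["offset"], "timestamp defaults to 1970"))
        elif rec["sec"] < latest:
            findings.append((rec["offset"], "timestamp earlier than previous record"))
        latest = max(latest, rec["sec"])
    return findings

def make_record(user, line, host, sec, ut_type=USER_PROCESS, pid=1000):
    """Build one constructed utmp record (sample data, not from a real system)."""
    return struct.pack(UTMP_FMT, ut_type, 0, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")

# Constructed wtmp: a good login, a zeroed-out login, a good login, a record
# dated before its predecessor, and a record whose time was reset to 0.
SAMPLE_WTMP = (make_record("root", "pts/0", "10.0.0.5", 1659000000)
               + b"\0" * UTMP_SIZE
               + make_record("alice", "pts/1", "10.0.0.9", 1659003600)
               + make_record("alice", "pts/2", "10.0.0.9", 1658990000)
               + make_record("bob", "pts/3", "10.0.0.7", 0))
```

Run `find_tampering(open("/var/log/wtmp", "rb").read())` on a real file to get the same (offset, reason) list for it.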
May 19
1\ #ThreatHunting: How to detect fileless Linux malware

Look for processes in /proc/<PID>/exe where the path shows "(deleted)"

Here are two examples👇
1. BPFDoor deleted binary
2. An attacker abusing memfd_create() to exec their malware in RAM w/o dropping files to disk.
2\ To recover/extract these binaries running in memory, you can copy them out from this location:

/proc/<PID>/exe

Also as an FYI for memfd_create() abuse detection you can hunt for the "memfd: (deleted)" string directly.
3\ You can also review what command line spawned the pid by reviewing:

/proc/<PID>/cmdline

This screenshot shows the cmdline used for the memfd_create() reverse shell. There are a lot of other interesting things you can also review in /proc/<PID>.
Apr 28
1\ How to detect file timestomping 👀

APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈

Did you also know it's possible to timestomp $FN time?

👇👇 BLOG & TL;DR BELOW 👇👇

bit.ly/3KsX1ua
2\ Most IR analysts are taught to detect timestomping using two methods:

> Compare $FN vs $SI times in the MFT
> Look for 0s in timestamp nanoseconds

These two detections are NOT foolproof - they will catch simple cases. Attackers can set nanoseconds and modify $FN time!
3\ Why should you care?

Most forensic courses teach these 2 detections without introducing more variables. A lot of analysts treat what they are taught as the "bible" without questioning it and when it comes to detecting these anomalies... critical evidence may be missed.
Apr 6
1\ #DefenceEvasion Technique: Maliciously Modifying Registry Timestamps 👿👀

This technique doesn't log events in the Security.evtx and is almost trivial to perform as a defence evasion technique...

Read my blog for technique + detection:
bit.ly/3r7jfuO

TL;DR 👇👇
2\ Why should you care?

During an IR, registry timestamps are important evidence items for timelining & triaging an incident. They answer questions like...

> What files did the TAs open?
> When was a security tool disabled?
> What folders were the TAs looking at?
> etc...
3\ The native API "NtSetInformationKey" specifically allows a TA to overwrite a registry "Last Write" timestamp in an extremely trivial manner.

The param KEY_SET_INFORMATION_CLASS being passed the value KEY_WRITE_TIME_INFORMATION is what performs this.

undocumented.ntinternals.net/UserMode/Undoc…
Mar 23
1\ Windows Event Log Evasion via Native APIs 👀🧠

Some native Windows API calls can be used to install services WITHOUT generating correlating entries in the event log. This was seen in Stuxnet.

This blog covers the technique + detection.

bit.ly/3D7KI4n

TL;DR 👇👇
2\ High level of how the technique works.....

Services are normally created through standard API calls to “CreateServiceA” using sc.exe/at.exe. This API is what EDR usually detects on.

Note that using svcscan, Stuxnet isn't showing any of the malicious services... why is that?
3\ The "svcscan" plugin detects services using two methods:

1. Walk the VAD tree reviewing process memory for indicators of running services

2. Identify service records with the tags 'sErv' and 'serH', which finds any services unlinked from the doubly linked list.