3/ On our specified endpoint on the Internet (with the
-Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):
# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
4/ Or we can start Responder and show the customer the impact if outgoing SMB (TCP/445) is not blocked on the firewall.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
2/ Hunting for credentials in the PowerShell history is quickly done with @Velocidex Velociraptor.
We can get the file's entire content from the hosts or search specifically for keywords within the file.
3/ The content of this file (the PowerShell history), is not only interesting for searching stored credentials in it but also an excellent forensic artifact.
In the case of a CA, we can specifically search for (older) traces of TAs (Invoke-commands, downloading of tools/code..)
If the Windows App sideloading feature is enabled, users can also install APPX packages not originating not from the Microsoft Store, ideal for distributing malware with these packages 🤯[1],[2]
#QuasarRAT is another RAT we see from time to time in our IR cases and was also used against NATO facilities in March. [1]
We can hunt for
1⃣ The default port within the FW logs
2⃣Mutexes
3⃣User-Agent
4⃣Persistence mechanisms
🧵
2/ @qualys has published an excellent paper ("Stealthy Quasar Evolving to Lead the RAT Race") about Quasar, where the whole builder and much more are described in detail. [2]
3/ In the client builder (which creates an executable which is used for the infection), the default port is pre-configured to 4782.
2/ For our tests, we use the hosted instance of MeshCentral.com, but the management software can also be run on a separate server, controlled by the TA.
After logging into the panel, we can download an agent for different operating systems (Windows, Mac, Linux).
3/ Before the installation or execution of the agent, the server URL is displayed under "Connection Details".
In our example, the agent connects to meshcentral.com, but another domain can be configured when the management server is self-hosted.
2/ After starting the ELF binary (a reduced version is publicly available on GitHub [2]), the login credentials are printed out (username: manjusaka, PW: b3e..), and the port (3200) on which the panel is accessible.
3/ The password is different for each instance of manjusaka.
This mechanism prevents the use of default passwords in case scanners would find the login panel.