Share this page!

Stephan Berger Profile picture
Twitter logo
Oct 8 7 tweets 3 min read
1/ #ThreatHunting: @Avast has blogged how Roshtyak checks the VBAWarnings registry value.

If the value is 1 ("Enable all macros"), then the code will not be executed because it is assumed that this setting is only enabled in a sandbox (or by courageous users). 🧵 #CyberSecurity
2/ "Interestingly, this means that users, who for whatever reason have lowered their security this way, are immune to Roshtyak." [1]
3/ However, this "Enable all macros" value can also be explicitly set for Outlook

(Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook - Level = 1).

If this value is set to 1 in a user context, a nifty persistence within Outlook may have been set up by a TA.
4/ @MDSecLabs published a very readable article about an Outlook persistence technique almost two years ago. [2]

I could easily recreate this persistence in my lab, which still works up to this date. On the one hand, we could now hunt in our network if this registry key is set.
5/ Or we could check in which user directories the file VbaProject.OTM is present, which contains the macro code that would be executed when certain criteria are met (see MDSec's blog post [2])

Path on disk:
C:\Users\<user>\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM).
6/ In our customer networks, we found very few VbaProject.OTM files in user directories, wich makes a manual analysis of the VBA code or monitoring for a creation of this file feasible.
7/ Reference:

[1] decoded.avast.io/janvojtesek/ra…
[2] mdsec.co.uk/2020/11/a-fres…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Oct 10
1/ @rootsecdev published a blog post where common misconfigurations inside the Conditional Access Policies in Azure are discussed.

In an Azure Tenant from a customer, the following CA policy was implemented: Require MFA for administrative users.

🧵 Image
2/ However, within the Directory roles checkbox, not all the roles were selected (see the picture below).

In Azure Assessments, I use, among others, the script Get-MsolRolesAndMembers.ps1 to find users which are part of such different roles. [2] Image
3/ The users or roles found with the mentioned script must be cross-checked with the CA (the checked roles from the menu above) to find possible users which could log in without MFA, resulting in a security gap. 🔎
Read 10 tweets
Stephan Berger Profile picture
Sep 28
/1 Repeat after me: AV scans and password change is not enough after a full AD compromise.

A company has already been encrypted twice and asked us for a second opinion. The responders did a password change with an AV scan of the machines...

What could possibly go wrong? 🧵
2/ @UK_Daniel_Card has compiled a good checklist that gives an insight into the many different tasks that are part of a proper IR engagement or clean-up (list not exhaustive):

pwndefend.com/2021/09/15/pos…
3/ Another point missing on the checklist is the hunting for "legitimate" remote desktop solutions installed by the TA, which could be used as a backdoor for re-entry (Atera, Splashot, AnyDesk..).
Read 4 tweets
Stephan Berger Profile picture
Sep 27
1/ While analyzing AutoRuns entries in a Compromise Assessment, my teammate @newtt42 found four executables with different names but with the same hash (in the C:\Windows directory).

The binaries were ran as services with the following names: JXds, vdEp, JXmM, PTLt. 🧵
2/ @Synacktiv has published a blog post recently where our observations are described:

"The SysInternals PsExec starts a service that is named PsExeSvc by default whereas Impacket's psexec.py tool spawns a process with a randomly generated 4-characters name." [1]
3/ We can hunt for such binary and service names using this sigma rule [2]:

ImagePath|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
Read 5 tweets
Stephan Berger Profile picture
Sep 25
1/ #ThreatHunting: Normal users (not developers) who have Python in their Music (!) directory? This screams TA 😅

In an investigation on a breached network, we discovered the following directory:

C:\Users\<user>\Music\WPy64-39100\python-3.9.10.amdMusic\WPy64-39100
2/ The funny thing is that the TA appended "Music" to the ordinary directory name "python-3.9.10.amd64" to make it look more legitimate?

In several directories, we found attack scripts (written in Python), including noPac.py

(github.com/Ridter/noPac)
3/ And the whole impacket suite.

(github.com/SecureAuthCorp…)

Monitoring or creating a baseline (which users are using Python) could be helpful here, or just monitoring from which paths Python is started (like in our example from the Music directory).
Read 5 tweets
Stephan Berger Profile picture
Sep 23
1/ #ThreatHunting:

In a compromised network, the TA used PCHunter on different systems to disable the local AV (or at least tried it).

In the web requests recorded on the firewall, we found traces of the download:
www.epoolsoft[.]com/pchunter/pchunter_free

🧵 #CyberSecurity
2/ @CrowdStrike also mentioned PCHUnter in the latest ThreatHunting report, along with GMER.

go.crowdstrike.com/rs/281-OBQ-266…
3/ I have tweeted about two of these tools (PCHunter / GMER) before, and we also see these two products regularly in our IR cases.

Read 4 tweets
Stephan Berger Profile picture
Sep 23
1/ #ThreatHunting:

In a compromised network, we saw the following request in the proxy logs:

www.advanced-ip-scanner[.]com/checkupdate.php?[..]

This scanner is trendy among ransomware groups and has been mentioned in reports by @TheDFIRReport, among others. [1] 🧵
2/ This HTTP request can now be used very well for an alert.

Or better, collect and monitor all your DNS logs, because a DNS request will still go out if the Advanced IP Scanner is run without an installation (portable version).

An excellent opportunity for detection.
3/ You can see the DNS request for the domain www.advanced-ip-scanner[.]com below.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

Email the whole thread instead of just a link!

Separate emails with commas

:(