Share this page!

Stephan Berger Profile picture
Twitter logo
Oct 22 5 tweets 2 min read
1/ In a recent compromise, we saw the same multi-layered infection chain that eventually led to AsyncRAT, as described by the ASEC team. [1]

AsyncRAT could not connect to the C2 because the destination port on the firewall was blocked. 🧵

#CyberSecurity
2/ As can be seen in the screenshot above, port 6666 was used, which can be chosen arbitrarily within the builder from AsyncRAT.

3/ Of course, connections within the firewall logs that connect to an IP address on a high port are interesting for #ThreatHunting.

And, even more, connections to a blocked high port.
4/ These blocked connections on the firewall (internal to external) can indicate a compromised system.

As an example: I analyzed the SystemBC Trojan IOC's on Threatfox:

curl -X POST threatfox-api.abuse.ch/api/v1/ -d '{ "query": "taginfo", "tag": "SystemBC", "limit": 1000 }'
5/ Just five submitted samples from SystemBC are using port 443 for the callback.

All other samples use a C2 IP address with a high port, after which we, Defenders, can hunt in our network. Good luck ☘️

Reference:

[1] asec.ahnlab.com/en/37954/

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Oct 23
1/ Detect a compromise of a Fortinet firewall with the FortiAnalyzer Event Handler 🔎

A customer affected by CVE-2022-40684 ("may allow an unauthenticated attacker to perform operations on the administrative interface" [1]) received the email below. 🧵

#CyberSecurity Image
2/ The user fortigate-tech-support logged in from a suspicious IP address:

"Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices and to add a malicious super_admin account called "fortigate-tech-support". [1]
3/ Thanks to a configured mechanism by the client, an email was sent out with the details from the screenshot above when a user logs into the admin interface. [2]

This way, the compromise was detected quickly, a good early warning system. ⚠️
Read 4 tweets
Stephan Berger Profile picture
Oct 15
1/ "By using DoH, attackers can hide DNS queries from C&C domains.

If SSL/TLS traffic is not being inspected using man-in-the-middle (MitM) techniques, DNS queries to the C&C server will therefore go unnoticed."

[1] 🧵

#CyberSecurity
2/ I have been mentioning this topic in one of my presentations for quite some time (see slide above).

When DNS logs are recorded, analyzed, and evaluated, the use of DoH can lead to a blind spot. I assume that more TAs and malware authors will use this technique in the future.
3/ If possible, block the DoH resolvers on the proxy or firewall.

The curl GitHub repo provides a starter list of resolvers:
github.com/curl/curl/wiki…
Read 4 tweets
Stephan Berger Profile picture
Oct 11
1/ Perhaps a lesser known "feature" of Microsoft Authenticator, but the diagnostic data can be very helpful in investigating a compromised #Azure account where MFA is enabled but the user claims not to have confirmed the MFA Consent Prompt. 🧵
2/ You will find the diagnostic data here:

Authenticator App
▪️ Burger Menu
▪️ Send feedback
▪️ Having trouble?
▪️ View diagnostic data

Click "Copy all" and send the text via mail or other ways to your analysis device. Image
3/ When logging into an MFA protected (the second factor is the Consent Prompt) account, we see the following entries (abbreviated) in the Authenticator diagnostic data:
Read 10 tweets
Stephan Berger Profile picture
Oct 10
1/ @rootsecdev published a blog post where common misconfigurations inside the Conditional Access Policies in Azure are discussed.

In an Azure Tenant from a customer, the following CA policy was implemented: Require MFA for administrative users.

🧵
2/ However, within the Directory roles checkbox, not all the roles were selected (see the picture below).

In Azure Assessments, I use, among others, the script Get-MsolRolesAndMembers.ps1 to find users which are part of such different roles. [2]
3/ The users or roles found with the mentioned script must be cross-checked with the CA (the checked roles from the menu above) to find possible users which could log in without MFA, resulting in a security gap. 🔎
Read 10 tweets
Stephan Berger Profile picture
Oct 8
1/ #ThreatHunting: @Avast has blogged how Roshtyak checks the VBAWarnings registry value.

If the value is 1 ("Enable all macros"), then the code will not be executed because it is assumed that this setting is only enabled in a sandbox (or by courageous users). 🧵 #CyberSecurity
2/ "Interestingly, this means that users, who for whatever reason have lowered their security this way, are immune to Roshtyak." [1]
3/ However, this "Enable all macros" value can also be explicitly set for Outlook

(Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook - Level = 1).

If this value is set to 1 in a user context, a nifty persistence within Outlook may have been set up by a TA.
Read 7 tweets
Stephan Berger Profile picture
Sep 28
/1 Repeat after me: AV scans and password change is not enough after a full AD compromise.

A company has already been encrypted twice and asked us for a second opinion. The responders did a password change with an AV scan of the machines...

What could possibly go wrong? 🧵
2/ @UK_Daniel_Card has compiled a good checklist that gives an insight into the many different tasks that are part of a proper IR engagement or clean-up (list not exhaustive):

pwndefend.com/2021/09/15/pos…
3/ Another point missing on the checklist is the hunting for "legitimate" remote desktop solutions installed by the TA, which could be used as a backdoor for re-entry (Atera, Splashot, AnyDesk..).
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

Email the whole thread instead of just a link!

Separate emails with commas

:(