Follina Exploit Leads to Domain Compromise

➡️Initial Access: Word Doc exploiting Follina
➡️Persistence: Scheduled Tasks
➡️Discovery: ADFind, Netscan, etc.
➡️Lat Movement: SMB, Service Creation, RDP
➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop

thedfirreport.com/2022/10/31/fol…
Analysis and reporting completed by @pigerlin, @yatinwad and @_pete_0.

Shout outs to @CISAgov, @GossiTheDog, @msftsecresponse, @malware_traffic and @sans_isc.
IOCs for the intrusion, dated June 2022

Maldoc:
doc532.docx
03ef0e06d678a07f0413d95f0deb8968190e4f6b

Qbot Dll:
liidfxngjotktx.dll
dab316b8973ecc9a1893061b649443f5358b0e64

Netsupport Client
client32.exe
3112a39aad950045d6422fb2abe98bed05931e6c
Qbot C2:

CobaltStrike C2
190.123.44[.]126:443
ATERA ID
cadencefitzp.atrickzx@gmail[.]com
Detections:

➡️1 custom Qbot Sigma rule
➡️15 Sigma Detections
➡️14 Network Detections

More from @TheDFIRReport

Aug 8
BumbleBee Roasts Its Way to Domain Admin

➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk

thedfirreport.com/2022/08/08/bum…
Analysis and reporting completed by @Tornado and @MetallicHack

Shout outs: @threatinsight, Google's Threat Analysis Group, @vladhiewsha, @benoitsevens, @DidierStevens, @malpedia, @k3dg3, @malware_traffic, @Unit42_Intel, @EricRZimmerman, & @svch0st. Thanks y'all!
IOCs

Mar 1
Here's a thread on some of the interesting things we've seen in the #ContiLeaks.

If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
New chat logs from 26 Feb to 28 Feb were released. They included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as "trump"). "Pumba" ends the conversation by asking to be moved to another team. #ContiLeaks
Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of revenue and tracking of work to be done. #ContiLeaks
Aug 5, 2021
This content looks VERY familiar...

1. "Initial Actions"
2. rclone config using Mega
3. rclone instructions
4. Powerview/UserHunter instructions

Thanks @vxunderground!!
1. NTDS dumping
2. Kerberoasting
3. Netscan (Thanks Perry)
4. Ping script
1. Dump LSASS via #CobaltStrike, RDP, Mimikatz
2. AnyDesk install/exec
3. Scheduled task and wmic exec
4. AdFind! The same script we've been seeing since 2019
Jul 8, 2021
Here's some newer #CobaltStrike servers we're tracking:


Full list available @ thedfirreport.com/services
#AllIntel
Mar 29, 2021
Sodinokibi (aka REvil) Ransomware

➡️TTR: 4 hours
➡️Initial Access: IcedID
➡️Discovery: nltest, net, wmic, AdFind, BloodHound, etc.
➡️PrivEsc: UAC-TokenMagic & Invoke-SluiBypass
➡️Defense Evasion: Safe Mode & new GPO
➡️Exfil: Rclone
➡️C2: CobaltStrike

thedfirreport.com/2021/03/28/sod…
Shout-out to @hatching_io, @lazyactivist192, @malwrhunterteam, and @R3MRUM. Thanks for doing what you do!

IOCs, ransomware files, PCAPs, logs, memory captures, etc. available @ thedfirreport.com/services
🔥C2🔥:
