Share this page!

Stephan Berger Profile picture
Twitter logo
Dec 22 4 tweets 2 min read
1/ #Azure In a recent case, the TA was able to compromise the user despite MFA (MFA fatigue).

After logging in, the attacker registered another mobile number as "Alternate Mobile Phone Call".

In the audit logs, we see this event within "Authentication Methods":

🧵 #DFIR
2/ The audit logs are a goldmine for finding suspicious behavior in an Azure tenant.

If we filter by "Core Directory", "UserManagement" and "Update user" ..
3/ .. we also see the ModifiedProperties (the modifications done by the attacker).

Notice, the primary Phone Number is a Swiss mobile phone (+41), and the attacker added a number from the United Arab Emirates (+971).

Suspicious? You bet!
4/ #ThreatHunting

We can export all MFA properties of users to search for users who have added or registered a second number or use a mobile number from a country without a branch office.

I use the code from the link below quite frequently:

morgantechspace.com/2018/06/find-a…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Stephan Berger Profile picture
Dec 17
1/ USB malware, part 4: Blast from the past. Again, a user executed a shortcut on a USB stick, which led to the execution of the following commands:

🧵 #CyberSecurity
2/ 'C:\Windows\system32\cmd.exe' /c cls&cls&cls&cls&cls&cls&start explorer FACTURE' 'PROFORMA&cls&cls&start notepad.vbe&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&cls&exit

Explorer is opened as a camouflage. In the background, the VBE script 'd:\notepad.vbe' runs (sample [1] ).
3/ The code is encoded (hence the E in VBE), but with CyberChef, we can at least get some readable code, but the script uses other obfuscation techniques, which are relatively easy to reversing.

@_bromiley wrote an excellent article about VBE files. [3]
Read 8 tweets
Stephan Berger Profile picture
Dec 16
1/ And the next case where a user downloaded a malicious file via Discord. [1]

After mounting the ISO, we find the file AnyDesk.exe, again very large and again with filler bytes. [2]

🧵 #CyberSecurity
2/ AnyDesk.exe (from the downloaded and mounted ISO archive) is already known by several AV vendors

(MD5 b7746c3c810615a1a8e367db9f3386eb).
3/ The user executed the malicious file, which resulted in a network request to an IP address belonging to AS 44477, Stark Industries Solutions (@UK_Daniel_Card - I learned my lesson 😜)

Check out the relations, where different themes were used for naming the ISO files.
Read 7 tweets
Stephan Berger Profile picture
Dec 15
1/ USB-Malware, part 3: Here we go again - a malicous USB-stick contained various shortcuts (DCIM.lnk, Video.lnk, etc.), including the malicious payload 'DCIM.JPG'.

🧵 #CyberSecurity
2/ After clicking on one of the shortcuts, the infection chain was kicked off (@MarvHaim did the first analysis 💪):

C:\Windows\system32\Wscript.exe' /e:Vbscript.Encode DCIM.JPG

The file DCIM.JPG is - surpise - not an actual JPG image but an obfuscated malicious VBS script. [1]
3/ The execution of the malicious script resulted in the following actions:

dcim.jpg was copied to c:\users\<username>\perflogs\dcim.jpg, following by setting the file attributes 'system' and 'hidden'.
Read 8 tweets
Stephan Berger Profile picture
Dec 14
1/ USB-Malware, part 2: Even though the Andromeda botnet was busted years ago, we still see infected USB sticks in corporate networks equipped with malicious code which tries to infect the host. 🧵

#CyberSecurity
2/ Recently, @f0r3idd3n_news investigated a case where an EDR prevented the start of a malicious DLL from the USB stick.

C:\Windows\system32\rundll32.exe' \\_-_-__-__-_--__-_-----__-_____-_-_-__-_-_--_--_-_--.{5EA8A78C-FA18-418A-A1FD-7D179EBFDBF7},8akw6YkuEYiuwGqe
3/ The entry point into the DLL in our example is 8akw6YkuEYiuwGqe.

@CrowdStrike recently published an excellent analysis of precisely this behavior and how to interpret the characters. [1] As Crowdstrike writes:
Read 5 tweets
Stephan Berger Profile picture
Dec 13
1/ In the last few weeks, we have investigated various infections with the malware dubbed "Raspberry Robin" by RedCanary.

As described by Microsoft and observed in our own investigations, the infections lead to further malware, in our case, Agent Tesla. 🧵
2/ Raspberry Robin uses msiexec.exe to download a malicious MSI package, using short domain names, as described in [1].

In addition, we observed port 8080 in the corresponding network request in all infections examined - a good indicator for #hunting in the firewall logs.
3/ @Kostastsale tweeted a regex for hunting these C2 requests and @felixaime a link to a repository consisting of Raspberry Robin domains (also called QNAP Worm). [3][4]

The domains contacted by our infected machines are also listed on the IOC inventory 👌 (passive DNS, anyone?)
Read 13 tweets
Stephan Berger Profile picture
Dec 6
1/ One of our analysts compiled various data from a potential infection on a client (screenshot below) and then asked for help assessing this finding.

Unfortunately, the host was rebuilt by the client, so we could not pull the DLL and further evidence from the host.🧵 Image
2/ How might we find the original executable that triggered this sequence of commands? Google did not return any helpful results.

First, I looked up a domain at VT that was contacted by the software (see evidence above).

There is a "Downloaded File" linked (updates.txt). Image
3/ The content of updates.txt file was stored at VT, and we found two URLs to MSI Installer. Image
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(