Stephan Berger Profile picture
Mar 21 5 tweets 2 min read
1/ The content below is from a file named install.bat and stems from a recent investigation where a TA launched this batch file. 👀

What's going on?

Well, VboxUpdate.exe is, in fact, tor.exe, and a new service is created, launching tor with a config file.

🧵 #CyberSecurity Image
2/ Below is an excerpt from the content of config.txt; the configuration file passed as an argument to the tor service.

If you think this looks a lot like RDP Tunneling, you are absolutely right. 🥇 Image
3/ Head over to the allthingsdfir blog to read a more profound write-up about the techniques used here and how they work together.

allthingsdfir.com/rdp-over-tor/
4/ What is nice from a #DFIR perspective is that inside the config.txt, there is a log file specified:

> C:\Windows\vbox\debug.log
5/ Which logs the amount of data sent back and forth (or not, in our case). This could prove or disprove that a TA used that backdoor to enter or re-enter the network:

[notice] Heartbeat: Tor's uptime is 3 days 0:00 hours, with 0 circuits open I've sent 0 kB and received 0 kB

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Stephan Berger

Stephan Berger Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @malmoeb

Mar 20
1/ Real-World #PingCastle Finding #13: Allow log on locally

➡️ Domain Users are eligible to log into DC's 🤯🙈

"When you grant an account the Allow logon locally right, you are allowing that account to log on locally to all domain controllers in the domain." [1]

#CyberSecurity Image
2/ Why is this a bad idea?

"If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges." [1]
3/ I encountered this finding several times in our AD assessments, so you better check your settings in your domain right now (better safe than sorry 🔒).

Good luck 🍀
Read 4 tweets
Mar 18
1/ Do you monitor newly created services within your environment, and would you notice when a (vulnerable) driver is loaded?

The screenshot below (#Velociraptor 🤩) is from a recent #XMRig CoinMiner investigation ⤵️

🧵 #CyberSecurity
2/ We talked about vulnerable drivers before:

Read 4 tweets
Mar 17
1/ #Velociraptor has covered hunting for malicious WMI Event Consumers for some time. [1]

However, Velociraptor does not provide an eradication hunt for malicious WMI Event Consumers out of the box.

🧵 #CyberSecurity
2/ @threatpunter wrote a detailed blog about WMI persistences and how to remove them.

"The simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence." ✂️ Image
3/ "Alternatively, you can remove the WMI event subscriptions from the command line." [2] Image
Read 4 tweets
Mar 15
1/ Number #10 of the #ActiveDirectory hardening measures:

Easy Wins (for Attackers)

🧵 #CyberSecurity
This is the last thread in this AD hardening measure series, but there would still be so much to discuss 😅

Here are more points you should focus on to defend your networks even better.
"Administrative accounts should never be enabled for delegation.

You can prevent these privileged accounts from being targeted by enabling the ‘Account is sensitive and cannot be delegated’ flag on them. You can optionally add these accounts to the ‘Protected Users’ group.
Read 11 tweets
Mar 14
1/ Number #9 of the #ActiveDirectory hardening measures:

Relaying

🧵 #CyberSecurity
2/ There exists a ton of different techniques of how attackers can relaying credentials to another host in order to raise their privileges or get a shell on the target server.
3/ @TrustedSec has written an excellent blog post about the different relaying techniques, how they work and which prerequisites have to be in place that the attack is successful. [1]
Read 8 tweets
Mar 13
1/ Number #8 of the #ActiveDirectory hardening measures:

Print Spooler Service

🧵 #CyberSecurity
2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via spooler service and unconstrained delegations have been known for years. [1]

Screenshot below from #PingCastle (@mysmartlogon)
3/ Apart from the (older) attack technique with unconstrained delegations (see above), the printer spooler has had various critical vulnerabilities over the last two years. [3]
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(