We've been tracking DEV-0537 since 2021 (overlaps: Lapsus$, UNC3661). Here's a comprehensive 🆕 BLOG 📰 covering observed TTPs: microsoft.com/security/blog/…
#MSTIC and Defender threat intel collab
➕#DART 👻 incident response team experience from the trenches [1/3]
The blog highlights varied initial access vectors and a slew of [inconsistent?] end goals: data theft, extortion, chaos...
One way to interpret "this actor's TTPs and infrastructure are constantly changing" is that they are loosely-organized (see:
But then what?? Let’s talk about some post-compromise techniques...
Please read the above blog to appreciate multiple backdoors used, careful & unique tradecraft used on-premises...
We just published more details on what we’ve been finding post-compromise: blogs.microsoft.com/on-the-issues/…
ADFS key material compromise, SAML shenanigans, OAuth keys added...
Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic
That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).
You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
Sep 10, 2020 • 7 tweets • 5 min read
Pokéregex Challenge:
How many of the 719 Pokémon can you capture in a single regular expression that fits in a tweet?
Here are awesome regex resources: raw.githubusercontent.com/aloisdg/awesom… [this same text blob will also be used to measure FPs😊]
If you haven't done something like this before, here's a [crappy] bash one-liner to start:
Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day
1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
Apr 1, 2020 • 9 tweets • 5 min read
🧾Stock Tax Tip
For years, I've seen teammates pay double taxes on stock grants. And *many* individuals & tax advisors prepare it incorrectly. ☹️
If you're fortunate enough to have sell-to-cover Restricted Stock Unit (RSU) grants – this probably needs adjusting.
Here's the fix:
There may be a tiny caveat in your broker's documentation suggesting you will be double taxed. I heard it was due to a rule change in 2014 (sfgate.com/business/netwo…).
Pictured: the single note in an eTrade PDF.
The impact can be several thousands of dollars overpaid each year...
Mar 9, 2020 • 4 tweets • 3 min read
🧐Fascinating .XLS file just uploaded to VT: virustotal.com/gui/file/64a23…
In addition to some wild 🈸️Chinese phrase translations, its macros drop an [InternetShortcut] file to disk:
网址导航.url
The shortcut's URL (stored within Sheet2) is this GIF⤵️ of how to launch the .xls file
Screenshots:
1⃣ - 🩳✂️: ThisWorkbook macro dropping the instructional GIF .url to disk
2⃣ - 🌐🖼️: Sheet2 contains the .url shortcut's remote GIF location
3⃣ - 🚗🏃🏽: tdole macro allowing helpful translation spreadsheet to auto-run
3 of these XLSMs uploaded to VT in last 2 days. Fresh one from this afternoon: virustotal.com/gui/file/fc243…
❔Interview question: is this “malware” & why do you say that? If your job was to decide whether to let it through, alert, or block it globally – what’s your pick? [polls below]
👆🏼Is this “malware” & why? <replies welcome>
Feb 18, 2020 • 4 tweets • 5 min read
Always nice when a payload has robust documentation.
This one details the exact bypasses implemented.
Version control shows 2016 @Cneelis method replaced with that @_RastaMouse new new.
👉🏽 "Program.cs" #InstallUtil payload with 0 VT detections btw: virustotal.com/gui/file/9193b… @Cneelis @_RastaMouse Uploaded 4 hours ago. (🆕)
0/60 static detections is *sorta* expected - it'd be interesting to see how security tech performs when this is loaded by #InstallUtil - should be caught then.
Special guests:
👨🏻 Macro stomping (@a_tweeter_user)
👨🏻🦱 CVE exploitation in the trenches (@_bromiley)
👇🏼Episode Recap Thread! 🧵
We start with tracking pixels: ◻️ <spacer.gif>
We break down how marketing tools are used by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
For some background, see this thread:
🔚 Result: #RevengeRAT on https://paste[.]ee/r/OaKTX
C2: cugugugu.duckdns[.]org
You should process these at scale and - outside of training - it's not a good use of time to step through them manually.
👨💻btw if you like network infrastructure triage, that DuckDNS C2 resolves to an IP address with :3389 open, serving up an SSL certificate exposing a hostname.
@sj94356 @QW5kcmV3 Wait, did @YouTube remove the #StateOfTheHack episode? 👉feye.io/soth 👀
Are we being oppressed? Do they think this is a U.S.-Iran influence operation? ... is it? 🇺🇸🇮🇷 Am I going to get a bunch of weird #MAGA replies to this tweet? I have so many questions 😅🙃
Also look closely at both samples' embedded PE information (Original/InternalName) 😉
Dec 4, 2019 • 6 tweets • 11 min read
🔨A Tough Outlook for Home Page Attacks
🔗fireeye.com/blog/threat-re…
Blog has #APT33 🇮🇷, #APT34 🇮🇷, and #UNC1194 🏴😉 home page persistence & RCE.
🔒We talk CVE-2017-11774 patch tampering in-the-wild and made a hardening guide!
😱Cool TTPs (pictured) #GuardrailsOfTheGalaxy
Here is the #UNC1194 first stage (recon) payload stored in an attacker-controlled @Azure storage blob:
👨🏼🎓"Classeur1.xlsm" (7/58): virustotal.com/gui/file/70b86…
Uploaded from Tunis, 🇹🇳
[1/3]
It's reasonable to expect an aspiring detection engineer to explain what's going on here.
CREATE_HEX function: MCAFEE_CERTIFICATION 👀
You should know what |4d 5a| means.
You should be able to explain the rudimentary D1, D2, and D3 evasion functions.
[2/2]