BumbleBee Zeros in on Meterpreter

➡️Initial Access: Contact Forms/Stolen Images/ISO
➡️PrivEsc: WSReset & Slui UAC Bypass, Zerologon CVE2020-1472
➡️Cred Access: Procdump LSASS, reg dump SAM/SEC/SYS hives
➡️C2: BumbleBee, Meterpreter, CobaltStrike

thedfirreport.com/2022/11/14/bum…

1/X Analysis and reporting completed by @0xtornado, @samaritan_o, @RoxpinTeddy.

Shout outs to @MsftSecIntel, @threatinsight, @malpedia, @TheRecord_Media, @campuscodi
Thanks for all you do!!

2/X

Follina Exploit Leads to Domain Compromise

➡️Initial Access: Word Doc exploiting Follina
➡️Persistence: Scheduled Tasks
➡️Discovery: ADFind, Netscan, etc.
➡️Lat Movement: SMB, Service Creation, RDP
➡️C2: #CobaltStrike, Qbot, NetSupport, Atera/Splashtop

thedfirreport.com/2022/10/31/fol… Analysis and reporting completed by @pigerlin, @yatinwad and @_pete_0.

Shout outs to @CISAgov, @GossiTheDog, @msftsecresponse, @malware_traffic and @sans_isc.

BumbleBee Roasts Its Way to Domain Admin

➡️Initial Access: BumbleBee (zipped ISO /w LNK+DLL)
➡️Persistence: AnyDesk
➡️Discovery: VulnRecon, Seatbelt, AdFind, etc.
➡️Credentials: Kerberoast, comsvcs.dll, ProcDump
➡️C2: BumbleBee, CobaltStrike, AnyDesk

thedfirreport.com/2022/08/08/bum… Analysis and reporting completed by @Tornado and @MetallicHack

Shout outs: @threatinsight, Google's Threat Analysis Group, @vladhiewsha, @benoitsevens, @DidierStevens, @malpedia, @k3dg3, @malware_traffic, @Unit42_Intel, @EricRZimmerman, & @svch0st. Thanks ya'll!

Here's a thread on some of the interesting things we've seen in the #ContiLeaks.

If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked. New chat logs from the 26 Feb to the 28 Feb were released. It included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as “trump”). “Pumba” ends the conversation by asking to be moved to another team. #ContiLeaks

This content looks VERY familiar...

https://twitter.com/vxunderground/status/1423336151860002816

1. "Initial Actions"
2. rclone config using Mega
3. rclone instructions
4.Powerview/UserHunter instructions

Thanks @vxunderground!! 1. NTDS dumping
2. Kerberoasting
3. Netscan (Thanks Perry)
4. Ping script

Here's some newer #CobaltStrike servers we're tracking:

scripts[.]arshmedicalfoundation[.]com
3.142.144[.]90:443

servers[.]indiabullamc[.]com
139.180.214[.]187:80

rce[.]accountrecovery[.]co[.]uk
134.209.118[.]184:80

Full list available @ thedfirreport.com/services
#AllIntel Here's some newer #CobaltStrike servers we're tracking:

azurecloud[.]dynssl[.]com
136.244.113[.]93:443

securesoftme[.]azureedge[.]net
162.244.80[.]181:80|443

www[.]msclientweb[.]com
147.182.175[.]159:443

Full list available @ thedfirreport.com/services
#AllIntel

Sodinokibi (aka REvil) Ransomware

➡️TTR: 4 hours
➡️Initial Access: IcedID
➡️Discovery: nltest, net, wmic, AdFind, BloodHound, etc.
➡️PrivEsc: UAC-TokenMagic & Invoke-SluiBypass
➡️Defense Evasion: Safe Mode & new GPO
➡️Exfil: Rclone
➡️C2: CobaltStrike

thedfirreport.com/2021/03/28/sod… Shout-out to @hatching_io, @lazyactivist192, @malwrhunterteam, and @R3MRUM. Thanks for doing what you do!

IOCs, ransomware files, PCAPs, logs, memory captures, etc. available @ thedfirreport.com/services