Stephan Berger
Head of Investigations @InfoGuardAG
Jun 16, 2023 • 11 tweets • 3 min read
1/ We recently had an interesting #Azure case where the TA, instead of creating a new Inbox Rule, added email addresses of interest to the list of blocked senders and domains.

The incoming emails will get flagged as spam and moved to the Junk email folder. 📂

🧵 2/ Here is a screenshot from Outlook Web Access

(the view might differ, as, for example, on the screenshot from theitbros [1])
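As an added check (example code, not part of the thread), the following Exchange Online PowerShell snippet does two things a responder wants after this kind of case: it snapshots the blocked-senders list of every mailbox, and it pulls the audit records for changes to junk-mail settings so you can see who made them and from which IP. It assumes an existing Connect-ExchangeOnline session with rights to read mailbox settings and the unified audit log, and it assumes the change is recorded under the cmdlet name Set-MailboxJunkEmailConfiguration.

```powershell
# Added example (not from the thread): hunt for abuse of the "blocked senders"
# list in Exchange Online. Assumes an existing Connect-ExchangeOnline session
# with rights to read mailbox settings and the unified audit log.

# 1) Snapshot the blocked senders/domains of every mailbox.
$blocked = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $junk = Get-MailboxJunkEmailConfiguration -Identity $mbx.UserPrincipalName
    foreach ($entry in $junk.BlockedSendersAndDomains) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Blocked = $entry }
    }
}
$blocked | Sort-Object Mailbox | Format-Table -AutoSize

# 2) Who changed junk settings in the last 30 days, and from where? Assumes the
#    change is recorded as Set-MailboxJunkEmailConfiguration in the audit log.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'Set-MailboxJunkEmailConfiguration' -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When     = $_.CreationDate
        Actor    = $d.UserId
        ClientIP = $d.ClientIP
        Target   = $d.ObjectId
        Blocked  = ($d.Parameters | Where-Object Name -eq 'BlockedSendersAndDomains').Value
    }
} | Format-Table -AutoSize -Wrap
```

A user who edits their own list in OWA produces the same record, so triage on the client IP (compare it with the user's normal sign-in locations) and on which addresses were added: entries for the organisation's own domain, finance contacts or IT are the ones worth a closer look.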
Apr 18, 2023 • 14 tweets • 5 min read
1/ Customer receives an email from a network monitoring device that a host is supposedly infected with a #CoinMiner. The Task Manager on the said system shows the following screenshot 🤕.

A story of an unpatched system, incorrect scoping, and 🍀. 🧵

#CyberSecurity 2/ The affected (and remotely accessible) server had Confluence installed.

One of the first questions I asked the customer was whether the system was up to date (Spoiler: it wasn't).

Confluence 6.0.4 was installed at the time of the incident.
Apr 17, 2023 • 4 tweets • 2 min read
1/ I used #AutoRuns v14.09 (GUI) in my lab setup but noticed that it failed to find (or display) the malware in the Startup folder, although the file is there (screenshot below).

I checked back and forth, searched manually for the file, and restarted the OS and AutoRuns.

🧵 2/ With #Velociraptor, I ran the hunt Sysinternals.Autoruns, and with the CLI version of AutoRuns, the malware is found in the Startup folder.
Mar 21, 2023 • 5 tweets • 2 min read
1/ The content below is from a file named install.bat and stems from a recent investigation where a TA launched this batch file. 👀

What's going on?

Well, VboxUpdate.exe is, in fact, tor.exe, and a new service is created, launching tor with a config file.

🧵 #CyberSecurity 2/ Below is an excerpt from the content of config.txt, the configuration file passed as an argument to the tor service.

If you think this looks a lot like RDP Tunneling, you are absolutely right. 🥇
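The pattern described above (a renamed tor.exe started as a service with a torrc that publishes a local port as a hidden service) can be checked for with the added PowerShell below. It is example code, not the install.bat or config.txt from the case: the torrc it parses is constructed to show the syntax, the service scan looks for any service command line that passes a config file with -f, and the decision rule "local port 3389 = RDP tunnel" is a simplification (any local port exposed this way deserves a look).

```powershell
# Added example (not from the thread): parse a torrc for HiddenServicePort
# lines and scan installed services for binaries started with "-f <config>".

function Get-HiddenServicePorts {
    param([string[]]$TorrcLines)
    # Syntax: HiddenServicePort VIRTPORT [TARGET]  where TARGET is host:port or a port
    foreach ($line in $TorrcLines) {
        if ($line -match '^\s*HiddenServicePort\s+(\d+)\s+(\S+)') {
            $virtualPort = [int]$Matches[1]
            $target      = $Matches[2]
            $localPort   = if ($target -match ':(\d+)$') { [int]$Matches[1] } else { [int]$target }
            [pscustomobject]@{
                VirtualPort  = $virtualPort
                Target       = $target
                LocalPort    = $localPort
                LooksLikeRdp = ($localPort -eq 3389)
            }
        }
    }
}

# Constructed sample torrc (not the real config.txt), modelled on the pattern
# in the thread: an onion service that forwards to the local RDP listener.
$sampleTorrc = @'
SocksPort 0
HiddenServiceDir C:\ProgramData\VboxUpdate\hs
HiddenServicePort 3389 127.0.0.1:3389
'@ -split "`r?`n"
Get-HiddenServicePorts -TorrcLines $sampleTorrc | Format-Table -AutoSize

# Live check: services whose command line hands a config file to the binary.
# Anything outside Program Files / Windows with a torrc-style config is suspect.
Get-CimInstance Win32_Service | ForEach-Object {
    if ($_.PathName -match '\s-f\s+"?([^"\s]+)') {
        $cfg   = $Matches[1]
        $ports = if (Test-Path -LiteralPath $cfg) { Get-HiddenServicePorts (Get-Content -LiteralPath $cfg) }
        [pscustomobject]@{
            Service            = $_.Name
            CommandLine        = $_.PathName
            ConfigFile         = $cfg
            HiddenServicePorts = (($ports | ForEach-Object { $_.LocalPort }) -join ',')
        }
    }
} | Format-Table -AutoSize -Wrap
```

Hash the binary the service points at (Get-FileHash) and compare it with a known tor.exe release; a renamed tor binary also keeps its characteristic strings (for example the "Tor " version banner), so a quick strings pass confirms the identification even when the file name says VirtualBox.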
Mar 20, 2023 • 4 tweets • 2 min read
1/ Real-World #PingCastle Finding #13: Allow log on locally

āž”ļø Domain Users are eligible to log into DC's šŸ¤ÆšŸ™ˆ

"When you grant an account the Allow logon locally right, you are allowing that account to log on locally to all domain controllers in the domain." [1]

#CyberSecurity 2/ Why is this a bad idea?

"If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges." [1]
Mar 18, 2023 • 4 tweets • 3 min read
1/ Do you monitor newly created services within your environment, and would you notice when a (vulnerable) driver is loaded?

The screenshot below (#Velociraptor 🤩) is from a recent #XMRig CoinMiner investigation ⤵️

🧵 #CyberSecurity 2/ We talked about vulnerable drivers before:
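The question in tweet 1 (do you see new services, and would you notice a vulnerable driver?) can be answered without Velociraptor from the Windows event log. The added PowerShell below is example code, not from the thread or from Velociraptor: it reads Event ID 7045 (a service was installed) from the System log, hashes the binary each new service points at, and compares the hash with a list of known-vulnerable drivers. That list is left as an empty placeholder to fill from a feed such as loldrivers.io; the optional Sysmon part assumes Sysmon is installed with driver-load logging (Event ID 6).

```powershell
# Added example (not from the thread): review recent service installations
# (System log, Event ID 7045), pick out kernel drivers, hash the binary and
# compare it with a list of known-vulnerable drivers. The hash list below is
# an empty placeholder; fill it from a source such as loldrivers.io.
$knownVulnerableSha256 = @()

function Get-RecentServiceInstalls {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Normalise ImagePath variants: \??\C:\x.sys, "C:\x.exe" -k, \SystemRoot\..., system32\drivers\x.sys
        $path = $d['ImagePath'] -replace '^\\\?\?\\', '' -replace '^"([^"]+)".*$', '$1' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        $hash = if (Test-Path -LiteralPath $path) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $d['ServiceName']
            ServiceType = $d['ServiceType']    # "kernel mode driver" for drivers
            StartType   = $d['StartType']
            ImagePath   = $d['ImagePath']
            Sha256      = $hash
            KnownVuln   = [bool]($hash -and $knownVulnerableSha256 -contains $hash)
        }
    }
}

Get-RecentServiceInstalls -Days 7 |
    Where-Object { $_.ServiceType -like '*driver*' -or $_.KnownVuln } |
    Format-Table Time, ServiceName, StartType, ImagePath, Sha256, KnownVuln -AutoSize

# Where Sysmon runs, Event ID 6 (driver loaded) adds signer information: an
# unsigned or oddly signed driver loaded from a user-writable path is the same
# finding seen from the other side.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Driver = $d['ImageLoaded']; Signed = $d['Signed']; Signature = $d['Signature']; Hashes = $d['Hashes'] }
    } | Format-Table -AutoSize -Wrap
```

Run it on the miner host first, then fleet-wide through your EDR or a remoting job; a 7045 event for a kernel-mode driver that lives in ProgramData, Temp or a user profile is worth an alert on its own, whether or not the hash is already on a vulnerable-driver list.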

Mar 17, 2023 • 4 tweets • 2 min read
1/ #Velociraptor has covered hunting for malicious WMI Event Consumers for some time. [1]

However, Velociraptor does not provide an eradication hunt for malicious WMI Event Consumers out of the box.

🧵 #CyberSecurity 2/ @threatpunter wrote a detailed blog about WMI persistence mechanisms and how to remove them.

"The simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence." āœ‚ļø Image
Mar 15, 2023 • 11 tweets • 5 min read
1/ Number #10 of the #ActiveDirectory hardening measures:

Easy Wins (for Attackers)

🧵 #CyberSecurity This is the last thread in this AD hardening measure series, but there would still be so much to discuss 😅

Here are more points you should focus on to defend your networks even better.
Mar 14, 2023 • 8 tweets • 3 min read
1/ Number #9 of the #ActiveDirectory hardening measures:

Relaying

🧵 #CyberSecurity 2/ There are a ton of different techniques by which attackers can relay credentials to another host in order to raise their privileges or get a shell on the target server.
Mar 13, 2023 • 8 tweets • 4 min read
1/ Number #8 of the #ActiveDirectory hardening measures:

Print Spooler Service

🧵 #CyberSecurity 2/ A running print spooler service on domain controllers is still a relatively common finding in our AD assessments, even though an attack path via the spooler service and unconstrained delegation has been known for years. [1]

Screenshot below from #PingCastle (@mysmartlogon)
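Added example (not from the thread): the check behind this PingCastle finding, done from PowerShell with the ActiveDirectory module. It asks every domain controller for the state of the Spooler service and then, in dry-run mode, stops and disables it where it is running. It assumes you run it as an account that can query CIM on the DCs and that PowerShell remoting is enabled on them.

```powershell
# Added example (not from the thread): find domain controllers with a running
# Print Spooler and disable it. -WhatIf keeps the second part read-only.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName
$status = foreach ($dc in $dcs) {
    $svc = Get-CimInstance -ComputerName $dc -ClassName Win32_Service -Filter "Name='Spooler'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC        = $dc
        State     = if ($svc) { $svc.State } else { 'unreachable' }
        StartMode = $svc.StartMode
    }
}
$status | Format-Table -AutoSize

# Remediate on every DC where the spooler runs. Drop -WhatIf after review.
foreach ($dc in ($status | Where-Object State -eq 'Running').DC) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Stop-Service -Name Spooler -Force -WhatIf
        Set-Service  -Name Spooler -StartupType Disabled -WhatIf
    }
}
```

Disabling the service locally is a stopgap; the durable fix is a GPO linked to the Domain Controllers OU that sets the Spooler startup type to Disabled, so a rebuilt or newly promoted DC does not come back with it running.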
Mar 12, 2023 • 8 tweets • 2 min read
1/ Number #7 of the #ActiveDirectory hardening measures:

Harden critical accounts

🧵 #CyberSecurity 2/ To raise the bar again, add critical accounts to the Protected Users Security Group.

"This group provides protections over and above just preventing delegation and makes them even more secure; however, it may cause operational issues, so it is worth testing in your env." [2]
Mar 11, 2023 • 13 tweets • 5 min read
1/ Number #6 of the #ActiveDirectory hardening measures:

Privileges and Permissions

🧵 #CyberSecurity 2/ #PingCastle lists, among many other things, the privileges assigned to domain users via GPOs.

The screenshot shows that the Default Notebook Policy grants Domain Users the SeLoadDriverPrivilege privilege.

Why is this bad?
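Both this finding (SeLoadDriverPrivilege for Domain Users) and PingCastle finding #13 above (Domain Users with "Allow log on locally", i.e. SeInteractiveLogonRight, on domain controllers) come down to the same question: which broad principals hold which user rights on a given host? The added PowerShell below is example code, not from the threads or from PingCastle: it exports the effective user-rights assignment of the host it runs on with secedit, resolves the SIDs to names, and flags Everyone, Authenticated Users, the local Users group and the domain's Domain Users group (RID 513). Run it on a domain controller for the log-on-locally check and on a workstation built from the policy in question for the driver-loading check.

```powershell
# Added example (not from the threads): audit the effective user-rights
# assignment on this host and flag rights granted to broad groups.
$tmp = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null

$rightsOfInterest = @(
    'SeInteractiveLogonRight',        # Allow log on locally
    'SeRemoteInteractiveLogonRight',  # Allow log on through Remote Desktop Services
    'SeLoadDriverPrivilege',          # Load and unload device drivers
    'SeDebugPrivilege',               # Debug programs
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
)
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
$domainUsersRid = '-513'

function Resolve-Sid([string]$Sid) {
    try { (New-Object Security.Principal.SecurityIdentifier $Sid).Translate([Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

$findings = Get-Content -LiteralPath $tmp | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest -contains $Matches[1]) {
        $right = $Matches[1]
        foreach ($p in ($Matches[2] -split ',')) {
            $p = $p.Trim()
            $sid = if ($p.StartsWith('*')) { $p.Substring(1) } else { $null }   # secedit writes *SID
            [pscustomobject]@{
                Right     = $right
                Principal = if ($sid) { Resolve-Sid $sid } else { $p }
                Broad     = [bool]($sid -and ($broadSids -contains $sid -or $sid.EndsWith($domainUsersRid)))
            }
        }
    }
}
Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue

$findings | Sort-Object Right, Principal | Format-Table -AutoSize
$findings | Where-Object Broad | ForEach-Object { Write-Warning "$($_.Right) granted to $($_.Principal)" }
```

To find the GPO that hands out such a right domain-wide rather than checking host by host, export all GPOs with Get-GPOReport -All -ReportType Xml and search the result for the right's name under UserRightsAssignment; that tells you which policy (here, the "Default Notebook Policy") to fix.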
Mar 10, 2023 • 6 tweets • 3 min read
1/ Number #5 of the #ActiveDirectory hardening measures:

Add Computers to the Domain

🧵 #CyberSecurity 2/ The following case is still worth mentioning:

A customer called us because he discovered two new computers within his computer objects that did not match his naming scheme.
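Added example (not from the thread): the two checks that explain a case like this one. By default any authenticated user may join up to ten computers to the domain (ms-DS-MachineAccountQuota), and a computer object created that way records its creator in mS-DS-CreatorSID, an attribute that stays empty when an administrator or a delegated account created the object. The PowerShell below reads the quota, lists every computer created through it together with who created it, and shows the dry-run remediation. It assumes the ActiveDirectory module.

```powershell
# Added example (not from the thread): who may add computers to the domain,
# and which existing computer objects were created by ordinary users?
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota  (default 10; 0 means only delegated accounts can join computers)"

# mS-DS-CreatorSID is only populated when the creator did not have explicit
# create-child rights, i.e. the object was created via the quota.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties 'mS-DS-CreatorSID', whenCreated, OperatingSystem |
    ForEach-Object {
        $sid = New-Object Security.Principal.SecurityIdentifier ($_.'mS-DS-CreatorSID', 0)
        $creator = try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Computer  = $_.Name
            Created   = $_.whenCreated
            CreatedBy = $creator
            OS        = $_.OperatingSystem
        }
    } | Sort-Object Created -Descending | Format-Table -AutoSize

# Remediate (dry run): set the quota to 0 and delegate joins to a dedicated
# account or group on the OUs where new computers belong.
Set-ADObject -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

Objects with a CreatedBy that is a normal user, an odd name, and no operating system attribute are the ones to look at first: a machine account an attacker created is a foothold for relay, RBCD and Kerberos tricks, not just a naming-scheme violation.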
Mar 9, 2023 • 6 tweets • 3 min read
1/ Number #4 of the #ActiveDirectory hardening measures:

PowerShell Script Block Logging

🧵 #CyberSecurity 2/ Strictly speaking not part of a guide about hardening AD, but I must stress once again the importance of logging executed PowerShell code on clients and servers:



And here with several examples from our Incident Response cases:
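Added example (not from the thread): what enabling and using Script Block Logging looks like on one host. The PowerShell below checks the policy value, sets it locally if missing (in a domain you set the same value through the "Turn on PowerShell Script Block Logging" GPO setting), enlarges the operational log so that it does not wrap within hours, and then pulls the last day of 4104 events that contain strings typical of downloader and in-memory tradecraft. The pattern list is a starting point, not a detection rule set.

```powershell
# Added example (not from the thread): enable Script Block Logging locally,
# keep enough history, and grep recent 4104 events for common tradecraft.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
"EnableScriptBlockLogging = $enabled"
if ($enabled -ne 1) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# The default 15 MB log wraps quickly; 1 GB is a common compromise when logs
# are not shipped off the host immediately.
wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824

$patterns = 'FromBase64String', 'DownloadString', 'DownloadFile', 'Invoke-Expression', 'IEX',
            '-EncodedCommand', ' -enc ', 'Invoke-Mimikatz', 'System.Reflection.Assembly', 'VirtualAlloc'

$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $text = $_.Properties[2].Value          # ScriptBlockText (0/1 are part number/total)
    $hits = $patterns | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            ProcId  = $_.ProcessId
            Match   = ($hits -join ',')
            Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
} | Format-Table -AutoSize -Wrap
```

A script block larger than the event size limit is split across several 4104 events; Properties[0] and [1] carry the part number and total, so reassemble by ScriptBlockId (Properties[3]) before you analyse a long payload.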

Mar 8, 2023 • 7 tweets • 3 min read
1/ Number #3 of the #ActiveDirectory hardening measures:

Passwords

🧵 #CyberSecurity 2/ We talked about passwords in SYSVOL before:
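Added example (not from the thread): the SYSVOL sweep that finds the passwords referred to above. Group Policy Preferences stored credentials as a cpassword attribute in XML files under SYSVOL, encrypted with an AES key that Microsoft published, so every domain user can read and decrypt them; scripts in SYSVOL with hard-coded passwords are the second common source. The PowerShell below reports locations only and does not print the values. It assumes the ActiveDirectory module and read access to SYSVOL (which every domain user has).

```powershell
# Added example (not from the thread): find Group Policy Preferences files
# that still carry a cpassword, and scripts with hard-coded passwords.
Import-Module ActiveDirectory

$sysvol   = "\\$((Get-ADDomain).DNSRoot)\SYSVOL"
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'

function Find-GppPasswords {
    Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="([^"]*)"' |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                # an empty cpassword="" attribute is a leftover, not a secret
                IsEmpty = [string]::IsNullOrEmpty($_.Matches[0].Groups[1].Value)
            }
        }
}

function Find-ScriptPasswords {
    Get-ChildItem -Path $sysvol -Recurse -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
        Select-String -Pattern 'pass(word|wd)?\s*[=:]' |
        Select-Object Path, LineNumber
}

Find-GppPasswords   | Format-Table -AutoSize
Find-ScriptPasswords | Format-Table -AutoSize
```

Treat every non-empty cpassword hit as a compromised credential: remove the preference item, rotate the account, and check when the file was last modified against your logon data, because tools that decrypt these files have been standard in attacker toolkits for years.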

Mar 7, 2023 • 7 tweets • 3 min read
1/ Number #2 of the #ActiveDirectory hardening measures:

Service Accounts

🧵 #CyberSecurity 2/ In our AD assessments or IR cases, we repeatedly see that service accounts are highly privileged, often also part of the domain administrators group.

This can be disastrous, especially with a weak password for the service account:
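Added example (not from the thread): the reason a weak service-account password is disastrous is that any domain user can request a Kerberos service ticket for an account that has an SPN and crack it offline (Kerberoasting); if that account is also a domain admin, one cracked password is the domain. The PowerShell below lists every user account with an SPN and marks the ones that are privileged, have an old password, or still allow RC4 tickets. It assumes the ActiveDirectory module; the privileged-group list is an assumption to adjust.

```powershell
# Added example (not from the thread): Kerberoastable accounts, ranked by
# how bad a cracked password would be.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'
$privilegedDns = foreach ($g in $privilegedGroups) {
    (Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue).distinguishedName
}

$props = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'AdminCount'
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
    Where-Object SamAccountName -ne 'krbtgt' |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account         = $_.SamAccountName
            Privileged      = ($privilegedDns -contains $_.DistinguishedName) -or ($_.AdminCount -eq 1)
            PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            # bit 0x4 = RC4_HMAC; an unset attribute means the default set, which still offers RC4
            RC4Allowed      = (-not $enc) -or (($enc -band 0x4) -ne 0)
            SPNs            = ($_.ServicePrincipalName -join ' ')
        }
    } |
    Sort-Object Privileged, PasswordAgeDays -Descending |
    Format-Table -AutoSize -Wrap
```

For each row: move the account out of privileged groups (delegate the few rights it needs instead), replace it with a group-managed service account where the product supports it, otherwise set a long random password and restrict the account to AES-only tickets so the cheap RC4 crack is gone.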

Mar 6, 2023 • 14 tweets • 4 min read
1/ I presented 10 #ActiveDirectory hardening measures a few weeks ago, and I will tweet my recommendations in the next ten days.

The list is neither prioritised nor complete, but it might give companies and administrators good input on improving (AD) security.

🧵 #CyberSecurity 2/ Number #1 of the Active Directory hardening measures:

#ADCS (Active Directory Certificate Services)
Feb 16, 2023 • 10 tweets • 4 min read
1/ Ouch. 🫣

A TA brute-forced the password of the domain admin.

The customer first suspected an internal compromise, but upon a deeper investigation of this incident, we quickly realized that the IP address was the internal address of a Cisco ASA VPN box.

🧵 #CyberSecurity 2/ The customer disabled the login mask a long time ago on the public internet-facing IP address of the Cisco ASA, as depicted in the image below.
Feb 16, 2023 • 5 tweets • 2 min read
1/ Two takeaways from @Aon_plc's blog about the forensic traces left by Evilginx2 [1]:

1⃣ "Initial logins from the phishing server will appear as the victim's legitimate user agent string."

🧵 #CyberSecurity 2/ When I saw this for the first time I was quite confused and scratched my head, because I always look for suspicious user agents or deviating user agents of the compromised user.

It took a moment to realise that the phishing kit spoofed the UA from the user's browser. 👉😏
Jan 31, 2023 • 6 tweets • 3 min read
1/ In a recent case, the TA installed DWservice as a backdoor. [1]

I installed the software on my test machine, which works incredibly well!

The screenshot shows the desktop from my lab machine, which I accessed from within the browser.

🤯

🧵 #CyberSecurity 2/ The screenshot above depicts the content of the config.json file, which is located in the installation directory of DWservice, and could be interesting for LEA purposes (the key could be linked to an account).

Below is another screenshot with various features of the service.
Jan 25, 2023 • 5 tweets • 2 min read
1/ Three observations while playing around with a malicious OneNote sample we discovered today at a customer's network:

Purchase_order__01_B2202026_2022-07-18_09-15-49.one

MD5: 99388b4d4f9c52a79e84e9538d92d979

🧵 #CyberSecurity 2/ In this case, a malicious .bat file gets executed when the user double clicks "View Document".

The malicious .bat file is written to a temporary folder:

C:\Users\<username>\AppData\Local\Temp\OneNote\16.0\Exported\{0438B35A-EB92-4C25-8DB6-5413952EFD08}\NT\0\.bat
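Added example (not from the thread): a sweep for the artefact described above. OneNote writes an embedded attachment to the Exported folder under the user's Temp directory before it runs it, and the file keeps that location after the infection, so listing script-like files under every profile's OneNote\*\Exported path gives you both the sample and a timestamp for when the user clicked. The PowerShell below is example code; the extension list is an assumption.

```powershell
# Added example (not from the thread): find attachments that OneNote exported
# from embedded objects in every user profile on this host.
$scriptExt = '.bat', '.cmd', '.vbs', '.js', '.jse', '.hta', '.ps1', '.wsf', '.exe', '.lnk'

function Get-OneNoteExportedScripts {
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\OneNote\*\Exported' -Directory -ErrorAction SilentlyContinue |
        Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                User    = ($_.FullName -split '\\')[2]      # C:\Users\<user>\...
                Created = $_.CreationTime                   # when the user opened/clicked the object
                Path    = $_.FullName
                Bytes   = $_.Length
                MD5     = (Get-FileHash -Algorithm MD5 -LiteralPath $_.FullName).Hash
            }
        }
}

Get-OneNoteExportedScripts | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

Note that the file in the case has no base name at all (the path ends in \.bat); Get-ChildItem still reports its Extension as .bat, so the filter above catches it. Pair the Created timestamp with process-creation logs (4688 or Sysmon 1) showing onenote.exe as the parent of cmd.exe to confirm that the payload actually ran.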