Samir

some exploits tend to load directly ntoskrnl.exe (indows Kernel) to do some offsets calcs for some critical kernel structs or global vars ... in normal condition this should be rare so won't harm to add it to your sysmon/EDR config.pic.twitter.com/VDststNMUQ

high likely fake #winnti sample detected: macro code in this doc is similar to the one reported below used to exec hermes ransomware :) https://app.any.run/tasks/b87d950b-c1c4-41ea-aae6-ed855a54e8a5/ … https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/password-protected-word-document-delivers-hermes-ransomware/ … https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ …pic.twitter.com/7aG4ZbqGex

in-memory traces of ppldump, exploiting zam64.sys vulndriver to dump lsass memory, cool stuff. sysmon will show a generic\noisy calltrace so detection chances here are low, if combined with lsass loading dbgcore.dll it may work. https://github.com/realoriginal/ppldump … https://github.com/SouhailHammou/Exploits …pic.twitter.com/rbXCtivW3M

some notes/inputs to take into consideration while investigating persistence via service (hijack existing or/and add new rogue svchost hosted service)pic.twitter.com/EkYJiLrXXx

Local Groups Discovery: those are the top observed system processes that do some sort of local groups membership discovery (source: eventid 4799), if you see for instance rundll32 in there that something worth further checks (e.g. cmdline, netcons etc.)pic.twitter.com/Glo4knnLK3

simple #threathunting yara rule to detect suspicious windows servicedll, e.g. 2nd match is related to #Konni APT sample "mshlpsrvc.dll"pic.twitter.com/VN6vtcPYpj

another macro with safe landing (no susp child processes): c2: ssl.securelogonweb\.com, backdoor: cobaltstrike, persis:startupfolder, other:cactustorch, wmic+xsl https://app.any.run/tasks/4a40a89c-bddd-4df8-993e-5732d8a52133/ …pic.twitter.com/9baHl5lnnp

for espionage based attacks, "high" # of copying data from usb to a tmp staging c:\ folder is expected, other than monitoring cmd.exe's cmdline "*copy*e|f|g:*.pdf|.doc|etc.. .*c:\*" any other ideas?pic.twitter.com/xmtWpMYohM

finally a macro sample using something other than ps as a wmiprvse child process :) https://app.any.run/tasks/2f64ab4f-b405-4462-830c-03cbdf475216/ …pic.twitter.com/oci6S4ItBH

interesting sample using "over-sizing" likely to bypass AV scan, md5: 15af764731c257caf1ee26d1cfc049a9pic.twitter.com/mJcERFL6Q1

interesting sample, using minimal macro to write to startup folder for persistence & uses IE via COM to download 2 txt files (no noisy ps or abnormal exec). https://app.any.run/tasks/866b7e6a-4657-4a1f-bba9-44bfb42b7390/ …pic.twitter.com/NPlTC35ZeH

behavior detection won the race :)pic.twitter.com/ptFEnHDgTZ

processes that use bits in windows, SCCM client, browsers, outlook, onedrive & some update programs, powershell one was for testing thus it's not that frequent to have it there and if so likely the transfer job name will be known and can be baselined.pic.twitter.com/Vcm4IK6Qcf

some "äudit evasion" keywords/cmdlets to watch in "MSExchange Management" event logs or online exchange admin audit logs --> https://docs.microsoft.com/en-us/exchange/policy-and-compliance/admin-audit-logging/log-structure?view=exchserver-2019 …pic.twitter.com/U0QonNPdM4

2020: still "2" lines of code to get browsers saved creds and so many security products with no resilient detection/prevention for the same issuepic.twitter.com/ieIUMZDtnt