xknow

interesting sample, uses ShellWindows COM to bypass suspicious office child processes, try to download calc.bin from a likely legit/compromised bitcoin related website: https://app.any.run/tasks/29e2b46d-407b-493b-aee4-550159622ce3/ …pic.twitter.com/8XJDj4i6ZJ

Actually, that was a tracker. "Steve" is using an iPhone and is in Lagos, Nigeria (using the same IP address as Katy, who received a slightly different file).pic.twitter.com/XcMkTW1bEz

CredAccess: some keyword you can add to the list of suspicious powershell scriptblock keywords_list, you can also monitor suspicious ImageLoad of the 2 highlighted ones (see below) Tool: https://github.com/nccgroup/SCOMDecrypt …pic.twitter.com/W8QKjdfzUa

Proof-of-concept exploits published for the Microsoft-NSA crypto bug (CVE-2020-0601) * Two are public (via @KudelskiSec & @ollypwn), at least one is private (@saleemrash1d) * People are calling this bug CurveBall now https://www.zdnet.com/article/proof-of-concept-exploits-published-for-the-microsoft-nsa-crypto-bug/ …pic.twitter.com/H6lPnjdnBg

CVE-2020-0601 - PoC for code signing PE files using a Certificate Authority using ECC https://github.com/ollypwn/cve-2020-0601 …pic.twitter.com/QKIaWrRQFL

That epic Microsoft moment#cve20200601 #curveball Recently worked on #mimikatz and ECC, so yes, 10 and 2016/2019 only. Previous versions like Windows 7 did not support personnal EC curves (only few NIST standard ones)pic.twitter.com/EayEuFVv1J

No fancy EDR required to capture CVE-2020-0601 attempts (after patching). Just ensure you're forwarding Application log events. Currently, CVE-2020-0601 is the only Microsoft code (AFAIK) that calls the CveEventWrite API so event noise is not a concern. https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-cveeventwrite …pic.twitter.com/JWPnaMaIqB

Sigma rule to detect the exploitation of CVE-2020-0601 as noted by @mattifestation Reference https://twitter.com/mattifestation/status/1217179698008068096 … - built-in feature, no Sysmon required - rule is generic & detects all future events generated by this source Rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_audit_cve.yml …pic.twitter.com/GpemX1l4bN

Azure AD privilege escalation - Taking over default application permissions as Application Admin - Azure AD security == @_dirkjan just saying #infosec #pentest #redteam https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/ …pic.twitter.com/lcW90HwXAQ

If you haven't done so already, go download and update UFED to 7.28! Make sure you hit the correct portal to update: https://community.cellebrite.com/  #checkm8 @Cellebrite_UFED #DFIRpic.twitter.com/4QB3FP10rD

#sysmon traces of this new LM tool can be found in the ATT&CK_EVTX repo : https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx … https://github.com/Mr-Un1k0d3r/PoisonHandler …pic.twitter.com/13715E1W4Z