@NVISOsecurity identified a campaign where #DeerStealer spread via fake Chrome updates on infected sites, using #Telegram to report infections.
Together with @lontze7 and @nef0sf, we took a closer look at how adversaries are abusing Telegram and shared #KQL queries for detection.
๐ข New Microsoft Threat Report: "ViewState Code Injection Attacks Using Publicly Disclosed https://t.co/QmvUaRN0KZ Machine Keys"
I wanted to understand deeper how works the attack so I created a detailed overview. Hope that helps ๐ค
๐ https://t.co/h5BHyR0XI6
@Cyb3rMonk I personally see analysts struggle to think outside of a single log/alert. For example in an alert of suspicious outbound communication to a weird port, usually they will not consider searching multiple intelligence sources to decide whether the destination is malicious or not
Since Cobaltstrike v4.9 is leaked and sooner or later it will be exploited, here is the detection for beacon's core. This detection cannot be modified with malleable profiles. EDRs like Crowdstrike/Elastic/MDATP which constantly scan the memory region for known patterns should easily pick this up. FYI, if BRc4 gets leaked, I would do the same for BRc4 too, like I've done in the past. No hard feelings, just helping the community.
https://t.co/vMzjFtzyfb
Please do the incident response team a favor, and check that the X-Forwarded-For Header is set on all your reverse proxies / load-balancers / etc.
They will thank you later.