CHECK OUT OUR NEW EBOOK: Streamlining the Threat Detection Development Lifecycle with SnapAttack >>

 

Login | Signup

resource center

Threat Intelligence
Resources

BOOK DEMO >
SUBSCRIBE >

Threat SnapShots

In this week's Threat SnapShot, we're discussing everyone's favorite Office application -- Word (sorry Excel and PowerPoint)! First, we'll look at the CVE-2023-21716, a remote code execution vulnerability in Microsoft Word that has a CVSS score of 9.8. This vulnerability affects rich text format (RTF) documents that have an exceptionally large font table, which can cause a heap overflow. We'll demonstrate the proof-of-concept exploit released by the original reporter, and discuss some likely detection strategies for this threat. Next, we'll dive into the new Emotet campaign that is using a 500 MB Word document as the initial infection vector, and discuss threat hunting and detection opportunities you can use in your organization today.<br /><br />References:<br />- https://www.cyberkendra.com/2023/03/researchers-released-ms-office-zero-day.html<br />- https://twitter.com/jduck/status/1632471544935923712<br />- https://www.darkreading.com/threat-intelligence/emotet-resurfaces-yet-again-after-three-month-hiatus<br />- https://twitter.com/Max_Mal_/status/1633102894328168448<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/intelligence/c34371ed-6d6b-475a-a574-3673032fccaf - Intelligence: Researchers Released MS Office Zero-Day Vulnerability Details and Exploit Code<br />- https://app.snapattack.com/threat/8f5a7a52-0da4-393c-e32b-5547aa3aca97 - Threat: Microsoft Word’s RTF Heap Corruption (CVE-2023-21716)<br />- https://app.snapattack.com/detection/6d672c6d-6a1d-4035-800d-42b2b5897c23 - Detection: Microsoft Office Product Spawning Windows Shell<br />- https://app.snapattack.com/detection/c809cf76-1919-4f30-853f-679426873b31 - Detection: Created Files by Office Applications<br />- https://app.snapattack.com/detection/575afa6b-f46a-49c8-ab19-6ac1ce8b8eb3 - Detection: Microsoft Office spawning script interpreter<br />- https://app.snapattack.com/intelligence/9a367cf3-5c7a-48ae-917a-f7ebf3620ebb - Intelligence: Emotet Resurfaces Yet Again After 3-Month Hiatus<br />- https://app.snapattack.com/threat/47c7fa7c-b536-01e0-8c1c-60caa92a1774 - Threat: Emotet - Inflated Document and DLL Campaign<br />- https://app.snapattack.com/detection/b3123391-b0b8-40f5-8a7a-87dcb4cc8fb6 - Detection: Unsigned DLLs loaded from rundll32 regsvr32 from non-standard directories<br />- https://app.snapattack.com/detection/0b637cf0-fdd4-4838-bfd7-e83b4fe6245e - Detection: Suspicious File Create by regsvr32<br />- https://app.snapattack.com/detection/2e5505fc-0d05-4a1c-a32e-97699bf734c4 - Detection: Regsvr32 Anomaly<br />- https://app.snapattack.com/detection/c809cf76-1919-4f30-853f-679426873b31 - Detection: Created Files by Office Applications<br />- https://app.snapattack.com/detection/a41e4f07-f49e-477e-8e95-d969d053edf8 - Detection: Emotet Traffic Pattern<br />- https://app.snapattack.com/detection/2a8e6fb6-899f-445d-8fa4-988729503379 - Detection: Legitimate Application Dropped Archive
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLkdpVDhNdV9Id3Mw
SnapAttack 501

Hunting for MS Word 0-Day (CVE-2023-21716) and New Emotet Campaign | Threat SnapShot

03/09/23

Qakbot (Qbot) has been around for over a decade, and can routinely be found on lists of the most common malware infections. From the attacker's perspective, a lot of this success can be attributed to rapidly changing their TTPs to avoid detection, packaging their malware in new and novel ways to evade anti-virus, EDR, and SIEM detections rules. In this week's SnapShot, we'll take a look at a recent Qakbot sample, highlight some of their evasion strategies (like adding multiple backslashes to file paths), and discuss detection and hunting strategies you can use to keep ahead of their ever changing techniques.<br /><br />References:<br />- https://www.avertium.com/resources/threat-reports/a-closer-look-at-qakbot<br />- https://www.cisa.gov/resources-tools/resources/qbotqakbot-malware<br />- https://twitter.com/pr0xylife/status/1630274058725072899<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/threat/43800c7a-a9e5-40b4-00e3-66f070b2f3d6 - Threat: Qakbot - HTML Infection Chain<br />- https://app.snapattack.com/detection/e6328038-4ff8-4e11-b2ad-decebe593d59 - Detection: Suspicious Invoke-WebRequest Usage (ScriptBlockText)<br />- https://app.snapattack.com/detection/c80416cf-2e42-41c0-8205-94b6b5325e62 - Detection: Suspicious Copy From or To System32<br />- https://app.snapattack.com/detection/85a2ae02-7f4c-4a17-bd40-0e192d37757c - Detection: Possible Script Execution from ISO
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLlZPa1Y1S1RLOU9B

Detecting QAKBOT/QBOT Malicious Activity

03/03/23

In this week's Threat SnapShot, we'll take a look at the new Empire 5.0 release and some of the more recent post-exploitation modules they've included in the framework -- including an initial access module that uses a macro-enabled Office document to backdoor a user's desktop shortcuts to launch the Empire agent, and a ransomware simulator module using the PSRansom tool. As always, we'll discuss threat hunting and detection strategies you can use in your organization's environment.<br /><br />Resources:<br />- https://twitter.com/EmpireC2Project<br />- https://github.com/BC-SECURITY/Empire<br />- https://github.com/JoelGMSec/PSRansom<br />- https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/threat/a0e9dfda-9146-a428-59ee-b59d9f45aff1 - Threat: Empire - Backdoor LNKs via Macro<br />- https://app.snapattack.com/threat/47acde49-7183-3568-a155-b658f1c998c4 - Threat: Empire - Ransomware Simulation with PSRansom<br />- https://app.snapattack.com/detection/b9d86d6c-6c4f-4f1c-a7fc-4fb269523269 - Detection: Office Creating or Modifying Desktop Shortcut<br />- https://app.snapattack.com/detection/a695abad-e258-4c02-a01b-b8fbf8212570 - Detection: Possible Malicious Shortcut Activity<br />- https://app.snapattack.com/detection/b89e87d2-8d61-4d4a-a28b-b074cbc99f8c - Detection: Initial Access via Empire Backdoor LNK Macro<br />- https://app.snapattack.com/detection/f8fc9031-bc04-455d-9cc3-2c2ad40b4af1 - Detection: Initial Access via Empire Backdoor LNK Macro (PowerShell)
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLnRWQ0VvV1ZaSWIw

Hunting for Empire 5.0 - Backdoored Desktop Shortcuts and PSRansom Modules | Threat SnapShot

02/23/23

You've probably heard about potatoes on Windows -- starting with HotPotato in 2016, followed by RottenPotato, JuicyPotato, and SweetPotato, among many others Potatoes are a collection of privilege escalation attacks on Windows that typically abuse authentication mechanisms, credentials/tokens and services with impersonation privileges. LocalPotato (CVE-2023-21746) is the newest in the potato family, and abuses flaws in the NTLM authentication challenge process that allow arbitrary file reads and writes as system. We'll demonstrate two ways to use LocalPotato to escalate privileges: by copying the SAM/SYSTEM files and dumping password hashes, and a new privilege escalation against the StorSvc service. As always, we'll discuss detection and threat hunting strategies for these attacks.<br /><br />References:<br />- https://decoder.cloud/2023/02/13/localpotato-when-swapping-the-context-leads-you-to-system/<br />- https://github.com/decoder-it/LocalPotato<br />- https://twitter.com/BlackArrowSec/status/1625105617294696449<br />- https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/threat/1aefe908-24dc-d73d-cebb-7393d279ae25 - Threat: Dumping Credentials with LocalPotato (CVE-2023-21746)<br />- https://app.snapattack.com/detection/fe3c2372-d4d0-4e31-8f5d-88409a125523 - Detection: Sensitive Registry Access via Volume Shadow Copy<br />- https://app.snapattack.com/detection/44ce9821-d3a2-4d6f-9401-678a26565663 - Detection: Copying Sensitive Files with Credential Data<br />- https://app.snapattack.com/detection/f572af6e-8daf-4591-9c85-3407eac3590e - Detection: Suspicious Winsock Named Pipe<br />- https://app.snapattack.com/threat/aea80b68-b0e7-25b6-f437-83d8964f7d69 - Threat: Escalation to System via LocalPotato (CVE-2023-21746) and StorSvc<br />- https://app.snapattack.com/detection/8dbd5a1c-bdad-464d-bd1d-90b40d59a226 - Detection: Possible Windows Privilege Escalation via StorSvc service<br />- https://app.snapattack.com/detection/9ed07ab5-8a2b-434b-a509-7026dad39d78 - Detection: Windows Privilege Escalation via StorSvc service
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLm0wSXJMdUxNZHZ3

Detecting LocalPotato (CVE-2023-21746) Privilege Escalation Attacks on Windows

02/16/23

Load More... Subscribe
This error message is only visible to WordPress admins

Error 403: Requests from referer are blocked..

Domain code: global
Reason code: forbidden

Threat SnapShots

In this week's Threat SnapShot, we're discussing everyone's favorite Office application -- Word (sorry Excel and PowerPoint)! First, we'll look at the CVE-2023-21716, a remote code execution vulnerability in Microsoft Word that has a CVSS score of 9.8. This vulnerability affects rich text format (RTF) documents that have an exceptionally large font table, which can cause a heap overflow. We'll demonstrate the proof-of-concept exploit released by the original reporter, and discuss some likely detection strategies for this threat. Next, we'll dive into the new Emotet campaign that is using a 500 MB Word document as the initial infection vector, and discuss threat hunting and detection opportunities you can use in your organization today.<br /><br />References:<br />- https://www.cyberkendra.com/2023/03/researchers-released-ms-office-zero-day.html<br />- https://twitter.com/jduck/status/1632471544935923712<br />- https://www.darkreading.com/threat-intelligence/emotet-resurfaces-yet-again-after-three-month-hiatus<br />- https://twitter.com/Max_Mal_/status/1633102894328168448<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/intelligence/c34371ed-6d6b-475a-a574-3673032fccaf - Intelligence: Researchers Released MS Office Zero-Day Vulnerability Details and Exploit Code<br />- https://app.snapattack.com/threat/8f5a7a52-0da4-393c-e32b-5547aa3aca97 - Threat: Microsoft Word’s RTF Heap Corruption (CVE-2023-21716)<br />- https://app.snapattack.com/detection/6d672c6d-6a1d-4035-800d-42b2b5897c23 - Detection: Microsoft Office Product Spawning Windows Shell<br />- https://app.snapattack.com/detection/c809cf76-1919-4f30-853f-679426873b31 - Detection: Created Files by Office Applications<br />- https://app.snapattack.com/detection/575afa6b-f46a-49c8-ab19-6ac1ce8b8eb3 - Detection: Microsoft Office spawning script interpreter<br />- https://app.snapattack.com/intelligence/9a367cf3-5c7a-48ae-917a-f7ebf3620ebb - Intelligence: Emotet Resurfaces Yet Again After 3-Month Hiatus<br />- https://app.snapattack.com/threat/47c7fa7c-b536-01e0-8c1c-60caa92a1774 - Threat: Emotet - Inflated Document and DLL Campaign<br />- https://app.snapattack.com/detection/b3123391-b0b8-40f5-8a7a-87dcb4cc8fb6 - Detection: Unsigned DLLs loaded from rundll32 regsvr32 from non-standard directories<br />- https://app.snapattack.com/detection/0b637cf0-fdd4-4838-bfd7-e83b4fe6245e - Detection: Suspicious File Create by regsvr32<br />- https://app.snapattack.com/detection/2e5505fc-0d05-4a1c-a32e-97699bf734c4 - Detection: Regsvr32 Anomaly<br />- https://app.snapattack.com/detection/c809cf76-1919-4f30-853f-679426873b31 - Detection: Created Files by Office Applications<br />- https://app.snapattack.com/detection/a41e4f07-f49e-477e-8e95-d969d053edf8 - Detection: Emotet Traffic Pattern<br />- https://app.snapattack.com/detection/2a8e6fb6-899f-445d-8fa4-988729503379 - Detection: Legitimate Application Dropped Archive
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLkdpVDhNdV9Id3Mw
SnapAttack 501

Hunting for MS Word 0-Day (CVE-2023-21716) and New Emotet Campaign | Threat SnapShot

03/09/23

Qakbot (Qbot) has been around for over a decade, and can routinely be found on lists of the most common malware infections. From the attacker's perspective, a lot of this success can be attributed to rapidly changing their TTPs to avoid detection, packaging their malware in new and novel ways to evade anti-virus, EDR, and SIEM detections rules. In this week's SnapShot, we'll take a look at a recent Qakbot sample, highlight some of their evasion strategies (like adding multiple backslashes to file paths), and discuss detection and hunting strategies you can use to keep ahead of their ever changing techniques.<br /><br />References:<br />- https://www.avertium.com/resources/threat-reports/a-closer-look-at-qakbot<br />- https://www.cisa.gov/resources-tools/resources/qbotqakbot-malware<br />- https://twitter.com/pr0xylife/status/1630274058725072899<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/threat/43800c7a-a9e5-40b4-00e3-66f070b2f3d6 - Threat: Qakbot - HTML Infection Chain<br />- https://app.snapattack.com/detection/e6328038-4ff8-4e11-b2ad-decebe593d59 - Detection: Suspicious Invoke-WebRequest Usage (ScriptBlockText)<br />- https://app.snapattack.com/detection/c80416cf-2e42-41c0-8205-94b6b5325e62 - Detection: Suspicious Copy From or To System32<br />- https://app.snapattack.com/detection/85a2ae02-7f4c-4a17-bd40-0e192d37757c - Detection: Possible Script Execution from ISO
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLlZPa1Y1S1RLOU9B

Detecting QAKBOT/QBOT Malicious Activity

03/03/23

In this week's Threat SnapShot, we'll take a look at the new Empire 5.0 release and some of the more recent post-exploitation modules they've included in the framework -- including an initial access module that uses a macro-enabled Office document to backdoor a user's desktop shortcuts to launch the Empire agent, and a ransomware simulator module using the PSRansom tool. As always, we'll discuss threat hunting and detection strategies you can use in your organization's environment.<br /><br />Resources:<br />- https://twitter.com/EmpireC2Project<br />- https://github.com/BC-SECURITY/Empire<br />- https://github.com/JoelGMSec/PSRansom<br />- https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/threat/a0e9dfda-9146-a428-59ee-b59d9f45aff1 - Threat: Empire - Backdoor LNKs via Macro<br />- https://app.snapattack.com/threat/47acde49-7183-3568-a155-b658f1c998c4 - Threat: Empire - Ransomware Simulation with PSRansom<br />- https://app.snapattack.com/detection/b9d86d6c-6c4f-4f1c-a7fc-4fb269523269 - Detection: Office Creating or Modifying Desktop Shortcut<br />- https://app.snapattack.com/detection/a695abad-e258-4c02-a01b-b8fbf8212570 - Detection: Possible Malicious Shortcut Activity<br />- https://app.snapattack.com/detection/b89e87d2-8d61-4d4a-a28b-b074cbc99f8c - Detection: Initial Access via Empire Backdoor LNK Macro<br />- https://app.snapattack.com/detection/f8fc9031-bc04-455d-9cc3-2c2ad40b4af1 - Detection: Initial Access via Empire Backdoor LNK Macro (PowerShell)
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLnRWQ0VvV1ZaSWIw

Hunting for Empire 5.0 - Backdoored Desktop Shortcuts and PSRansom Modules | Threat SnapShot

02/23/23

You've probably heard about potatoes on Windows -- starting with HotPotato in 2016, followed by RottenPotato, JuicyPotato, and SweetPotato, among many others Potatoes are a collection of privilege escalation attacks on Windows that typically abuse authentication mechanisms, credentials/tokens and services with impersonation privileges. LocalPotato (CVE-2023-21746) is the newest in the potato family, and abuses flaws in the NTLM authentication challenge process that allow arbitrary file reads and writes as system. We'll demonstrate two ways to use LocalPotato to escalate privileges: by copying the SAM/SYSTEM files and dumping password hashes, and a new privilege escalation against the StorSvc service. As always, we'll discuss detection and threat hunting strategies for these attacks.<br /><br />References:<br />- https://decoder.cloud/2023/02/13/localpotato-when-swapping-the-context-leads-you-to-system/<br />- https://github.com/decoder-it/LocalPotato<br />- https://twitter.com/BlackArrowSec/status/1625105617294696449<br />- https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc<br /><br />SnapAttack Content:<br />- https://app.snapattack.com/threat/1aefe908-24dc-d73d-cebb-7393d279ae25 - Threat: Dumping Credentials with LocalPotato (CVE-2023-21746)<br />- https://app.snapattack.com/detection/fe3c2372-d4d0-4e31-8f5d-88409a125523 - Detection: Sensitive Registry Access via Volume Shadow Copy<br />- https://app.snapattack.com/detection/44ce9821-d3a2-4d6f-9401-678a26565663 - Detection: Copying Sensitive Files with Credential Data<br />- https://app.snapattack.com/detection/f572af6e-8daf-4591-9c85-3407eac3590e - Detection: Suspicious Winsock Named Pipe<br />- https://app.snapattack.com/threat/aea80b68-b0e7-25b6-f437-83d8964f7d69 - Threat: Escalation to System via LocalPotato (CVE-2023-21746) and StorSvc<br />- https://app.snapattack.com/detection/8dbd5a1c-bdad-464d-bd1d-90b40d59a226 - Detection: Possible Windows Privilege Escalation via StorSvc service<br />- https://app.snapattack.com/detection/9ed07ab5-8a2b-434b-a509-7026dad39d78 - Detection: Windows Privilege Escalation via StorSvc service
YouTube Video VVVpNUthYVIwdExVbXg1d290cG5XajhnLm0wSXJMdUxNZHZ3

Detecting LocalPotato (CVE-2023-21746) Privilege Escalation Attacks on Windows

02/16/23

Load More... Subscribe
This error message is only visible to WordPress admins

Error 403: Requests from referer are blocked..

Domain code: global
Reason code: forbidden

© 2021-2023 Threatology, Inc. All rights reserved.

Site built by ModusMark