Content provided by Mandiant. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Mandiant or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://he.player.fm/legal.

S3E2: Hacking Tracking Pix & Macro Stomping Tricks

Duration: 42:58
Archived series ("Inactive feed" status)

When? This feed was archived on February 26, 2024 18:55 (2M ago). Last successful fetch was on January 22, 2023 07:30 (1+ y ago)

Why? Inactive feed status. Our servers were unable to retrieve a valid podcast feed for an extended period.

What now? You might be able to find a more up-to-date version using the search function. This series will no longer be checked for updates. If you believe this to be in error, please check if the publisher's feed link below is valid and contact support to request the feed be restored or if you have any other concerns about this.

On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive & evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in the wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen several attackers do post-compromise.

Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first-stage malware.

We break down the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread (https://twitter.com/cglyer/status/1222255759687372801). We talk through additional red team operators' responses on how they use this technique in their campaigns today - a discussion sparked by this great offensive security thread (https://twitter.com/malcomvetter/status/1222539003565694985). This trend of professional target profiling - drawing both inspiration and specific tracking tools from the marketing industry - is highly effective and a trend we expect to continue.

Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels - and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile.

We also pivot into some potential use cases for fingerprinting Office versions. We discuss VBA macro stomping and file format intricacies that require attackers to understand the version of Office a target may be using, in order to create evasive spear-phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion - both p-code compiling and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog on the topic (https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet thread linking to other research (https://twitter.com/a_tweeter_user/status/1225062617632428033).

Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, that went public on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin-mining, and attempted ETERNALBLUE-laced ransomware.

In addition to securing his customers in Managed Defense, Matt's been working with the team to release several blogs, defender tips, and tools on the vulnerability:

• Matt and Nick published an initial blog on the topic – detailing exploit timelines, evasive attackers, and resilient approaches to detection (https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN and the concept of exploit squatter's rights in the blog with the titl
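As an added illustration of what these trackers look like from the defender's side (example code written for this page, not from the episode or its hosts), the following Python scans an HTML email body for likely tracking beacons: externally hosted images that are 1x1 or hidden and whose URL carries a long per-recipient token. The sample message and the size/token thresholds are constructed assumptions.

```python
"""Flag likely tracking pixels in an HTML email body (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    # A width/height of 0 or 1 (with or without "px") is the classic pixel size.
    return re.fullmatch(r"\s*[01](px)?\s*", value or "") is not None


def find_tracking_pixels(html):
    """Return one dict per <img> that looks like a beacon: external, tiny or hidden, unique URL."""
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and cannot phone home on render
        reasons = []
        if _tiny(img.get("width")) and _tiny(img.get("height")):
            reasons.append("1x1")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        # A long opaque value in the query or path is the per-recipient identifier
        # that ties the image fetch (IP, User-Agent, time) back to one target.
        token = any(len(v) >= 16 for vals in parse_qs(url.query).values() for v in vals)
        token = token or any(len(seg) >= 20 for seg in url.path.split("/"))
        if token:
            reasons.append("unique-token")
        if reasons:
            hits.append({"host": url.hostname, "src": src, "reasons": reasons})
    return hits


# Constructed sample: a real logo, a classic 1x1 beacon, a CSS-hidden beacon, an inline cid image.
SAMPLE_EMAIL = (
    "<html><body><p>Quarterly update</p>"
    '<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">'
    '<img src="https://track.example.net/o.gif?r=3f9a2c1d7e8b4a6f9c0d" width="1" height="1" alt="">'
    '<img src="https://t.example.org/p/7c1e4b2a9f3d8e6c5b0a1f2d" style="display: none">'
    '<img src="cid:inline-logo" width="1" height="1">'
    "</body></html>"
)
```

Running `find_tracking_pixels(SAMPLE_EMAIL)` reports the two external beacons and ignores both the logo and the embedded `cid:` image; in a mail gateway the hit list would feed a policy such as blocking remote image loads for flagged messages.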
39 episodes
