Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Kyle Hanslovan Profile picture
Kyle Hanslovan
@KyleHanslovan
CEO at @HuntressLabs | Classy but ❤️’s Trap Music
Sep 7, 2022 6 tweets 2 min read
Just watched a partner onboard a company that specializes in PII/PHI who was recently ransomed.
✅ RDP exposed across their Win11 endpoints
✅ NLA disabled w/o a password complexity policy
✅ Shodan screenshot w/shared domain user

FFS, the world needs quality MSPs🤦‍♀️ Image Didn’t realize I’d get so many DMs over this. Here’s backstory for those interested:

From the data Huntress reviewed, the company was originally “secured” by in-house resources, was compromised, and this incident encouraged them to get the help of a mature IT/Security team. 1/x
Mar 6, 2021 9 tweets 5 min read
It's way too early to tell (especially on a Friday night), but we've got one of our recent webshell victims also pulling down shady PoSh from @digitalocean hosted domains. Image hxxp://p.estonine[.]com/p?e currently resolves to IP 188.166.162.201. Pulls down base64 blob that decodes to the additional downloader. gist.github.com/KyleHanslovan/… Image
Dec 15, 2020 7 tweets 4 min read
LOTS of folks asked me about the sophistication of these attacks, the response actions I expect will happen, and the always fun attribution. This thread will cover those topics. (cue scary political hacker image) Starting w/the #SUNBURST backdoor, the actor's approach to hiding source code in plain sight was simple/classy. They studied Orion's code and naming conventions to make sure even SolarWinds devs would not take immediate notice. OrionImprovementBusinessLayer does not stand out.
Dec 14, 2020 7 tweets 6 min read
Was just shown the SolarWinds.Orion.Core.BusinessLayer.dll is included in n-Central's Probe installer by @KelvinTegelaar. WindowsProbeSetup.exe is signed by the same certificate. However the DLL backdoored with #SUNBURST is not signed and appears to be a 2014 version. #Looking The unsigned SolarWinds.Orion.Core.BusinessLayer.dll binary from my copy of the Windows probe installer had hash B9CE678F9DAF32C526211EDEA88B5EC104538C75FAD13767EA44309E9F81DBFC. No OrionImprovementBusinessLayer class within this version (comparison screens attached).
Dec 14, 2020 6 tweets 4 min read
One of the anomalous #SUNBURST DLLs from October 2019 that Microsoft highlighted can be found in the SolarWinds Coreinstall.msi for 2019.4.5220.20161 - hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20161/CoreInstaller.msi ImageImage Malicious #SUNBURST DLL CE77D116A074DAB7A22A0FD4F2C1AB475F16EEC42E1DED3C0B0AA8211FE858D6 from May 2020 can be found in CoreInstaller.msi for 2020.2.5320.27438 -hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2020.2/2020.2.5320.27438/CoreInstaller.msi ImageImage
Dec 14, 2020 16 tweets 8 min read
Only 1 / 67 antivirus engines list SUNBURST backdoor as malicious - SolarWinds.Orion.Core.BusinessLayer.dll virustotal.com/gui/file/32519… #SUNBURST #UNC2452 Image SolarWinds' digital certificate hasn't been revoked yet. Image
Feb 17, 2019 13 tweets 10 min read
EMOTET ANALYSTS: Everyday, our team sees 5-15 clients networks wrecked by Emotet. Cleanup/response can take 3d - 3mo depending on IT department skills, tools, and telemetry. We’re creating a “synchronized” removal capability and could use additional perspective. 1/x We know the core of lateral movement for Emotet, TrickBot, Qakbot, etc. is abusing of elevated creds/tokens, standard local admin passwords, and MS17-010 for poorly maintained networks. With these, payloads are dropped to remote shares via SMB & started via remote services. 2/x