My new blog is XINTRA.ORG/BLOG

Stealing access tokens to gain access to a user’s account in Azure is a technique that’s been actively used by threat groups over the past few years. I’ve observed this technique in several engagements across the past few years from Chinese APT groups. Generally, this is done through a spear phishing / phishing email with a link that requires a user to grant access to a malicious application through OAuth’s authorization code flow. This enables the attacker-controlled application to access the user’s data. I’ve broken the blog into two components: Attack overview Detection methodology ATTACK OVERVIEW The attacker will register a malicious application and generate a phishing link in an email that takes a user to a page that looks like the image below. This will generally show information including the app name (in this instance it’s listed as “evilapp”) – whether the app is verified / unverified and then the option to accept or not.  Just a side note: in almost every instance, the t...

  Threat actors can modify the timestamps on malicious files to evade detection.  This technique has been used time and time again across various APT and opportunistic threat groups. How do you detect this when auditd, bash history and EDR does not exist? I notice basically all writeups on timestomping detection on Linux focus solely on looking at command-line usage of "touch". I'm here to offer you a different method. I will cover TWO techniques to perform timestomping and offer a different method of detection that doesn’t rely on auditd, command line logging or EDR. Why should you care? Because inexperienced analysts may notice a specific malicious file being created outside of an attack window and consider that the compromise timeframe may be even earlier than what it is. Further, the analyst may completely disregard a file as an attacker-based tool if it is completely outside of the timeframe. I’m here to help :)  This blog is structured in four sections: Timestomping...