Christopher Glyer
Microsoft Threat Intelligence Center - Former Incident Responder @Mandiant & Chief Security Architect @FireEye

Oct 3, 2018, 5 tweets

First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit

It's not often that you see ACI Shims used for persistence

#FireEyeSummit

How do you hunt for ACI Shim persistence? Multiple different techniques - but the Windows Program-Telemetry logs are a great place to look

#FireEyeSummit
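One way to hunt for shim persistence from the Program-Telemetry log mentioned above, as an added example (my code, not from the thread or the Mandiant case). It assumes the channel name, Event ID 500 as the "compatibility fix applied" event, and the AppCompatFlags registry layout noted in the comments:

```powershell
# Added hunting example, not from the thread. Assumptions: the Program-Telemetry channel records
# Event ID 500 ("Compatibility fix applied to ...") whenever a shim is applied, and sdbinst-registered
# custom databases are listed under AppCompatFlags\InstalledSDB (values DatabasePath,
# DatabaseDescription, DatabaseInstallTimeStamp).
$Channel = 'Microsoft-Windows-Application-Experience/Program-Telemetry'
$SdbRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# Fix names that give code execution or redirection in the shimmed process (constructed watch-list)
$SuspiciousFixes = @('InjectDll', 'RedirectEXE', 'RedirectShortcut')

function Get-ShimAppliedEvents {
    # Returns every "fix applied" event since $Since, flagging risky fix names in the message text
    param([datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 500; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Computer   = $_.MachineName
                Suspicious = [bool]($SuspiciousFixes | Where-Object { $msg -match $_ })
                Message    = ($msg -replace '\s+', ' ')
            }
        }
}

function Get-InstalledCustomSdb {
    # Lists custom shim databases registered with sdbinst; on a clean host this is usually empty
    Get-ChildItem "$SdbRoot\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid         = $_.PSChildName
            DatabasePath = $p.DatabasePath
            Description  = $p.DatabaseDescription
            Installed    = if ($p.DatabaseInstallTimeStamp) { [datetime]::FromFileTime($p.DatabaseInstallTimeStamp) } else { $null }
        }
    }
}

# Triage: installed custom SDBs, then risky fix applications, most recent first
Get-InstalledCustomSdb | Format-Table -AutoSize
Get-ShimAppliedEvents | Where-Object Suspicious | Sort-Object Time -Descending |
    Format-Table Time, Computer, Message -Wrap
```

Any DatabasePath outside the Windows AppPatch directory, or a fix applied to a process you did not expect to be shimmed, is worth pulling the SDB and the timeline for.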

Ever heard of a Microsoft Exchange transport agent? Neither had I prior to this case

Actor monitored email for list of accounts & stored encrypted copy on disk

My favorite part is you can get remote command execution by emailing a specific account w/ a command

#FireEyeSummit

Unique things about "Platinum"
ACI Shim persistence
WMI persistence (back in 2010)
Port knocking
AMT Serial Over LAN for C2
Bootkits
Exchange transport agent
Undetected for 9 years
Actor learned @Mandiant was engaged & stopped ops 2 days prior to investigation

#FireEyeSummit
