Microsoft DDE Exploit Email

Microsoft DDE Exploit Arriving in Email Accounts

Keya Horiuchi

A new Dynamic Data Exchange (DDE) exploit recently began arriving in email boxes to unsuspecting user endpoints. It masquerades as an attached invoice and leverages a Microsoft internal usability feature that allows one application to share data with another; for example, data from an Excel spreadsheet can be shared with a Word document. The weaponized DDE functionality in an attached …

Threat Detection

Lateral Movement Using WinRM and WMI

Tony Lambert

Many organizations invest millions of dollars to bolster their systems and prevent attackers from gaining entry. Much less attention is given to the concept of lateral movement within an organization. Yet we’ve seen time and time again that once an adversary breaks through the crunchy outer layer of the network, the gooey center quickly becomes trivial to move about. Stopping …

right-to-left-override unicode attacks

“semaG dna nuF” with Right-to-Left Override Unicode Characters

Red Canary

Our Security Operations team loves to share insights on TTPs when we see them in the wild. Today we’re focusing on an oldie but a goodie: right-to-left override attacks. First, a refresher on right-to-left override (RLO) characters. Unicode contains several characters designed to allow right-to-left (RTL) characters to be inserted inside text that is normally left-to-right. One …

Alternate Data Streams

Using Alternate Data Streams to Bypass User Account Controls

Keshia LeVan

There are some pretty cool PowerShell frameworks out there, which means it’s relatively common to see PowerShell doing nefarious things. So when the below alert fired, it was not immediately obvious that it was anything other than normal PowerShell encoding: Digging a little deeper, however, I found that the pattern of behavior was nearly identical to what happens when you …

Detecting Ransomware

Detecting Ransomware: Behind the Scenes of an Attack

Julie Brown

Ransomware has been the threat of the year. If you’ve had even a lazy eye on current events in information security, you’ve heard about the WannaCry infection that recently took out endpoints for hundreds of companies. By now you’ve (hopefully) patched all of your vulnerable Windows systems—but don’t relax just yet! There are still plenty of active ransomware campaigns, like …

Improving Threat Detection

Improve Your Threat Detection: Inspect All of the New Everythings

Keith McCammon, Chief Security Officer

When asked to describe the potential threats that Red Canary detects and confirms, we tend to frame the discussion around several big buckets: Bad things – the most obvious: malware and unwanted software, primarily. Good things gone bad – legitimate applications and services leveraged by a malicious actor... think PowerShell, WMIC, MSHTA, etc. Unusual things – why does your CEO …

Threat Investigation

Shutting Down a Hands-on Keyboard Attack: Two Joes vs One Threat Actor

Suzanne Moore

It was a Friday afternoon when the alert came in. One of Red Canary’s customers had experienced a breach. The compromise occurred on an unsecured endpoint—an isolation development box that was used for testing. The customer had deployed Red Canary Managed Endpoint Detection & Response (MEDR) across its most critical endpoints: domain controllers, front-facing web server, executive endpoints, databases, and …