Reading through some #xv analysis, I’m now curious whether anyone has tested a modified version to see if any endpoint security tools would have caught this. This could have been incredibly damaging and it seems like some of those tricks should have raised behavioral red flags.
Looking through various #EDR tools, I see mostly no mention except for two confirmations that it wouldn't have been blocked by their products until post-disclosure rules were added.
Local #DNS zones take first priority in #ActiveDirectory. Make sure your #EDR doesn't depend entirely on name resolution... (thanks to Jim Sykora and Jake Hildreth for the great talk!) #WWHF @WWHackinFest
Nice write-up by Microsoft security researchers about new campaign where attackers attempted to move laterally to a cloud environment through a SQL Server instance.
Attackers are now attempting to move laterally into cloud environments via SQL Server instances—a method previously seen in VMs and Kubernetes clusters but not in SQL Server.
In light of all the news about qakbot being dismantled, it’s time to let people know about something we did at @huntress: @JohnHammond discusses the qakbot “vaccine” we used to prevent the spread of qakbot in our customer base:
#EDR system with #SOAR capability and automated response across a vendor-agnostic structure; shares threat info with all other clients, can quarantine any suspected client on the endpoint as well as any L2 device, while opening a help desk ticket for review.
Marketing: That's XDR!
EDR client that can send a simple block IP command to a firewall
Hey there. @threatresearch here again, taking over the X-Ops Mastodon to talk about some research we posted this week.
We stumbled upon a malicious tool earlier this year, while our EDR and incident response teams were called in to perform postmortem investigations of ransomware attacks.
While reviewing logs, we found that the threat actors had used a custom-designed #malware we're calling #AuKill as a way to terminate the #EDR agent and endpoint security software the target had installed.
A post by Reino about how leaving BitLocker in the “Suspended” state will let you recover the keys for decryption, after which the laptop can be virtualised and messed with without the SOC knowing about it, even when they’re watching closely.