Introducing entropyscan-rs, a #RustLang entropy scanner for analyzing files and directories during incident response. Used carefully, this can quickly identify likely malware when not all stages of an attack have been discovered, such as during a web server compromise without adequate logging. Enjoy!
I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!
Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.
Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!
Last year was a lot of fun and we receive high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!
For anyone that ever wanted to get some threat hunting experience, feel free to join us on March 20th for our monthly workshop, this time we will be tackling the MITRE ATT&CK Tactic of Initial Access! Hope to see you there!
We had a customer shift their assessment date out 2 months, so our march is available if there's anyone out there who needs assessment/architecture/engineering/redteam/bluteam work on short notice
Just because you are in the midst of a pen test // red team exercise doesn’t mean the malicious behavior belongs to the red team. Physical penetration attempts, phishes, and other means of entry are still being used by adversaries while testing is occurring. The real adversaries don’t care about your calendar. #infosec #blueteam
The BlackBerry research team reports on a financially motivated threat actor that is targeting banks and cryptocurrency trading entities. The malware seen in these attacks is the #AllaKore RAT (remote access trojan) that contains a suite of capabilities and the targets were organizations that had a large revenue.
Through the analysis, the team was able to identify some PowerShell scripts, the user-agent used by the malware, and the ability to capture input text and screen captures. You can find more technical analysis in this report that I haven't mentioned! Enjoy and Happy Hunting!
Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like #ScatteredSpider and seen in the #Stuxnet malware.
🔒 Delve into the gripping tales of true cybersecurity challenges in the InfoSec Diaries – where real-world incidents, investigations, and penetrating test discoveries come to life.
📘 Discover these compelling stories, now available in Paperback, Kindle, and Audiobook formats.
we're running a half-off promo through January at Phobos Group for our RTG services! (the 1hr and 2hr offerings)
If you need an hour or two consult for redteam or blueteam related work, or could find a second set of eyes helpful in the short term, we're here to help!
As we continue down the "Year in Review" from Cisco Talos Intelligence Group we move to the MITRE ATT&CK Technique, which is second on their list of top 20 most common seen, T1078, Valid Accounts.
T1078 or Valid Accounts is used when "adversaries obtain and abuse credentials of existing accounts as a means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion." Basically, the adversary is leveraging your own users against you! Of course, the more privileges the account has the better!
This technique also has 4 sub-techniques, which helps defenders get a little more specific with the technical details. These include the abuse of Default Accounts, Domain Accounts, Local Accounts, and Cloud accounts, all of which have their own little role to play in an adversaries attack!
MITRE just published the Sensor Mappings to ATT&CK Project (SMAP). SMAP builds on MITRE ATT&CK Data Sources by connecting the conceptual data source representations of information that can be collected to concrete logs, sensors, and other security capabilities that provide that type of data. #MITRE#ThreatIntel#BlueTeam
As LLM’s take over the world, a reminder that you can still buy hand crafted, small batch collections of words.
Stand out from the crowd this holiday season with a Mike Sheward InfoSec book - written the old fashioned way - by hand, and fueled by an undying rage that can only exsist in someone who uses JIRA.
Available wherever you buy books and also Walmart.
The Cisco Talos Intelligence Group researchers discovered a new remote access trojan (#RAT) that they dubbed "SugarGh0st". The adversary was "targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korean".
In one of the attacks, the adversary used a shortcut file with a double extension, which is a technique adversaries use to abuse the default settings of Windows, which is to hide the extensions, so the user may not suspect anything. Some of the capabilities include video and screen capture as well as the ability to clear tracks by deleting event logs. Check out the rest of the technical details and the second infection chain in the article! Enjoy and Happy Hunting!
I can't believe #BlackHatEurope is starting on Monday! That means this is the last week to register for Cyborg Security's Threat Hunter training delivered by me! We will cover some resources that we can use for researching prior to our hunt, we will demonstrate how to extract key artifacts from an intel report and turn those artifacts into something useful, and then we will get into the data to hunt for evidence of malicious adversary behavior! It's going to be a fun time, good discussions, and a great chance to get some hands on experience hunting and pivoting through an investigation. I can't wait! Until then, Happy Hunting!
Fake job scams are through the roof at the moment, for obvious reasons.
Not only do they suck because they are generally a terrible way to scam people who are having an especially hard time, but they also place employees of the impersonated companies at risk.
The Blue Team Diaries story, Recruit - is a tale about the impact of such a scam, based on real world events of course. You can find it on Kindle (Unlimted members download for free) and Audible. It's also part of the Blue Team Diaries paperback, which you can find at most places books are sold.
As planned (but a little later than I would have wanted) comes Part 2 of my posts related to the Palo Alto Networks Unit 42 article on #AgonizingSerpens. In my first installment, I covered the TTPs and behaviors of the APT that were presented by the team and in this post I am going to cover the TTPs and behaviors observed by the first wiper they discussed, the #MultiLayerWiper. Enjoy and Happy Hunting!