Introducing entropyscan-rs, a #RustLang entropy scanner for analyzing files and directories during incident response. Used carefully, this can quickly identify likely malware when not all stages of an attack have been discovered, such as during a web server compromise without adequate logging. Enjoy!
I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!
Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.
Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!
Last year was a lot of fun and we receive high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!
For anyone that ever wanted to get some threat hunting experience, feel free to join us on March 20th for our monthly workshop, this time we will be tackling the MITRE ATT&CK Tactic of Initial Access! Hope to see you there!
We had a customer shift their assessment date out 2 months, so our march is available if there's anyone out there who needs assessment/architecture/engineering/redteam/bluteam work on short notice
Just because you are in the midst of a pen test // red team exercise doesn’t mean the malicious behavior belongs to the red team. Physical penetration attempts, phishes, and other means of entry are still being used by adversaries while testing is occurring. The real adversaries don’t care about your calendar. #infosec #blueteam
The BlackBerry research team reports on a financially motivated threat actor that is targeting banks and cryptocurrency trading entities. The malware seen in these attacks is the #AllaKore RAT (remote access trojan) that contains a suite of capabilities and the targets were organizations that had a large revenue.
Through the analysis, the team was able to identify some PowerShell scripts, the user-agent used by the malware, and the ability to capture input text and screen captures. You can find more technical analysis in this report that I haven't mentioned! Enjoy and Happy Hunting!
Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like #ScatteredSpider and seen in the #Stuxnet malware.
IN another example, the #REvil ransomware-as-a-service group used this technique when they targeted the Microsoft Windows Malware Protection Engine and abused it by side-loading a DLL that executed the ransomware. Of course, I can't leave you empty handed, so here is the Community Hunt Package that you can use to hunt for that activity!
🔒 Delve into the gripping tales of true cybersecurity challenges in the InfoSec Diaries – where real-world incidents, investigations, and penetrating test discoveries come to life.
📘 Discover these compelling stories, now available in Paperback, Kindle, and Audiobook formats.
we're running a half-off promo through January at Phobos Group for our RTG services! (the 1hr and 2hr offerings)
If you need an hour or two consult for redteam or blueteam related work, or could find a second set of eyes helpful in the short term, we're here to help!
As we continue down the "Year in Review" from Cisco Talos Intelligence Group we move to the MITRE ATT&CK Technique, which is second on their list of top 20 most common seen, T1078, Valid Accounts.
T1078 or Valid Accounts is used when "adversaries obtain and abuse credentials of existing accounts as a means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion." Basically, the adversary is leveraging your own users against you! Of course, the more privileges the account has the better!
This technique also has 4 sub-techniques, which helps defenders get a little more specific with the technical details. These include the abuse of Default Accounts, Domain Accounts, Local Accounts, and Cloud accounts, all of which have their own little role to play in an adversaries attack!
MITRE just published the Sensor Mappings to ATT&CK Project (SMAP). SMAP builds on MITRE ATT&CK Data Sources by connecting the conceptual data source representations of information that can be collected to concrete logs, sensors, and other security capabilities that provide that type of data. #MITRE#ThreatIntel#BlueTeam
As LLM’s take over the world, a reminder that you can still buy hand crafted, small batch collections of words.
Stand out from the crowd this holiday season with a Mike Sheward InfoSec book - written the old fashioned way - by hand, and fueled by an undying rage that can only exsist in someone who uses JIRA.
Available wherever you buy books and also Walmart.
The Blue Team is charged with defending an organization against an array of technical security threats.
The Blue Team Diaries allow the reader to ride along with the Blue Team at Syntatic, a Seattle-based cloud company, who are charged with keeping millions of customer records safe.
Based on the author's real-world experiences, the diaries tell fictionalised versions of responding to actual security incidents. A must-read for anyone interested in computer security or the incident response field.