LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

Happy Wednesday everyone!

I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!

Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.

Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!

Last year was a lot of fun and we received high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!

A BEGINNER'S GUIDE TO THREAT HUNTING: HOW TO SHIFT FOCUS FROM IOCS TO BEHAVIORS AND TTPS
https://www.blackhat.com/us-24/training/schedule/#a-beginners-guide-to-threat-hunting-how-to-shift-focus-from-iocs-to-behaviors-and-ttps-36528

LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

For anyone that ever wanted to get some threat hunting experience, feel free to join us on March 20th for our monthly workshop, this time we will be tackling the MITRE ATT&CK Tactic of Initial Access! Hope to see you there!

https://info.cyborgsecurity.com/en-us/threat-hunting-workshop-10

mttaggart, to windows

Here's a little tip for you folks:

Roundabout PowerShell 6.4.1, the devs decided that System.Diagnostics.Process (the thing you get back from Get-Process) wasn't cuttin' it. They decided to throw folks a bone and enrich the returned data with additional information. In particular, Parent and CommandLine information. Observe the difference between PS 5 and PS 7 when asking for those properties.

"But Taggart, every system in the universe only has PowerShell 5 on it!"

That is true, but what is also true is that PowerShell 7 is portable!

You can drop the portable pwsh directory on a system and run it from within PowerShell 5! So if you want a more powerful interactive shell for incident response, you are merely a copy/paste away.
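As an added example (not code from mttaggart's post), here is one way to get the Parent and CommandLine view the post describes on both Windows PowerShell 5.1 and PowerShell 7 from a single function, plus a small triage filter built on it. On PowerShell 7 it reads the enriched Process properties directly; on 5.1 it falls back to Win32_Process via CIM and joins parents by ProcessId. The portable pwsh path at the end is an assumption.

```powershell
# Added example, not from the original post. Returns one row per process with
# parent and command line, whichever PowerShell version is running.
function Get-ProcessTree {
    if ($PSVersionTable.PSVersion.Major -ge 7) {
        # PowerShell 7: Parent and CommandLine are exposed on the Process object itself.
        Get-Process | ForEach-Object {
            [pscustomobject]@{
                ProcessId   = $_.Id
                Name        = $_.ProcessName
                ParentId    = $_.Parent.Id
                ParentName  = $_.Parent.ProcessName
                CommandLine = $_.CommandLine
            }
        }
    }
    else {
        # Windows PowerShell 5.1: System.Diagnostics.Process lacks these, so join
        # Win32_Process rows to their parents by ProcessId / ParentProcessId.
        $all  = Get-CimInstance -ClassName Win32_Process
        $byId = @{}
        foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
        foreach ($p in $all) {
            $parent     = $byId[[int]$p.ParentProcessId]
            $parentName = $null
            if ($parent) { $parentName = $parent.Name -replace '\.exe$', '' }
            [pscustomobject]@{
                ProcessId   = [int]$p.ProcessId
                Name        = $p.Name -replace '\.exe$', ''   # match PS7's ProcessName (no extension)
                ParentId    = [int]$p.ParentProcessId
                ParentName  = $parentName
                CommandLine = $p.CommandLine                  # $null for processes you cannot open
            }
        }
    }
}

# Triage filter: script hosts whose parent is an Office application, a common
# phishing-to-execution pattern worth a second look during incident response.
function Find-SuspiciousScriptHost {
    $scriptHosts = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'cmd'
    Get-ProcessTree | Where-Object {
        $scriptHosts -contains $_.Name -and
        $_.ParentName -match '^(winword|excel|powerpnt|outlook)$'
    }
}

# Usage: full tree, then only the suspicious rows.
Get-ProcessTree | Sort-Object ParentId, ProcessId | Format-Table -AutoSize
Find-SuspiciousScriptHost | Format-List

# Dropping into a portable pwsh from a 5.1 session, as the post suggests.
# The directory is an assumption; point it at wherever you unpacked pwsh.
# & 'C:\IR\pwsh\pwsh.exe' -NoProfile
```

The CIM fallback deliberately strips `.exe` from Win32_Process names so the same filter works on both branches; the one thing the 5.1 path cannot give you is the live Process object for the parent, only its name and id.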

spamhaus, to community

🎉 🎉 We are thrilled to share that the Threat Intel Community Portal has reached a significant milestone - 1,000,000 submissions!

And we want to say a massive THANK YOU.

In less than four months, we have received 1 million contributions of suspicious IPs, domains, URLs, and emails!

Whether from occasional contributors or organizations sharing large volumes of data via API, the mission is the same: to make the internet a safer place.

And believe us when we say every contribution counts, for it’s the diversity that adds to the strength of the community.

We owe this achievement to all our contributors, so please, take a bow and THANK YOU!

Interested in becoming a contributor?

Find out more here 👉 https://submit.spamhaus.org

LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

Happy Monday all!

The BlackBerry research team reports on a financially motivated threat actor that is targeting banks and cryptocurrency trading entities. The malware seen in these attacks is the RAT (remote access trojan) that contains a suite of capabilities and the targets were organizations that had a large revenue.

Through the analysis, the team was able to identify some PowerShell scripts, the user-agent used by the malware, and the ability to capture input text and screen captures. You can find more technical analysis in this report that I haven't mentioned! Enjoy and Happy Hunting!

LeeArchinal,
@LeeArchinal@ioc.exchange avatar

Notable MITRE ATT&CK TTPs (thanks to the authors!):
TA0001 - Initial Access
T1189 - Drive-by Compromise

TA0002 - Execution
T1204.001 - User Execution: Malicious Link
T1059.001 - Command and Scripting Interpreter: PowerShell

TA0005 - Defense Evasion
T1218.007 - System Binary Proxy Execution: Msiexec
T1480 - Execution Guardrails
T1070.004 - Indicator Removal: File Deletion
T1140 - Deobfuscate/Decode Files or Information

TA0011 - Command and Control
T1105 - Ingress Tool Transfer
T1071.001 - Application Layer Protocol: Web Protocols
T1219 - Remote Access Software

TA0006 - Credential Access
T1056.001 - Input Capture: Keylogging

TA0009 - Collection
T1056.001 - Input Capture: Keylogging
T1113 - Screen Capture

TA0010 - Exfiltration
T1041 - Exfiltration Over C2 Channel

https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat

still, to random

6b404b64437388afb764e749134c483c3ef0a207dffd87fe723c2d84e22249a7
keyplug with abysmal detection rate

eric_capuano, to random

Somebody recently shared YARA Forge with me and I tested the "core" ruleset and it's maybe the most impressive free ruleset I've seen... Extremely low false positives, very high detection rate.

Another great product from @cyb3rops

nnubes256, to infosec

Hello infosec.exchange! Here's an . I am currently a student on starting research on dongles, but sometimes I also do , and for the thrill.

I wanna use this account to talk and ask questions to the wider community. I may also share of ongoing campaigns from time to time. I also have a main account (@Nnubes256) for more general stuff; I'm just moving my presence where the action is :D

funes, to random

Seeing a lot of campaigns lately kicking off with .wsf files. Know what I never see a lot of? Legitimate usage of .wsf files. Worth keeping an eye on.
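An added example (not from funes's post) of turning that observation into a hunt: pull process-creation events from Sysmon (Event ID 1 in Microsoft-Windows-Sysmon/Operational) and report any launch whose command line names a `.wsf` file, with the parent image alongside so the rare legitimate uses can be baselined. It assumes Sysmon is installed with process-creation logging on; the sample command lines at the end are constructed for the demo.

```powershell
# Added example, not from the original post.
# Decides whether one process-creation event is a Windows Script File launch.
function Test-WsfLaunch {
    param([string]$Image, [string]$CommandLine)
    if (-not $CommandLine) { return $false }
    # A .wsf path, quoted or not, anywhere in the argument string. Catches the
    # usual wscript/cscript launch as well as cmd /c or explorer-style starts.
    return [bool]($CommandLine -match '\.wsf("|\s|$)')
}

# Walks Sysmon Event ID 1 for the last N days and emits the .wsf launches.
# For Security 4688 instead, the field names become NewProcessName,
# CommandLine (needs command-line auditing enabled) and ParentProcessName.
function Get-WsfLaunches {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-WsfLaunch -Image $data['Image'] -CommandLine $data['CommandLine']) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $data['User']
                Image       = $data['Image']
                ParentImage = $data['ParentImage']   # who started it: explorer? outlook? winword?
                CommandLine = $data['CommandLine']
            }
        }
    }
}

# Constructed sample command lines (not from any real incident) to show the
# classifier's behaviour; the first two are flagged, the .vbs launch is not.
$samples = @(
    @{ Image = 'C:\Windows\System32\wscript.exe'; CommandLine = '"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\invoice_0423.wsf"' },
    @{ Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c start report.wsf' },
    @{ Image = 'C:\Windows\System32\wscript.exe'; CommandLine = 'wscript.exe C:\Scripts\logon.vbs' }
)
$samples | ForEach-Object {
    [pscustomobject]@{
        CommandLine = $_.CommandLine
        Flagged     = Test-WsfLaunch -Image $_.Image -CommandLine $_.CommandLine
    }
} | Format-Table -AutoSize

# Live hunt over the local Sysmon log:
Get-WsfLaunches | Sort-Object Time | Format-Table -AutoSize
```

Grouping the output by `ParentImage` is the quickest way to separate a scheduled logon script from a user double-clicking an attachment, which is the distinction the post is pointing at.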

LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

Happy Monday!

Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like and seen in the malware.

LeeArchinal,
@LeeArchinal@ioc.exchange avatar

In another example, the ransomware-as-a-service group used this technique when they targeted the Microsoft Windows Malware Protection Engine and abused it by side-loading a DLL that executed the ransomware. Of course, I can't leave you empty-handed, so here is the Community Hunt Package that you can use to hunt for that activity!

Package: Microsoft Malware Protection Engine Abnormal Child Process
Link: https://hunter.cyborgsecurity.io/research/hunt-package/d220e189-4350-41e7-b98e-402c851a5d7b

I hope this helps you get your hunting started or furthers you down the path! Enjoy and Happy Hunting!

rye, to infosec
@rye@ioc.exchange avatar

Hi, Mastodon, I’m a Sr. Security Engineer with more than 15 years of experience building reliable telecommunication infrastructure at global scale.

I’m looking for work in one of these domains.
Cyber Threat Intelligence (CTI)
Detection Engineering
Jr. Software Engineering
Pre-sales engineer (B2B SaaS)

Here’s a sample of a training presentation.

https://www.youtube.com/watch?feature=shared&v=V9MvelMEeHw

cybersheepdog, to Cybersecurity

Created this script to find registered domain permutations, put them in Excel and email results when a new domain is found. Hope it helps someone.

https://github.com/cybersheepdog/DomainHunter

LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

Happy Wednesday everyone!

As we continue down the "Year in Review" from Cisco Talos Intelligence Group we move to the MITRE ATT&CK Technique which is second on their list of the top 20 most commonly seen, T1078, Valid Accounts.

T1078 or Valid Accounts is used when "adversaries obtain and abuse credentials of existing accounts as a means of Initial Access, Persistence, Privilege Escalation, or Defense Evasion." Basically, the adversary is leveraging your own users against you! Of course, the more privileges the account has the better!

This technique also has 4 sub-techniques, which helps defenders get a little more specific with the technical details. These include the abuse of Default Accounts, Domain Accounts, Local Accounts, and Cloud Accounts, all of which have their own little role to play in an adversary's attack!

https://attack.mitre.org/techniques/T1078/

still, to random

ebdf3d3e0867b29e66d8b7570be4e6619c64fae7e1fbd052be387f736c980c8e
undetected Linux rootkit

/home/soft/mm/rootkit/src/inifile.cpp

funes, to infosec

A couple of weeks back we noticed an uptick of incidents from trojanized Advanced IP installers delivered due to . We tied it back to a group who were formerly a affiliate according to Mandiant.

You may remember articles circulating about Bing's AI providing malvertising links. This is from the same campaign.

https://www.connectwise.com/blog/cybersecurity/former-darkside-ransomware-affiliate-distributing-trojanized-installers-via-malvertising

still, to random

it's absolutely fucked up that still has such an abysmal detection rate on VirusTotal lmao

9a906e7382c95faa8a791aac446b605e3313b29a32c81510ba71dc77f1e846d0

still, to random

Interesting tampered Firefox installer; uses BDinit.exe as launcher and log.dll as the downloader

dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c
C2 static.bootcss[.]info/assets/jquery.js

Unique on VT


LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

Happy Friday! I hope the week was kind to you!

The Cisco Talos Intelligence Group researchers discovered a new remote access trojan () that they dubbed "SugarGh0st". The adversary was "targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea".

In one of the attacks, the adversary used a shortcut file with a double extension, which is a technique adversaries use to abuse the default settings of Windows, which is to hide the extensions, so the user may not suspect anything. Some of the capabilities include video and screen capture as well as the ability to clear tracks by deleting event logs. Check out the rest of the technical details and the second infection chain in the article! Enjoy and Happy Hunting!

New SugarGh0st RAT targets Uzbekistan government and South Korea
https://blog.talosintelligence.com/new-sugargh0st-rat/

LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

Happy Thursday everyone!

I can't believe is starting on Monday! That means this is the last week to register for Cyborg Security's Threat Hunter training delivered by me! We will cover some resources that we can use for researching prior to our hunt, we will demonstrate how to extract key artifacts from an intel report and turn those artifacts into something useful, and then we will get into the data to hunt for evidence of malicious adversary behavior! It's going to be a fun time, good discussions, and a great chance to get some hands-on experience hunting and pivoting through an investigation. I can't wait! Until then, Happy Hunting!

Registration ends on December 2nd, so don't miss out! Link below 👇 !
https://www.blackhat.com/eu-23/training/schedule/#beyond-iocs-how-to-effectively-threat-hunt-using-ttps-and-behaviors-virtual-32372

wade, to infosec

One week ago, @cyentiainst and Tidal Cyber published a study that provides a consensus view of the top ATT&CK techniques reported across 22 popular sources.

It's been well-received so far, but I'm sure there are many professionals out there who don't know about it yet and would benefit from it to build a more threat-informed defense. If you find this research valuable, please share it with your networks - thanks!

Download the report below (no registration required) and watch a replay of the webinar we hosted to launch it. #incidentresponse

https://www.cyentia.com/multi-source-analysis-of-top-mitre-attck-techniques/

LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange avatar

Happy Wednesday everyone!

As planned (but a little later than I would have wanted) comes Part 2 of my posts related to the Palo Alto Networks Unit 42 article on . In my first installment, I covered the TTPs and behaviors of the APT that were presented by the team and in this post I am going to cover the TTPs and behaviors observed by the first wiper they discussed, the . Enjoy and Happy Hunting!

Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors
https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/#post-131008-_gpm29t634ood

Cyborg Security's Community Edition Hunt Package to get you started!
Wevtutil Cleared Log
https://hunter.cyborgsecurity.io/research/hunt-package/7ceada06-54e2-4b44-9dca-b4e8d4ba401d

simontsui, to random

CISA, FBI, and MS-ISAC release a joint cybersecurity advisory: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.
Link: https://www.cisa.gov/news-events/alerts/2023/11/15/cisa-fbi-and-ms-isac-release-advisory-rhysida-ransomware

simontsui,

Fortinet also provided an extensive analysis of the Rhysida Ransomware Group. The Rhysida group was first identified in May 2023, when they claimed their first victim. This group deploys a ransomware variant known as Rhysida and also offers it as Ransomware-as-a-Service (RaaS). The group has listed around 50 victims so far in 2023. In a 17-page report, Fortinet described Rhysida's TTPs, threat hunting queries, IOCs and MITRE ATT&CK mapping.
Link: https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware
