Detection for Microsoft Recommended Driver Block List
github.com/Cyb3r-Monk/T...
#ThreatHunting #DetectionEngineering
#DFIR Thought of the day: Open Source tools are evolving and are incredibly valuable in investigations
OS tools are often developed to fill gaps in commercial tools. One is the LEAPP project by @abrignoni.com. Incredible new functionality with LAVA LEAPPs.org
11 days. That's how long I survived #whamageddon this year... it was a good run.
11.12.2024 22:07
jewishatlanta[.]org showing a "verify you are human" notification with a box to check/click on.
If you click the checkbox, your copy/paste cache will have the malicious PowerShell script for you to paste in a Run window.
The copy/paste PowerShell script that downloads and runs more malicious script hosted on gardenworksproject[.]org.
Traffic from an infection filtered in Wireshark.
2024-12-06 (Friday): jewishatlanta[.]org compromised and showing a #ClickFix style notification to copy/paste PowerShell script. The resulting #malware infection uses the #BOINC project with some (not all) of the same indicators as noted in July 2024 at www.huntress.com/blog/fake-br... and elsewhere
07.12.2024 08:30
Soo... A little bit of awareness is probably a good idea :p
We can delete MDI sensors from the Defender portal and do so in bulk via the internal API
It might be a good idea to set up a detection for this:
CloudAppEvents
| where ActionType == "SensorDeleted"
Screenshot of the email showing a TAR archive as an email attachment.
The TAR archive and its content, a Windows EXE file for AgentTesla
An update to the Windows registry showing the malware persistent on an infected Windows host.
Traffic from an infection filtered in Wireshark to show the FTP data exfiltration traffic.
2024-12-04 (Wednesday): #AgentTesla variant using #FTP for data exfiltration. A sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated malware samples, and a list of indicators are available at www.malware-traffic-analysis.net/2024/12/04/i...
05.12.2024 01:14
Hey hey, a No Starch Bundle that supports the ACLU and the EFF. You know what to do.
www.humblebundle.com...
DownDetector has published a summary of the largest IT outages of the year. Believe it or not, CrowdStrike is not on top.
www.ookla.com/articles/lar...
Our SIEGECAST: "Be Your Enemy", dives into actionable strategies that take your Blue Team operations to the next level.
Dive in: redsiege.com/be-your-enemy
Video breakdown Included.
Which of these tactics are you already using?
#hacking #Infosec #cybersecurity
Security researcher OSINT Matter has released RequestShield, an open-source tool to analyze HTTP access.logs and identify suspicious HTTP requests and potential security threats
github.com/osintmatter/...
Time's Running Out!
Take your DFIR skills to the next level with 35% OFF all our DFIR Labs!
Hurry, this deal ends 11/30 at 0500 UTC!
store.thedfirreport.com/collections/...
Don't miss out! All of my Applied Network Defense courses are now 25% off until December 3rd at midnight ET. Use the code MAKEMOREBISCUITS to claim your discount. It's our only sale like this all year!
29.11.2024 14:04
Censys has released Censeye, a tool to identify hosts with characteristics similar to a given target
github.com/Censys-Resea...
#DFIR Tool update
I've updated parseUSBs (again!):
- Now supports mounted #KAPE images
- Improved deduplication of events within secs of each other
- Added extraction of partition style (MBR/GPT) & Filesystem
- Parses alternate S/Ns
- Parses WPDBUSENUM key
github.com/khyrenz/pars...
Screenshot of malicious spam (malspam) with malware file attachment.
Traffic from the XLoader (Formbook) infection filtered in Wireshark.
2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...
Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...
Also runs in my lab just fine
www.zscaler.com/blogs/securi.... This is very interesting :) Nice work Nik!
20.11.2024 02:30
Since I'm trying out #Bluesky, I figured I should add in support for it in Unfurl!
The v2024.11.20 release has some minor updates, but the biggest feature is the ability to parse a timestamp from Bluesky post IDs (or atproto TIDs).
Example: dfir.blog/unfurl/?url=...
Give it a try at unfurl.link!
Here is a starter pack of SANS Instructors for all kinds of good infosec stuff.
I'm still collecting more names and will update this list as updated as possible.
go.bsky.app/Q7Sh3W1
Hi everyone! What is this BlueSky thing all about? I still think 300 characters is way too much for ppl, but I will give the benefit of the doubt. What are you folks up to?
23.11.2024 01:42