malmoeb.bsky.social (@malmoeb.bsky.social)

Head of Investigations at InfoGuard AG - dfir.ch

Joined: 05.02.2024

Latest posts by malmoeb.bsky.social on Bluesky

References:

[1] www.rapid7.com/blog/post/pt...
[2] dfir.ch/posts/publis...

13.01.2026 17:47

In the Metasploit Wrap-Up from last week, a new Python Site-Specific Hook Persistence module was released. [1]

I wrote a detailed blog about this persistence, which I think is pretty cool. [2] If you have never heard of this technique, you might want to read up on it.

13.01.2026 17:47

Link preview: Lost in the Fog: A New Ransomware Threat (Arctic Wolf). Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.

References:

arcticwolf.com/resources/bl...
thedfirreport.com/2024/12/02/t...

09.01.2026 09:45

The observed hostname that conducted the brute-force was "packerp-qdo4b3v" - packerp-* was also mentioned on other blogs, see reference section below. Yet another use case for monitoring hostnames roaming around in the network 🤓 - and invest some time in the new year to get rid of your shadow IT. ☝

09.01.2026 09:45

"We've now located the network. It was an SSL VPN network that was apparently still active on the FortiGate for several users. The VPN function has now been deactivated."

Oh well..

09.01.2026 09:45

To quote my teammate Evgen Blohm (@ChaplinSec): "Shadow IT at its best."

He responded to an intrusion involving (successful) brute-force attempts from an unknown IP range. Yup, not just an unknown IP address or device, from an unknown IP range (Yikes). The customer later informed us:

09.01.2026 09:45

Link preview: Trial, Error, and Typos: Why Some Malware Attacks Aren't as 'Sophisticated' as You Think (Huntress). Think all threat actors are pros? This post reveals how 'unsophisticated' malware and attacker errors help defenders stop attacks before damage is done.

Yes, we respond to APTs, but many attackers (especially ransomware groups) are not what I would call "sophisticated".

Reference:
www.huntress.com/blog/trial-e...

31.12.2025 08:13

It's simple alerts that could save your day, like the one that shows "kali" on your network (and no, this was not a pentest).

I loved the latest blog post from Huntress, "Why Some Malware Attacks Aren't as 'Sophisticated' as You Think", which reflects what we see in our daily incident response work.

31.12.2025 08:13

Successful logon (type: Network) for account 'svc_ldap_sso' from 'kali' (10.10.10.180)

As I've preached so many times before, analyzing the hostnames roaming your network could be a great canary!

31.12.2025 08:13

I consider such AV alerts critical because a) somebody is trying to dump LSASS, and b) service accounts should not have a dual purpose, especially not used for daily operations.

When we checked the security logs for that server:

31.12.2025 08:13

See the username? My first impulse is that this username (svc_ldap_sso) should never run anything on a server, and definitely not execute malicious commands (procdump per se is not malicious, but this combination is likely not legit).

31.12.2025 08:13

1117 HackTool:Win32/DumpLsass.A Tool Remove No additional actions required CmdLine:_C:\Users\svc_ldap_sso\Desktop\procdump64.exe -accepteula -ma lsass.exe C:\programdata\over.png

31.12.2025 08:13

My teammate Asger Deleuran Strunk worked on a case where the TA tried to dump LSASS with procdump on a server, resulting in Defender blocking the attempt:

31.12.2025 08:13
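Two threads above make the same point: the packerp-* hostname behind the brute force in the 9 January thread, and the "kali" hostname plus the svc_ldap_sso logon in the thread that ends here. Watch the workstation names in your logon events, and treat a service account doing anything a human does as an alert. The script below is added here as an example and is not code from the original posts; it runs that logic over constructed 4624-style records. The naming convention (WS-/SRV- prefixes), the canary patterns, and the svc_ prefix for service accounts are assumptions, so swap in your own baseline.

```python
"""Hunt logon events for canary hostnames and misused service accounts.

Added example; not code from the original posts. The baseline naming
convention, the canary patterns and the svc_ prefix are assumptions.
"""
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample records, shaped like the fields a SIEM extracts from
# Windows Security event 4624 (successful logon). Not real telemetry.
SAMPLE_EVENTS = [
    {"account": "j.doe",         "workstation": "WS-FIN-042",      "ip": "10.10.20.15",  "logon_type": 3},
    {"account": "svc_ldap_sso",  "workstation": "kali",            "ip": "10.10.10.180", "logon_type": 3},
    {"account": "svc_backup",    "workstation": "SRV-BKP-01",      "ip": "10.10.30.5",   "logon_type": 5},
    {"account": "administrator", "workstation": "packerp-qdo4b3v", "ip": "192.0.2.77",   "logon_type": 10},
    {"account": "svc_ldap_sso",  "workstation": "SRV-APP-07",      "ip": "10.10.30.9",   "logon_type": 2},
]

# Assumed corporate naming convention: WS-<dept>-<nnn> for clients and
# SRV-<role>-<nn> for servers. Anything else is shadow IT until proven otherwise.
BASELINE_HOSTNAME_RE = re.compile(r"^(WS|SRV)-[A-Z]{3}-\d{2,3}$")

# Workstation names that should never show up inside a corporate network:
# pentest distro defaults plus the packerp-* name from the case above.
# Matched case-insensitively as shell-style globs.
CANARY_PATTERNS = ["kali", "kali-*", "parrot", "packerp-*"]

# Logon types that imply a person at a keyboard: Interactive (2),
# Unlock (7) and RemoteInteractive/RDP (10). A service account is expected
# to produce only Service (5) or Network (3) logons.
HUMAN_LOGON_TYPES = {2, 7, 10}
SERVICE_ACCOUNT_PREFIX = "svc_"  # assumed naming convention


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    workstation: str
    ip: str
    logon_type: int


def hostname_is_canary(name: str) -> bool:
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in CANARY_PATTERNS)


def hostname_off_baseline(name: str) -> bool:
    return BASELINE_HOSTNAME_RE.match(name) is None


def service_account_misused(event: dict) -> bool:
    account = event["account"].lower()
    return account.startswith(SERVICE_ACCOUNT_PREFIX) and event["logon_type"] in HUMAN_LOGON_TYPES


def hunt(events) -> list:
    """Return one Finding per rule hit; one event can trigger more than one rule."""
    findings = []
    for ev in events:
        args = (ev["account"], ev["workstation"], ev["ip"], ev["logon_type"])
        if hostname_is_canary(ev["workstation"]):
            findings.append(Finding("canary_hostname", *args))
        elif hostname_off_baseline(ev["workstation"]):
            findings.append(Finding("unknown_hostname", *args))
        if service_account_misused(ev):
            findings.append(Finding("service_account_interactive_logon", *args))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] account={f.account} workstation={f.workstation} ip={f.ip} type={f.logon_type}")
```

Feed it the account, workstation, source IP and logon type fields your SIEM extracts from event 4624. The canary list is cheap to keep because its hits are rare and almost never benign; the baseline check is what surfaces the unmanaged hosts the shadow IT thread is about, and the service-account rule is the one that would have fired on the procdump case before the AV did.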
Link preview: candera/hobocopy @ GitHub

I think the "causality and actor pair were seen on 0 hosts and 0 unique days in the last 30 days" is pretty cool, and one should definitely pay attention to such alerts.

[1] candera.github.io/hobocopy/

30.12.2025 08:55

Hobocopy is over 15 years old (😲), but it is still used by attackers today, maybe because vendors do not flag it as much as other backup tools (read: rclone, for example) used by ransomware groups.

30.12.2025 08:55

Hobocopy?

"Hobocopy is a free, open-source backup tool for Windows. It can copy files that are locked, so you can do things like back up your Outlook .pst files without closing Outlook." [1]

30.12.2025 08:55

This causality and actor pair were seen on 0 hosts and 0 unique days in the last 30 days.

The sensitive shadow copy path: \Device\HarddiskVolumeShadowCopy93\Windows\System32\config\SAM
****

30.12.2025 08:55

This was an interesting alert, raised by an EDR:

****
Uncommon creation or access operation of sensitive shadow copy by a high-risk process

The process HoboCopy.exe created or accessed a sensitive Shadow Copy volume path.

30.12.2025 08:55

Link preview: How to recognise a genuine password request (eclecticlight.co). Authentication dialogs for Macs with and without support for Touch ID, in recent versions of macOS including Tahoe, and how to tell whether a request in Terminal is genuine.

One of your key defences against that is to know when a password request is genuine, and when it's bogus." [1]

If you are like me, don't worry no more. Read the article, and be maybe a bit safer out there :)

[1] eclecticlight.co/2025/12/18/h...

28.12.2025 09:18

"One of the primary aims of most malware is to trick you into giving it your password. Armed with that, there's little to stop it gathering up your secrets and sending them off to your attacker's servers.

28.12.2025 09:18

I recently thought about the different pop-ups I receive every day on my Mac, AND how malware does the same to trick people into entering their password, and I wondered if I could tell a legitimate prompt from a malicious one. I found a good article depicting exactly this topic:

28.12.2025 09:18

19 years later - still alive and kicking 😂 Cheers to that!

[1] x.com/malmoeb/stat...
[2] vx-underground.org/Malware%20An...

27.12.2025 08:13

What's funny (not funny) is that I browsed the Malware Analysis section of VX Underground yesterday, and in 2006 (when this section started), there were only two papers about Malware families uploaded in that year. One of them was Neshta! [2]

27.12.2025 08:13

As last time, the TA brought infected files into the compromised network, helping spread the infection. The file and registry paths have not changed in our case and are still the same as in my old X post.

27.12.2025 08:13

Link preview: System Audit Policy recommendations (learn.microsoft.com). This article provides guidance on Windows audit policy settings, baseline recommendations, and advanced options for both workstations and Windows servers.

[1] learn.microsoft.com/en-us/window...

26.12.2025 13:48
Post image

The company, for whatever reason, turned off logging for Logons, as a quick check with auditpol revealed (see image). However, "Logon and Logoff" auditing is enabled by default. [1]

You might want to consider checking your audit policy settings before writing yet another playbook 🤓

26.12.2025 13:48

We were investigating yet another compromised network, where we were at first puzzled by the missing logon records inside the Security event logs. Log clearing, anti-forensics?

It turned out to be something simpler.

26.12.2025 13:48

Companies frequently approach us to discuss their security posture, playbooks, architecture, etc., but I wonder how many of them also regularly check basic configuration settings? An example from a recent case:

26.12.2025 13:48
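One way to do the "basic configuration" check the thread above asks for, added here as an example and not code from the original posts: export the effective audit policy with auditpol in CSV form and compare it against what a responder needs. The sample rows are constructed to look like that export, with Logon auditing switched off as in the case described; the REQUIRED table is an assumed minimal set, not Microsoft's full baseline from reference [1].

```python
"""Compare an auditpol CSV export against the subcategories a responder needs.

Added example; not code from the original posts. SAMPLE_AUDITPOL_CSV is
constructed to look like `auditpol /get /category:* /r` output, and REQUIRED
is an assumed minimal set rather than Microsoft's full baseline.
"""
import csv
import io

# Constructed sample export from a host where someone turned Logon auditing off.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV-APP-07,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},No Auditing,
SRV-APP-07,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,
SRV-APP-07,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,
SRV-APP-07,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
SRV-APP-07,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,
"""

# Assumed minimal expectations: subcategory -> outcomes that must be audited.
REQUIRED = {
    "Logon": {"Success", "Failure"},
    "Logoff": {"Success"},
    "Special Logon": {"Success"},
    "Account Lockout": {"Success", "Failure"},
    "Process Creation": {"Success"},
    "Credential Validation": {"Success", "Failure"},
}


def parse_inclusion(setting: str) -> set:
    """Map auditpol's text ('No Auditing', 'Success', 'Failure',
    'Success and Failure') to the set of audited outcomes."""
    s = setting.strip()
    if not s or s == "No Auditing":
        return set()
    return {part.strip() for part in s.split(" and ")}


def parse_auditpol_csv(text: str) -> dict:
    """Return {subcategory: set_of_audited_outcomes} from /r (CSV) output.
    A leading BOM is stripped; DictReader skips blank lines on its own."""
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    policy = {}
    for row in reader:
        name = row.get("Subcategory")
        if name:
            policy[name.strip()] = parse_inclusion(row.get("Inclusion Setting") or "")
    return policy


def find_gaps(text: str, required: dict = REQUIRED) -> list:
    """List (subcategory, audited_outcomes, required_outcomes) for every
    expectation the export does not meet. A subcategory absent from the
    export is reported with audited_outcomes=None so it is not silently skipped."""
    policy = parse_auditpol_csv(text)
    gaps = []
    for name, needed in required.items():
        have = policy.get(name)
        if have is None:
            gaps.append((name, None, sorted(needed)))
        elif not needed <= have:
            gaps.append((name, sorted(have), sorted(needed)))
    return gaps


if __name__ == "__main__":
    for name, have, need in find_gaps(SAMPLE_AUDITPOL_CSV):
        print(f"{name}: audited={have if have is not None else 'not reported'} required={need}")
```

On a host, run `auditpol /get /category:* /r` from an elevated prompt and pass the output to find_gaps(). Two caveats: subcategory names are localized on non-English Windows, so the REQUIRED keys need translating there; and if Advanced Audit Policy is managed by GPO, what auditpol shows is the effective result, so the fix belongs in the GPO rather than on the box.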

So, this means that every time the Scheduled Task runs, the Python interpreter is executed, effectively loading the malicious Python file named b5yogiiy3c.dll. A pretty sneaky way, and something you should watch out for during your next hunting session or IR gig. 🤓

[1] detection.fyi/elastic/dete...

25.12.2025 09:01
Post image

Adversaries can exploit these files to maintain persistence by injecting malicious code." [1]

Path: C:\ProgramData\cp49s\Lib\sitecustomize[.]py
Content: See the image below.

25.12.2025 09:01
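The persistence described in the thread above and in the 13 January post about the Metasploit module works because CPython's site module imports sitecustomize (and, when the user site directory is enabled, usercustomize) from any sys.path entry at startup, and also executes any line in a site-packages .pth file that begins with "import". The scanner below is an added example, not code from the original posts or from Metasploit: it walks a tree for those hooks, flags .pth files that execute code, and shows where the running interpreter would load such a hook from without importing (and thereby running) it. The demo tree it builds is constructed; the cp49s name only mimics the path from the case.

```python
"""Find Python startup hooks: sitecustomize/usercustomize and executable .pth lines.

Added example; not code from the original posts or from Metasploit. The demo
tree built by build_demo_tree() is constructed and only mimics the cp49s path.
"""
import importlib.util
import os
import re
import site
import sys
import tempfile

HOOK_FILENAMES = {"sitecustomize.py", "usercustomize.py"}

# Tokens that rarely belong in a legitimate startup hook.
SUSPICIOUS_RE = re.compile(
    r"\b(exec|eval|compile|marshal|base64|zlib|subprocess|ctypes|socket|urllib)\b"
)


def indicators(text: str) -> list:
    return sorted(set(SUSPICIOUS_RE.findall(text)))


def pth_import_lines(text: str) -> list:
    """site.py executes a .pth line only if it starts with 'import ' or 'import\\t';
    every other line is treated as a path to append to sys.path."""
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan_tree(root: str) -> list:
    """Walk root and report every startup hook and every .pth that executes code."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in HOOK_FILENAMES:
                findings.append({"path": path, "kind": "startup_hook",
                                 "indicators": indicators(_read(path))})
            elif name.endswith(".pth"):
                lines = pth_import_lines(_read(path))
                if lines:
                    findings.append({"path": path, "kind": "pth_import",
                                     "indicators": indicators("\n".join(lines)),
                                     "lines": lines})
    return sorted(findings, key=lambda f: f["path"])


def locate_without_executing(module: str = "sitecustomize"):
    """Ask the import system where it would load the hook from, without running it.
    (Importing the module would execute the payload; find_spec does not.)"""
    spec = importlib.util.find_spec(module)
    return spec.origin if spec is not None else None


def hooks_for_this_interpreter() -> list:
    """Every place this python would pick up a hook file: all sys.path entries
    ('' means the current directory) plus the site-packages directories."""
    dirs = [d or os.getcwd() for d in sys.path]
    dirs += getattr(site, "getsitepackages", lambda: [])()
    dirs.append(site.getusersitepackages())
    hits = set()
    for d in dirs:
        for name in HOOK_FILENAMES:
            p = os.path.join(d, name)
            if os.path.isfile(p):
                hits.add(os.path.abspath(p))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed private Python install: one malicious sitecustomize.py and one
    code-executing .pth next to a harmless, path-only .pth."""
    root = tempfile.mkdtemp(prefix="cp49s_")
    lib = os.path.join(root, "Lib")
    sp = os.path.join(lib, "site-packages")
    os.makedirs(sp)
    with open(os.path.join(lib, "sitecustomize.py"), "w") as fh:  # constructed payload
        fh.write("import base64\nexec(base64.b64decode('cHJpbnQoImhvb2siKQ=='))\n")
    with open(os.path.join(sp, "benign.pth"), "w") as fh:  # path line only, never executed
        fh.write("some_vendor_package\n")
    with open(os.path.join(sp, "hook.pth"), "w") as fh:  # executed at every startup
        fh.write("import subprocess; subprocess.Popen(['whoami'])\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f["kind"], f["path"], f["indicators"])
    print("this interpreter:", hooks_for_this_interpreter() or "no hook files on sys.path")
```

Point scan_tree() at every Python installation on a host, including private ones under ProgramData or user profiles like the one in the case. A sitecustomize.py outside the interpreter's own Lib directory, or a .pth import line that does not belong to a known tool (editable installs and coverage.py legitimately use them), deserves a look; and because a scheduled task can point at any interpreter, the task's command line tells you which tree to scan.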
