
Josh Lemon

@joshlemon.bsky.social

Chief of DIFR at SoteriaSec | SANS Institute Principal Instructor | SANS FOR509 co-author | Director MDR Uptycs | Digital Forensics & Incident Response geek.

36 Followers  |  113 Following  |  23 Posts  |  Joined: 25.11.2024

Latest posts by joshlemon.bsky.social on Bluesky

🚨 Alert on new credentials added to SPs.
🔥 Monitor changes to federated domains (federationConfiguration).
🕵🏼‍♂️ Hunt unusual Graph API calls to /domains, /credentials, and /federationConfiguration.

#DFIR #ThreatHunting #EntraID #CloudForensics #M365 #ThreatDetection

19.07.2025 04:18 — 👍 0    🔁 0    💬 0    📌 0
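The three hunting hints above map directly onto two telemetry sources: the Entra ID audit log (for credential and federation changes) and the Microsoft Graph activity log (for the API paths). Below is an added example, written here and not taken from the post or from Datadog, that triages both. Field names follow the Entra `directoryAudits` and Graph activity log schemas as I understand them and are an assumption; every record is constructed sample data with `example.com` and placeholder ids.

```python
"""Triage Entra ID telemetry for the changes the post calls out: new service
principal (SP) credentials, federated-domain changes, and Graph API calls to
/domains, /credentials and /federationConfiguration.

Added example, not code from the post or from Datadog. Field names follow the
Entra audit log (directoryAudits) and Microsoft Graph activity log schemas as
assumed here; every record below is constructed sample data."""
import re

# Audit log activityDisplayName values that add credentials to an SP/app.
SP_CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}
# Audit log activities that change how a domain authenticates (federation).
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication"}
# Graph request paths worth hunting; the lookahead pins the whole path segment,
# e.g. /v1.0/domains, .../federationConfiguration/{id}, .../addPassword.
GRAPH_HUNT_PATHS = re.compile(
    r"/(domains|federationConfiguration|addKey|addPassword|[A-Za-z]*credentials)(?=[/?]|$)",
    re.IGNORECASE,
)


def actor_of(record):
    """Identify who made the change: a user UPN or the calling app."""
    initiated = record.get("initiatedBy") or {}
    user, app = initiated.get("user") or {}, initiated.get("app") or {}
    return (user.get("userPrincipalName") or app.get("displayName")
            or app.get("servicePrincipalId") or "unknown")


def triage_audit(record):
    """Return an alert for a directory audit record, or None if benign."""
    activity = record.get("activityDisplayName", "")
    if activity in SP_CREDENTIAL_ACTIVITIES:
        kind, severity = "sp_credential_added", "high"
    elif activity in FEDERATION_ACTIVITIES:
        kind, severity = "federation_changed", "critical"
    else:
        return None
    targets = [t.get("displayName") or t.get("id") or "?" for t in record.get("targetResources", [])]
    return {"kind": kind, "severity": severity, "actor": actor_of(record),
            "targets": targets, "time": record.get("activityDateTime")}


def triage_graph(record):
    """Return an alert for a Graph activity record touching a hunt path.
    Writes are high severity; reads are kept as low-severity hunt leads."""
    uri = record.get("RequestUri", "")
    if not GRAPH_HUNT_PATHS.search(uri):
        return None
    method = record.get("RequestMethod", "GET").upper()
    return {"kind": "graph_api_hunt",
            "severity": "high" if method in {"POST", "PATCH", "PUT", "DELETE"} else "low",
            "actor": record.get("UserId") or record.get("AppId") or "unknown",
            "method": method, "uri": uri, "time": record.get("TimeGenerated")}


def triage(audit_records, graph_records):
    """Run both passes and return all alerts, highest severity first (stable)."""
    alerts = [a for a in map(triage_audit, audit_records) if a]
    alerts += [a for a in map(triage_graph, graph_records) if a]
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted(alerts, key=lambda a: order[a["severity"]])


# Constructed sample records (example.com / placeholder ids, not real data).
SP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-07-18T21:03:10Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"displayName": "Office 365 Exchange Online", "id": SP_ID}]},
    {"activityDateTime": "2025-07-18T21:07:42Z", "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"app": {"displayName": "Office 365 Exchange Online"}},
     "targetResources": [{"displayName": "example.com"}]},
    {"activityDateTime": "2025-07-18T21:09:00Z", "activityDisplayName": "Update user",  # routine, no alert
     "initiatedBy": {"user": {"userPrincipalName": "hr@example.com"}},
     "targetResources": [{"displayName": "New Hire"}]},
]
SAMPLE_GRAPH = [
    {"TimeGenerated": "2025-07-18T21:00:05Z", "RequestMethod": "GET",
     "RequestUri": "https://graph.microsoft.com/v1.0/domains", "UserId": "helpdesk@example.com"},
    {"TimeGenerated": "2025-07-18T21:03:09Z", "RequestMethod": "POST",
     "RequestUri": f"https://graph.microsoft.com/v1.0/servicePrincipals/{SP_ID}/addPassword",
     "UserId": "helpdesk@example.com"},
    {"TimeGenerated": "2025-07-18T21:07:41Z", "RequestMethod": "PATCH",
     "RequestUri": "https://graph.microsoft.com/v1.0/domains/example.com/federationConfiguration/"
                   "11111111-1111-1111-1111-111111111111", "AppId": SP_ID},
    {"TimeGenerated": "2025-07-18T21:10:00Z", "RequestMethod": "GET",  # ordinary read, no alert
     "RequestUri": "https://graph.microsoft.com/v1.0/users?$top=10", "UserId": "hr@example.com"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_AUDIT, SAMPLE_GRAPH):
        print(alert["severity"].upper(), alert["kind"], alert["actor"], alert.get("targets") or alert.get("uri"))
```

Reads of `/domains` are deliberately kept as low-severity leads rather than dropped: on their own they are noise, but a read immediately before an `addPassword` or `federationConfiguration` write from the same actor is exactly the sequence worth correlating.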

"I SPy" Entra ID Global Admin Escalation Technique

Datadog's Security Labs identified an abuse of the Office 365 Exchange Online service principal (SP) that allows escalation to Global Admin. MSRC considers it an "expected misconfiguration", so don't expect a fix.

🔗 securitylabs.datadoghq.com/articles/i-s...

19.07.2025 04:18 — 👍 0    🔁 0    💬 1    📌 0

Here are some recent TTPs for Scattered Spider as well.
www.crowdstrike.com/en-us/blog/c...

09.07.2025 06:14 — 👍 0    🔁 0    💬 0    📌 0

#ScatteredSpider are particularly good at #SocialEngineering their way via a third-party to other victims.

For clarity, #ScatteredSpider are considered the initial access group, #DragonForce #ransomware is the malware deployed once #ScatteredSpider are inside your network.

09.07.2025 06:07 — 👍 0    🔁 0    💬 0    📌 0
M&S confirms social engineering led to massive ransomware attack
M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack.

This is a timely reminder to ensure any third-parties with access to your systems follow the same cyber policies you'd expect your internal staff to follow.

www.bleepingcomputer.com/news/securit...

#IncidentResponse #DataBreach #CSIRT

09.07.2025 06:07 — 👍 0    🔁 0    💬 2    📌 0

💡 On a side note, this is a great write-up on #container #DFIR analysis if you're interested.

28.04.2025 10:46 — 👍 0    🔁 0    💬 0    📌 0

πŸ•΅πŸΌβ€β™‚οΈ This malicious #container uses TENEO heartbeats to effectively earn credits. TENEO's ledger isn't exactly public so tracking the tokens isn't simple, there also doesn't appear to be a way to cash out...yet.

28.04.2025 10:46 — 👍 0    🔁 0    💬 1    📌 0

This is an interesting write-up on a slightly different #Docker #container #malware attack from the Cado Security and Darktrace teams.

🔗 www.darktrace.com/blog/obfusca...

28.04.2025 10:46 — 👍 1    🔁 1    💬 1    📌 0
NSW man charged over ‘serious data breach’ that exposed thousands of sensitive court documents
More than 9,000 files downloaded from NSW JusticeLink system but authorities say no personal data compromised

Here's an update on the data breach of court documents from the NSW JusticeLink website.

tl;dr - it was an individual who was able to download 9k+ documents over two months; it doesn't appear they were leaked anywhere publicly.

www.theguardian.com/australia-ne...

23.04.2025 13:59 — 👍 0    🔁 0    💬 0    📌 0

πŸ•΅πŸΌβ€β™‚οΈ Detect .LNK files making external connections, they are particularly easy to tune.

πŸ•΅πŸΌβ€β™‚οΈ Detect mshta.exe running suspicious executables (i.e. cmd.exe).

Happy #ThreatHunting

🔗 blog.sekoia.io/detecting-mu...

23.04.2025 12:50 — 👍 0    🔁 0    💬 0    📌 0

This is a really nice write-up from Sekoia with lots of #ThreatDetection details, regardless of the #EDR you're using.

🔎 Of particular note, this attack is aided with a .LNK file pulling in a .HTA via a remote location.

23.04.2025 12:50 — 👍 0    🔁 0    💬 1    📌 0
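The two detections in this thread (a .LNK that pulls a remote .HTA, and mshta.exe spawning a shell) are easy to express over process and network telemetry. The block below is an added example, written here and not taken from the post or from Sekoia's write-up. A double-clicked .LNK shows up as explorer.exe launching its target, so the rules key on the script host rather than on the .LNK file itself. Event field names follow Sysmon's ProcessCreate and NetworkConnect events as assumed here; all events are constructed, and 203.0.113.0/24 is a documentation range standing in for "external".

```python
"""Hunt Sysmon-style endpoint events for mshta.exe pulling a remote .HTA (the
stage a .LNK typically kicks off) and for mshta.exe spawning a shell.

Added example, not code from the post or from Sekoia. Event field names follow
Sysmon's ProcessCreate/NetworkConnect events as assumed here; all events below
are constructed sample data (203.0.113.0/24 is a documentation range)."""
import ipaddress
import re
from pathlib import PureWindowsPath

# A URL or a UNC path ending in .hta handed to mshta.exe means a remote stage.
REMOTE_HTA = re.compile(r"https?://\S+|\\\\\S+\.hta\b", re.IGNORECASE)
# Children that turn an .HTA into command execution.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}
# "Internal" is defined explicitly (RFC 1918, loopback, link-local) rather than
# via ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def basename(path):
    """Lower-case file name of a Windows path ('' if missing)."""
    return PureWindowsPath(path).name.lower() if path else ""


def is_external(ip):
    """True when the destination is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(event):
    """Return the list of rule names a single event trips (possibly empty)."""
    hits = []
    image = basename(event.get("Image"))
    parent = basename(event.get("ParentImage"))
    if event.get("EventType") == "ProcessCreate":
        if image == "mshta.exe" and REMOTE_HTA.search(event.get("CommandLine", "")):
            hits.append("mshta_remote_hta")
        if parent == "mshta.exe" and image in SUSPICIOUS_CHILDREN:
            hits.append("mshta_spawns_shell")
    elif event.get("EventType") == "NetworkConnect":
        if image == "mshta.exe" and is_external(event.get("DestinationIp", "127.0.0.1")):
            hits.append("mshta_external_connect")
    return hits


def hunt(events):
    """Return (UtcTime, rule, detail) tuples for every rule hit, in event order."""
    findings = []
    for event in events:
        detail = event.get("CommandLine") or event.get("DestinationIp") or ""
        for rule in evaluate(event):
            findings.append((event["UtcTime"], rule, detail))
    return findings


MSHTA = r"C:\Windows\System32\mshta.exe"
SAMPLE_EVENTS = [
    # Stage 1: user opens a .LNK; explorer.exe launches mshta.exe with a URL.
    {"EventType": "ProcessCreate", "UtcTime": "2025-04-22 09:14:02", "Image": MSHTA,
     "CommandLine": f'"{MSHTA}" https://203.0.113.10/update.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Stage 2: mshta.exe fetches the .HTA from outside the network.
    {"EventType": "NetworkConnect", "UtcTime": "2025-04-22 09:14:03", "Image": MSHTA,
     "DestinationIp": "203.0.113.10"},
    # Stage 3: the .HTA script hands off to cmd.exe.
    {"EventType": "ProcessCreate", "UtcTime": "2025-04-22 09:14:05",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami & hostname", "ParentImage": MSHTA},
    # Benign: a locally installed vendor .HTA, no remote stage.
    {"EventType": "ProcessCreate", "UtcTime": "2025-04-22 09:20:00", "Image": MSHTA,
     "CommandLine": f'"{MSHTA}" "C:\\Program Files\\Vendor\\tool.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: mshta.exe talking to an internal host.
    {"EventType": "NetworkConnect", "UtcTime": "2025-04-22 09:20:01", "Image": MSHTA,
     "DestinationIp": "10.0.0.5"},
]

if __name__ == "__main__":
    for when, rule, detail in hunt(SAMPLE_EVENTS):
        print(when, rule, detail)
```

The tuning point the post makes shows up in the benign events: a vendor .HTA launched from a local path and an internal connection both fall through, so the allow-list work is limited to whatever legitimately hands mshta.exe a URL or spawns a shell from it, which in most estates is nothing.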
signature-base/yara/vuln_erlang_otp_ssh_cve_2025_32433.yar at master · Neo23x0/signature-base
YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base

- Make sure you go #ThreatHunting for compromised systems, prioritise public facing systems.

πŸ•΅πŸΌβ€β™‚οΈ YARA signature: github.com/Neo23x0/sign...

ℹ️ Public disclosure: www.openwall.com/lists/oss-se...

βš™οΈ PoC Demo: x.com/Horizon3Atta...

19.04.2025 05:12 — 👍 0    🔁 0    💬 0    📌 0

🚨 New Critical RCE in Erlang/OTP SSH (CVSS 10)

- CVE-2025-32433
- Exploitable without authentication needed
- Exists in Erlang's built-in SSH server
- Commonly found in IoT and Telco gear
- Exploit module now in Metasploit and on GitHub

19.04.2025 05:12 — 👍 0    🔁 0    💬 1    📌 0

Google's Threat Intelligence Group published details last month of Russian #APTS targeting #Signal

➡️ Maliciously getting victims to scan QR codes
➡️ Maliciously cloning incoming messages with a Linked Device
➡️ Stealing the message database off a device

25.03.2025 23:39 — 👍 0    🔁 0    💬 0    📌 0

With all the talk about the use of #Signal by government officials in the US, it's worth remembering #ThreatActors will target what they need to steal the data they want.

🔗 cloud.google.com/blog/topics/...

25.03.2025 23:39 — 👍 0    🔁 0    💬 1    📌 0
Microsoft recommended driver block rules
View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.

Vuln Driver Blocklist: learn.microsoft.com/en-us/window...

02.03.2025 21:54 — 👍 0    🔁 0    💬 0    📌 0
Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks
Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.

Win 11 now has a Vulnerable Driver Blocklist feature; however, it's only updated in major updates, so you still need to monitor for recently discovered Vulnerable Drivers.

Recent Vuln Driver: www.bleepingcomputer.com/news/securit...

Known Vuln Drivers: www.loldrivers.io

02.03.2025 21:54 — 👍 0    🔁 0    💬 1    📌 0

#BYOVD attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools.
Make sure you're #ThreatHunting for new Vulnerable Drivers!

#IncidentResponse #ransomware #ThreatDetection

02.03.2025 21:54 — 👍 0    🔁 0    💬 1    📌 0

Join me for SANS Institute #Perth Community Night today!

📋 Registration
Thurs, 13 Feb 2025
5:30pm – 6pm

🎀 Presentation
6pm – 7pm

Register Here: https://www.sans.org/mlp/community-night-perth-february-2025/

πŸ“The Pan Pacific Perth Hotel, 207 Adelaide Terrace, Perth WA 6000

12.02.2025 23:00 — 👍 0    🔁 0    💬 0    📌 0
GitHub - MalBeacon/what-is-this-stealer: A repository of credential stealer formats
A repository of credential stealer formats. Contribute to MalBeacon/what-is-this-stealer development by creating an account on GitHub.

I just found this amazing repository of credential stealer system info files by #MalBeacon, along with #YARA sigs for them.
Useful for IDing a cred stealer or when going #ThreatHunting.

github.com/MalBeacon/wh... #threatintel #infosec #malware #DFIR

15.01.2025 22:42 — 👍 0    🔁 0    💬 0    📌 0

Remember this is just one botnet of #PlugX; it's still used in the wild by many other threat actor groups.

For you #DFIR folks, ensure you know how to go #ThreatHunting for DLL-Side Loading to find #PlugX in your network.

15.01.2025 21:15 — 👍 0    🔁 0    💬 0    📌 0
FBI wipes Chinese PlugX malware from over 4,000 US computers
The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.

The #FBI mass-removed #PlugX #malware from infected US computers. The infections were attributed to #MustangPanda (aka #TwillTyphoon).

https://buff.ly/3PBmOpe
#IncidentResponse

15.01.2025 21:15 — 👍 0    🔁 0    💬 1    📌 0
Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C
The Halcyon RISE Team has identified a unique ransomware technique that encrypts Amazon S3 buckets with no known method to recover unless a ransom is paid...

#Ransomware threat actors are increasingly abusing #AWS Server-Side Encryption (SSE-C) to encrypt S3 buckets. Most recently a TA known as #Codefinger is using this technique.

🕵 Monitoring S3 & encryption activity via CloudTrail & GuardDuty.

www.halcyon.ai/blog/abusing...

#CloudForensics #FOR509

14.01.2025 03:46 — 👍 1    🔁 0    💬 0    📌 0
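What "monitoring S3 & encryption activity via CloudTrail" looks like in practice, as an added example that is not code from the post or from Halcyon: the block below runs over CloudTrail S3 data events, flags every object write that used a customer-supplied key (SSE-C), and surfaces the burst pattern ransomware produces, one principal re-writing many objects in a short window. How SSE-C appears in CloudTrail (the `x-amz-server-side-encryption-customer-algorithm` request header and `additionalEventData.SSEApplied == "SSE_C"`) is my assumption about the event shape; the account ids, ARNs, bucket names and the 50-writes-in-5-minutes threshold are all constructed and should be tuned per account.

```python
"""Flag S3 writes that use SSE-C in CloudTrail data events and surface the
burst pattern ransomware produces: one principal re-writing many objects with
customer-supplied keys in a short window.

Added example, not code from the post or from Halcyon. Field names follow
CloudTrail S3 data events as assumed here; all events and thresholds are
constructed or assumed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
BURST_THRESHOLD = 50                  # assumed: SSE-C writes per window
BURST_WINDOW = timedelta(minutes=5)   # assumed


def uses_sse_c(event):
    """True when the request carried a customer-supplied key."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return SSEC_HEADER in params or extra.get("SSEApplied") == "SSE_C"


def principal_of(event):
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("accountId") or "unknown"


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def max_in_window(times, window):
    """Largest number of timestamps falling inside any window-sized span."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_sse_c(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Group SSE-C writes per principal; one finding per principal, busiest first."""
    by_actor = defaultdict(list)
    for event in events:
        if event.get("eventName") in WRITE_EVENTS and uses_sse_c(event):
            by_actor[principal_of(event)].append(event)
    findings = []
    for actor, evs in by_actor.items():
        peak = max_in_window([parse_time(e["eventTime"]) for e in evs], window)
        findings.append({
            "principal": actor,
            "sse_c_writes": len(evs),
            "buckets": sorted({(e.get("requestParameters") or {}).get("bucketName", "?") for e in evs}),
            "burst": peak >= threshold,
        })
    return sorted(findings, key=lambda f: -f["sse_c_writes"])


def make_event(name, actor_arn, bucket, key, when, sse):
    """Build a constructed CloudTrail-shaped S3 data event."""
    params = {"bucketName": bucket, "key": key}
    if sse == "SSE_C":
        params[SSEC_HEADER] = "AES256"
    return {"eventName": name, "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventSource": "s3.amazonaws.com",
            "userIdentity": {"type": "IAMUser", "arn": actor_arn},
            "requestParameters": params,
            "additionalEventData": {"SSEApplied": sse}}


T0 = datetime(2025, 1, 13, 2, 10, 0, tzinfo=timezone.utc)
COMPROMISED = "arn:aws:iam::111122223333:user/ci-deploy"   # constructed
BACKUP_JOB = "arn:aws:iam::111122223333:user/backup-job"   # constructed
ANALYST = "arn:aws:iam::111122223333:user/analyst"         # constructed
SAMPLE_EVENTS = (
    # 60 SSE-C re-writes in two minutes: the ransomware pattern.
    [make_event("PutObject", COMPROMISED, "corp-finance", f"ledger/{i:04}.csv",
                T0 + timedelta(seconds=2 * i), "SSE_C") for i in range(60)]
    # Routine SSE-KMS writes: not flagged at all.
    + [make_event("PutObject", BACKUP_JOB, "corp-backups", f"daily/{i}.tar",
                  T0 + timedelta(minutes=i), "SSE_KMS") for i in range(3)]
    # A single legitimate SSE-C copy: reported, but no burst.
    + [make_event("CopyObject", ANALYST, "corp-exports", "report.parquet",
                  T0 + timedelta(hours=1), "SSE_C")]
)

if __name__ == "__main__":
    for finding in detect_sse_c(SAMPLE_EVENTS):
        print(finding)
```

Note the prerequisite: object-level CloudTrail data events are not enabled by default, so without them PutObject calls (and the SSE-C header on them) never reach the trail. Every SSE-C write is reported, not just bursts, because an S3 bucket policy that denies the SSE-C header is usually the simpler control and the report tells you whether anything legitimate would break.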
