home.social

#dfirday — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #dfirday, aggregated by home.social.

  1. Happy #DFIRDay!

    The DFIR Report has released another detailed report that starts with #Nitrogen malware and ends with #BlackCat ransomware encrypting the files of the victim.

    Something that really stood out about this attack was the Persistence technique that was observed. Now I am not going to hit you with the same "Run Registry Keys" and "Windows Startup directory" but it does involve scheduled tasks. And not just the existence of a scheduled task being created but MULTIPLE task creation attempts. Not only does the section highlight the "human element" that exists with cyber attacks, since there were multiple mistakes and typos, but makes you question how often this type of thing occurs in your environment. I know I stand a little outside of organizations and I only have a small window in, but I think that this many attempts from a single or multiple hosts seems like a red flag. In other words, don't just think about the technique, think about frequency and how often this might legitimately exist. Once you understand that, it is easier to find the abnormal! Enjoy the rest of the article and Happy Hunting!

    Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
    thedfirreport.com/2024/09/30/n

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday Cyborg Security, Now Part of Intel 471

  2. Happy Monday, or should I say, Happy #DFIRDay!

    That's right, The DFIR Report has dropped another one of their awesome reports, this time covering an attack that involved the #BlackSuit ransomware. There was a dash of #CobaltStrike, #SystemBC, some encoded Powershell commands for defense evasion (and to keep you guessing on what the command really is!), LSASS access for credentials, and ultimately led to the ransomware being deployed. This report provides a great example of all the things the adversary needs to do to be successful in an attack and all the information they need from your environment to do it!

    Stay tuned for your Threat Hunting Tip of the Day but while you wait, enjoy the article! Happy Hunting!

    And I promise you I am not going to take the easy way out and hit you with the AutoRun registry key hunt package again!

    BlackSuit Ransomware
    thedfirreport.com/2024/08/26/b

    Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday