#readoftheday — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #readoftheday, aggregated by home.social.
-
Good day everyone!
This is a really interesting read from SentinelOne Labs. Back in October 2024 they dealt with a reconnaissance operation that was related to the activity cluster tracked as #PurpleHaze and then in 2025 "they helped disrupt an intrusion linked to a wider #ShadowPad operation". The activity was attributed to China-nexus threat actors.
The article gives an in-depth view of what it looks like when an organization that is responsible for "IT services and logistics" gets compromised, which we could call a supply-chain attack. The article also provides a TON of technical details about the tools and infrastructure that were used, indicators of compromise to scan for in your environment, and behaviors and commands that were observed throughout. This one may take a while to read but it's worth it! Thanks to the researchers Dr Aleksandar Milenkoski and Tom Hegel for this report! I hope you all enjoy it as much as I did. Happy Hunting!
Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
https://www.sentinelone.com/labs/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets/
Intel 471 Cyborg Security, Now Part of Intel 471
#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Happy Wednesday!
Today's #readoftheday is an article from Sophos researchers that provides details on an attack involving the #3AM ransomware strain. What started with email-bombing led to social engineering, Microsoft Quick Assist, and a Windows 7 virtual machine. What I really enjoy about this article is the technical detail about the "pre-ransomware" activity, which can be seen in the Discovery and Defense Evasion sections. These normally involve some LOLBINs (Living-Off-The-Land Binaries) and use of the tools that can help provide the adversary with information about the system. Enjoy and Happy Hunting!
A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist
https://news.sophos.com/en-us/2025/05/20/a-familiar-playbook-with-a-twist-3am-ransomware-actors-dropped-virtual-machine-with-vishing-and-quick-assist/
#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
-
Good day everyone!
Check Point Software researchers produced another great article that involves #APT29, #phishing, and a little bit of masquerading. This phishing campaign, which distributes fake invitations to diplomatic events, targeted European diplomatic entities and appears to be a continuation of a previous campaign run by the same actors. These phishing emails utilized a backdoor known as #Wineloader and also employ a new loader, #Grapeloader. There is a lot to unpack here and I hope you enjoy!
Renewed APT29 Phishing Campaign Against European Diplomats
https://research.checkpoint.com/2025/apt29-phishing-campaign/
#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Happy Monday everyone!
Coming out of a brief lull in activity, I have a #readoftheday for you! This comes from a CYFIRMA article that takes a look at the APT #VoltTyphoon. They share vulnerabilities that have been recently exploited and (my favorite part) recent #TTPs and #behaviors that are associated with the group! I like how well it is documented, so much that I am not even going to recreate it here! I will definitely be diving back into their archives to see if there are more of these profile articles! Enjoy and Happy Hunting!
APT PROFILE – VOLT TYPHOON
https://www.cyfirma.com/research/apt-profile-volt-typhoon-2/
#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting
-
Happy Friday everyone!
A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or #SVR.
According to the advisory, #APT29 (a.k.a. Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, and abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBINs) techniques for multiple techniques.
The report includes a list of #CVEs that APT29 has been observed exploiting and attaches the vendor and product that are affected, with details that describe the vulnerability, along with a section of mitigations that your organization can take to increase your security posture.
If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic #TTPs and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting!
Article Source:
Update on SVR Cyber Operations and Vulnerability Exploitation
https://www.ic3.gov/Media/News/2024/241010.pdf
Mitre source:
https://attack.mitre.org/groups/G0016/
#ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
Happy Wednesday everyone!
This resource has been popping up on my feed everywhere, so I took a look at it and I see why! When he is not instructing #SANS FOR589, Will Thomas is creating highly valuable resources like the Russian APT Tool Matrix.
Will has taken the time to correlate the tools of Russian #APTs such as #CozyBear and #Sandworm and has even supplied the aliases that go along with them as well. This is a great resource if you are an APT-focused organization looking to prioritize your threat hunting! Thanks a ton Will!
Enjoy and Happy Hunting!
Russian APT Tool Matrix:
https://github.com/BushidoUK/Russian-APT-Tool-Matrix/blob/main/GroupProfiles/Sandworm.md
#ThreatIntel #ThreatHunting #ThreatDetection #readoftheday #HappyHunting
-
Happy Monday everyone!
We are going to start this week off with a nice resource in our #readoftheday! If you have yet to hear about Wazuh, now is your chance! It is a free, open-source security platform that protects data assets from threats [2]. In this article, the researchers cover what abusing Living-off-the-Land binaries (LOLBINs) looks like from the perspective of an Ubuntu and Kali Linux endpoint and focus on the #DirtyPipe exploit and the DDexec utility. After walking readers through the emulation they then discuss how Wazuh helps detect these techniques. It is a good read and a resource I want to get into my own lab to start playing with!
As always, check out the full article and others by Wazuh researchers on their blog and stay tuned for the threat hunting tip of the day! Enjoy and Happy Hunting!
Detecting Living Off the Land attacks with Wazuh
https://wazuh.com/blog/detecting-living-off-the-land-attacks-with-wazuh/
Other reference:
https://github.com/wazuh/wazuh [2]
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471
-
Happy Friday Everyone!
The Check Point Software researchers help us into the weekend with the #readoftheday, and ironically it covers some things that we have been researching as of late!
In this article, the researchers detail how a threat actor used an Internet Shortcut (.url) file to open the attacker's website in Internet Explorer (a more vulnerable browser) instead of Chrome or Edge. This is accomplished through the use of a specially crafted .url file that contains the values "mhtml" and also "!x-usc". These tactics were last seen when threat actors were exploiting CVE-2021-40444 (Microsoft MSHTML Remote Code Execution Vulnerability) [2] and are seen again.
As you wait for the Threat Hunting Tip of the day, go read the entire article yourself and see what I missed! Enjoy and Happy Hunting!
RESURRECTING INTERNET EXPLORER: THREAT ACTORS USING ZERO-DAY TRICKS IN INTERNET SHORTCUT FILE TO LURE VICTIMS (CVE-2024-38112)
https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/
Additional resource:
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting
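The mhtml / !x-usc shortcut trick above is something a defender can scan for on disk. The following Python is an added example (not Check Point's code) that parses .url files and flags those two tokens; the detection heuristic and the two sample shortcut bodies are constructed for this illustration.

```python
"""Scanner for Internet Shortcut (.url) files carrying the mhtml / !x-usc tokens.

Added example, not code from the Check Point write-up.  The detection
heuristic and the two sample .url bodies below are constructed for this
illustration; tune the checks to your own environment."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Tokens the post calls out: a URL= value that starts with the mhtml: scheme
# and a !x-usc: segment that chains a second target.  Heuristic (assumption).
MHTML_SCHEME = re.compile(r"^mhtml:", re.IGNORECASE)
XUSC_TOKEN = re.compile(r"!x-usc:", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    url: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the INI-style [InternetShortcut] section into a dict.

    Keys are lower-cased; the first occurrence of a key wins, which is the
    value the shell treats as the shortcut's effective target.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a UTF-8 BOM on line 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def analyze_url_file(name: str, text: str) -> Finding:
    """Flag a shortcut whose target uses the legacy mhtml: handler or !x-usc: chaining."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    finding = Finding(name=name, url=url)
    if MHTML_SCHEME.match(url):
        finding.reasons.append("URL= uses the mhtml: scheme (routes to legacy MSHTML/IE)")
    if XUSC_TOKEN.search(url):
        finding.reasons.append("URL= contains a !x-usc: chained target")
    return finding


def scan(files: Dict[str, str]) -> List[Finding]:
    """Scan {name: contents} and return only the suspicious shortcuts."""
    return [f for f in (analyze_url_file(n, t) for n, t in files.items()) if f.suspicious]


# Constructed samples: one ordinary shortcut and one carrying both tokens.
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

SAMPLE_SUSPICIOUS = """[InternetShortcut]
URL=mhtml:http://lure.example.invalid/page.html!x-usc:http://lure.example.invalid/page.html
IconIndex=0
"""

if __name__ == "__main__":
    for f in scan({"benign.url": SAMPLE_BENIGN, "lure.url": SAMPLE_SUSPICIOUS}):
        print(f"{f.name}: {'; '.join(f.reasons)}")
```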
-
Happy Wednesday everyone!
This is the second #readoftheday this week that involves eBooks being used as the lure for victims and in this case Trellix reveals that this eBook delivers a malware known as #ViperSoftX.
Once the victim downloads the archive file, they are presented with an eBook cover page, a hidden folder, a shortcut file and three JPGs. These files are not what they seem, as you all may have guessed. One is an AutoIT script, one the AutoIT executable, and the last a PowerShell script. The shortcut file leads to the execution of the PowerShell code that unhides the hidden folder, checks the disk size of all drives, moves the AutoIT files to the AppData\Microsoft\Windows directory and deletes the LNK files in the current directory.
A notable MITRE ATT&CK TTP here is the use of PowerShell encoded commands or T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File. This is a common technique that adversaries use to hide the true nature of the commands or communication with their C2 server.
As always, I am leaving you hanging and will be back for the Threat Hunting Tip of the day! While you are waiting patiently, go read the rest of the article, it has tons of details I left out! Enjoy and Happy Hunting!
The Mechanics of ViperSoftX: Exploiting AutoIt and CLR for Stealthy PowerShell Execution
https://www.trellix.com/blogs/research/the-mechanics-of-vipersofts-exploiting-autoit-and-clr-for-stealthy-powershell-execution/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471
-
Good day everyone!
Kaspersky brings us today's #readoftheday!
A new APT targeting the Russian government, which has been dubbed CloudSorcerer. "It's a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration" (we can start to create hypotheses that include the use of notable TTPs such as Discovery, Command and Control, and Collection). The malware's backdoor module collects information about the victim's machine, which includes the hostname, username, Windows subversion information, and system uptime. Then a pipe is created (in this case \\.\PIPE\[1428] [not sure if that is a constant]) that connects to the C2 module process. The researchers state "It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures."
Aaaaaaand this is where I am going to leave you hanging, on a nice cliff! Go and read the article and find out the rest of the details and for your threat hunting tip! Enjoy and Happy Hunting!
CloudSorcerer – A new APT targeting Russian government entities
https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #Intel471 #gethunting
-
Happy Friday everyone!
#Cryptominers and #CVE20173506 are featured in today's #readoftheday! Trend Micro takes us through a riveting tale where the protagonist, #WaterSigbin, abuses a vulnerability in Oracle WebLogic Servers. After exploitation, a Base64-encoded payload is run that drops the initial stage loader named "wireguard2-3.exe", which masquerades as a legitimate VPN technology to help with its defense evasion. It also plays a role in getting the attack to the next stages, which involve DLL reflection, C2 communication, and finally the #XMRig cryptominer.
Significant details that are included are a scheduled task created for a Windows Defender exclusion, some discovery using WMI, and another scheduled task for persistence. As usual, I am not going to spoil it all, go and have a read for yourself! Enjoy and Happy Hunting!
Notable MITRE ATT&CK TTPs (thanks to the authors):
TA0001 - Initial Access
T1190 - Exploit Public-Facing Application
TA0002 - Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1047 - Windows Management Instrumentation
TA0005 - Defense Evasion
T1620 - Reflective Code Loading
T1036.005 - Masquerading: Match Legitimate Name or Location
T1562.001 - Impair Defenses: Disable or Modify Tools
TA0003 - Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
TA0011 - Command And Control
T1571 - Non-Standard Port
T1071 - Application Layer Protocol
TA0007 - Discovery
T1057 - Process Discovery
T1012 - Query Registry
Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting
-
Happy Friday everyone!
I don't know how I missed the beginning of this series by Elastic and their security researchers, but I did; I jumped straight into part three without realizing it! So I had to stop and backpedal. So if you are like me, here is the first installment of their series on the #REMCOS #RAT. They take you through the process of analyzing it and provide #TTPs and behaviors. One that really sticks out is the #UACBypass and the COM objects that are involved.
To leave you empty-handed would be an insult to the researchers' work and to you as a threat hunter! So, take this with you in the face of danger! It is a Cyborg Security Community Edition (free for you) Hunt Package designed to identify when COM objects that have a higher integrity level are abused and called for malicious purposes, in this case, to bypass the user account control mechanism in Windows! Enjoy and Happy Hunting!
UAC Bypass Attempt via Elevated COM Abuse
https://hunter.cyborgsecurity.io/research/hunt-package/03036b01-dc04-4cd1-9388-bd62e1b0ff2d
Article Source:
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting
-
Happy Wednesday everyone!
The Proofpoint Threat Research team paired up with Team Cymru to dissect the #Latrodectus malware. "First seen being used by #TA577 and more recently #TA578, Latrodectus is a downloader that likes to evade sandbox environments." The researchers take a deep dive into the code to see what information they could extract and found PLENTY!
After you are done reading, why not take a Cyborg Security Community Hunt Package to hunt for a threat like this? In the article, the researchers mention that the malware sets an AutoRun registry key for persistence, which is a common technique used by different adversaries and malware due to the capability and functionality of those registry keys. So, take this hunt package with you, it's dangerous out there! Enjoy and Happy Hunting!
Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c
Source of article:
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting
-
Good day everyone!
The Microsoft Threat Intel team has recently dropped some new #ForestBlizzard TTPs and behaviors! They take a look at the malware the group used, named GooseEgg, and reveal how it set up a scheduled task for persistence calling on a batch file named servtask.bat. Find much more information in the article, but I am not going to spoil it! Enjoy and Happy Hunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
-
Happy Monday everyone!
I know this was posted a week or two back, but I wanted to bring it up again in another light. The first time I read it from a technical level looking for the usual TTPs and behaviors but while I was mowing my yard and listening to The Cybersecurity Defender's Podcast by @limacharlieio the participants mentioned something that I didn't even realize the first time I read it. They mentioned that #APT44, or Sandworm, is a very serious adversary due to the amount of capabilities they have and on so many different levels. From espionage to persistence to destructive activity, they are a very refined group and should be taken seriously. Thanks for the great insight! I hope you enjoy and Happy Hunting!
Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm
https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
-
Happy Monday everyone!
Looking for ACTIONABLE information on #DLLSideLoading? Look no further than this complete article from the Securonix Threat Research team. They provide a clear overview of the technique, provide the answer to the question "Why should I be worried?", give examples of real-world malware that used it, and some great detection and hunt opportunities. This is well worth the read and I hope you enjoy! Happy Hunting!
Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
https://www.securonix.com/blog/detecting-dll-sideloading-techniques-in-malware-attack-chains/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Good day everyone!
I haven't finished this one yet, and if you check it out you will see why, but so far it is a wonderful resource on #APT44. Mandiant (now part of Google Cloud) researchers put together what is years of knowledge and research on the group into a single, complete document. I really do wish more of these existed (and if they do please drop them in the comments!) simply due to the amount of information contained within. I hope you enjoy and Happy Hunting!
https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Happy Friday everyone!
It's always a good morning when you get news of some new MITRE ATT&CK Tactics, Techniques, or Sub-techniques! Nate Nelson highlights the new additions and discusses how #APT37 and #APT41 are adopting the techniques in recent attacks! Enjoy and Happy Hunting!
DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
https://www.darkreading.com/vulnerabilities-threats/dprk-exploits-mitre-sub-techniques-phantom-dll-hijacking-tcc-abuse
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting! #readoftheday
-
Happy Friday everyone!
The Threat Hunters at Group-IB share their tactics and techniques, this time when hunting for suspicious or malicious activity related to adversaries leveraging the living-off-the-land binary (#LOLBIN) wmic.exe, or Windows Management Instrumentation (WMI). What I really like about this, aside from some experts sharing their knowledge, is that they not only touch on the execution but share other ways to hunt for follow-on activity, for example, what activity looks like when WMI is the parent process. These are always a great read! Enjoy and Happy Hunting!
Hunting Rituals #4: Threat hunting for execution via Windows Management Instrumentation
https://www.group-ib.com/blog/hunting-rituals-4/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Happy Thursday everyone!
If you can't tell by my previous posts, I like to focus on the details found in intel reports, but today I found a report that takes a high-level view of recent attacks that involved APT groups attacking the Middle East. Researchers at Positive Technologies provide great insight into not only the groups that are involved but the #TTPs and behaviors that they exhibit, the countries and industries targeted the most, and how you could prepare yourself! Enjoy and Happy Hunting!
How APT groups operate in the Middle East
https://www.ptsecurity.com/ww-en/analytics/apt-groups-in-the-middle-east/?utm_source=pt-en&utm_medium=article&utm_campaign=positive-technologies-cyberattackers-targeting-telecommunications&utm_content=news
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Happy Tuesday everyone!
Proofpoint researchers observed activity from TA450 (AKA #MuddyWater) that involved social engineering and targeted Israeli employees. The researchers noticed a change in the adversary's #TTPs, moving from using a PDF with malicious attachments to putting the malicious link in the email body.
Taking this information into account, how can we hunt for this? Well, we can always look for Microsoft Office programs executing strange behavior such as spawning abnormal processes (especially the abuse of [LOLBINS]) or making network connections. Or, as a wise old man said back in 1986 "It's dangerous to go alone! Take this."
Potential Maldoc Execution Chain Observed
https://hunter.cyborgsecurity.io/research/hunt-package/b194088b-c846-4c72-a4b7-933627878db4
This hunt package has been designed to detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Enjoy and Happy Hunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
Happy Monday everyone! I hope everyone is doing well!
Researchers from Rapid7 observed some updated #TTPs and behaviors exhibited by the APT known as #Kimsuky (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then lead to execution. Following the CHM execution, other behaviors were seen, including modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
-
Happy Wednesday everyone!
Read this report by CrowdStrike this morning that covered a lot of technical details on the new tactics, techniques, and procedures (TTPs) observed by the researchers when analyzing #HijackLoader. Now, among all the creativity and sophistication that went into making this malware more and more evasive, there is an artifact that sticks out to me, and that is execution of .dll's or .exe's out of the C:\Windows\SYSWOW64\ directory. This tells me right away that something suspicious might be happening. Now, if you have 32-bit versions of programs that run in your environment, then this hunt may be a bit harder due to a larger set of false positives, but if there aren't a lot of false positives this could be an easy win! Happy Hunting!
HijackLoader Expands Techniques to Improve Defense Evasion
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday
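The SysWOW64 hunt sketched in the post above, as an added example in Python (not CrowdStrike's code): it runs the check over constructed process-creation records and uses a baseline allowlist, an assumption to be tuned per environment, to manage the 32-bit false positives the post mentions.

```python
"""Hunt for .exe/.dll execution out of C:\\Windows\\SysWOW64, the artifact the
HijackLoader post singles out.  Added example, not CrowdStrike's code.  The
pipe-delimited process-creation records and the 32-bit baseline are
constructed for this illustration; the baseline is the knob that controls
the false-positive rate the post warns about."""
import re
from typing import Dict, Iterable, List, Set, Tuple

SYSWOW64_PREFIX = "c:\\windows\\syswow64\\"
# Images you have confirmed legitimately run 32-bit in your estate (assumption).
BASELINE: Set[str] = {"onedrive.exe", "msiexec.exe"}

# Absolute Windows paths ending in .dll anywhere inside a command line.
DLL_PATH = re.compile(r'[A-Za-z]:[\\/][^\s"\',]+?\.dll', re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case, strip quotes and unify slashes so prefix checks are reliable."""
    return path.strip().strip('"').replace("/", "\\").lower()


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def under_syswow64(path: str) -> bool:
    return normalize(path).startswith(SYSWOW64_PREFIX)


def parse_event(line: str) -> Dict[str, str]:
    """Constructed record layout: timestamp|Image|ParentImage|CommandLine."""
    ts, image, parent, cmdline = line.split("|", 3)
    return {"ts": ts, "image": image, "parent": parent, "cmdline": cmdline}


def hunt(lines: Iterable[str], baseline: Set[str] = BASELINE) -> List[Tuple[Dict[str, str], List[str]]]:
    """Return (event, reasons) for executables or DLLs loaded from SysWOW64
    whose file name is not in the baseline."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if under_syswow64(ev["image"]) and basename(ev["image"]) not in baseline:
            reasons.append(f"image executed from SysWOW64: {basename(ev['image'])}")
        for dll in DLL_PATH.findall(ev["cmdline"]):
            if under_syswow64(dll) and basename(dll) not in baseline:
                reasons.append(f"DLL referenced from SysWOW64: {basename(dll)}")
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample: a baseline 32-bit app, an unknown .exe, rundll32 loading
# a DLL from SysWOW64, and a normal 64-bit process.
SAMPLE_LOG = [
    "2024-02-07T09:00:01|C:\\Windows\\SysWOW64\\msiexec.exe|C:\\Windows\\explorer.exe|msiexec.exe /i setup.msi",
    "2024-02-07T09:00:05|C:\\Windows\\SysWOW64\\svc_update.exe|C:\\Users\\u\\AppData\\Local\\Temp\\run.exe|svc_update.exe",
    '2024-02-07T09:00:09|C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\explorer.exe|rundll32.exe "C:\\Windows\\SysWOW64\\plugin.dll",Start',
    "2024-02-07T09:00:12|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe|svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_LOG):
        print(ev["ts"], ev["image"], "->", "; ".join(reasons))
```

Anything the hunt returns still needs triage against the parent process and the signer of the image; the baseline only removes the known-good 32-bit noise.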
-
Happy Tuesday everyone!
#APT37, aka #ScarCruft, is at it again! SentinelOne researchers noticed that they are targeting media organizations and others that are associated with North Korean affairs. The group leverages .LNK files, zip files, and phishing emails.
I found this article most interesting because of the multiple types of file formats that were used, to include .bat and .dat files, involved in the campaign. They also use a custom backdoor known as #RokRat to aid in their attack. This is a great article and worth the time! Enjoy and Happy Hunting!
Notable MITRE ATT&CK TTPs and Behaviors:
TA0001 - Initial Access
T1566.001 - Phishing: Spearphishing Attachment
TA0002 - Execution
T1059.001 - Command And Scripting Interpreter: PowerShell
T1204.001 - User Execution: Malicious Link
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #gethunting
-
Happy Friday everyone, I hope everyone survived this week!
The Microsoft Threat Intel team has been tracking an Iranian #APT known as #PeachSandstorm. They start with a password spray attack and if they are successful they then utilize both publicly available and custom tools. They cover the attacks in much more detail and provide us with some mitigations and detections! Enjoy and Happy Hunting!
Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets
https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #APT33 #Elfin #RefinedKitten
-
The Symantec research team uncovered an espionage campaign from the #APT group they track as #Redfly. The group used multiple tools during the campaign which included the #ShadowPad trojan, #Packerloader, and a key logger. They also abused some #LOLBINs to achieve their goals.
Redfly masqueraded ShadowPad in a "VMware" directory and gained persistence by creating a service that ran the malware once the computer started, and the keylogger stored its captured keystrokes in a directory that included "Intel" in the path. The APT group used reg.exe to dump credentials from the SYSTEM, SAM, and SECURITY hives. They also used a renamed version of ProcDump to dump credentials from LSASS. PowerShell was also used to gather information on the storage devices attached to the system, and finally a scheduled task was created to perform side-loading and lateral movement. #HappyHunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday
-
Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but it provides a starting point for any organization to start threat hunting by using the technical details provided! Enjoy your weekend and #HappyHunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday
-
Good day everyone! The ReliaQuest Threat Research team recently provided a wrap-up of the most commonly used loaders; the top 80% comprised only three different malware families! These big three are #QBot, #SocGholish, and #RaspberryRobin. THEN, they not only provided the data sheet to give to your management or C-suite, they broke them down even further to include technical details as well! Thank you to the Threat Research team for such a great report, I hope you enjoy it as much as I did, and Happy Hunting!
The 3 Malware Loaders Behind 80% of Incidents
https://www.reliaquest.com/blog/the-3-malware-loaders-behind-80-of-incidents/
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
Happy Tuesday everyone! #APT37 is the topic of today's #readoftheday, specifically ThreatMon takes a deep-dive into the #RokRat malware, which is a remote access trojan (RAT). Enjoy and Happy Hunting!
Link to article in the comments!
***AS usual I am going to leave one of the MITRE ATT&CK blank. I would like to see if any of you that see this can help FILL in that blank! If so, leave your thoughts in the comments OR send me a DM!***
Notable MITRE ATT&CK TTPs:
TA0007 - Discovery
T1087 - Account Discovery
T1083 - File and Directory Discovery
T1018 - Remote System Discovery
T1082 - System Information Discovery
TA0009 - Collection
T[What technique covers the threat actor capturing information under the TEMP folder?] - Good luck!
TA0011 - Command And Control
T1071.001 - Application Layer Protocol: Web Protocols
TA0002 - Execution
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting