#sleuthcon — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #sleuthcon, aggregated by home.social.
-
Please don't yell into the #SleuthCon microphone. Or really any mic ever.
-
Happy @Sleuthcon Day, to those who observe!
Head on over to https://www.sleuthcon.com/shop/p/sleuthcon-23-virtual-cw4jt-b7m4k to purchase a USD $75 virtual ticket to watch the live stream.
(U.S. mailing addresses get conference swag with a virtual ticket!) #SleuthCon #NorthernVirginia #BSidesNoVA
-
Power outage during this year's #SLEUTHCON reminds me of #CYBERWARCON 2022 when the same thing happened... ⚡️🤔 Talks are still being recorded, and thank you to everyone working to get the livestream back!
-
Getting ready to watch #SLEUTHCON live tomorrow, stay tuned for talk summaries and other commentary on the conference 🕵🏻‍♂️
-
Also oh my goodness, first talk, no pressure 🫠 #SLEUTHCON
-
Channeling my inner Taylor Swift for this year’s #SLEUTHCON talk:
It’s Me, Hi, I’m the APT: The Rise of Ecrime to Nation-State Levels 😎
Honored to be featured alongside such amazing fellow researchers! Check out the full agenda.
-
Whoohoo! #SLEUTHCON 2024 is LIVE! The CFP is open and closes March 31. This is my favorite conference of the year, I’m so excited to be heading back to Arlington on May 24th! https://www.sleuthcon.com/
-
ICYMI - #Sleuthcon talks are up! Get them here: https://youtube.com/playlist?list=PLahrNM6FV_q0Goc9nf__64b8NXxQaDN_K
Two interesting ones to check out:
SLEUTHCON 2023 - My 0ktapus Teacher: New Actors, New Problems: https://youtu.be/2HQoGMG4cWM
Presentation by Jake Nicastro, Mandiant
Gone are the days of just rigid, holistic cybercrime attribution. Through 2022 and into 2023, Mandiant has spent hundreds of hours in the trenches shining light in a new dark corner of the cybercriminal world—one with not so much “cybercrime gangs” as there is a sea of creatures making up a messy web of vague personas and murky relationships.
Mandiant has had traditional attribution perfected as an art and a science, but this rising tide of amorphous activity has presented a new challenge in defining a “cluster”.
From the whales of Lapsus and 0ktapus, to the lesser-known predators that prowl in the muddier waters of anonymity, we will dive into how these turbulent “groups” make us question our course.
SLEUTHCON 2023 - Hunting Prolific Access Broker PROPHET SPIDER: https://youtu.be/885psYfsPA8
Presentation by Eric Loui & Ryan Tancibok, CrowdStrike
PROPHET SPIDER is an access broker that has conducted low-volume, opportunistic web server compromises since at least May 2017. The adversary primarily gains access to victims by compromising vulnerable web servers, leveraging a range of vulnerabilities for this purpose. This presentation will discuss PROPHET SPIDER’s distinctive tactics, techniques, and procedures (TTPs), details of the adversary’s custom malware, and provide tips for detection and threat hunting.
PROPHET SPIDER exploits known vulnerabilities in Internet-facing servers, including Citrix, Ivanti CSA, JBoss, and particularly Oracle WebLogic. On Windows, the adversary uses PowerShell to download a WGet binary for ingress tool transfer, while typically running Python or Perl reverse shells on Linux. PROPHET SPIDER often deploys both JSP or ASP.NET webshells and executable backdoors to enable persistence. In some cases, the adversary has attempted to compile tools using GCC.
PROPHET SPIDER focuses primarily on capturing legitimate credentials. On Windows, the adversary uses a variety of OS credential dumping techniques, and regularly tries to capture NTDS.DIT. On Linux, the adversary searches for private keys using cat and grep. To move laterally, PROPHET SPIDER uses low-prevalence binaries to scan internal IP ranges, while trying to authenticate using stolen credentials over RDP or SSH. PROPHET SPIDER usually compresses credential-related files into 7zip archives, and exfiltrates these archives over PSCP or FTP. In multiple cases, PROPHET SPIDER intrusions have led to ransomware deployment (including Egregor and MountLocker) or data extortion actors demanding payment in exchange for deleting stolen files, indicating the adversary is likely an access broker.
PROPHET SPIDER’s malware has slowly matured and the adversary has recently shifted from Go to C++. PROPHET SPIDER’s custom tools are typically run by creating a new service. Several Remote Access Trojans (RATs) and proxy tools provide PROPHET SPIDER with flexible capabilities to execute arbitrary commands and exfiltrate data from victim networks.
PROPHET SPIDER has attempted to steadily improve the obfuscation of their code and C2 communications. Custom binary protocols and cryptographic procedures have been implemented in the adversary’s tools.
Fortunately, PROPHET SPIDER is a creature of habit. This presentation will conclude with consistent directory names, filenames, command-line artifacts, URL patterns, and other behaviors that threat hunters and intelligence analysts can use to uncover PROPHET SPIDER intrusions.
-
Happy Friday—the talk recordings from #SLEUTHCON are live 🍿#CTI https://www.youtube.com/playlist?list=PLahrNM6FV_q0Goc9nf__64b8NXxQaDN_K
-
I'm watching #SleuthCon and I'm just so happy to see all these amazing women/non-dude presenters! More of this, please.
-
It’s alive! Joe Wise and I have been working on answering the question: What the heck is going on in the ecrime threat landscape post macros? This banger of a report (if I do say so myself) is the culmination of months of research, lots of actor chaos, and collaboration with some of the best ecrime threat researchers in the game at Proofpoint! Please check it out! 🦖
And many thanks to #SLEUTHCON for hosting us at such an incredible conference.
-
AUGH I just got reminded that #sleuthcon is this Saturday and it's CLOSE, like I can just take the Metro and get there easily!
*presses face against window staring longingly at the fun things inside*
Sigh... I don't suppose they need a last minute speaker wrangler or gofer...
-
Anyone gonna be at #sleuthcon on Friday? I'm thinking about checking out the #spy museum Saturday morning.
-
Who is going to #SLEUTHCON on Friday? Would love to see folks there!!
-
Y’all I can’t tell you how excited I am for the upcoming #Sleuthcon conference!! We got a banger of a presentation + report for you.