Analysis Notes

A place for notes on malware analysis I have tried and on things that seemed useful for analysis. This site uses Google Analytics.

4n6 Week 19 – 2024 - THREAT INTELLIGENCE/HUNTING

This entry was automatically generated and posted to show the opening of each article introduced in This Week in 4n6 (FourAndSix = Forensics), so that you can zap through them and pick the articles worth checking. 4n6 itself can be found here.

THREAT INTELLIGENCE/HUNTING

Faan Rossouw at Active Countermeasures

Adam Goss

Fortra PhishLabs


Any.Run

May 8, 2024 | 9 min read | Cybersecurity Lifehacks: How to Use Threat Intelligence Feeds. Threat Intelligence Feeds are an essential part of your cybersecurity perimeter — if you use this tool correctly, y...

Christine Barry at Barracuda

May 9, 2024 | Christine Barry. Today, we're looking at Rhysida ransomware, a ransomware-as-a-service (RaaS) operation that employs double extortion to force victims to pay a ransom. Rhysida was first observed in May 2023 but was later found to have been in operation since January of that year. Rhysida is still active today and has posted 91 victims on its leak website. Activity from this group surged in November 2023 and has reduced since then. The mos...

Brad Duncan at Malware Traffic Analysis

2024-05-09 (THURSDAY): GOOTLOADER ACTIVITY NOTES: Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. REFERENCES: //www.linkedin.com/posts/unit42_gootloader-unit42threatintel-timelythreatintel-activity-7194787295676313600-UylW //twitter.com/Unit42_Intel/status/1789021679634505978 ASSOCIATED FILES: 2024-05-09-IOCs-from-GootLoader-infection.txt.zip 1.5 kB (1,509 bytes) 2024-05-09-GootLoader-infection-traffic.pcap.z...

CERT-AGID

Multibanking phishing exploits the name and logos of the Presidency of the Council of Ministers | 09/05/2024 | government, multibanking. Since the early hours of the morning, a massive phishing campaign has been spreading that uses the subject "Avete diritto a un rimborso fiscale" ("You are entitled to a tax refund") and exploits the logos of the Italian Government. The email, addressed generically to Italian citizens, promises a refund of €268.30. As often happens in phishing campaigns, urgency is exploited, warning that the offer...

Summary of malicious campaigns in the week of 4 – 10 May 2024 | 10/05/2024 | summary. This week, CERT-AGID detected and analyzed, within the Italian scenario it covers, a total of 23 malicious campaigns, 21 with Italian targets and 2 generic ones that nevertheless affected Italy, making the related 137 indicators of compromise (IOC) identified available to its accredited entities. Below we report the details of the types...

Chainalysis

May 9, 2024 | by Chainalysis Team. Crypto Investigations: Blockchain Intelligence for Law Enforcement. With a global market capitalization exceeding $2 trillion, regulation increasing worldwide, and adoption growing each year, cryptocurrency is here to stay. What does this mean for law enforcement? It’s no surprise that where economic opportunity abounds, so do attempts to subvert it with crime. Much like fiat currency, crypto has been used in connection with scam...

Check Point

Security | May 8, 2024 | Stop Chasing Breaches: Build a Resilient Security Architecture | By Hezi Chen, Head of Competitive Intelligence & Tech Marketing ...

Research, Security | May 9, 2024 | April 2024’s Most Wanted Malware: Surge in Androxgh0st Attacks and the Decline of LockBit3 | By Check Point Team ...

Yehuda Gelb at Checkmarx Security

CISA

Release Date: May 10, 2024 | Alert Code: AA24-131A. Actions for critical infrastructure organizations to take today to mitigate cyber threats from ransomware: Install updates for operating systems, software, and firmware as soon as they are released. Require phishing-resistant MFA for as many services as possible. Train users to recognize and report phishing attempts. SUMMARY Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network def...

Permiso

The MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Framework is a globally accessible knowledge base of adversary tactics, techniques and procedures (TTPs) which is constantly updated to reflect real-world observations of the evolving landscape of cyber threats. MITRE ATT&CK can be described as a comprehensive cybersecurity framework, a threat modeling framework, a taxonomy for cyber threats, and a cyber threat intelligence framework, all rolled into one. This Framework ...

CTF Navigation

Dissecting Windows Malware Series – Creating Malware-Focused Network Signature – Part 5 | Reverse engineering / malware analysis | 4 days ago | admin. In the previous article //8ksec.io/dissecting-windows-malware-series-risc-vs-cisc-architectures-part-4/, we took a little detour and learnt more about CPU architectures, in order to understand the underlying mechanisms assembly code analysis is built upon. We m...

Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion | Penetration techniques | 4 days ago | admin. This is the second blog post in a series, sharing MITRE’s experiences detecting and responding to a nation-state cyber threat actor incident in our research and experimentation network, NERVE. It follows our April 19, 2024 posting, “Advanced Cyber Threats Impact Even the Most Prepared”. In this post...

Custom Beacon Artifacts | Reverse engineering / malware analysis | 4 days ago | admin. If you’re an experienced Cobalt Strike user, you will already know what role the artifact kit plays in customising its binary (executable and DLL) payload artifacts (artefacts for the British). If not, here’s a tl;dr: Beacon is a reflective DLL that needs to be loaded into memory to run. When a payload gets generated in Cobalt Strike, the reflective Beacon...

Cyberdom

by SecWriter · May 11, 2024 As part of ongoing research and hunting, as well as investigating security incidents, I encounter many cases where there are gaps in security tools, systems do not document and collect logs properly or do not display them as we would like, attackers are very skilled, and finding evidence can be complex. Visibility and logs missing or not displayed correctly can decide the results of an incident investigation and even lead to a lack of visibility. In the cloud, lack of...

Cybereason

Written By Cybereason Security Services Team Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis Report, Cybereason’s Security Research Team explores the security implications, vulnerabilities, and potential mitigation strategies surrounding Hidden VNC (hVNC) and Hidden RDP (hRDP), as well as showcasing examples o...

Cyble

Ransomware May 10, 2024 In the Shadow of Venus: Trinity Ransomware’s Covert Ties Cyble investigates a newly identified ransomware variant Trinity and its potential connections to Venus Ransomware, analyzing the similarities between them. Key Takeaways CRIL (Cyble Research and Intelligence Labs) has discovered a new ransomware variant named Trinity. This variant employs a double extortion technique to target victims. The Threat Actors (TA) behind Trinity ransomware utilize both victim support and...

Cyfirma

Published On: 2024-05-09 | Ransomware of the Week. CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization. Type: Ransomware. Target Technologies: MS Windows. Introduction: CYFIRMA Research and Advisory Team has found Repair ransomware while monitoring various underground forums as part of our Threat Discovery...

Detect FYI

Dirk-jan Mollema

10 minute read Temporary Access Passes are a method for Microsoft Entra ID (formerly Azure AD) administrators to configure a temporary password for user accounts, which will also satisfy Multi Factor Authentication controls. They can be a useful tool in setting up passwordless authentication methods such as FIDO keys and Windows Hello. In this blog, we take a closer look at the options attackers have to abuse Temporary Access Passes for lateral movement, showing how they can be used for password...

Esentire

Security Advisories | Apr 25, 2024 | Two Cisco Zero-Day Vulnerabilities Exploited. THE THREAT: On April 24th, Cisco, in coordination with the Canadian Center for Cyber Security (CCCS), the Australian Cyber Security Centre (ACSC), and the National...

By eSentire Threat Response Unit (TRU) | May 8, 2024 | 6 mins read | Attacks/Breaches, Threat Intelligence, Threat Response Unit, TRU Positive/Bulletin. Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in ...

Flashpoint

Alleged LockBit developer created and operated most prolific ransomware variant under aliases “LockBit” and “LockBitSupp”; U.S. State Department offers reward up to $10M; U.S. Department of Treasury designates LockBit administrator for sanctions. Flashpoint | May 7, 2024. “The U.S. Justice Department unsealed charges today against a Russian national for his alleged role as the creator, developer, and administrator of the LockBit ransomware group from its inception in September 2019 throu...

Fortinet

By Douglas Jose Pereira dos Santos | May 06, 2024 In the second half of 2023, the cybersecurity landscape experienced various significant developments—like the rise in sophisticated attacks targeting large-scale enterprises and critical industries—that impact every organization. In our 2H 2023 Threat Landscape Report, we examine the cyberthreat landscape over the year’s second half to identify trends and offer insights on what security professionals should know to effectively protect their organ...

g0njxa

InfoSec Write-ups

Intel471

May 06, 2024 Arm Yourself with Knowledge in The 471 Cyber Threat Report 2024 It’s time to arm yourself against cybercrime with the Intel 471 Cyber Threat Report 2024, our comprehensive cyber threat intelligence (CTI) analysis of threat actor activity and techniques from January 2023 to March 2024. We also look at the varied motivations of hacktivist groups, ransomware gangs, and initial access brokers (IABs), and highlight emerging trends to help you stay ahead of a rapidly changing threat lands...

May 07, 2024 Extortion attacks by cybercriminal gangs who steal and encrypt files continue to be one of the top threats to critical infrastructure, enterprises, governments, educational institutions and health care organizations. Countries including the U.S. and U.K. classify these ransomware attacks as national security threats due to the disruption, impacts and cost of recovery. These attacks continue to grow in scale. We observed more than 4,000 attacks in 2023, almost double the ransomware i...

Intrinsec

by CTI Team | May 6, 2024 | Cyber Threat Intelligence, Threat Intelligence Report. Key findings: How a pivot on the Whois of the C2 domains of Matanbuchus can be leveraged to anticipate future campaigns and wider threats. A seemingly Russia-based Bulletproof hosting service is currently used by impactful intrusion sets leveraging Matanbuchus and SocGholish malware. How the encrypted strings contained in the Matanbuchus DLL can be dynamically decrypted with emulation. TA577 could currently be a ...

Jamy Casteel at Kroll

Jamy Casteel: According to Gartner, the global market for cloud infrastructure services increased by 30% in 2022, exceeding $100 billion for the first time. AWS and Azure account for almost two-thirds of this figure. While many organizations benefit from these platforms, the popularity of the cloud can also present significant security challenges. The ethical hacking of Azure and AWS by expert practitioners provides key insights into potential vulnerabilities and the ways in which thre...

Kashinath T Pattan at Juniper Networks

Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation | May 7, 2024 | by Kashinath T Pattan. Juniper Threat Labs has been monitoring exploitation attempts targeting Ivanti Pulse Secure authentication bypass and remote code execution vulnerabilities. We have observed instances of Mirai botnet delivery in the wild, using this exploit with remote code execution capa...

KELA Cyber Threat Intelligence

It’s Not Over, Yet… Law enforcement has once again targeted LockBit, the notorious ransomware gang, but the end of this group remains uncertain. Despite multiple high-profile crackdowns, LockBit’s operations continue unabated, illustrating their resilience against law enforcement efforts. This ongoing challenge is highlighted by insights from KELA’s threat researchers, recently featured on Wired.com. As we delve deeper into LockBit’s history and recent takedown attempts, it becomes clear why a f...

Brian Krebs at Krebs on Security

May 7, 2024. The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using LockBit to attack more than 2,000 victims and extort at least $100 million in ransomware payments. Image: U.K. National Crime Agency. Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, ...

Ugur Koc and Bert-Jan Pals at Kusto Insights

Kusto Insights - April Update | Ugur Koc and Bert-Jan Pals | May 07, 2024. Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, a quick summary of what is going on in the world of KQL including News and Blogs from the Community as well as fro...

Marcus Edmondson at ‘The Threat Hunter’s Dilemma’

Stacking in Velociraptor in 1 Minute: Stacking the threat hunting superpower. | Marcus Edmondson | May 10, 2024. What is stacking? Stacking is just another name for grouping like objects together and counting the amount of each like object. Very useful for finding anomalies. Also the larger the environment the more useful it is. One ...

Priyanka Agarwal at Microsoft’s ‘Security, Compliance, and Identity’ Blog

Mohammed AlAqeel (AlJawarneh)

Mohammed AlAqeel (AlJawarneh) | Published May 9, 2024. Cyber Defense researchers observed a new technique used by APT Group, specifically using ransomware groups to evade EDR solutions and dump credentials (lsass memory) by...

Obsidian Security

Grace Chi at Pulsedive

In part 3, we examine the challenges, organizational context, and issues with methods used for cyber threat intelligence sharing. Grace Chi | May 11, 2024 | 5 min read. BLUF: Organizational Challenges Persist: Respondents highlighted legal liabilities, sharing restrictions, lack of formalized processes, and measurement gaps hampering efforts. Despite these obstacles, there's a noted increase in visibility with leadership. The vast majority of respondents dedicate 1-10 hours a week to sharing efforts, ...

Tyler McGraw, Thomas Elkins, and Evan McCann at Rapid7

May 10, 2024 | 8 min read | Rapid7 | Last updated at Fri, 10 May 2024 17:55:27 GMT. Co-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann. Executive Summary: Rapid7 has identified an ongoing social engineering campaign that has been targeting multiple managed detection and response (MDR) customers. The incident involves a threat actor overwhelming a user's email with junk and calling the user, offering assistance. The threat actor prompts impacted users to download remote monitoring a...

Recorded Future

Posted: 8th May 2024 | By: Insikt Group®. New research from Recorded Future’s Insikt Group describes a complex influence campaign known as Emerald Divide, believed to be conducted by Iranian-aligned actors and active since 2021. The campaign aims to manipulate Israeli society by amplifying ideological divisions and diminishing trust in the Israeli government, particularly by capitalizing on reactions to the Israel-Hamas conflict and other social and political issues. Individual components of this in...

Posted: 9th May 2024 | By: Insikt Group®. In early March 2024, Insikt Group identified a malign influence network, CopyCop, skillfully leveraging inauthentic media outlets in the US, UK, and France. This network is suspected to be operated from Russia and is likely aligned with the Russian government. CopyCop extensively used generative AI to plagiarize and modify content from legitimate media sources to tailor political messages with specific biases. This included content critical of Western polici...

Susannah Clark Matt at Red Canary

Resecurity

Cyber Threat Intelligence 6 May 2024 hacktivists, data leak, data breach, personal data, identity protection, biometrics A threat actor leaked the personally identifiable information (PII) of over five million citizens from El Salvador on the Dark Web, impacting more than 80% of the country’s population. The threat actor, going by the alias ‘CiberinteligenciaSV,’ posted the 144 GB data dump to Breach Forums, writing that the leak included 5,129,518 high-definition photos, each labeled with the c...

SANS Internet Storm Center

Analyzing Synology Disks on Linux | Published: 2024-05-08 | Last Updated: 2024-05-08 07:00:07 UTC | by Xavier Mertens (Version: 1). Synology NAS solutions are popular devices. They are also used in many organizations. Their product range goes from small boxes with two disks (I’m not sure they still sell a single-disk enclosure today) up to monsters, rackable with plenty of disks. They offer multiple disk management options but rely on a lot of open-source software (like most appliances). For e...

Detecting XFinity/Comcast DNS Spoofing | Published: 2024-05-06 | Last Updated: 2024-05-08 00:15:59 UTC | by Johannes Ullrich (Version: 1). ISPs have a history of intercepting DNS. Often, DNS interception is done as part of a "value add" feature to block access to known malicious websites. Sometimes, users are directed to advertisements if they attempt to access a site that doesn't exist. There are two common techniques for how DNS spoofing/interception is done: The ISP provides a recommended D...

Analyzing PDF Streams | Published: 2024-05-09 | Last Updated: 2024-05-09 15:02:37 UTC | by Didier Stevens (Version: 1). Occasionally, Xavier and Jim will ask me specific students' questions about my tools when they teach FOR610: Reverse-Engineering Malware. Recently, a student wanted to know if my pdf-parser.py tool can extract all the PDF streams with a single command. Since version 0.7.9, it can. A stream is (binary) data, part of an object (optional), and can be compressed, or otherwise ...

Securelist

Publications | 08 May 2024. Table of Contents: Ransomware landscape: rise in targeted groups and attacks; Other notable ransomware variants; Trends observed in our incident response practice; Ransomware groups’ tactics and techniques; Ransomware: becoming a matter of national and international security; Ransomware – what to expect in 2024. Authors: Kaspersky. Ransomware attacks continue to be one of the biggest contemporary cybersecurity threats, affecting organizations and individuals alike on a glo...

APT reports | 09 May 2024. Table of Contents: The most remarkable findings; Middle East; Southeast Asia and Korean Peninsula; Hacktivism; Other interesting discoveries; Final thoughts. Authors: GReAT. For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research. They provide a representative snapshot of what we have published and di...

Douglas Bonderud at Security Intelligence

On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code. While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were activel...

Anusthika Jeyashankar at Security Investigation


SOCRadar

May 09, 2024 | 9 mins read | Dark Web Profile: APT31. Advanced Persistent Threat Group 31 (APT31), also known by aliases like ZIRCONIUM or Judgment Panda, represents a sophisticated cybersecurity threat with ties to state-sponsored activities. Threat Actor Card of APT31. This group is believed to operate primarily on behalf of the Chinese government, engaging in cyber...

Ania Kacewicz and Cui Lin at Splunk

By Ania Kacewicz, Cui Lin. In our previous blog of this series, we presented typical strategies to prevent the whole UBA system performance from downgrading at an early stage. Then, we introduced a sample notebook to demonstrate how to validate data and monitor models to gain insights into the scalability of UBA clusters. In this blog, we will discuss how the scalability performance of Account and Device Exfiltration models can be achieved in Splunk ...

Stephan Berger

6 May 2024. Table of Contents: Insider Threat?; Let me introduce you Canarytokens; Excel Canarytoken; Another story - Elevate Kit from CobaltStrike; But why?; Conclusion; Bottom line. Insider Threat? We were contacted by a company that regularly sends emails to customers promoting new services and discounts. An Excel is uploaded to a web server, where a job processes the file to create an email per customer, taking the email addresses from the uploaded Excel file. For a significant period of time, the co...

Today I Learned - Zsh History Timestamps | 7 May 2024. Table of Contents: Zsh Timestamps; man page. Zsh Timestamps: In Zsh, which serves as the default shell for Kali, Gentoo, and macOS (replacing Bash in macOS Catalina), among others, the shell session retains the command history with timestamps in memory. Throughout the session, each executed command is logged in the history along with a timestamp denoting its execution time. To view the command history on a live system, we can execute one of the fol...

10 May 2024. Table of Contents: Introduction; Find installed software; Removing folders; Remove traces in the Firewall Rules; Testing; Conclusion. Introduction: Fox_threatintel tweeted recently about an open directory on 91.215.85.18:9380/. I downloaded all the files from this directory and stumbled upon a ‘cleaner’ script, which we will examine in this short blog post. The original script is available on VirusTotal. Figure 1: Tweet from Fox_threatintel. Find installed software: First, the script defines a...

Guillaume André at Synacktiv

Written by Guillaume André - 06/05/2024 - in Pentest. A few months following our blogpost on Microsoft Defender for Identity, new alerts related to Active Directory Certificate Services were added. This article will focus on suspicious certificate usage alerts: the detection mechanism will be explained as well as how to avoid raising any alert. In addition, a PowerShell script will be released to perform Kerberos authentication via PKINIT with the Windows API, from a non domain-joined...

Triskele Labs

Triskele Labs’ Post | 2d. Multi-factor authentication (MFA) in 2024 is a must-have. It combines basic security measures with additional verification methods to make access to environments more difficult for threat actors. However, as with e...

Raunak Parmar at White Knight Labs

by Raunak Parmar | May 7, 2024 | Uncategorized This will be a multi-part blog series on abusing logic apps. In this blog, we will cover a few scenarios on how we can leverage our privileges on our storage account linked with a logic app to gain access on Logic Apps and create our new workflow, upload code that will allow us to execute system commands, and more. We will understand the relationship between logic apps and storage accounts. Let’s start from scratch by first understanding storage acc...