[Threatview.io]⚡️Glad to see #cobaltstrike detections based on ioc’s detected by our scanner present in Suricata Signatures - “ET Threatview.io High Confidence Cobalt Strike C2”

🚀 More new detection rules updated for c2 & #phishing

#dfirreport

https://thedfirreport.com/2024/08/26/blacksuit-ransomware/

BlackSuit Ransomware

Key Takeaways In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor leveraged va…

The DFIR Report

Woah @TheDFIRReport has an audio version of their latest report

#security #dfirreport #audio

The DFIR Report folks released one of their private/paid reports related to the recent WS_FTP vulnerability. A glimpse into a whole company being run like an easy difficulty Hack the Box machine.

https://thedfirreport.com/wp-content/uploads/2023/11/WS_FTP-Exploit-Activity-leads-to-Sliver.pdf

#dfirreport #hacking #redteam #pentesting

Here's a handy script to gather up hashes for all Rclone releases, along with the current results.

https://gist.github.com/rmceoin/efedac0f86884dea548dc757b4a885ef

The recent year in review by #DFIRReport has a ton of great intel and as I've seen many times before rclone is called out. It is frequently used for exfil.

So, along with other tools, rclone has been on my hit list to chase down the hashes and see what our defenses think of them and if used internally.

It turns out Rclone is on GitHub and appears to host the last several years of releases there. With a little GitHub and Bash magic out pops all the recent hashes. I stayed focused just on the Windows hashes.

No doubt a TA would pivot to another method, but the hope would be it'd delay them and help set off more alarms as they bump around.

#ThreatIntel

Rclone hashes


Gist
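The post above describes the approach only in outline (pull the release checksums from GitHub, keep the Windows ones). As an added example, not the linked gist and not rclone's own tooling, the Python below does the same job in two parts: a parser for the standard `SHA256SUMS` format (`<hex>  <filename>`, optional `*` for binary mode) that keeps only entries whose filename contains a platform substring, and a fetcher that walks the GitHub Releases API for the `rclone/rclone` repository. It assumes each rclone release attaches an asset literally named `SHA256SUMS` and that Windows builds carry `windows` in the filename; both are assumptions about rclone's release layout rather than facts stated on this page. The sample checksum text is constructed, and the digests in it are not real rclone hashes.

```python
"""Collect SHA256 hashes of rclone Windows release binaries for blocklist / hunt use.

Added example, not the gist from the post. Assumptions: rclone releases attach a
"SHA256SUMS" asset in the usual coreutils format, and Windows builds contain
"windows" in their filename.
"""
import json
import re
import urllib.request

RELEASES_API = "https://api.github.com/repos/rclone/rclone/releases"  # real endpoint
# coreutils sha256sum output: 64 hex chars, whitespace, optional '*' (binary mode), name
SUM_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$")


def parse_sha256sums(text, platform="windows"):
    """Return {filename: sha256} for checksum lines whose filename contains `platform`."""
    out = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines, comments, or anything not a checksum entry
        digest, name = m.group(1), m.group(2)
        if platform in name.lower():
            out[name] = digest
    return out


def fetch_sha256sums_urls(limit=10):
    """Ask the GitHub Releases API for the SHA256SUMS asset URL of the newest releases.

    Network call; the asset name "SHA256SUMS" is an assumption about rclone's layout.
    """
    req = urllib.request.Request(
        f"{RELEASES_API}?per_page={limit}",
        headers={"Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        releases = json.load(resp)
    urls = []
    for rel in releases:
        for asset in rel.get("assets", []):
            if asset.get("name") == "SHA256SUMS":
                urls.append((rel["tag_name"], asset["browser_download_url"]))
    return urls


def collect_windows_hashes(limit=10):
    """Download each release's SHA256SUMS and return {sha256: "tag/filename"} for Windows builds."""
    hashes = {}
    for tag, url in fetch_sha256sums_urls(limit):
        with urllib.request.urlopen(url) as resp:
            text = resp.read().decode("utf-8", errors="replace")
        for name, digest in parse_sha256sums(text).items():
            hashes[digest] = f"{tag}/{name}"
    return hashes


# Constructed sample in SHA256SUMS format; these digests are NOT real rclone hashes.
SAMPLE_SUMS = "\n".join([
    "a" * 64 + "  rclone-v1.65.0-linux-amd64.zip",
    "b" * 64 + "  rclone-v1.65.0-windows-amd64.zip",
    "c" * 64 + " *rclone-v1.65.0-windows-386.zip",  # binary-mode marker
    "not a checksum line",
])


def sample_windows_hashes():
    """Offline demonstration of the parser on the constructed sample."""
    return parse_sha256sums(SAMPLE_SUMS)


if __name__ == "__main__":
    # Offline run on the sample; swap in collect_windows_hashes() for the live feed.
    for name, digest in sample_windows_hashes().items():
        print(digest, name)
```

The inverted map returned by `collect_windows_hashes` (digest as key) is the shape you want when feeding an EDR or SIEM lookup: a hit on a digest tells you which release and build was staged, and the parser's platform filter is what keeps the list to the Windows builds the post focused on.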
#DFIRReport 2022 year in review is out. Great reading as always. https://thedfirreport.com/2023/03/06/2022-year-in-review/

2022 Year in Review - The DFIR Report

As we move into the new year, it’s important to reflect on some of the key changes and developments we observed and reported on in 2022. This year’s year-in-review report …

The DFIR Report

The new report from #DFIRreport is insane!

Last spam toot and then I need to get into the projects, the new #dfirreport is out!

https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/

Follina Exploit Leads to Domain Compromise

In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain.

The DFIR Report

Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack - Researchers said the group was able to move from initial phish to full domain-wide encryption in j... https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/ #initialphishingemail #privilegeescalation #vulnerabilities #activedirectory #attackanalysis #cve-2020-1472 #cobaltstrike #websecurity #bazarloader #dfirreport #fivehours #zerologon #malware #ryuk
Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack

Researchers said the group was able to move from initial phish to full domain-wide encryption in just five hours.

Threatpost - English - Global - threatpost.com