Lunchtime threat hunt: map recent MS/Storm-0558 detections to Google Workpace/GMail. Summary: fail.

CISA noted that a US gov entity detected the incident via analysis of the `MailItemsAccessed` event type: "In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs." This event type was only available via more expensive E5 logging, which many/most don't pay for). MS changed this today to make available to more customers without paying extra, after pressure.

Maybe I'm missing something but I can't seem to find a Google Workspace equivalent event type in Security Center ( https://support.google.com/a/answer/11482175?sjid=7101640716602908317-NA , Enterprise Plus licensing). Does Google not log these types of events?

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a

This technique of infecting common file types on target networks for reinfection is under appreciated by defenders and under utilized by adversaries. It’s why we prepared so thoroughly for migration of an Aurora victim to a clean network back in 2010.

Thrunting file mods by process other than the default URI handler is a great starting query, especially PowersHell.exe.

"Another interesting aspect of Gamaredon infections is that the threat actors plant as many as 120 malicious infected files per week on the compromised system to increase the likelihood of re-infection."

https://www.bleepingcomputer.com/news/security/gamaredon-hackers-start-stealing-data-30-minutes-after-a-breach/?

This post brought to you by bitcoin.

https://apnews.com/article/north-korea-kim-icbm-nuclear-802a6a0719460463030c50429d27a087

Never forget.

https://krebsonsecurity.com/2023/06/russian-cybersecurity-executive-arrested-for-alleged-role-in-2012-megahacks/?utm_source=substack&utm_medium=email

Q3 OKRs find you uninspired? Our infrastructure security team is looking for a senior enterprise / corpsec security engineer who's looking to make an impact and move the program forward . Great mission, team and company

https://grnh.se/a6ecc2251us

I often get asked for advice on how to get into this field (infosec generally and/or D&R specifically). Sometimes by people who work in adjacent fields. I also get asked for advice on how to demonstrate domain experience. Here is a great post by Efi Kaufman on how to build a nearly free home network security monitoring stack using all the same tools one would find in a corporate environment. Building this lab and running it for some time is invaluable experience for someone trying to enter the field. And a great resume builder to boot. One might even be well prepared for a number of interview questions.

https://www.linkedin.com/posts/efik_your-almost-free-home-network-detection-activity-7032752308106977280-3for?utm_source=share&utm_medium=member_desktop