Security Analyst | Threat Intel | CTF | Security Researcher | Detection Engineering.

RT != Endorsement

@faisalusuf.bsk.social
@faisalusuf

ThreatIntel
BlueTeam
Microsoft, after embracing Elon Musk on stage at Build and in product, has abandoned their yearly diversity report. https://www.theverge.com/tech/838079/microsoft-diversity-and-inclusion-changes-notepad

@faisalusuf Palo will tell you if you got owned if you upload a support dump.

I strongly suggest everyone with a GlobalProtect endpoint does this, and if they are owned follow the palo guidance.

Alex

Calendly being targeted recently. Here are the IOCs you may want to block:

#phishing
#threatintel
#threathunting

Those patching their PaloAlto CVE-2024-3400 should also consider performing a compromise assessment.

IOC: https://github.com/volexity/threat-intel/blob/main/2024/2024-04-12%20Palo%20Alto%20Networks%20GlobalProtect/indicators/iocs.csv
Always destroy your login session once you are done; don't be lazy and just click the browser X button.

OKTA Breached Again.
Threat hunting rules are pushed to @sigma_hq official repo.

Based on the #BeyondTrust and #cloudflare investigation and threat hunting of the IOC, a set of rules is published in the @sigma_hq repository to identify the IOCs in the environment.

https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/TA/Okta-Support-System-Breach/README.md
Rules:
1- rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml
2- rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml
3- rules/cloud/okta/okta_admin_activity_from_proxy_query.yml

#OKTA #oktabreach
SOC preventing data exfiltration while the IR team neutralizes the threat...

The detection rules are published in the Sigma official repo for both Linux and Windows OS, based on the @Mitiga_io report.

https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
Analyze suspicious emails with Tines and urlscan - Phish.ly

Forward a suspicious email (or an .eml attachment) to [email protected], Tines will automatically analyze the URLs with urlscan and send you a report.
Popcorn hour will start when X (Twitter) changes the API base URL.