Saltmyhash

@saltmyhash@infosec.exchange

@saltmyhash Probably.

A source working with Aflac on the incident explained that the threat actors did not identify themselves but the characteristics of the attack bear the hallmarks of Scattered Spider.

https://therecord.media/aflac-cyberattack-potential-data-breach

Aflac says it stopped ransomware attack launched by ‘sophisticated cybercrime group’

Insurance industry giant Aflac said it disrupted a cyberattack within hours of discovering it and is now working to determine how much data was potentially breached in the incident.

Hackers switch to targeting U.S. insurance companies

Threat intelligence researchers are warning of hackers breaching multiple U.S. companies in the insurance industry using all the tactics observed with Scattered Spider activity.

BleepingComputer

Hello #Fediverse it is once again #NewMusicFriday and time for #FletchsFridayReleases. As mentioned, a slightly shorter list this week but that doesn’t mean there isn’t gold in them there hills. #Metal #HeavyMetal #DeathMetal #BlackMetal #ThrashMetal #DoomMetal

https://hailsandales.club/weekly-release-roundup-26/

@HailsandAles Cryptopsy’s An Insatiable Violence shortlisted for metal album of the year for me. Only complaint is it’s 33 min long. Highly recommended.

No, the 16 billion credentials leak is not a new data breach

News broke today of a "mother of all breaches," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.

BleepingComputer

@acb like this?

#VicisArt

Investigation Scenario 🔎

A host on your network executed a process whose parent process is mftrace.exe.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

@chrissanders88 mftrace.exe is a legitimate trace log generation tool but is considered a living-off-the-land binary on Windows OS. Specifically, it allows for proxy execution of binaries which is a technique frequently used by threat actors. These utilities are signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. Knowing this, analysts should carefully investigate the child process of mftrace.exe, understanding that its usage may be benign.

First, I would ensure mftrace.exe is being executed out of its typical Windows file directory and not an attacker-controlled location. The LOLBAS project lists the following execution paths for mftrace.exe. Any execution outside of the standard Windows location warrants scrutiny as to how mftrace.exe got there in the first place.

Paths:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe

Next, closely examine the spawned child process, looking for file hash hits in threat intelligence platforms or suspicious child process spawns, network connections, registry edits, or file modification events. I would also determine how the child process was initially spawned. Finally, I would examine the host this is occurring on and who it belongs to. Context on whose host this belongs to is also a useful indicator. Developers may call mftrace.exe for legitimate Event Tracing for Windows (ETW) activities. Seeing mftrace.exe execution on an unusual host such as accounting or the help desk warrants additional scrutiny.

Detection Opportunities:
Depending on the frequency of mftrace.exe execution in your environment, you might want to monitor for any time mftrace.exe executes a payload. A sample Sigma rule (see below) provides a decent jumping-off point for custom detection logic.

References:

LOLBAS Entry for mftrace.exe:
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/

Sigma Rule for suspicious mftrace execution:
https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml

MITRE Map:
T1127: Trusted Developer Utilities Proxy Execution
https://attack.mitre.org/techniques/T1127/

#soc #dfir #threatintelligence

Mftrace on LOLBAS

Mftrace.exe is a living-off-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

LOLBAS
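Added example (my own code, not from the post above nor from the LOLBAS or Sigma projects): a small triage routine that applies the three checks from the reply (parent path, child location, host role) to Sysmon Event ID 1 style process-creation records. The developer-host allowlist, the hostnames and the sample events are constructed assumptions; only the four install paths come from the post.

```python
# Install locations from the LOLBAS entry quoted in the post (lowercased for comparison).
LOLBAS_MFTRACE_PATHS = {
    r"c:\program files (x86)\windows kits\10\bin\10.0.16299.0\x86\mftrace.exe",
    r"c:\program files (x86)\windows kits\10\bin\10.0.16299.0\x64\mftrace.exe",
    r"c:\program files (x86)\windows kits\10\bin\x86\mftrace.exe",
    r"c:\program files (x86)\windows kits\10\bin\x64\mftrace.exe",
}
# Assumption: hostnames where developers legitimately run Media Foundation tracing.
DEV_HOSTS = {"dev-ws01", "dev-ws02"}
# Directory fragments from which a child payload should not normally be launched.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def triage_mftrace_event(event, dev_hosts=DEV_HOSTS):
    """Return None when the parent is not mftrace.exe, else a finding dict.
    `event` uses Sysmon Event ID 1 style field names (Computer, ParentImage, Image).
    Severity rises with the number of independent red flags from the post."""
    parent = event["ParentImage"].lower()
    if not parent.endswith(r"\mftrace.exe"):
        return None
    child = event["Image"].lower()
    reasons = []
    if parent not in LOLBAS_MFTRACE_PATHS:
        reasons.append("mftrace.exe outside its documented Windows Kits path")
    if any(marker in child for marker in USER_WRITABLE_MARKERS):
        reasons.append("child payload launched from a user-writable directory")
    if event["Computer"].lower() not in dev_hosts:
        reasons.append("execution on a non-developer host")
    severity = {0: "low", 1: "medium"}.get(len(reasons), "high")
    return {"host": event["Computer"], "child": event["Image"],
            "severity": severity, "reasons": reasons}


# Constructed sample telemetry (not real events): benign, suspicious and unrelated cases.
SAMPLE_EVENTS = [
    {"Computer": "DEV-WS01", "Image": r"C:\Dev\mf_tests\playback_test.exe",
     "ParentImage": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe"},
    {"Computer": "ACCT-WS07", "Image": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Users\Public\mftrace.exe"},
    {"Computer": "DEV-WS02", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def triage_all(events=SAMPLE_EVENTS):
    """Run the triage over every event, dropping records whose parent is not mftrace.exe."""
    return [f for f in map(triage_mftrace_event, events) if f is not None]
```

`triage_all()` returns one low-severity finding for the developer workstation and one high-severity finding for the accounting host, where all three flags fire at once.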

Benny (the Bull) and the Jets by Elton John #MascotASongOrPoem
#HashTagGames