Herbie Zimmerman (@HerbieZimmerman)'s Twitter Profile
Herbie Zimmerman

@HerbieZimmerman

SOC analyst and wanna-be malware researcher.

ID:982533264

Website: https://www.herbiez.com | Joined: 01-12-2012 13:26:30

3.3K Tweets

2.5K Followers

962 Following

Matt Zorich (@reprise_99)

Microsoft Graph Activity Logs are out of public preview and now generally available. These have quickly become one of my favourite log sources for both detections and investigations, some guidance and example hunting queries here - techcommunity.microsoft.com/t5/microsoft-e…

Jai Minton (@CyberRaiju)

Just contributed 4 new entries on behalf of Huntress to the Hijack Libs project (created by Wietze).

Tracking and stopping malicious actors is a team effort, and contributing back to projects like this, LOLBAS, MITRE ATT&CK etc. helps defenders overall, so if you can, do it.

Philippe Lagadec (@decalage2)

Some threat actors are still using maldocs with VBA macros, so it must be working.
In some cases we can even see interesting and rarely used techniques. Let's analyse the following sample with oletools and cyberchef:

Nasreddine Bencherchali (@nas_bench)

New blog post from Mohamed Ashraf (@X__Junior) and me, where we did a deep dive into a recent KamiKakaBot sample we encountered.

Unveiling KamiKakaBot – Malware Analysis nextron-systems.com/2024/03/22/unv…

Nextron Systems

Security Onion (@securityonion)

Looking for a fun project? 😁

Want to practice your 🔍 and 🕵️ skills?

Install the NEW 🧅 2.4.60 in a VM:
docs.securityonion.net/en/2.4/first-t…

Then follow along with some of our quick analysis posts:…

John Hammond (@_JohnHammond)

Showcasing NetExec, exploiting an Active Directory environment! AND, this video comes with an interactive lab environment for you to follow along -- name your price training! You can access the material for free, you just need to cover the VM lab time. 😁 youtube.com/watch?v=3SQMZz…

Herbie Zimmerman (@HerbieZimmerman)

Been a while since I came across , but saw the update.js come from hxxps://invisiblepeople[.]tv/why-i-support-regulating-the-public-feeding-of-homeless-people/<...>. Couldn't pull the file unfortunately.
urlscan.io/result/2857487…

Jai Minton (@CyberRaiju)

As a child my old man used to say I 'cheated' in video games. Knowing game mechanics and cheating are 2 different things. On that note, my latest video is out 🎉

I demonstrate the basics of video game hacking through memory and save file manipulation.

youtu.be/8puZTOOWlqA

Kostas (@Kostastsale)

When responding to potential ScreenConnect compromises, you can use the below PowerShell command to accelerate the process:

Looking for strings:
1️⃣ /SetupWizard.aspx/
2️⃣ python-requests (the user agent)

Get-ChildItem C:\inetpub\logs\LogFiles\W3SVC*\*.log | Where-Object {…
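An added example, not the command from the tweet: a PowerShell function that reads IIS W3C logs from the path the tweet names, maps columns by each file's `#Fields:` header (so site-specific column order does not matter), and reports requests containing either of the two strings above. The function name and the sample log are constructed for this example.

```powershell
# Added example (not the tweet's command). Parses IIS W3C logs by their
# #Fields header and flags the two ScreenConnect indicators named above.
function Find-ScreenConnectIndicators {
    param(
        [string[]]$LogPath    = @('C:\inetpub\logs\LogFiles\W3SVC*\*.log'),
        [string[]]$UriNeedles = @('/SetupWizard.aspx/'),
        [string[]]$UaNeedles  = @('python-requests')
    )
    foreach ($file in Get-ChildItem -Path $LogPath -File -ErrorAction SilentlyContinue) {
        $fields = $null
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            if ($line.StartsWith('#Fields:')) {
                # Column order differs between sites, so map names to positions
                $fields = $line.Substring(8).Trim() -split '\s+'
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $cols = $line -split ' '
            $row  = @{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) {
                $row[$fields[$i]] = $cols[$i]
            }
            $uri = $row['cs-uri-stem']
            $ua  = $row['cs(User-Agent)']
            $reasons = @()
            foreach ($n in $UriNeedles) { if ($uri -and $uri.Contains($n)) { $reasons += "uri:$n" } }
            foreach ($n in $UaNeedles)  { if ($ua  -and $ua.Contains($n))  { $reasons += "ua:$n" } }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    File      = $file.Name
                    Time      = "$($row['date']) $($row['time'])"
                    ClientIP  = $row['c-ip']
                    Method    = $row['cs-method']
                    Uri       = $uri
                    UserAgent = $ua
                    Reason    = $reasons -join ','
                }
            }
        }
    }
}
# Constructed sample log for an offline run: only the second request should be reported.
$sample = Join-Path $env:TEMP 'u_ex240101.log'
@'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:00 10.0.0.5 GET /Login.aspx - 8040 - 10.0.0.9 Mozilla/5.0 200
2024-01-01 10:00:05 10.0.0.5 POST /SetupWizard.aspx/ - 8040 - 198.51.100.7 python-requests/2.31.0 200
'@ | Set-Content -Path $sample
Find-ScreenConnectIndicators -LogPath $sample | Format-Table -AutoSize
```

Run without `-LogPath` on the server itself to walk every W3SVC site log; pivot on `ClientIP` and `Time` from the hits to scope the rest of the investigation.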

Florian Roth (@cyb3rops)

We moved the Huntress YARA rule & some of our own into my open source repo, which is used for THOR Lite⚡️& THOR Cloud Lite 🌩️

> use these free tools to perform compromise assessments on your hosts ✅

github.com/Neo23x0/signat…

THOR Cloud Lite
thorcloud-lite.nextron-systems.com

Florian Roth (@cyb3rops)

I've processed Huntress' awesome report on post-exploitation activities observed in relation to the #ScreenConnect vulnerability and created 15 YARA rules

Report
huntress.com/blog/slashandg…

Rules
github.com/Neo23x0/signat…
(I've put the THOR APT Scanner only rules at the end)

IOCs…

Nasreddine Bencherchali (@nas_bench)

We just finished processing, or in other words we just 'Slash & Grabbed', this amazing report from the Huntress team. Made some updates and added some new Sigma rules. But fortunately a lot of it was already covered by old generic rules.

Here is a quick thread on every Sigma…

mthcht (@mthcht)

Hunt for Google Remote Desktop usage in your environment:
Detection patterns: github.com/mthcht/ThreatH…
Destination port: github.com/mthcht/awesome…
Windows Service names: github.com/mthcht/awesome…
Windows Firewall rule name: github.com/mthcht/awesome…
