➡️Threat Actor logs in via RDP ➡️Drops browser ➡️Logs into personal social media account ➡️Transfers files/links through social media ➡️Fails to accomplish mission ➡️Disconnects RDP session leaving social media on screen on the messages tab
Twitter Web App : H. C:\arveyMISP We didn't see Defender Control during this intrusion and we didn't see any commands run or reg keys created around that time, which leads us to believe it was manually turned off but can't confirm. Here's the log
Twitter Web App : While it may be annoying getting hit by these smaller players may save you if you can initiate controls before the Big Game Hunters show up. Biggest advice, keep single factor remote access (RDP) off the internet!
iPhone : Published Sysinternals updates, including Sysmon file delete monitoring, and trying something new: I recorded a video describing the updates and demoing the new Sysmon feature. twitter.com/Sysinternals/s…
Twitter Web App : An actor logged into the honeypot via RDP and installed XMRig with multiple persistence mechanisms. The actor used icacls and attrib to lock down directories and files to make detection and eradication difficult. #infosec #dfir #iocs
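The post above describes icacls and attrib being used to lock down the miner's directories so the files are harder to find and remove. The following is an added detection example, written by the editor and not code from the honeypot's author: it runs over constructed Sysmon-style process-creation records (Image, CommandLine, ParentImage fields) and flags the two patterns the post names, an icacls `/deny` ACE and attrib setting both the system and hidden attributes. The field names mirror Sysmon Event ID 1; the sample command lines and paths are constructed, not the honeypot's real IoCs.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
# These are illustrative, not telemetry from the honeypot in the post.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\ProgramData\svc" /deny Everyone:(OI)(CI)(F) /T',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +s +h "C:\ProgramData\svc\*" /S /D',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign-looking administration: granting, not denying, access.
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls C:\Users\alice\Documents /grant alice:(OI)(CI)(M)',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign attrib use: clearing read-only on a single document.
    {"Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib -r report.docx",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# "/deny <principal>:" is the icacls syntax for adding a deny ACE. A deny ACE on a
# directory the actor created is what blocks scanners and operators from reading it.
ICACLS_DENY = re.compile(r"/deny\s+\S+?:", re.IGNORECASE)

# attrib flags are case-insensitive; +s (system) together with +h (hidden) is the
# combination that makes files vanish from default Explorer and dir listings.
ATTRIB_FLAG = re.compile(r"(?<!\S)\+([shr])(?!\S)", re.IGNORECASE)


def classify(event):
    """Return a tag for a lockdown-style command, or None if the record looks benign."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if image.endswith("icacls.exe") and ICACLS_DENY.search(cmd):
        return "icacls_deny_ace"
    if image.endswith("attrib.exe"):
        flags = {m.group(1).lower() for m in ATTRIB_FLAG.finditer(cmd)}
        if {"s", "h"} <= flags:
            return "attrib_system_hidden"
    return None


def find_lockdown_events(events):
    """Return (tag, command_line) pairs for every record that matches a lockdown pattern."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag is not None:
            hits.append((tag, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for tag, cmd in find_lockdown_events(SAMPLE_EVENTS):
        print(f"{tag}: {cmd}")
```

Both commands are legitimate administration tools, so the rule is a triage hint rather than a verdict: the ParentImage field is carried through so an analyst can weigh an interactive cmd.exe parent under an RDP session differently from a scripted deployment.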