mastouille.fr is one of the many independent Mastodon servers you can use to take part in the fediverse.
Mastouille is a sustainable, open Mastodon instance hosted in France.

#readoftheday

Just Another Blue Teamer<p>Good day everyone!</p><p>Check Point Software researchers provide us a detailed report on a newly discovered malware, <a href="https://ioc.exchange/tags/StyxStealer" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>StyxStealer</span></a>! It is capable of "stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency" and contains defense evasion techniques. While the malware may be new, one technique that stood out isn't! The use of the Windows run registry key for persistence (Software\Microsoft\Windows\CurrentVersion\Run) is not. </p><p>This registry key is abused because of the function it carries with it: you can reference an executable or script or whatever you want in the registry details and it will execute once a user logs in. This removes the need for the adversary to have to social engineer or compromise a host over and over again. </p><p>Knowing that, enjoy the article and stay tuned for your Threat Hunting Tip of the Day! 
</p><p>Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove<br><a href="https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">research.checkpoint.com/2024/u</span><span class="invisible">nmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/</span></a></p><p>Cyborg Security Intel 471 <a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a></p>
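A small triage routine for the behavior described in the post above (a value written under the Run key that launches something at logon) and for the "Autorun or ASEP Registry Key Modification" hunt the following post links to. It is an added example, not code from the post, from Check Point, or from the Cyborg Security hunt package: it scores Sysmon Event ID 13 (registry value set) records that target the Run or RunOnce key, weighting user-writable payload paths, script-host launchers, encoded PowerShell and scripting-process writers. The event records, SID, user and file paths are constructed for the example.

```python
import re

# Sysmon Event ID 13 = "RegistryEvent (Value Set)". The records below are a
# simplified dict shape, not Sysmon's XML, and every value is constructed.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Launch paths that installer-placed autoruns rarely use.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%temp%", re.I)
# Script hosts and LOLBins the posts describe being chained from a Run key.
SCRIPT_HOST_RE = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
ENCODED_RE = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def score_run_key_event(event):
    """Return (score, reasons); score 0 means the record is not a Run-key write."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return 0, []
    details = event.get("Details", "")
    score, reasons = 1, ["Run-key value set"]
    if USER_WRITABLE_RE.search(details):
        score, reasons = score + 2, reasons + ["payload lives in a user-writable path"]
    if SCRIPT_HOST_RE.search(details):
        score, reasons = score + 2, reasons + ["script host or LOLBin is the launcher"]
    if ENCODED_RE.search(details + " "):
        score, reasons = score + 3, reasons + ["encoded PowerShell command line"]
    if SCRIPT_HOST_RE.search(event.get("Image", "")):
        score, reasons = score + 1, reasons + ["value written by a scripting process"]
    return score, reasons

def triage(events, threshold=3):
    """Hunt view: Run-key writes at or above threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_run_key_event(ev)
        if score >= threshold:
            hits.append({"value": ev["TargetObject"].rsplit("\\", 1)[-1],
                         "writer": ev.get("Image", ""), "score": score, "why": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)

# Constructed sample records (the SID, user name and paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" --background'},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\client32",
     "Details": "powershell.exe -w hidden -enc <base64-placeholder>"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["score"]}  {hit["value"]:<14} {hit["writer"]}  <- {", ".join(hit["why"])}')
```

The vendor updater scores 1 and drops below the threshold, while the encoded-PowerShell and Temp-path entries surface first; tune the threshold and the path list against your own baseline of installer-created Run values.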
Just Another Blue Teamer<p>Once the registry key was modified and the payload linked to in the registry data, persistence was successfully gained, which enabled the adversaries' repeated access to the victim. This is a great article and just the tip of the iceberg when it comes to technical details, so check it out for yourself! Enjoy and Happy Hunting!</p><p>The Updated APT Playbook: Tales from the Kimsuky threat actor group<br><a href="https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">rapid7.com/blog/post/2024/03/2</span><span class="invisible">0/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/</span></a></p><p>I know I share this Cyborg Security Community hunt package a lot, but it's because this behavior is extremely commonly used! It is just one of many behaviors that we help you hunt for that stand the test of time!</p><p>Autorun or ASEP Registry Key Modification<br><a href="https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">hunter.cyborgsecurity.io/resea</span><span class="invisible">rch/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c</span></a></p><p><a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITSecurity</span></a> <a href="https://ioc.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://ioc.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a> <a href="https://ioc.exchange/tags/huntoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>huntoftheday</span></a> <a href="https://ioc.exchange/tags/get" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>get</span></a> hunting</p>
Just Another Blue Teamer<p>Happy Monday everyone! I hope everyone is doing well!</p><p>Researchers from Rapid7 observed some updated <a href="https://ioc.exchange/tags/TTPs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TTPs</span></a> and behaviors exhibited by the APT known as <a href="https://ioc.exchange/tags/Kimsuky" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Kimsuky</span></a> (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then led to its execution. Following the CHM execution, other behaviors were seen and included registry key modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run). </p><p><a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITSecurity</span></a> <a href="https://ioc.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://ioc.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a> <a href="https://ioc.exchange/tags/huntoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>huntoftheday</span></a> <a href="https://ioc.exchange/tags/gethunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>gethunting</span></a></p>
Just Another Blue Teamer<p><a href="https://ioc.exchange/tags/HappyMonday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyMonday</span></a> and it is that time again!</p><p>The DFIR Report has released their latest report that mentions NetSupport Manager, a remote access tool that I have not heard of before. Initial access was a zip file that contained a .js file which was designed to execute an encoded PowerShell command that deployed the NetSupport tool AND established persistence through the modification of the <a href="https://ioc.exchange/tags/Windows" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Windows</span></a> run registry key. I would go on but you are going to have to read this report for yourself! It is so full of details that I can't begin to cover them myself! Enjoy and Happy Hunting!</p><p>NetSupport Intrusion Results in Domain Compromise<br><a href="https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thedfirreport.com/2023/10/30/n</span><span class="invisible">etsupport-intrusion-results-in-domain-compromise/</span></a></p><p><a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITSecurity</span></a> <a href="https://ioc.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://ioc.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a></p>
Just Another Blue Teamer<p>Good day all! The Computer Emergency Response Team of Ukraine, CERT-UA, reports on a targeted attack attributed to <a href="https://ioc.exchange/tags/APT28" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>APT28</span></a> that they observed against a critical energy infrastructure facility in Ukraine. It started with a <a href="https://ioc.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> email that contained a link to an archive that led to a downloaded zip file that contained three decoy JPGs and a bat file that would run on the victim's computer. The BAT file would, again, open some decoy web pages, but more importantly would create a .bat and .vbs file. There were some discovery commands issued, a TOR program downloaded and hidden on the victim's computer as a hidden service, and abused common ports (445, 389, 3389, 443). Last but not least, a PowerShell script was used to collect the password hash of the account. Enjoy and Happy Hunting!</p><p><a href="https://cert.gov.ua/article/5702579" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="">cert.gov.ua/article/5702579</span><span class="invisible"></span></a></p><p><a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITSecurity</span></a> <a href="https://ioc.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://ioc.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a> <a href="https://ioc.exchange/tags/CERTUA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CERTUA</span></a></p>
Just Another Blue Teamer<p>Good day all! If you have been looking for technical and behavioral artifacts regarding CVE-2023-2868, look no further! Mandiant (now part of Google Cloud) takes a deep-dive into <a href="https://ioc.exchange/tags/UNC4841" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UNC4841</span></a>, a Chinese-nexus threat group, activity that shows how the group is growing in maturity and sophistication. There is a lot to learn about TTPs from this article and I hope you enjoy it as much as I did! Happy Hunting everyone!</p><p>Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)<br><a href="https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">mandiant.com/resources/blog/un</span><span class="invisible">c4841-post-barracuda-zero-day-remediation</span></a></p><p><a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITSecurity</span></a> <a href="https://ioc.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://ioc.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention 
hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a></p>
Just Another Blue Teamer<p>Happy Friday everyone, not only did we make it to the end of the week but to the end of March! Today's <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>readoftheday</span></a> is brought to you by Proofpoint. They report on a threat actor, <a href="https://ioc.exchange/tags/TA473" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TA473</span></a> (aka Winter Vivern &amp; UAC-0114), and how they leveraged a vulnerability in public-facing Zimbra hosted webmail portals to conduct espionage campaigns against NATO personnel. I hope you have a wonderful weekend and Happy Hunting!</p><p>Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe<br><a href="https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">proofpoint.com/us/blog/threat-</span><span class="invisible">insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability</span></a></p><p><a href="https://ioc.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://ioc.exchange/tags/ITSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ITSecurity</span></a> <a href="https://ioc.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://ioc.exchange/tags/BlueTeam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BlueTeam</span></a> <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatHunting</span></a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HappyHunting</span></a></p>