Threat Hunting

219 posts

Threat Hunting

@Mahdi_htm

Open to negotiate for threat hunting and threat analysis remote services

انضم Mayıs 2018

414 يتبع1.3K المتابعون

تغريدة مثبتة

Threat Hunting@Mahdi_htm·10 Ara

🎯 New report: Battle of the Shadows: APT Wars in C2 Takeovers & Payload Verification Uncover how elite APTs: 🔹 Defend their C2 infrastructure 🔹 Verify payloads to avoid takeovers 🔹 Engage in tactical "shadow wars" link.medium.com/ZV6ibDXjdPb #threatintelligence

English

6.2K

Threat Hunting@Mahdi_htm·15 Oca

How do you know this is Chinese? Just because of aliexpress?

English

291

Threat Hunting@Mahdi_htm·15 Oca

@cyb3rops

QAM

179

Threat Hunting@Mahdi_htm·15 Oca

It seems like the Fortinet team is under heavy pressure as they’ve released a list of attacker IPs. However, I advise against blindly blocking these IPs. They might belong to CDNs or could have already been reassigned to legitimate services. Always verify before taking action.

English

1.4K

Threat Hunting@Mahdi_htm·14 Oca

🚨 After seeing the Snake driver sniff inbound traffic from a mail server using an incredible technique, now we encounter something new: a Linux kernel module that hijacks inbound network traffic to compromised systems. Innovation in attack vectors is relentless.

English

1.2K

Threat Hunting@Mahdi_htm·31 Ara

Whenever you encounter a combination of interviews, video calls, and macOS, you might be targeted by a Lazarus campaign!

neeraj@knight0x07

Initial infection chain of the new #Lazarus Willo Video Interview campaign is outlined in detail within the infographic Releasing an in-depth blog abt the campaign soon. Happy New Year! @banthisguy9349 #cyber #dfir #infosec #cybersecurity #malware #threatintel #cti #dprk #apt

English

244

Threat Hunting@Mahdi_htm·26 Ara

Does anyone know which threat actor is attributed to stealing IIS machine keys for persistence (executing commands on a web server remotely through IIS insecure serialization)? #threatintel

English

210

Threat Hunting@Mahdi_htm·7 Eki

Security vendors with remote command capabilities could be a potential source of lateral movement and command execution.

blackorbird@blackorbird

Malware download and use of the Wazuh SIEM agent for remote access and telemetry harvesting. "remote_commands" option securelist.com/miner-campaign… ref: github.com/wazuh/wazuh

English

350

Threat Hunting@Mahdi_htm·9 Ağu

APT29 and APT28 separately targeted diplomatic entities within a year using decoy and phishing tactics, including a car sale lure. Each group employed distinct methods, such as hosting payloads on public services like webhook. #threatintelligence Thanks Unit42

English

448

Threat Hunting@Mahdi_htm·5 Ağu

@rosyna You are right!

English

156

Rosyna Keller@rosyna·5 Ağu

@Mahdi_htm I had sworn Compiled HTML Help files were deprecated due to security issues before. Am I misremembering?!

English

154

Threat Hunting@Mahdi_htm·4 Ağu

CHM files are being used for Initial Access (Phish-to-Persist), particularly by DPRK-attributed threat actors and more recently in cybercrime operations. #threatintelligence #threathunting

English

5.1K

Threat Hunting@Mahdi_htm·23 Tem

F5 The Perfect Place to Hide China Threat Group Abuses F5 Load for Persistence. The investigation confirmed that the threat actor maintained a presence in the organizations on-premise network for about three years. The overall goal to the target network for espionage. SygniaTeam

English

4.1K

Threat Hunting@Mahdi_htm·17 Tem

Enterprise Threat Hunting to catch and follow Lazarus recent campaign with passive DNS. Validin provides extensive passive DNS records, which map domains to their associated IP addresses over time. This allows analysts to see where a domain has been hosted and track any changes.

English

2.2K

Threat Hunting@Mahdi_htm·27 May

1) Great talk in Positive hack days about OPSEC mistakes, challenges and techniques for my dear partnerships from positive technologies. I have talked about various Threat Intelligence tips and tricks and OPSEC mistakes like NOBUS WebShell, Operations Security (OPSEC),

English

5.1K

Threat Hunting أُعيد تغريده

Florian Roth ⚡️@cyb3rops·22 Ağu

You can either hunt for it or check and apply our Sigma rules If you're unsure whether a detection idea is already covered by an existing rule, you can use the sigmasearchengine.com, which was developed by my team member @ph_t__ We've also integrated the API of that service into the Sigma VSCode extension

Threat Hunting@Mahdi_htm

Initial Access with Compiled HTML File (CHM) have been used by different TAs including APT37 and APT41. For hunting/detecting them you should check hh.exe spawning mshta.exe or any other related LOBINs in Event ID 1 of Sysmon or 4688 See the execution flow in the following pics

English

184

32.8K

Threat Hunting@Mahdi_htm·22 Ağu

English

34.9K

Threat Hunting@Mahdi_htm·27 Tem

APT28 has been targeting Iranian Embassy in Albania with the Browser In The Browser (BITB) phishing technique. Kudos to @_CERT_UA for first discovering this.

English

20K

Threat Hunting@Mahdi_htm·21 Tem

3/3 Do you want to see what attackers did with powershell in your environment? Enable script block logging (EID = 4104 in Microsoft-Windows-PowerShell/Operational) and look for keywords like add-type, net.webclient and CreateThread/CreateRemoteThread and also Sysmon (EID = 3)

English

738

Threat Hunting@Mahdi_htm·21 Tem

2/3 Do not forget about PS script block logging and look for suspicious connections to cloud providers like OneDrive. To enable PS script block logging: HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging $Name = "EnableScriptBlockLogging" Value:1

English

844

Threat Hunting@Mahdi_htm·21 Tem

1/3 #APT37 recent sample with OneDrive C2 communications and PowerShell script block with internal create thread #threathunting

English

7.5K

اكتشف

@cyb3rops @rosyna @ph_t__ @_CERT_UA @elonmusk @BarackObama @taylorswift13 @cristiano