EncapsulateJay

146 posts

EncapsulateJay

EncapsulateJay

@EncapsulateJ

SOC Analyst @HuntressLabs Volunteer @TheDFIRReport

Katılım Şubat 2021
460 Takip Edilen195 Takipçiler
EncapsulateJay
EncapsulateJay@EncapsulateJ·
This case has it all: Malvertising, trojanized software, and, of course ransomware that goes BOOM. If you want to read what like to work boots on the ground as an analyst in 2026, then this is for you. @TheDFIRReport whole team smashed it once again. thedfirreport.com/2026/06/29/fro…
English
0
3
7
2.3K
EncapsulateJay retweetledi
Renzon
Renzon@r3nzsec·
I worked with @RussianPanda9xx and @TheDFIRReport to investigate and publish this flash alert. The trojanized payloads (disguised as legitimate tools like Greenshot, SyncTrayzor, DocFX, and Cake) established primary C2 channels through ClickHouse and Supabase, with secondary backup channels capable of dynamically falling back to Ably, Dropbox, direct HTTP, or even GitHub Issues. This campaign ultimately delivered The Gentleman Ransomware, with aggressive data exfiltration via Rclone and lateral movement using GoTo Resolve RMM. Read the flash report below ⬇️ #dfir #tuktukc2 #etherRAT
The DFIR Report@TheDFIRReport

Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware In April, we observed an intrusion that began with a malicious MSI masquerading as Sysinternals RAMMap and ended in domain-wide deployment of The Gentlemen ransomware. The intrusion featured EtherRAT, Ethereum-based EtherHiding C2 configuration, TryCloudflare tunnels, GoTo Resolve, Rclone exfiltration to Wasabi, and a newer malware framework named TukTuk. TukTuk stood out for its resilient C2 design, using SaaS and cloud platforms such as ClickHouse and Supabase, with support for Ably, Dropbox, GitHub Issues, direct HTTP, Slack, and Arweave-based dead-drop configuration retrieval. Detection opportunities included! ➡️ Full report is linked in the replies. #ThreatIntel #ThreatHunting #DigitalForensics

English
0
26
113
23.2K
EncapsulateJay retweetledi
Jevon_Ang
Jevon_Ang@Jev_3ng·
Most SOC reports and write-ups are punchy, to-the-point, polished reports. After all, every investigation (regardless of vertical) starts out as a chaotic mix of different threads that we corral into order like a tired sheepdog dreaming of making it as an internet meme and retiring on the royalties. Unfortunately, these polished reports don't capture how we actually form our suspicions, the pivots, the dead ends, the moment it all starts to make some semblance of sense. If you've ever wondered what that process actually looks like, I've spun up a blog series that breaks down real MDR incidents to capture what it's like riding the investigation roller-coaster, so those new to the industry can see how we progress from start to end within the context of a SOC investigation. Please enjoy this breakdown of a threat actor's attempt to enumerate and pivot further into the victim's environment — made with 100% organic human analyst tears! jevonang.com/Investigations…
Jevon_Ang tweet media
English
1
13
61
5.4K
EncapsulateJay retweetledi
Renzon
Renzon@r3nzsec·
DFIR analysts who use macOS as their daily driver deserve free and native forensic tooling. So I built one. 🍎 Introducing 𝗜𝗥𝗙𝗹𝗼𝘄 𝗧𝗶𝗺𝗲𝗹𝗶𝗻𝗲 — a timeline analysis app built from the ground up for Mac-based DFIR folks, forensic investigators, or SOC analysts. Built in appreciation of, and inspired by, Eric Zimmerman’s Timeline Explorer. Every feature in this tool was shaped by real IR casework. Handling massive timelines, parsing artifacts here and there, and pivoting across logs during active investigations. I built IRFlow Timeline to be the native macOS timeline analyzer that actually keeps up with a live case. Every button and view is intentional; if it’s in the app, it’s because I needed it mid-case and realized the standard tools fell short. No dependencies. Zero setup. Just drag, drop, and analyze. #dfir #incidentresponse #timeline #macos #threathunitng #digitalforensics
English
20
119
505
40.7K
EncapsulateJay
EncapsulateJay@EncapsulateJ·
@Kostastsale Wishing you all the success In the world with this venture mate! No doubt it will be a high quality resource!
English
1
0
2
42
Kostas
Kostas@Kostastsale·
📢 𝗜’𝗺 𝗮𝗻𝗻𝗼𝘂𝗻𝗰𝗶𝗻𝗴 𝗧𝗵𝗿𝗲𝗮𝘁 𝗛𝘂𝗻𝘁𝗶𝗻𝗴 𝗟𝗮𝗯𝘀, 𝗹𝗮𝘂𝗻𝗰𝗵𝗶𝗻𝗴 𝗻𝗲𝘅𝘁 𝘆𝗲𝗮𝗿! After building threat hunting teams for large MSSPs, creating DFIR Labs for TheDFIRReport, and sharing years of free threat hunting material, I want to bring everything together into one platform. Something closer to how investigations actually work, not another set of CTF-like labs or check-the-box exercises. • 𝗖𝗵𝗼𝗼𝘀𝗲 𝘆𝗼𝘂𝗿 𝗼𝘄𝗻 𝗶𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗶𝗻𝘃𝗲𝘀𝘁𝗶𝗴𝗮𝘁𝗶𝗼𝗻 𝗽𝗮𝘁𝗵: your choices determine how the investigation unfolds. • 𝗡𝗼 𝗺𝗼𝗿𝗲 𝗸𝗲𝘆𝘄𝗼𝗿𝗱 𝗺𝗮𝘁𝗰𝗵𝗶𝗻𝗴. Answers are evaluated on intent and accuracy. • Work directly in 𝗘𝗹𝗮𝘀𝘁𝗶𝗰, 𝗦𝗽𝗹𝘂𝗻𝗸, 𝗼𝗿 𝗔𝘇𝘂𝗿𝗲 𝗗𝗮𝘁𝗮 𝗘𝘅𝗽𝗹𝗼𝗿𝗲𝗿 and learn to investigate and hunt using hypotheses. 𝗧𝗵𝗲 𝘄𝗮𝗶𝘁𝗹𝗶𝘀𝘁 𝗶𝘀 𝗻𝗼𝘄 𝗼𝗽𝗲𝗻!! Those who sign up will receive a founders discount, early beta access, and the opportunity to provide feedback during development. The waitlist will close once a certain number of people have signed up and may reopen later if more testers are needed. This is something I wish existed when I was starting in the industry, and something I still want today. Register now, and more details soon. threathuntinglabs.com
English
17
66
378
32K
EncapsulateJay
EncapsulateJay@EncapsulateJ·
@TheDFIRReport crew have gone and done it again. Really interesting report here. Sneaky exposed RDP port lead to full blown ransomware. Great work @Friffnz @MittenSec
The DFIR Report@TheDFIRReport

🐈 Cat’s Got Your Files: Lynx Ransomware 🎉New report out by @Friffnz, Daniel Casenove & @MittenSec!🎉 Attackers used stolen creds to access RDP, quickly pivoted to a DC with a second compromised admin, created impersonation accounts, mapped the environment, and more.

English
0
1
10
741
Friff
Friff@Friffnz·
Look what finally turned up today! Thanks @SecBlueTeam !
Friff tweet mediaFriff tweet media
English
2
0
3
260
EncapsulateJay retweetledi
Ayush Anand
Ayush Anand@Securityinbits·
ClickFix just got clever-ditched Win+R for Win+X (Power User Menu) ⚠️ New variant drops Lumma after Defender exclusion: - Prompts for elevation till user accept - Add defender exclusion on %temp% - Drops & runs Lumma Multiple Sigma rules fired 💥 Process Tree👇
Ayush Anand tweet mediaAyush Anand tweet mediaAyush Anand tweet mediaAyush Anand tweet media
English
5
37
129
11.9K
EncapsulateJay
EncapsulateJay@EncapsulateJ·
There's pretty much never been a better time to start learning or get hands on blue team experience through labs. The availability and quality of labs being released today compared to 4 years ago is night and day. Training providers like Xintra are paving the way for the future!
inversecos@inversecos

NEW LAB: Scattered Spider (UNC3944) 🕷️🕸️ Scattered Spider hits indie studio AB Projekt Blue, deploying ransomware and stealing unreleased game code. Test your skills on: 👀 Social Engineering & MFA Fatigue 👀 Credential Theft via OST Files 👀 Bring Your Own Vulnerable Driver (BYOVD) 👀 EDR Manipulation 👀 Custom Ransomware Binary 👀 RMM Exploitation Lab Contributors Adversarial Emulation @q8fawazo Incident Response @r3nzsec Threat Intelligence @CuratedIntel Solve it here 👉 xintra.org @XintraOrg

English
1
4
29
3.5K
EncapsulateJay retweetledi
Rem
Rem@sudo_Rem·
If you’re running an SSLVPN (SonicWall, Fortigate, etc.) and not retaining those logs, you’re setting yourself up for disaster. It's not uncommon to see sub-10 minute slices of activity in the totality of exported logs; which is next to useless.
English
0
3
7
1.1K
EncapsulateJay retweetledi
Ame
Ame@pe4Chscreeching·
🚨 Case from @HuntressLabs 🔎 Cephalus seen side loading DLL 'SentinelAgentCore.dll' into legitimate 'SentinelBrowserNativeHost.exe' for ransomware execution ✏️ File extension for encrypted files - '.sss'
Ame tweet mediaAme tweet media
English
3
15
68
11.6K
EncapsulateJay
EncapsulateJay@EncapsulateJ·
@SecurityAura 100% something as simple as an org implementing a standardised naming convention for all workstations and servers ahead of time can help detect anomalies super quick during an IR engagement.
English
0
0
1
20
Aura
Aura@SecurityAura·
Meme'ing aside, do not underestimate the power of naming conventions for stuff such as systems, accounts, services, tasks, etc. There is SO many detection and/or hunting possibilities you can/could unlock if you were to just ... name things properly.
Ru Campbell@rucam365

More art than science.

English
1
2
12
1.3K