ImPureMotion

@Kostastsale Awesome stuff - good recent use case from (thedfirreport.com/2023/08/28/htm…) where xcopy was used to rename rundll32 to entails.exe tweaking the regex a bit if you have cmdline parsed out: (xcopy|copy|copy-item|cp)\s+c:\\windows\\(system32|syswow64)\\[a-zA-Z0-9_\-]{1,}\.exe\s\w:\\.*\\?

Malware sometimes copies Windows binaries out of System32(See recent #DarkGate copying curl.exe & renaming) 🎯You can hunt or detect this by using the below regex ➡️(copy|copy-item|cp)\s+c:\\windows\\system32\\[a-zA-Z0-9_\-]{1,50}\.exe\s+(c:\\.*\\)?[a-zA-Z0-9_\-]{1,50}\.exe

@TheDFIRReport Fantastic stuff

HTML Smuggling Leads to Domain Wide Ransomware ➡️Initial Access: Thread-Hijacked Email > HTML Attachment ➡️Credentials: LSASS Access, SessionGopher ➡️Lateral Movement: RDP, PsExec ➡️C2: IcedID, Cobalt Strike ➡️Impact: Nokoyawa Ransomware thedfirreport.com/2023/08/28/htm… 1/X

@0x4D31 @ateixei Threat Detection Engineering #TDE

@ateixei or maybe #TDE

Seems like Detection Engineering has many similarities with Data Engineering starting with the acronym 'DE'. Should we pick #DetEng instead? Suggestions?

@msuiche Scanning inbound email

@elonmusk Can we add folders to organize bookmarks?

Major Twitter improvement we just released is that you can now bookmark tweets from tweet details page. Importantly, bookmarks are *private*, unlike likes. No one other than you can see your bookmarks.

@dcunited @orthovirginia youtube.com/shorts/7bagCFX…

@phage_nz @pr0xylife Similar lure body format seen in fortinet.com/blog/threat-re…

AsyncRAT. Google Drive hosted VBS. SQL: SQL8003.site4now[.]net:1433 Payload: hXXps://textbin[.]net/raw/26gcw6zquf C2: crazydns.linkpc[.]net:5900 Sample: app.any.run/tasks/d66f6c69… bazaar.abuse.ch/sample/62aed61… (H/T @pr0xylife)

@securitydoggo 👀

Don't know if it's because I haven't been on #infosec Twitter as much, or because I clicked on a few of the posts, but seems like everyone and their mothers has open positions 👀

@securitydoggo The tattoo should read "I <3 Active Lists"

My time using #ArcSight is coming to an end soon. Should I get a tattoo of the logo for kicks and giggles? #cyber #infosec #SIEM

@securitydoggo Have them try to beat you at Regex Golf: alf.nu/RegexGolf

Been running some #YARA, #Snort, and #Regex training for the team - anyone got any tips or things I should make sure to cover to make sure the team are 100% #cyber ninjas?

Operation JOKAA(RR) #molerats #gazacybergang #apt #malware #infosec mymalwareparty.blogspot.com/2018/11/operat…

@DrunkBinary @unpacker @jfslowik @cyb3rops @0stracon @markus_neis a636cd2f1ba46a9af23f9c0a24f8ee4e

Lazarus Group HWP Exploit Doc sample a5a71b23e75795fd76153fdf02e7e2ed @unpacker @jfslowik @cyb3rops @0stracon @markus_neis

@securitydoggo Would be me exiting after no VT

@securitydoggo no more VT? :(

@ItsReallyNick @securitydoggo @James_inthe_box @lotus_ruan @PureReactions @_jsoo_ @bartblaze @blu3_team Hash for it: c22937cee87b45ba18c16318533648fb

@ItsReallyNick @securitydoggo @James_inthe_box @lotus_ruan @PureReactions @_jsoo_ @bartblaze @blu3_team Another one: 講座登入檢視意見回饋操作說明.doc Lecture Login View Feedback Feedback Instructions .doc

Iranian #Oilrig campaign decoy: "User list must change password.xls", target in Saudi Arabia. C2: coldflys[.]com Further analysis: #heading=h.o3c0cv46s20s" target="_blank" rel="nofollow noopener">docs.google.com/document/d/1oY… Leads and analysis with @ImPureMotion and @blu3_team

#AridViper uses pastes on pastebin.com/u/virtualnote for second stage scripts delivery Recent sample: محضر اجتماع اليوم - (Minutes of today 's meeting) Details and Indicators in Raw Threat Intelligence: docs.google.com/document/d/1oY… Credit @ImPureMotion