Invictus Incident Response (@InvictusIR)
415 posts

Helping organizations respond to cyber incidents in the cloud | 🆘 24/7 support https://t.co/zfF62gimvm | 📚 Academy https://t.co/GH0u8tmjXJ

☁️ Joined May 2021
32 Following · 2.4K Followers
Invictus Incident Response @InvictusIR
Is your organization truly ready for a cloud breach? Most teams discover their cloud incident response (IR) gaps at 2:00 AM in the middle of a live incident. In the cloud, the "old rules" don't apply: the clock starts when an attacker gets a token, not a shell. We are excited to share the Cloud IR Readiness Guide, a practical manual designed to help security leaders pressure-test their environments before the crisis hits.

The 5 Gaps That Determine Containment:
1. Log Integrity: It's not just about having logs; it's about whether they are immutable and independent enough to reconstruct an attacker's tracks after they've tried to cover them.
2. Identity as the Perimeter: Traditional IP-based containment is dead. You need a full inventory of human and service identities to revoke sessions fast.
3. The Collection Plan: Collection speed is dictated by access. Do you know where your evidence will land and who is authorized to "pull everything" from a tenant?
4. Cloud-Native Tabletops: If your last exercise was a standard ransomware drill, you're using the wrong muscles. You need to test for OAuth phishing and metadata service abuse.
5. Pre-Staged Partnerships: The worst time to negotiate an MSA or grant admin access to a stranger is during an active breach.

Stop relying on "compliance checklists" and start building actual technical authority to act in the first critical hours. Download the full guide below to see where your organization stands on the readiness scale. eu1.hubs.ly/H0vjnXM0

Get a Professional Perspective. Invictus is offering a Free 15-Minute Technical Readiness Assessment. We will help you understand if your organization is prepared to recover from an incident or where you may be currently vulnerable. eu1.hubs.ly/H0vjpTB0

#CloudIR #InvictusIR #InfoSec #CyberSecurity #CloudSecurity #IncidentResponse
Invictus Incident Response @InvictusIR
We've received quite a few messages over the past few days about Get-UAL being broken. It turns out Microsoft made an update that impacted the script, but this has now been fixed in our latest release.

Update-Module -Name Microsoft-Extractor-Suite

While we were at it, we also added some additional features and improvements. Check out the release notes for all the details. github.com/invictus-ir/Mi… #stayInvictus #CloudIncidentResponse #MicrosoftExtractorSuite
Invictus Incident Response @InvictusIR
AADGraphActivityLogs: How to Detect Legacy Azure AD Graph Attacks

Today is a great day for Blue Teamers in the Microsoft Cloud! There are finally logs streaming into the #aadgraphactivitylogs table. If you want to know what's inside the logs and how to detect some #RoadRecon, check out our write-up 👇 invictus-ir.com/news/the-missi… #stayInvictus #CloudIncidentResponse
Invictus Incident Response @InvictusIR
Defeating the Atlas Lion Threat 🦁

Most threat actors want your data. Atlas Lion (Storm-0539) wants your balance sheet, specifically your gift card portals. We have been tracking the evolution of this Moroccan-based group. They aren't just sending simple phishing links; they are hijacking "trust chains" by:
🔹 Enrolling their own Virtual Machines (VMs) directly into your cloud domain.
🔹 Abusing MFA registration to bypass traditional security perimeters.
🔹 Leveraging legitimate platforms like Akamai and Linode to hide in plain sight.

Our latest research on this cloud threat actor is live: invictus-ir.com/news/atlas-lio… #stayInvictus #CloudIncidentResponse #AtlasLion
Invictus Incident Response @InvictusIR
📷 The SaaS Hardening Checklist:
- Kill "Shadow Consent" – Disable user consent and implement an Admin Consent Workflow. No unvetted app should touch your data.
- Audit Permissions – Understand Delegated vs. Application-level access to ensure the principle of least privilege.
- Restrict App Access – Require explicit user assignment on first-party apps to block attackers from exploiting "trusted" tools.
- Enforce Hygiene – Build application cleanup into your standard off-boarding process.

Read the full breakdown: invictus-ir.com/news/the-silen… #StayInvictus #SaaS #CloudIncidentResponse #EntraID
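As an added example (it is not Invictus code and does not come from the linked article), the Python below audits a constructed Entra ID tenant snapshot against the first three checklist items: user consent open (shadow consent), admin consent workflow off, service principals not requiring user assignment, and delegated versus application-level grants that are broader than least privilege needs. The snapshot imitates the shape of the Microsoft Graph objects involved (authorizationPolicy, adminConsentRequestPolicy, servicePrincipal, oAuth2PermissionGrant, appRoleAssignment) but every value is made up; the appRoleValue field is assumed to have been resolved already from the resource's appRoles (Graph itself returns only an appRoleId), and BROAD_PERMISSIONS is an illustrative list to tune per tenant. The hygiene item is a process step and is not checked.

```python
from typing import Any

# Graph permission-grant policy that lets every user consent to any app (legacy default).
LEGACY_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

# Illustrative set of permissions worth flagging as broad; adjust to the tenant's needs.
BROAD_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "Files.ReadWrite.All",
    "Mail.ReadWrite",
    "Sites.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}

# Constructed snapshot with the weak settings the checklist warns about.
WEAK_TENANT: dict[str, Any] = {
    "authorizationPolicy": {
        "defaultUserRolePermissions": {
            "permissionGrantPoliciesAssigned": [LEGACY_USER_CONSENT],
        }
    },
    "adminConsentRequestPolicy": {"isEnabled": False},
    "servicePrincipals": [
        {"id": "sp-1", "displayName": "Mail Sync Tool", "appRoleAssignmentRequired": False},
    ],
    # oAuth2PermissionGrant = delegated permissions (act on behalf of a signed-in user).
    "oauth2PermissionGrants": [
        {"clientId": "sp-1", "consentType": "AllPrincipals",
         "scope": "Mail.ReadWrite Files.ReadWrite.All"},
    ],
    # appRoleAssignment = application permissions (act without any user); appRoleValue is
    # a constructed, pre-resolved field, not what Graph returns directly.
    "appRoleAssignments": [
        {"principalId": "sp-1", "appRoleValue": "Directory.ReadWrite.All"},
    ],
}

# The same tenant after applying the checklist: no user consent, workflow on,
# assignment required, a single-user delegated grant with a narrow scope, no app roles.
HARDENED_TENANT: dict[str, Any] = {
    "authorizationPolicy": {
        "defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": []}
    },
    "adminConsentRequestPolicy": {"isEnabled": True},
    "servicePrincipals": [
        {"id": "sp-1", "displayName": "Mail Sync Tool", "appRoleAssignmentRequired": True},
    ],
    "oauth2PermissionGrants": [
        {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-42",
         "scope": "Mail.Read"},
    ],
    "appRoleAssignments": [],
}


def audit(tenant: dict[str, Any]) -> list[str]:
    """Return a list of finding codes; an empty list means the checklist items pass."""
    findings: list[str] = []

    # Checklist item 1: shadow consent. Any assigned grant policy lets users consent;
    # the legacy policy lets them consent to every app.
    policies = (tenant.get("authorizationPolicy", {})
                .get("defaultUserRolePermissions", {})
                .get("permissionGrantPoliciesAssigned", []))
    if policies:
        scope = "all apps" if LEGACY_USER_CONSENT in policies else "some apps"
        findings.append(f"user-consent-open:{scope}")
    if not tenant.get("adminConsentRequestPolicy", {}).get("isEnabled", False):
        findings.append("admin-consent-workflow-disabled")

    # Checklist item 3: require explicit user assignment on each service principal.
    for sp in tenant.get("servicePrincipals", []):
        if not sp.get("appRoleAssignmentRequired", False):
            findings.append(f"{sp['id']}:no-user-assignment-required")

    # Checklist item 2: delegated grants consented for the whole tenant ("AllPrincipals")
    # apply to every user, so they deserve the same scrutiny as application permissions.
    for grant in tenant.get("oauth2PermissionGrants", []):
        if grant.get("consentType") == "AllPrincipals":
            findings.append(
                f"{grant['clientId']}:tenant-wide-delegated-grant:{grant.get('scope', '')}")

    # Checklist item 2: application permissions from the broad set run with no user context.
    for assignment in tenant.get("appRoleAssignments", []):
        role = assignment.get("appRoleValue")
        if role in BROAD_PERMISSIONS:
            findings.append(f"{assignment['principalId']}:broad-application-permission:{role}")

    return findings


if __name__ == "__main__":
    for name, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, audit(tenant) or "no findings")
```

In a real tenant the same checks run over the live objects pulled from Microsoft Graph; the point of the two snapshots is that each checklist item maps to a concrete setting whose before and after state can be asserted, rather than to a line on a compliance form.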
Invictus Incident Response @InvictusIR
Update: Fingerprinting the HTTP response headers, we identified a unique ETag: W/"16-zUIWjx30dNMOrJoqA1R8JWYnVAw" which is shared between the primary Axios C2 and 23.254.167[.]216; both servers are also hosted on Hostwinds LLC (AS 54290). This specific IP and ETag fingerprint provide a high-confidence link to the "JustJoin" landing pages. As documented by researchers at Hunt.io, this infrastructure is associated with DPRK-nexus activity. This overlap further supports that the Axios incident is likely linked to a DPRK-nexus 🇰🇵 threat actor.
Invictus Incident Response @InvictusIR
🚨Axios Attack Infrastructure Update🚨 New C2 pivots reveal a coordinated staging effort. The malicious payload was published by nrwise@proton[.]me, a separate account from the ifstap proton address used in the maintainer hijack. Analysis shows a newly identified and highly likely C2 callnrwise[.]com on the same infrastructure used in the #Axios attack, sharing clear naming similarities with the attacker's Proton account. #npm #SupplyChainAttack
Invictus Incident Response @InvictusIR
🚀 Introducing All-In access for Cloud Labs

Most cloud security training happens in a vacuum. Real-world attacks don't. We are incredibly excited to announce the launch of our All-in level for Cloud Labs. Here is what makes this scenario unique:
🌐 Cross-Cloud Attacks: You will trace sophisticated threats that pivot across different cloud environments, mimicking the true complexity of modern, multi-layered breaches.
🛠️ Live Environment Access: You get real, hands-on access to investigate active threat scenarios directly within live Google Workspace and Google Cloud environments.

It is time to test your cloud incident response skills for real! #stayInvictus #CloudIncidentResponse #CloudLabs
Invictus Incident Response @InvictusIR
Happy is an understatement! This year we will be teaching both our AWS and Microsoft Cloud IR course at @BlackHatEvents in Las Vegas. Grateful for this opportunity!