Michael Ligh (MHL)

@iMHLv2 @ConnectWise ConnectWise is whistling past the graveyard for years now...

hehe RMMs, baby.

Compromised systems will look like this when the attacker is actively controlling it

@ConnectWise please see case Case #03559262 ASAP - your platform is being abused to distribute malware

Sounds different. This was phish email -> klish [.] top/ab/ -> k126.screenconnect [.] com -> modified msi -> relay/connect back to instance-z9sodv-relay.screenconnect [.] com. Telegram via JS gives attacker heads up

@iMHLv2 @ConnectWise Had a weird event at a client today. EDR hit on ScreenConnect (valid tool from another MSP) but the user and MSP both confirmed they weren’t in a session. Next hit was SC launching PowerShell and running .ps1 files in windows\systemtemp\screenconnect Related? DM me?

The latest @DarknetDiaries (Ep. 174: Pacific Rim) offers a look at state-sponsored groups targeting perimeter infrastructure & edge devices. Thanks @JackRhysider for mentioning our work! @Volexity’s detection and response efforts combined network visibility, host-based analysis, #threatintelligence & #memoryforensics, enabling us to discover these complex #0days being exploited in the wild. Read our blog post for the original research mentioned: volexity.com/blog/2022/06/1…

.@volatility New Release: #volatility3 v2.28.0 - visit github.com/volatilityfoun… for details and downloads. #memoryforensics #dfir

I am excited to announce that I will be speaking at @bsidesnash on May 15th. Be sure to attend to see all the latest @volatility 3 plugins against the most sophisticated and devastating malware from the wild!

Memory-only malware leaves no trace on the file system & is commonly used by threat actors ranging from criminal organizations to ransomware operators to APTs. In our @volatility 3 training, students gain deep hands on experience analyzing such threats: memoryanalysis.net/courses-malwar…

We have announced the winners of the 2025 @volatility #PluginContest! And the First Place is: Daniel Baier for XFRM Inspector Read the full Contest Results in our blog post: volatilityfoundation.org/the-2025-volat… Congrats to all winners & thank you to all participants! #DFIR #memoryforensics

.@Volexity recently released GoResolver v1.4, bringing significant updates to our #opensource tool for recovering symbol data from obfuscated Go binaries. This release is available on GitHub: github.com/volexity/GoRes… [1/8]

.@volatility #PluginContest #Contender Devarjya Purkayastha: PEScan provides an alternative method for analyzing PE files in a memory sample, assigning a threat score to each memory region that contains a PE file & summarizing high/critical regions. #DFIR #memoryforensics

.@volatility #PluginContest #Contender Jan-Hendrik Lang: MemoryInvestigator specializes in Windows memory analysis & integrates #Volatility3 and LLMs, including Retrieval-Augmented Generation (RAG) and an enhanced Tree-of-Table Algorithm #DFIR #memoryforensics

.@volatility #PluginContest #Contender Daniel Baier: XRFM Inspector includes a suite of #Volatility3 plugins that perform the extraction of VPN (IPSEC) related artifacts and cryptographic keys from the XFRM Linux subsystem. #DFIR #memoryforensics

.@volatility #PluginContest #Contender Thomas Clark: The EA App Artifacts, MetaHorizonWorlds & SteamArtifacts plugins help investigators with incidents involving popular gaming platforms by scanning memory for relevant processes and artifacts. #DFIR #memoryforensics

.@volatility #PluginContest #Contender Kartik Iyer: APCWatch & MalAPC together provide the capability to identify & analyze APC injection attacks in Windows memory forensics, one of the most sophisticated code injection techniques employed by modern malware #DFIR #memoryforensics

.@volatility #PluginContest #Contender Diyar Saadi Ali: This submission includes a suite of detection plugins & tools to identify suspicious processes + artifacts within the memory sample of a suspected system using a variety of heuristics & indicators. #DFIR #memoryforensics

.@volatility #PluginContest #Contender Kyrre Wahl Kongsgård: Arrow & Parquet Renderers allows #Volatility3 plugin output to be written via the Arrow + Parquet renderers, enabling the output to be integrated into tools for modern data analysis workflows. #DFIR #memoryforensics

.@volatility #PluginContest #Contender Théo Letailleur: Journald Extractor automates extraction of Linux journal files cached in memory, along with analysis via the open-source go-journalctl tool to obtain parsed versions of these files from memory. #DFIR #memoryforensics