Olivia
Online
ProtectWise 401TRG
@401TRG
Threat Research Group at @ProtectWise. Analyst to analyst content on malware, DFIR, threat intelligence and much more.
Denver, CO
Joined September 2017
150 Following
699 Followers
102 Posts
Pinned Tweet
New Post! An Introduction to Exploratory Data Analysis with Network Forensics by Jeff van Geete (@d8aninja) https://t.co/7hVmzbYN6s
The same goes for anyone releasing a blog or paper with network traffic who would like to include a coordinated ET open ids rule release
Note:TA505 != Dridex. They were massively spreading it, with, as customer, Necurs. Dridex 125 then 220 and 7200, but also Locky 3, Trickbot mac1 before moving to ServerHelper and FlawedAmmyy. Other actor are spreading Dridex. Smilex was part of the team spreading Dridex 120.
Who to follow
Steve YARA Synapse Miller
@stvemillertime
AI threat intelligence @google
writing & sharing on adversary tradecraft, malware, threat detection, AI-nexus intel and all things #yara
Tom Hegel
@TomHegel
@LabsSentinel Research Lead, Hunting nation-state threats @SentinelOne, bending intelligence tech to shape real-world outcomes with @ValidinLLC
Michael Ligh (MHL)
@iMHLv2
CTO @Volexity. Malware Analyst's Cookbook. Art of Memory Forensics. The @Volatility Project. Thoughts are those of my employer, not mine, they made me say it.
Check it!
https://t.co/DPr8EvDdXF
Thanks @MalwareKiwi!
Great post @jms_dot_py! Related: Do a Google search (in Chrome) and your machine does a DNS and HTTP request to the top result without clicking on it. Decent way to let someone know your looking into a domain or unique string. Disable “prediction service” setting! #OPSEC
The amount of victims identified by the @newegg #magecart incident is quite staggering. Large percent of our @protectwise customers had victim users. Great work @ydklijnsma @RiskIQ @Volexity !
NEW joint BLOG post by @jaytezer & @ChristiaanBeek reflecting months of research highlighting code similarities shared between samples believed to be DPRK. Read more on the connections between different attacks over the course of 11 years in this blog: https://t.co/0mKbBvEPYm
Great work here from @amnesty & @citizenlab - NSO Group Infrastructure Linked to Targeting of Amnesty International and Saudi Dissident:
1. https://t.co/0fVpbpNo97
2. https://t.co/N12q42FfK0
Thanks to all who were able to attend!
Had a great time presenting at @RiskIQ’s #ThreatHunting workshop today for @ProtectWise. Heard a great talk from @ydklijnsma on #Magecart. Awesome venue!
Use of googl URL shortening from the CN actors behind the @401TRG #Winnti Umbrella report continue to occur against US & East Asia orgs. Use is primarily on a per-target basis instead of the original per-campaign basis. Love to see how they continue improving. #CTI #ThreatIntel
Great event with some great trainers coming to Denver - come learn some traffic and infrastructure analysis techniques https://t.co/rVfJ2xoZQP
I will be presenting at a Threat Hunting Workshop with @RiskIQ, @FlashpointIntel, and @TryPhantom on July 31st in Denver, CO. If you are interested in doing some network forensics and infrastructure analysis check out the sign up page. https://t.co/Dv8NHD3sI7
“Our primary telemetry consists of months to years of full fidelity network traffic captures.” New report by @401TRG on Chinese cyber ops shows the value of instrumenting your network HT @schneierblog #networksecuritymonitoring https://t.co/VaKzskCyvJ
A quick fun #APT28 blast from the past, here's some sample sourcecode of the "CHOPSTICK" aka "Xagent" proxy piece, which used Python and the Gmail API to for implant C2. Unfortunately I've got no #dailypcap for this one :( See also: https://t.co/2GaMo0k1Wz
Going to be a fun time, looking forward to it! https://t.co/7v5wVobLGD
** URGENT SECURITY WARNING ** Please share.
Today, version 3.7.2 of eslint-scope (https://t.co/Gkc9XhDRN6) was found to contain malicious code that steals your NPM credentials. Take action now if you are using version 3.7.2.
Snyk DB entry: https://t.co/dAhhA3cZQP
Legit Services C2: The Saga Continues. We run some snort rules on sandboxed pcap to ID files that attempt DNS+SSL to legit svcs. Heres one to https://t.co/dxGhJ7UoiE: Launch.docx does ole/vbs/ps to download an Empire stager from a Dropbox acct #dfir #dailypcap #threatintel
Most Popular Users
Elon Musk 
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.7M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.5M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.2M followers
Taylor Swift
@taylorswift13
81M followers
Lady Gaga
@ladygaga
72.6M followers
Kim Kardashian
@kimkardashian
69.6M followers
Virat Kohli
@imvkohli
69.2M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.8M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.3M followers