Mat Gangwer @MatGangwer - Twitter Profile

Mat Gangwer @MatGangwer

over 4 years ago

@NeilJacobs Good thing I listened to 2011 Mat.

0

12

2

0

MatGangwer retweeted

Will @BushidoToken

over 4 years ago

⚠️Emerging Ransomware or data-theft-extortion groups to track: 🔒💰 AlphV/BlackCat (written in Rust) Quantum (XingLocker variant) Rook (Babuk variant) Entropy (linked to Dridex) NightSky HolyGhost RobinHood Admin Locker (no leak site) 📂💰 Karakurt Hotarus Group Lapsus$

2

105

43

16

0

Mat Gangwer @MatGangwer

over 4 years ago

@BlaineOh @rogredhat @mrd0x @Sophos I didn't want to end the conversation while we investigate without a near-term solution for you. This DataLake query can be setup on a schedule to identify potential abuse of ProcDump. It looks back 2 days for the suspicious flags mentioned. https://t.co/9gVVGdmhN8 3/3

1

0

Mat Gangwer @MatGangwer

over 4 years ago

@BlaineOh @rogredhat @mrd0x @Sophos I would still standby my initial assessment that the original reported bypass (folder/path) is prevented, and this is a different method altogether. That being said, knowing and understanding visibility and prevention limitations is still critically relevant. 2/3

2

0

Who to follow

Justin Rogosky

@CptSexy

Not really sure what's going on...

SJP 👨🏿‍💻

@SJP1804

Site Reliability Engineering Leader - @Pagerduty. Tech Investor & Advisor. Can talk Photography & Woodworking all day 🇭🇹

Bas Steins

@bascodes

SWE working on @stelviodev🐍, podcast host @basdotfm🎙️, coffeechatter☕, conference speaker🎤

Mat Gangwer @MatGangwer

over 4 years ago

@BlaineOh @mrd0x Please do. I’m happy to provide any help if you need it. I saw the screenshot you shared and will try in the lab with those options.

0

1

0

Mat Gangwer @MatGangwer

over 4 years ago

@BlaineOh @mrd0x Would you be able to validate the policy being applied? With "Prevent credential theft" enabled, I'm observing LSASS access being blocked as expected. There is not an alert that will pop-up, but no file will be written. Full Disclosure: I work at Sophos

MatGangwer's tweet photo. @BlaineOh @mrd0x Would you be able to validate the policy being applied?

With "Prevent credential theft" enabled, I'm observing LSASS access being blocked as expected. There is not an alert that will pop-up, but no file will be written.

Full Disclosure: I work at Sophos https://t.co/nByzgPEFY5

2

35

5

1

0

Mat Gangwer @MatGangwer

almost 5 years ago

@ShawnAxsom 👋 would be happy to be of assistance, if I can. My DM’s are open!

1

2

0

Mat Gangwer @MatGangwer

about 5 years ago

@blueteamblog Yeah - this is an excellent post. Thanks for sharing I'm thinking we extract specific examples of each technique we identified in our article and dive into what we observed, how we detected it, and how we responded.

0

MatGangwer retweeted

Sophos X-Ops @SophosXOps

about 5 years ago

Read the full report from @john_shier, @MatGangwer, @secbug, and @AltShiftPrtScn :https://t.co/19Yr9RW9U6 11/11

1

3

2

1

0

Mat Gangwer @MatGangwer

over 5 years ago

@reegun21 There definitely hasn’t been enough discussion around this aspect of investigating the script output. Do you have any log samples of the exploit being successful in extracting email messages? Thanks for sharing.

0