MyDFIR

𝗪𝗵𝗼 𝗧𝗵𝗲𝘆 𝗔𝗿𝗲 𝗚𝗼𝗶𝗻𝗴 𝗔𝗳𝘁𝗲𝗿, 𝗮𝗻𝗱 𝗛𝗼𝘄 𝘁𝗼 𝗖𝗮𝘁𝗰𝗵 𝗜𝘁 Most of the https://t.co/TydYfoF5wq submissions for this campaign came out of the United States. And the industries getting hit are the ones you would expect: 🔸 Education 🔸 Banking 🔸 Government 🔸 Technology 🔸 Healthcare Look at what those have in common. Email, identity, and remote administration are just part of the normal workday. A remote management tool showing up on a machine in a hospital IT shop or a university help desk does not look strange. As of late April, around 160 suspicious links were analyzed and around 80 phishing domains were observed. Most sat on .de TLDs, which is a little odd for a campaign aimed at US orgs and worth watching for on its own. A lot of them were built from the same phish kit and some sessions even had instructions left in for the operator on how to edit the page. That reused infrastructure is good news for us. When attackers mass produce lure sites from one kit, they leave similar fingerprints everywhere. Here is what to hunt for and be sure to baseline your environment first. 🔸 An RMM (Remote Monitoring and Management) client install (ScreenConnect, ConnectWise, ITarian, Datto, LogMeIn, etc.) 🔸 An RMM service reaching out to a relay you do not recognize as your own 🔸POST requests to /processmail.php, /process.php, /pass.php, /mlog.php (likely noisy which is why baseline is important here) A quick win is to find every RMM in your environment and note the ones that belong. After that, any new RMM install should get flagged for a closer look. Pivot from this campaign's lure signature in https://t.co/TydYfoF5wq TI Lookup: https://t.co/HH5tHPPbV0 IOCs in 3/3 👇

Can you spot the suspicious activity? This is a snippet of the MFT (Master File Table) artifact data from a forensic investigation scenario. Been building this out as part of the DFIR course for the MYDFIR Forge. Total of 14 modules with a mix of Windows, Linux, network, memory and cloud (Azure) forensics including a capstone investigation. This is a big course and will include a lot of theory + labs! Can't wait to release it. I'll be providing more details in the free SOC community as we get closer to the release! https://t.co/yBCytV7Eig

I kept getting messages from beginners saying they wanted to become SOC analysts but not sure where to start so I built a free community that’ll give them a good starting point called The MYDFIR SOC Community: Inside has 4 structured modules (fundamentals → portfolio projects) No paywall. No catch. https://t.co/tXYoqEbnbn

While building a lab for the community, I ran into something weird. Setup: Attacker PC: Windows 10 22H2 (UTC): 1) Created a timestomped LNK file (Year 2028) 2) Zipped it with password-protected 7-Zip Target PC: Windows 11 24H2 (PST) 1) Extracted the file 2) Examined the MFT - SI records 2028 && FN records 2026 (so far so good) 3) Shift + Right-Click LNK > Run as Administrator The weird part: After running it as Administrator, the FN timestamp, what use to be 2026 is now blank which if I am not mistaken would indicate it is the same time as SI. Has anyone else seen this behavior? Not sure if this is a known thing or something new with 24H2. Anyways, another reason to be sure to correlate with other artifacts! #DFIR