Today @ianthiel and I published Part 1 of our thesis for the future of detection and prevention in the post-Mythos world. It is an architectural shift, not just better models. It's informed by building in this space at @sublime_sec for the past several years.
Our intent with this series is to share our thinking in the hope that it reaches the right people, so we can collectively get better as defenders and protect what matters most from those who wish us harm.
I hope you'll take a look and share your thoughts: https://t.co/CGaINzO7Qb
Thank you to Zack Allen, @DAlperovitch, Haider Dost, @mark_dufresne, @filar, @riskybusiness, @rpargman, @samkscholten, @vector_sec, and @mr_cwitter for reading drafts of this.
if you can somehow watch this and walk away from it saying something like “yup that’s my guy that’s who i’m gonna vote for” then i want you to know that you are just a full-on idiot
Excited to share my latest research about FIN7 🔥
The discovery of a new abuse for the Windows built-in driver ProcLaunchMon.sys (TTD Monitor driver) to tamper with EDRs has been an interesting surprise.
Enjoy the read 👇
https://t.co/15R4CKdb0h
Yesterday I learned that @SentinelOne blocks the Windows application white listing and digital signature bypass that I’ve been using for 10 years. Now I’ll need to find a new way to digitally sign any binary as Microsoft (on S1 customers).
Well done @SentinelOne.
Our analysis on the intriguing #liblzma supply chain case 🔥
By following all the interactions we provided an interesting angle on the TA's motivations and plan to Inject Further Vulnerabilities. It was a pleasure to work with @vx__notduck1e on this!!
https://t.co/FtgTKxufXG
⚔️ Here are the top threats our WatchTower team observed and investigated in 2023—and a look ahead to the 2024 threat landscape. From the top bad actors, to the top vulnerabilities exploited, to the top threats by OS, and more.
Read the report: https://t.co/yiioZt9pmO
Back in 2021, the Babuk source code leaks fascinated me. At the time, it was unprecedented ransomware drama. 🍿 Like any self-respecting malware archivist, I grabbed the zip file and threw away the key for a few years. 1/?
We’ve been working at breakneck pace to release IOCs for ongoing software supply chain campaign that we call SmoothOperator. Attackers trojanized installers for #3CX PBX software. We’ve blocked thousands of attempted infections as of March 22nd. Details 👇🏻
https://t.co/Jz3dTy6UQQ
New SentinelLabs Research on WIP26 - https://t.co/tTYD2ILjCE
🟣 New actor targeting telco in the Middle East
🟣 Abuses Microsoft 365 Mail, Google Firebase, and Dropbox for C2
🟣 Targeted WhatsApp msgs -> Dropbox -> loader -> backdoors
@milenkowski@CollinFarr@joeychen@QTrust
Our team has been observing an intrusion in Southeast Asia over the last few weeks. We have seen bunch of TTP's including:
- Malicious IIS Modules (#DoorMe update)
- Webshell usage
- Exfiltrating mailboxes
- New .NET malware #SiestaGraph
- Dropping vulnerable drivers
#ElasticSecurityLabs is tracking an active intrusion by multiple threat actors into the Foreign Affairs office of an Association of Southeast Asian Nations (ASEAN) member. Find out more in this post: https://t.co/ECojhCThCA
We’re proud of the #ElasticSecurityLabs team and the incredible amount of work that went into creating the 2022 Elastic Global Threat Report. @mark_dufresne shares a behind-the-scenes look into how the report was built. Read more here: https://t.co/03Duommryj
Our team had tons of fun participating in this year’s #FlareOn9 Challenge. Check out our write-up on how we solved them! Thanks @Mandiant for all your effort putting it together.
https://t.co/Gd8M943xPw
Happy Friday, Twitter! If you don't know @_xDeJesus let me correct that-- Terrance is a member of the Threat Research and Detection Engineering team @elastic.
His most recent publication to Elastic Security Labs is part one of three on Google Workspaces: https://t.co/TIrfkbtAEn
We have just pushed #Elastic lab to our #CertifiedCyberDefender course 👉https://t.co/eOa5SUiAog
Real dataset, fiddle around with #Kibana queries/dashboards, enroll elastic #EDR into endpoints (formally known as Endgame) & write #MITRE-mapped #SIEM use cases.
#DFIR#BlueTeam
Amazing write-up on a dynamic emotet config extractor by @rsprooten. He uses a combination of YARA, the SMDA decompiler, @unicorn_engine, @LIEF_project and more to get the job done. Read it! And then read it again. And maybe again. https://t.co/PSfpwmn4kJ.
Check out REF2731 research - a 1, 2, 3...4...5 stage(!) intrusion set for two PARALLAX + NETWIRE campaigns. Malware & campaign analysis and an open-source payload extractor. Collab w/@DanielStepanic@soolidsnakee@bluish_red_ Enjoy, it's a journey. https://t.co/5nJKPbppDw
Had some fun with this - exploiting the Process Explorer driver for kernel code execution. Will msft ever add to their own blocklist? 🤔
https://t.co/7Xj0Fm7Yk2