🏫 Do you prefer live training events, we've got you covered! You can join us and ask all your questions at our select live training events. @brucon @defcon @BlackHatEvents . ✏️ Sign-up via:

Invictus 💙 K8S. 🆕 We have developed a new tool KubeForenSys, for Kubernetes forensics in AKS. Check out the blog and grab the tool .📜 🛠️ #stayInvictus #CloudIncidentResponse #kubernetes #aks.

🚨 Volume 3 | Profiling TradeTraitor (DPRK) 🚨 . Our latest and greatest blog in our series on Cloud Threat Actors. This one is on the the infamous DPRK-nexus crew behind billion-dollar cryptocurrency heists. Check it out: . #stayInvictus.

We've just published our latest threat actor profile on #LaundryBear.Check it out if you want to learn how they work, who they target and their TTPs. #stayInvictus #CloudIncidentResponse.

Thanks for reading and if you're interested in learning more about cloud incident response, make sure to follow us or reach out!.

Lessons learned:.- From a detection perspective the UAL is often ignored, make sure you build detections for Teams/SharePoint/Exchange activities.- Microsoft please close the visibility problems with the Global Address List (GAL). Almost anyone can download this and there's no.

This activity can be detected, but only if the Graph API is used to perform this activity, per Microsoft's documentation. (

The Microsoft blog mentions that the TA also goes for Microsoft Teams messages.

Another interesting observation is that this TA limits itself to the cloud only it doesn't try to move laterally to on-premise where the defenders have a better chance of catching the TA.

The AIVD/MIVD also mentions that the threat actor exfiltrates data from SharePoint, you can search for the FileDownloaded operation in the UAL to find individual file downloads. If the TA uses something like OneDrive to sync folders the Operation in the UAL will be

It's also mentioned that Laundry Bear tries to abuse Delegated access in Exchange to gain access to additional email accounts. You can search for 'Add-MailboxPermission' operation in the UAL to find this activity.

From a Forensics perspective a few things stand out, the Global Address List (GAL) was collected, that's how they got names, functions and addresses from (most) police officers. There is no evidence of this in any available logs, the Unified Audit Log (UAL) does not record this

From a CTI perspective it's interesting to see state State-sponsored actors (🇷🇺) relying on the cybercrime ecosystem to gain access to their targets. Possible motives are plausible deniability, because the techniques aren't unique which makes attribution difficult.

Initial Access via Session Cookies, this happens quite frequently either via AiTM attacks or other means. Detection for this is difficult because this is post-authentication and the identity provider (Entra ID) already verified the user and their claims.

Before we begin, the source of this information is the report by Dutch Intelligence 🇳🇱( .And Microsoft (.

Allright let's do this, a thread on Laundry Bear aka Void Blizzard. This group compromised the Dutch National Police. Let's dive into thing from a cloud IR/forensics perspective 🧵.

We've started a new series on Cloud focused threat actors, today Part I on #JavaGhost. Check it out, if you want to learn how they operate, who they target and how you can defend against them. #stayInvictus #CloudIncidentResponse #JavaGhost.

RT @cybershtuff: 🚨 New blog from @datadoghq on fresh AWS TTPs! Me and Team @InvictusIR pivoted & enriched their infra data to uncover the….

🚧 Dive into the final part of our blog series on preparing for cloud incidents. If you want to learn practical tips and things you can do right now to make Cloud Incident Response life easier this one is for you. .

🔄Time to update your favorite cloud IR tool, the Microsoft Extractor Suite! . 𝐔𝐩𝐝𝐚𝐭𝐞-𝐌𝐨𝐝𝐮𝐥𝐞 -𝐍𝐚𝐦𝐞 𝐌𝐢𝐜𝐫𝐨𝐬𝐨𝐟𝐭-𝐄𝐱𝐭𝐫𝐚𝐜𝐭𝐨𝐫-𝐒𝐮𝐢𝐭𝐞. Release notes for version 3.0.4. 🆕 .- Added -UserIds parameter to Get-Users for filtering by specific user IDs. -.

What do you get when you combine BlackBasta leaks and Scattered Spider? An awesome new blog, where we discuss how these two groups operate in the cloud and their TTPs. #stayInvictus #CloudIncidentResponse #CTI #DFIR.