🆕micro emulations just dropped
- User Execution of OneNote File
- Remote Application Exploitation
- Reflective Code Loading
- Clear Windows Event Logs
- Data Exfiltration
- DLL Side-loading
Special shoutout to the dev team ♥️🤘
🔐🌩️ Storm-0558 update — Microsoft's recent findings raise new questions!
📊 New discoveries, along with actionable takeaways for proactive cloud security, are right here:
Microsoft has uncovered a supply chain attack by North Korean threat actor Diamond Sleet (ZINC) involving the modification of an installer file from software maker CyberLink. The payload calls back to attacker infrastructure for instructions. Learn more:
🛡️ Understanding adversary behavior is often the first step in protecting networks & data. Check out @CISAgov’s latest additions to the Best Practices for @MITREattack Mapping guide at to more proactively strengthen the security of your network!
Beware of LUCR-3! 🚨 Threat actor that overlaps with Scattered Spider, Oktapus, UNC3944, & STORM-0875, they exploit IDPs for initial access & aim to steal IP for extortion. They use victims' tools and evade detection with expertise.
@permisosecurity
📅 Initial Access (Oct 2, 2023):
The threat actors exploited WS_FTP CVE-2023-40044. They established a foothold using Sliver beacons, specifically with the executable files cl.exe and sl.exe. Command and control traced back to 45[.]93[.]138[.]44:3131.
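An added example, not part of the post above: the indicators it quotes (the defanged C2 socket and the two beacon file names) refanged and run over a few constructed Sysmon-style log lines. The log lines, field names and paths are made up for the example; only the indicator values come from the post.

```python
import re
from typing import Iterable

# Indicators as published (defanged) in the post above.
DEFANGED_C2 = "45[.]93[.]138[.]44:3131"
BEACON_BINARIES = {"cl.exe", "sl.exe"}

def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared against raw logs."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("[:]", ":").replace("hxxp", "http"))

def split_host_port(c2: str) -> tuple[str, int]:
    host, _, port = refang(c2).rpartition(":")
    return host, int(port)

C2_IP, C2_PORT = split_host_port(DEFANGED_C2)

def parse_kv(line: str) -> dict[str, str]:
    """Parse 'Key=value' fields; values may contain spaces (paths), so a value
    runs until the next ' Key=' token or the end of the line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}

def match_line(line: str) -> list[str]:
    """Return the indicator names that fire on one log line."""
    f = parse_kv(line)
    hits = []
    # Network: require IP *and* port. A bare-IP match would also flag traffic
    # to other ports on the same host if the IP is shared infrastructure.
    if f.get("DestinationIp") == C2_IP and f.get("DestinationPort") == str(C2_PORT):
        hits.append("c2_ip_port")
    # Process: compare the image file name only; the path varies per victim.
    # cl.exe is also the MSVC compiler, so this hit needs a path/parent check
    # before anyone gets paged (see the second sample line).
    image = f.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image in BEACON_BINARIES:
        hits.append(f"beacon_binary:{image}")
    return hits

def scan(lines: Iterable[str]) -> dict[int, list[str]]:
    """Line index -> hits, for every line that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}

# Constructed sample telemetry (Sysmon-style key=value fields); not real data.
SAMPLE_LOGS = [
    "EventID=3 Image=C:\\Windows\\Temp\\cl.exe DestinationIp=45.93.138.44 DestinationPort=3131",
    "EventID=1 Image=C:\\Program Files\\Microsoft Visual Studio\\VC\\bin\\cl.exe ParentImage=msbuild.exe",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=45.93.138.44 DestinationPort=443",
    "EventID=1 Image=C:\\ProgramData\\sl.exe ParentImage=w3wp.exe",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(idx, hits)
```

The second sample line is the point of the exercise: a file-name indicator like cl.exe fires on the legitimate compiler too, so the process hit is a triage lead, while the IP+port pair on the first line is the one worth alerting on directly.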
Microsoft has identified highly targeted social engineering attacks by the threat actor Midnight Blizzard (previously NOBELIUM) using credential theft phishing lures sent as Microsoft Teams chats. Get detailed analysis, IOCs, and recommendations:
Organizations with JetBrains TeamCity software are urged to read the new advisory we published with US and Polish partners. Russian SVR cyber actors are using CVE-2023-42793 to exploit servers using this software.
2️⃣5️⃣ days of techniques🎄
1️⃣- T1480 is restricting payload exec based on matching expected traits of the victim, maybe less relevant to defend vice being insightful for CTI & annoying for RE
Seeing this more in red team tools too 🦺
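An added example of the T1480 idea from the thread above (execution guardrails via environmental keying); it is not code from the original posts or from any real tool. A placeholder stage-two is encrypted under a key derived from traits of the intended victim, so it only opens where those traits match and fails closed everywhere else, including an analyst's VM. The hostname, domain and payload bytes are assumptions made up for the example; stdlib only (PBKDF2 for the key, HMAC-SHA256 as a counter-mode keystream and as the tag).

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed victim traits and a placeholder stage-two; none of this is from the thread.
TARGET_HOST, TARGET_DOMAIN = "FIN-WS-042", "corp.example"
PAYLOAD = b"stage two would be unpacked and run here"

def derive_key(hostname: str, domain: str, salt: bytes) -> bytes:
    """Key from victim traits. Normalising case keys on what the host *is*,
    not on how the enumeration API happened to format it."""
    traits = f"{hostname.strip().lower()}|{domain.strip().lower()}".encode()
    return hashlib.pbkdf2_hmac("sha256", traits, salt, 100_000, dklen=32)

def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib only, no AES dependency)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:n])

def seal(plaintext: bytes, hostname: str, domain: str) -> dict:
    """Operator side: encrypt under the trait-derived key, then MAC (encrypt-then-MAC).
    Only salt, ciphertext and tag ship with the loader; the traits themselves do not."""
    salt = os.urandom(16)
    key = derive_key(hostname, domain, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def open_guarded(blob: dict, hostname: str, domain: str) -> Optional[bytes]:
    """Loader side: re-derive the key from the *current* host's traits.
    Wrong host -> tag mismatch -> return None without touching the ciphertext."""
    key = derive_key(hostname, domain, blob["salt"])
    expected = hmac.new(key, blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], keystream(key, len(blob["ct"]))))

def demo() -> tuple:
    """The same blob opened on the intended host and in an analysis VM."""
    blob = seal(PAYLOAD, TARGET_HOST, TARGET_DOMAIN)
    on_target = open_guarded(blob, "fin-ws-042", "CORP.EXAMPLE")   # case differs, still keys
    in_sandbox = open_guarded(blob, "DESKTOP-ABC123", "WORKGROUP")  # fails closed
    return on_target, in_sandbox

if __name__ == "__main__":
    print(demo())
```

This is why the thread calls the technique insightful for CTI and annoying for RE: the loader carries no plaintext and no key, only the salt and tag, so an analyst has to recover the expected traits from the victim environment (or brute-force plausible ones), while the fact that the actor knew those traits at all is itself a targeting artifact.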
Additional TTPs from Midnight Blizzard campaign
“Due to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as infrastructure IP addresses, is not sufficient to detect this type of…activity”
👆👆
The 2023 Microsoft Digital Defense Report highlighted a more than 200% increase in human-operated ransomware attacks and a 12% increase in tracked ransomware as a service (RaaS) affiliates.
⚠️unsolicited⚠️ but hopefully helpful (career) advice:
take genuine (if even temporary) interest in what the people around you do, especially towards understanding how they see things 🧘
running micro adversary emulation plans (this one is mounting a malicious iso) using ezEmu (which also tracks child processes)
not super 🤯, but neat to play around with
Our latest cybersecurity advisory provides findings from a 2022 Red Team assessment at a large organization. Review the advisory for recommended actions and mitigations that can protect your network and systems from similar adversarial activity:
⚠️ Cloudflare disclosed a breach via creds stolen during the Okta incident, which exposed their self-hosted Atlassian server. Intrusion blamed on suspected “nation state attacker”
Welcome to the first Huntress Threat Report 🚨🦸‍♀️
An in-depth review of real world intrusions @ small & mid-sized businesses. Follow @HuntressLabs for more.
2️⃣5️⃣ days of techniques is back ❤️🎄
1️⃣ - T1654 reminds us that there is a constant battle for ℹ️ between adversaries and defenders
Verify & harden your sources 🪵🔒
Learn from MITRE ATT&CK subject matter expert Jamie Williams as he explores various examples of using adversary emulation to identify and deliver impactful business outcomes on Thursday, April 27, 10:15-11:40 PT at @RSAConference.
Clustering != Attribution
"But luckily, people are typically creatures of habit"
~"Look for narrowly focused details that would be hard for anyone besides the adversary to replicate" 🔍
@MorganDemboski
#CTISummit
Just a little bit more detail on the MS cloud breach in this official blog post.
But a key sentence:
"They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key."
😲
A threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream, which reportedly sells a suite of exploits, malware, and infra. Read our analysis in collaboration with @citizenlab:
'if a detection hasn't been tested, does it work?'
'focus on high benefit/low regret response automation'
'no one (even the most senior) is above SOPs'
-Carson Zimmerman
#shmoocon
💙🐝💪
FWIW we track this as Stage Capabilities: SEO Poisoning () to enable Drive-by Compromise ()
If anyone has additional ideas for relevant defenses, we'd love to share that with the community 🔊💙
Continued innovation in opsec makes APT29 one of the hardest groups to track. They seem to know more about Microsoft 365 than most and can blend their activities with standard admin actions in your org.
The financially motivated threat actor tracked by Microsoft as Octo Tempest, whose evolving campaigns leverage tradecraft not seen in typical threat models, represents a growing concern for organizations. Get TTPs and protection info:
📢New #APT profile: APT28
APT28 is allegedly tied to Russian military intelligence (GRU). Landmark incidents include the 2015 German Federal Parliament #hack and the hack of French President Macron’s 2017 electoral campaign ➡️
#cyber #CyberSec #CyberAttack
🚨apropos of nothing🚨
how do folks know when it's time to change jobs?
There's obviously leaving toxic people/environments, but I feel like I've always struggled with even helping friends keep up opportunities & their potential
my mom (born, raised, and now back in Louisiana), just shared this with me.
100% (subject to interpretation) with only a 10 minute timer, I would definitely fail.
What an amazing honor and reminder of how lucky I am to be a part of the
@MITREattack
family. This is 1000% a recognition of MANY passionate + dedicated individuals (no list sorry, but you know who you are😉), so on behalf of everyone thank you!
Really excited to release this one 💜
Focus was on easy to develop + execute + learn from adversary emulation plans that target specific defensive challenges 🎯
Micro Emulation Plans accelerate improvement in defensive posture. They offer a focused, intel-driven approach to validating defense based on critical threats.
🚨 ATT&CKcon 4.0 CFP closes 27 June 🚨
There's good guidance highlighting examples of what we are looking for on the site (), but also check out talks from previous years ()
Looking forward to seeing y'all, & thanks in advance!!! 🎃
super neat read, gotta love real threat data 🥰
the key idea that stands out to me is that they're seeing the same TTPs, but {informed/enhanced/aided/supported/assisted/...} by AI 🤖
Microsoft, in collaboration with OpenAI, is publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors Forest Blizzard, Emerald Sleet, Crimson Sandstorm, and others. Learn more:
helping folks map to ATT&CK never gets old 🥰
mostly because instead of ATT&CK itself, we end up focusing on data analysis leading to storytelling 🔍📜
learn ATT&CK as you go, don't try to 💯% memorize everything 😅
ATT&CK is looking for our next CTI lead! You'd be in charge of our Groups/Campaigns/Software, ATT&CK's CTI strategy, which reports we add, the team who adds/updates CTI in ATT&CK, and final review of procedures. You can check out the posting and apply at:
🚨 Exciting news, my first blog under @redcanary is out! 📢 Suspected exploitation of the latest Confluence CVE-2023-22518 exploit leading to Cerber ransomware.
Pleasure working with @ForensicITGuy and others at Red Canary on this. Give it a read!
Our team @Mandiant is releasing details on 🇨🇳 #UNC5325, who exploited CVE-2024-21893 and CVE-2024-21887 to deploy novel malware in an attempt to remain embedded in compromised Ivanti appliances even through factory resets, system upgrades, and patches.
"Focus Threat Intel Capabilities at Detection Engineering (Part 4)" <- our series on detection engineering (DE) continues with Part 4, which looks at the intel flows from CTI/TI to DE.
#ElasticSecurityLabs is tracking a threat targeting Vietnamese Agriculture and Financial industries. We’ll share their TTPs with emphasis on newly-discovered #Malware, and tell you who we think is behind it. Check out the latest here:
Just released by the Center for Threat-Informed Defense - Sensor Mappings to ATT&CK is a methodology and mapping to connect conceptual data sources represented in MITRE ATT&CK to concrete sensors and events that collect security-relevant information.
Yesterday, I presented @jsecurity101 and my Malware Morphology workshop at @NorthSec_io. Thanks to the organizers and everyone who attended.
If you missed it, you’re in luck: the recording is available!
📼 Video:
🗒️ GitHub:
The very awesome people from Microsoft DART have put together a collection of one-page Windows forensics guides to help you understand various artefacts you can use during your investigations. Check them out -
Microsoft has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, & Storm-1674, misusing the ms-appinstaller URI scheme (App Installer) to distribute malware. Get TTPs and protection info:
Evolving content, improved coverage, and a date for ATT&CKcon 4.0 🎉
We've just released our 2023 Roadmap where @supremrobertson highlights 2022 changes as well as our plans for the current year!
Check it out at !
Deciding which technique to map got you down? Today @CISAgov released an open-source tool to guide you through mapping to ATT&CK. We were happy to provide help and advice in coordination with @MITREcorp's #HSSEDI.
📰
🔧
Today, @ateixei and I are releasing the EDR Telemetry project. This project aims to compare and evaluate the telemetry of various EDR products.
✅Introductory blog post:
✅GitHub Repo:
✅Comparison Table:
🚀 Exciting News Coming Soon! 🌟
🔍 We're launching an innovative platform to help boost your DFIR skills!
🙏 Thanks to our beta testers - your feedback was invaluable!
✨ Curious for a sneak peek? Head to our site to see what's coming!