LAPSUS$ TTPs & MITRE ATT&CK Mapping (Cybersecurity, 4 min read)
Two interesting techniques used by LAPSUS$: Code Signing, and Disable and Modify Tools. TA0005 Defence Evasion, T1553.002 Subvert Trust Controls: Code Signing (attack.mitre.org): adversaries may create, acquire, or steal code-signing materials to sign their malware or tools. Code signing provides… NVIDIA certificates used to sign malicious software.
Cobalt Strike PowerShell Payload Analysis (Malware Analysis, 8 min read)
I have spotted this interesting tweet from Malwar3Ninja and decided to take a look and analyse the Cobalt Strike PowerShell payload. We can spot the for function: …
Cobalt Strike Hunting — DLL Hijacking/Attack Analysis (Cybersecurity, 6 min read)
DLL Hijacking via Cobalt Strike & Attack Analysis. Agenda: Hijack Execution Flow: DLL Search Order Hijacking; Payload extraction from the PCAP (VT, Triage, and CyberChef Analysis); Attack Analysis; DLL Hijacking via Cobalt Strike/Sysrep. Hijack Execution Flow: adversaries may execute their own malicious payloads by hijacking the way operating systems run…
Cobalt Strike Hunting — Malleable C2 jQuery profile & rundll32 Analysis (Cobalt Strike, 4 min read)
Agenda: Malleable C2 — jQuery profiles; Cobalt Strike — SpawnTo and Rundll32; PCAP & VT Analysis — Rundll32 connecting over TCP to Cobalt Strike C2; Cobalt Strike Malleable C2 User-Agents. Malleable C2 profiles have been widely adopted and used by Cobalt Strike, a popular framework used by Red Teamers, APTs…
Cobalt Strike Hunting — simple PCAP and Beacon Analysis (Cobalt Strike, 4 min read)
Legit healthcare company: Bonner General Health and Hospital | Sandpoint, North Idaho, Washington, Montana. Bonner General Health is a 25-bed Critical Access Hospital and healthcare network of outpatient clinics and services… https://bonnergeneral[.]org/
Malicious DLL Analysis (Feb 20; Cybersecurity, 9 min read)
Static/Dynamic Analysis and Reversing. Intro: Right, so again I will keep this intro very short. I have scanned (again) malicious infrastructure (maybe Threat Actors, maybe Red Teams, or maybe …)
Sliver C2 Implant Analysis (Jan 12; Cybersecurity, 8 min read)
Intro: In this short blog, I will analyse a sample of Sliver that I was able to identify while scanning my adversaries’ infrastructure. I will start with a static analysis with PEStudio, followed by a dynamic analysis with ProcMon and Wireshark. …
Adversaries Infrastructure - Ransomware Groups, APTs, and Red Teams (Dec 30, 2022; Cybersecurity, 4 min read)
What can you learn from scanning adversaries' infra? In this short blog, I will get straight to the point. I have been scanning the internet on a daily/weekly basis over the past few months/weeks using Shodan, Censys, Nmap, and my Python scripts, and would like to share my information/research. I will very briefly explain how the different Threat…
Hunting C2 (Sep 1, 2022; Cybersecurity, 3 min read)
Hunting C2/Adversaries Infrastructure with Shodan and Censys. My research: Cobalt Strike C2; Metasploit/MSF; Covenant C2; Deimos C2; Posh C2; Brute Ratel C4; Mythic C2; Sliver C2; Evilginx Infrastructure; Gophish Infrastructure; IcedID Infrastructure; Viper Infrastructure; ARL/Assessment Reconnaissance Tool Infrastructure; Night Hawk C2; NimPlant C2; ShadowPad C2 Infrastructure; Async Rat C2 Infrastructure; …
Follina (CVE-2022-30190) & Cobalt Strike C2 - Simple Analysis (Jun 29, 2022; Cobalt Strike, 3 min read)
Follina CVE-2022-30190 & Cobalt Strike C2 Simple Analysis using Twitter, Sublime Text, olevba, Shodan, VT, Triage, CyberChef, and DomainTools. Twitter Intel; Initial Access; Follina Exploit CVE-2022-30190.