I have spotted this interesting tweet from Malwar3Ninja and decided to take a look and analyse the Cobalt Strike PowerShell payload. PowerShell Payload Analysis. We can spot the for function:

DLL Hijacking via Cobalt Strike & Attack Analysis. Agenda Hijack Execution Flow: DLL Search Order Hijacking. Payload extraction from the PCAP (VT, Triage, and CyberChef Analysis). Attack Analysis. DLL Hijacking via Cobalt Strike/Sysrep. Hijack Execution Flow Adversaries may execute their own malicious payloads by hijacking the way operating systems run…

Agenda: Malleable C2 — jQuery profiles. Cobalt Strike — SpawnTo and Rundll32. PCAP & VT Analysis — Rundll32 connecting over TCP to Cobalt Strike C2. Cobalt Strike Malleable C2 User-Agents. Malleable C2 — jQuery profiles. Malleable C2 profiles have been widely adopted and used by Cobalt Strike, a popular framework used by Red Teamers, APT’s…

Legit healthcare company. Bonner General Health and Hospital | Sandpoint, North Idaho, Washington, Montana Bonner General Health is a 25-bed Critical Access Hospital and healthcare network of outpatient clinics and services…bonnergeneral.org https://bonnergeneral[.]org/

Hunting malicious infrastructure: Muddy Water Cyberespionage Threat Actor from Iran 🇮🇷 In this short blog, I will show you one practical example of how you can pivot from one node to another and reveal Threat Actors' cluster infrastructure. First things first: Who is Muddy Water? MuddyWater is a cyber…

APT29/Nobelium Initial Access & ATT@CK Mapping TA0042: Resource Development T1650: Aquire Infrastructure T1584: Compromised Infrastructure T1587: Develop Capabilities T1587.001: Develop Capabilities: Malware T1588: Obtain Capabilities T1588.002: Obtain Capabilities: Tool APT29/Nobelium Cobalt Strike C2 setup with custom certificates and redirections (Pay attention to how similar threat actor communitypowersports[.]com domain is to the genuine sanjosemotosport[.]com).

Hunting QBot C2 and Brute Ratel C4 Infrastructure In this blog, I will explain my hunting methodology with two practical examples. QBot C2 Brute Ratel C4 I choose these two because despite the difference between Brute Ratel C4 and QBot this methodology (JARM and HTTP Response hash) is applicable to…

Static/Dynamic Analysis and Reversing Intro Right so again I will keep this intro very short. I have scanned (again) malicious infrastructure (maybe Threat Actors, maybe Red Teams, or maybe …)

Sliver C2 Implant Analysis Intro In this short blog, I will analyse a sample of Sliver that I was able to identify while scanning my adversaries’ infrastructure. I will start with a static analysis with PEStudio, a dynamic analysis with ProcMon and Wireshark. …