security_dumpster (@securitydumpstr) 's Twitter Profile
security_dumpster

@securitydumpstr

303: @ securitydumpster.bsky.social Lifelong snowboarder and opportunist threat hunter | my views are my own

ID: 1684912605578539008

28-07-2023 13:04:57

72 Tweets

144 Followers

340 Following

Andrea Pierini (@decoder_it) 's Twitter Profile Photo

OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you remotely trigger machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB… 👇

𝓙𝓪𝓬𝓴2 (@2runjack2) 's Twitter Profile Photo

🚨 ITW Zero-Day Vulnerability Discovery: #APT37 (#Scarcruft) 🚨 For Responsible Disclosure, we disclose relevant details at this time: Unmasking CVE-2024-38178 The Silent Threat of Windows Scripting Engine 🔗 medium.com/s2wblog/unmask… 🔍 Key findings: - The attack used a freeware

Vangelis tix Stykas (@evstykas) 's Twitter Profile Photo

My DEF CON 32 talk "Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels" is up on YouTube! youtube.com/watch?v=T5K4AB…

Microsoft BlueHat (@msftbluehat) 's Twitter Profile Photo

📣SPEAKER ANNOUNCEMENT📣 We're excited to announce our next #BlueHat speakers: Mark Parsons (security_dumpster) and Colin Cowie from Sophos. They will be presenting a talk titled “Patterns in the Shadows: Scaling Threat Hunting and Intelligence for Modern Adversaries.” Mark is a

Will (@bushidotoken) 's Twitter Profile Photo

Recent trick related to .RDP files used by the SVR 🇷🇺 is worth threat hunting for. Basically they’re doing what this Black Hills Information Security blog demoed in 2022: blackhillsinfosec.com/rogue-rdp-revi… Reports: 1. cert.gov.ua/article/6281076 2. aws.amazon.com/blogs/security… 3. microsoft.com/en-us/security…

Diego Capriotti (@naksyn) 's Twitter Profile Photo

This has been one of my favorites for a while, but now it's time to let it go. Here's my preferred way of getting the KeePass db that we often hunt for: downgrade the executable to version 2.53, use CVE-2023-24055 and wait for the busy admin to trigger the dump of the database.

Andy Greenberg (@agreenberg at the other places) (@a_greenberg) 's Twitter Profile Photo

Sophos detailed to me its 5-year cat-and-mouse game with Chinese hackers repeatedly exploiting its firewalls. The company resorted to installing spy "implants" on devices the hackers were testing on—tracing them to a university and contractor in Chengdu. wired.com/story/sophos-c…

The Brofessor (@glacius_) 's Twitter Profile Photo

Hey :) We published a blog talking about ORB networks and a summary of the purpose, use cases and more: team-cymru.com/post/an-introd… This blog is also a teaser for more blogs to come 👀 Team Cymru Threat Research

Elbridge Colby (@elbridgecolby) 's Twitter Profile Photo

"China’s ‘mind-boggling’ space capabilities worry US, says Space Force chief Beijing’s tech is more concerning than reports of Russian space nukes, said General B. Chance Saltzman." 1/ politico.eu/article/china-…

SentinelLabs (@labssentinel) 's Twitter Profile Photo

🔥 New from Phil Stokes ⫍🐠⫎ , Raffaele Sabato and Tom Hegel: 🇰🇵 BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence sentinelone.com/labs/bluenorof…

Dr. Nestori Syynimaa (@drazuread) 's Twitter Profile Photo

My Microsoft BlueHat talk "Deprecating Azure AD Graph API is Easy and Other Lies We Tell Ourselves" is now on Youtube! Link to recording & slide deck at aadinternals.com/talks/

security_dumpster (@securitydumpstr) 's Twitter Profile Photo

My (and my co-presenter Colin Cowie's) Microsoft BlueHat talk “Patterns in the Shadows: Scaling Threat Hunting and Intelligence for the Modern Adversary” is on YouTube, hope you enjoy! youtu.be/n7GVxDxwOUc?fe…

Sophos X-Ops (@sophosxops) 's Twitter Profile Photo

In November, Sophos MDR noted a rapid decline in detections for the Rockstar2FA phishing as a service platform. Its rise was documented in a report by Trustwave on November 26. /1 trustwave.com/en-us/resource…

security_dumpster (@securitydumpstr) 's Twitter Profile Photo

Just put out this research on MiTM PaaS kits Rockstar/FlowerStorm. While my name is on this, the primary researchers Josh Rawles and Jordon Olness deserve the lion's share of credit. They’re both brilliant to work with and hats off to them news.sophos.com/en-us/2024/12/…

Sophos X-Ops (@sophosxops) 's Twitter Profile Photo

Sophos MDR has observed 2 distinct social engineering campaigns using a technique referred to as ClickFix spiking during March. Both of these campaigns—one surging on 2 March & the other 12 March—attempted to deploy SecTopRAT malware. We are tracking this activity as STAC6380./1

Sophos X-Ops (@sophosxops) 's Twitter Profile Photo

Sophos analysts are investigating a new infection chain for the GOLD BLADE cybercriminal group’s custom RedLoader malware, which initiates command and control (C2) communications.