Threat Hunting (@mahdi_htm) 's Twitter Profile
Threat Hunting

@mahdi_htm

Open to negotiate for threat hunting and threat analysis remote services

ID: 991630721210114048

Account created: 02-05-2018 10:49:22

219 Tweets

1.1K Followers

412 Following

Threat Hunting (@mahdi_htm)

You can reduce the initial access attack surface by disabling mounting of image containers like ISO files.

The policy:
•Computer Configuration => Administrative Templates => System => Device Installation => Device Installation Restrictions
#threathunting
Threat Hunting (@mahdi_htm)

APT28 has been targeting the Iranian Embassy in Albania with the Browser In The Browser (BITB) phishing technique. Kudos to CERT-UA for first discovering this.
Threat Hunting (@mahdi_htm)

Initial Access with Compiled HTML File (CHM) has been used by different TAs including APT37 and APT41.

For hunting/detecting them you should check for hh.exe spawning mshta.exe or any other related LOLBins in Sysmon Event ID 1 or Event ID 4688.

See the execution flow in the following pics
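The hunt described in this post, written out as an added example that is not the author's code: it walks constructed Sysmon Event ID 1 and Security 4688 style records and flags any process-creation event whose parent is hh.exe and whose child is mshta.exe or another script/command host. The record format, the sample lines and the set of child LOLBins beyond mshta.exe are assumptions made for the example.

```python
import re
from typing import Iterable, Optional

# Constructed sample telemetry (not real logs) in a simplified key="value"
# form. Sysmon Event ID 1 carries ParentImage/Image; Windows Security
# Event ID 4688 carries ParentProcessName/NewProcessName.
SAMPLE_LOGS = [
    'EventID="1" ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\hh.exe" CommandLine="hh.exe C:\\Users\\u\\invoice.chm"',
    'EventID="1" ParentImage="C:\\Windows\\hh.exe" Image="C:\\Windows\\SysWOW64\\MSHTA.EXE"',
    'EventID="4688" ParentProcessName="C:\\Windows\\explorer.exe" NewProcessName="C:\\Windows\\System32\\cmd.exe"',
    'EventID="4688" ParentProcessName="C:\\Windows\\hh.exe" NewProcessName="C:\\Windows\\System32\\cmd.exe"',
    'EventID="3" Image="C:\\Windows\\hh.exe" DestinationIp="203.0.113.5"',
]

# mshta.exe is the child named in the post; the rest are an assumed set of
# other script/command hosts a CHM would plausibly hand off to.
CHILD_LOLBINS = {"mshta.exe", "cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_record(line: str) -> dict:
    """Turn one key="value" line into a dict of fields."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}

def _basename(path: str) -> str:
    # Install paths and casing vary across hosts; compare on the lower-cased file name only.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parent_child(rec: dict) -> Optional[tuple]:
    """Return (parent, child) image paths for the two process-creation event types."""
    if rec.get("EventID") == "1":
        return rec.get("ParentImage", ""), rec.get("Image", "")
    if rec.get("EventID") == "4688":
        return rec.get("ParentProcessName", ""), rec.get("NewProcessName", "")
    return None  # not a process-creation event

def is_chm_lolbin_spawn(rec: dict) -> bool:
    """True when the HTML Help executable is the parent of a script/command host."""
    pc = parent_child(rec)
    if pc is None:
        return False
    parent, child = pc
    return _basename(parent) == "hh.exe" and _basename(child) in CHILD_LOLBINS

def hunt(lines: Iterable[str]) -> list:
    """Return every record that matches the hh.exe -> LOLBin pattern."""
    return [rec for rec in map(parse_record, lines) if is_chm_lolbin_spawn(rec)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print("CHM handoff:", parent_child(hit))
```

Opening a CHM legitimately only produces explorer.exe -> hh.exe, so that line is deliberately not flagged; the match is on hh.exe acting as the parent.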
Florian Roth ⚡️ (@cyb3rops)

You can either hunt for it or check and apply our Sigma rules

If you're unsure whether a detection idea is already covered by an existing rule, you can use sigmasearchengine.com, which was developed by my team member @ph_t__

We've also integrated the API of that service
Threat Hunting (@mahdi_htm)

1) Great talk at Positive Hack Days about OPSEC mistakes, challenges and techniques for my dear partners from Positive Technologies. I have talked about various Threat Intelligence tips and tricks and OPSEC mistakes like NOBUS WebShell, Operations Security (OPSEC),
Threat Hunting (@mahdi_htm)

Enterprise Threat Hunting to catch and follow the recent Lazarus campaign with passive DNS.
Validin provides extensive passive DNS records, which map domains to their associated IP addresses over time. This allows analysts to see where a domain has been hosted and track any changes.
Threat Hunting (@mahdi_htm)

F5 The Perfect Place to Hide
China Threat Group Abuses F5 Load for Persistence. The investigation confirmed that the threat actor maintained a presence in the organization's on-premises network for about three years. The overall goal to the target network for espionage.
SygniaTeam
Threat Hunting (@mahdi_htm)

CHM files are being used for Initial Access (Phish-to-Persist), particularly by DPRK-attributed threat actors and more recently in cybercrime operations.

#threatintelligence #threathunting
Threat Hunting (@mahdi_htm)

APT29 and APT28 separately targeted diplomatic entities within a year using decoy and phishing tactics, including a car sale lure. Each group employed distinct methods, such as hosting payloads on public services like webhook.
#threatintelligence
Thanks Unit42
Threat Hunting (@mahdi_htm)

Does anyone know which threat actor is attributed to stealing IIS machine keys for persistence (executing commands on a web server remotely through IIS insecure serialization)? #threatintel

Threat Hunting (@mahdi_htm)

🚨 After seeing the Snake driver sniff inbound traffic from a mail server using an incredible technique, now we encounter something new: a Linux kernel module that hijacks inbound network traffic to compromised systems.

Innovation in attack vectors is relentless.