Tony Lambert

Recovering sysadmin who now chases adversaries instead of uptime. Sr Malware Analyst
@redcanary

2025-05-19

Do you miss @cobaltstrikebot? If so, here's a blog post showing how you can pull Cobalt Strike SpawnTo and watermark info with Shodan and some PowerShell: forensicitguy.github.io/squeez

2025-03-18

A fun yearly endeavor for me is contributing to the Red Canary Threat Detection Report, and the 2025 edition is out today! distilled into one report!

Get your free copy of our 2025 Threat Detection Report now. ⬇️
#ThreatReport #SecOps #ThreatIntel
redcanary.com/threat-detection

2024-07-21

New blog post - not about CrowdStrike, but about tearing into a JPHP-based loader forensicitguy.github.io/decomp

#Malware

2024-03-04

New blog post! In this one I look at a Java-based dropper for Pikabot that TA577 used in mid-February 2024.
forensicitguy.github.io/dissec
#malware #pikabot #ta577

2023-08-04

New blog post! Building on my last post about malware distro via VHD, I walk through creating a simple timeline of the VHD with Plaso to show how you can get more data for intelligence. forensicitguy.github.io/timeli

#malware #plaso

2023-07-25

@MegaMichelle It's so slick and I love how simple it makes things

2023-07-25

Do you want to learn a little about infostealer malware, how it works, and which families Red Canary sees most often? Because that's exactly what I'll cover in the next Threat Detection Series webinar on August 2! Come on in and get your seat here: redcanary.com/resources/webina

#malware #infostealer

2023-07-24

New blog post! I love when adversaries use VHD files to distribute malware because VHDs can potentially contain a lot more data than the adversary intends to distribute. To see what I mean, check out this post: forensicitguy.github.io/vhd-ma

#malware #vhd

Tony Lambert boosted:
Chris Sanders 🔎 🧠 chrissanders88@infosec.exchange
2023-07-19

I’m excited to launch our latest online course, YARA for Security Analysts.

We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intelligence research.

In the course, you’ll learn how to use YARA to detect malware, triage compromised systems, and collect threat intelligence. No prior YARA experience is required.

You can learn all about the course and register here: networkdefense.co/courses/yara.

It's discounted right now for launch.

#Yara #DetectionEngineering #DFIR #Malware #Infosec

2023-07-14

New blog post! In this one I take a quick look at how you can use YARA to quickly do things like generating hashes and possibly replace some initial triage tools. #yara forensicitguy.github.io/faster

2023-05-02

I'm happy to say I'm presenting actionable insights into information stealer malware next week at the Threat Detection Series Live in SF! Register now for the event on May 11 – space is limited.

redcanary.com/resources/events

2023-04-13

On fenced/walled intel and other content there needs to be a checkbox that says "I have no purchasing authority, please don't email me"

Tony Lambert boosted:
Chris Sanders 🔎 🧠 chrissanders88@infosec.exchange
2023-04-11

I'm excited to share something new...

I just opened up access to my Analyst Skills Vault. 🚀

The Vault is a subscription-based service that provides access to our growing collection of standalone video lessons.

You can learn more and register here: networkdefense.co/skillsvault/

Not everything needs its own course, so I'm excited to be able to provide some bite-sized knowledge across a variety of defensive security topics designed to help you level up just a bit more with each one you watch.

We're adding new videos every month. Some of those are from me, but you'll also recognize other AND course authors and see a few new faces!
We've got lots of things already there, including a clipboard forensics tutorial from Joshua Brower, an AsyncRAT malware analysis walkthrough from Tony Lambert, and a few things like how to create event baselines in Excel, how to use Chainsaw in your investigations, and a lot more.

Something else... you'll also get access to previews of new courses. For example, the vault already includes a lesson from our new Splunk for Security Analysis course.

One more thing... If you've ever purchased one of our full-length courses, your subscription extends/reactivates access to any of those courses as long as it's active.

Skills Vault Access is also a great way to support our work. It's $20/month or $220/year (you get a free month with the annual subscription).

Even more to come soon, but I'm excited to get this one open and available to everyone. I hope you enjoy what we've put together for you. 🚀

#DFIR #SOC #cybersecurity #infosec

2023-04-11

If you have to build your own #Qbot coverage, you can build best-in-class detection capabilities with the details from @pr0xylife github.com/pr0xylife/Qakbot. They update the repo regularly with IOCs and behaviors.

Tony Lambert boosted:
2023-04-01

ATTN NERDS:

1) We're at #BSidesTampa and would love for you to come say HI! So swing by our booth tomorrow!

2) @eric_capuano and @shortstack are giving a talk @ 12 ET! Check it out if you want to learn some more about secops w/ @velocidex!

Can't wait to see everyone ✌️💙🤓

Tony Lambert boosted:
2023-03-26

Insured through #Cigna or #UnitedHealthcare?

ProPublica & Capitol Forum have investigated how these #health #insurance companies fight to reduce spending on patient care.

Join us Tuesday, 3/28 to learn our findings.

RSVP to this free online event here:

propublica.org/events/medicall

2023-03-22

The Red Canary 2023 Threat Detection Report is now available! My favorite part is always the detection analytics. Dig in and help an adversary have a bad day :D

redcanary.com/resources/guides

Tony Lambert boosted:
2023-03-09

An international law enforcement operation involving the FBI and police agencies worldwide led to the arrest of the suspected administrator of the NetWire remote access trojan and the seizure of the service's web domain and hosting server.

bleepingcomputer.com/news/secu

2023-03-02

Have you ever wanted to keep track of offensive security project updates in your RSS reader? That's precisely what I do with this: github.com/ForensicITGuy/handy

Note: may cause your Feedly basic to hit 100 feeds

2023-02-26

New blog post! In this one I take a look at a malicious installer that installs NetSupport Manager onto an unwitting victim, and I walk through artifacts you can find when it's used as malware.

forensicitguy.github.io/netsup

#netsupportmanager #malware
