Just Another Blue Teamer

A threat hunter that has a passion for logs, especially endpoint logs, and for teaching the next generation of Threat Hunters to come!

I have recently been awarded the honor to be a trainer at #BlackHat 2023, which is an amazing opportunity and a goal I had set for myself. I am truly flattered!

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-28

Happy Wednesday everyone!

I stumbled across this interesting report from Flare that took an in-depth look at the relationship between Session Hijacking and Account Takeovers. The article put into perspective how lucrative and common these attacks are and really helped me understand the threat by providing a bunch of contextual information. I enjoyed it and hope you do too! Happy Hunting!

The Account and Session Takeover Economy
flare.io/learn/resources/the-a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-27

Good day everyone!

If you are in the threat hunting community, want to join, or simply have questions regarding threat hunting, we at Intel 471 want to hear them! Toss us your questions to possibly get featured in our new series "Lee-Git Threat Hunting: Your Questions, Answered"! Simply put your question in the form and add your name if you want! I look forward to seeing them! Enjoy and Happy Hunting!

docs.google.com/forms/d/1fYIKF

Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-23

Happy Friday everyone!

With the news breaking that #DanaBot was disrupted, it got me thinking: how do these pieces of malware function, and how do they stay on the victims' machines? When you think about it, what a botnet operator really needs is repeated access to the compromised machine, which gets me thinking about persistence. So, I poked around my favorite resource, the MITRE ATT&CK Matrix, looked at as many bot malware families as they have, and looked at what they had in common from a persistence perspective. Two of the most common techniques used were T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder and T1053.005 - Scheduled Task/Job: Scheduled Task. So, if you are hunting for bots, you may want to start there! Enjoy the read and Happy Hunting!

DanaBot malware disrupted, threat actors named
intel471.com/blog/danabot-malw

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-22

If RMM tool abuse is something you are concerned about, check out this community hunt package! This hunt package is designed to identify when a service is created to run AnyDesk, which was a tactic the adversary used in this report! Hope you enjoy and Happy Hunting!

AnyDesk Service Installation - Potentially Malicious RMM Tool Installation
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-22

Good day everyone!

I don't know how I missed this one but here is your #readoftheday:

The DFIR Report published an article on Monday that details an attack that started with a vulnerable Confluence server and ended with the deployment of the ELPACO-team ransomware. Multiple publicly available tools were used, including Anydesk.exe, Mimikatz, ProcessHacker, and Impacket Secretsdump. Side note: they mention that this case is featured in one of their labs, so go check it out! Also, go find out all the details that I couldn't post here and read the article! Enjoy and Happy Hunting!

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
thedfirreport.com/2025/05/19/a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-21

Happy Wednesday!

Today's #readoftheday is an article from Sophos researchers that provides details on an attack involving the #3AM ransomware strain. What started with email bombing led to social engineering, Microsoft Quick Assist, and a Windows 7 virtual machine. What I really enjoy about this article is the technical detail about the "pre-ransomware" activity, which can be seen in the Discovery and Defense Evasion sections. These normally involve some LOLBINs (Living-Off-The-Land Binaries) and use tools that can help provide the adversary with information about the system. Enjoy and Happy Hunting!

A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist
news.sophos.com/en-us/2025/05/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-04-17

Good day everyone!

Check Point Software researchers produced another great article that involves #APT29, #phishing, and a little bit of masquerading. This phishing campaign targeted European diplomatic entities by distributing fake invitations to diplomatic events, and it appears to be a continuation of a previous campaign run by the same actors. These phishing emails utilized a backdoor known as #Wineloader and also employed a new loader, #Grapeloader. There is a lot to unpack here and I hope you enjoy!

Renewed APT29 Phishing Campaign Against European Diplomats
research.checkpoint.com/2025/a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-04-09

Happy Wednesday everyone!

Today's #readoftheday starts strong! "Microsoft Threat Intelligence and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets." and their discovery involved #PipeMagic malware which was used to deploy ransomware. Enjoy and Happy Hunting!

Exploitation of CLFS zero-day leads to ransomware activity
microsoft.com/en-us/security/b

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-04-08

Good day everyone!

Today's #readoftheday involves Microsoft Office add-ins, masquerading, trojans, and MUCH MORE! Kaspersky researchers share the details about a project on SourceForge that was distributing malware. It appeared to be a project for Microsoft Office add-ins that were copied from a legitimate project on GitHub, but in reality it was a list of Microsoft Office applications that led to an archive containing an installer file (.msi). Once that is run, a bunch of bad stuff happens (I'm not going to ruin it for you) and then you are left with a miner and the #ClipBanker malware, which replaces cryptocurrency wallet addresses in the clipboard with the attacker's own, which is pretty interesting as well! I hope you enjoy it as much as I did! Happy Hunting!

Attackers distributing a miner and the ClipBanker Trojan via SourceForge
securelist.com/miner-clipbanke

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-04-07

Happy Monday everyone!

Just got done reading an incredible article from ESET researchers describing an APT group that was long thought to be inactive but is alive and well! #FamousSparrow is a China-aligned APT group that has had no publicly documented activity since 2022 and was found using two previously undocumented versions of its backdoor, SparrowDoor. They used a mix of publicly available and custom tools for their attack, ultimately leading to the deployment of SparrowDoor and ShadowPad (a privately sold backdoor). This report gets more and more interesting as you go, so please go take the time to read it! Enjoy and Happy Hunting!

You will always remember this as the day you finally caught FamousSparrow
welivesecurity.com/en/eset-res

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-03-26

Happy Wednesday!

I know this is a repeat of yesterday, but tomorrow is the day! You still have time to register and get your community HUNTER account before we begin! I look forward to seeing you there! Happy Hunting!
linkedin.com/events/threathunt

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #workshop #webinar

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-03-17

I know I was away for a while but I'll make it up to you! Check out our Hunt Package Collection that focuses on Volt Typhoon! We have multiple community edition hunt packages that can get you started! Now, the next steps are up to you! Happy Hunting!

Volt Typhoon Hunt Package Collection
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-03-17

Happy Monday everyone!

Coming out of a brief lull in activity, I have a #readoftheday for you! This comes from a CYFIRMA article that takes a look at the APT #VoltTyphoon. They share vulnerabilities that have been recently exploited and (my favorite part) recent #TTPs and #behaviors that are associated with the group! It is so well documented that I am not even going to recreate it here! I will definitely be diving back into their archives to see if there are more of these profile articles! Enjoy and Happy Hunting!

APT PROFILE – VOLT TYPHOON
cyfirma.com/research/apt-profi

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-03-03

Happy Monday everyone!

Today's #readoftheday is brought to you by Trend Micro and they share their findings related to #BlackBasta and #CactusRansomware adding a piece of malware known as #BackConnect to their toolbox.

The report states "The BackConnect malware is a tool that cybercriminals use to establish and maintain persistent control over compromised systems. Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine. This enables them to steal sensitive data, such as login credentials, financial information, and personal files."

Behaviors (MITRE ATT&CK):
Initial Access - TA0001:
Phishing: Spearphishing Voice - T1566.004 - The attackers conducted an email bombing campaign, then contacted the victim posing as "IT Support" or "HelpDesk".

Command and Control - TA0011:
Remote Access Software - T1219 - The attackers used Quick Assist to access the victim's environment once the victim was successfully social engineered.

Lateral Movement - TA0008:
Remote Services: SMB/Windows Admin Shares - T1021.002
Remote Services: Windows Remote Management - T1021.006
The attackers leveraged both SMB shared folders and WinRM for lateral movement.

Go check out the rest of the technical details! Enjoy and Happy Hunting!

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
trendmicro.com/en_us/research/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-28

Happy Friday everyone!

I feel like this has become a weekly PSA, but Kaspersky Securelist researchers have identified hundreds of #GitHub projects that are serving up malicious code designed to steal saved credentials, cryptocurrency wallets, and browsing history. Sometimes this execution of code leads to the #ASyncRAT or #Quasar Backdoor, but the threat remains the same: blindly executing code from GitHub. I hope you enjoy and Happy Hunting!

The GitVenom campaign: cryptocurrency theft using GitHub
securelist.com/gitvenom-campai

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-27

Good day everyone!

An APT group known as Angry Likho (a.k.a. Sticky Werewolf) is being monitored by Kaspersky's Securelist researchers, and they have identified hundreds of victims of a recent attack in Russia, several in Belarus, and additional incidents in other countries. They used the age-old technique of spear-phishing to gain initial access, with various attachments that contained the legitimate bait file as well as other files, in some cases malicious LNK files. Execution would lead to a newly discovered implant named FrameworkSurvivor.exe.

As usual, check out all the juicy details that I left out and enjoy the read! Happy Hunting!

Angry Likho: Old beasts in a new forest
securelist.com/angry-likho-apt

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-25

AND A HUNT OF THE DAY!?! You know it! Looking at where the malware created its scheduled task, you can tell it is a little phishy, but there are more locations that adversaries like to use/abuse! See what you can find in your environment with this! Yes, it is community, and I hope it gets you off on your journey if you haven't started OR adds another tool to your existing toolbox! Happy Hunting!

Scheduled Task Executing from Abnormal Location
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting #HappyHunting
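The DanaBot persistence post above (Run keys and scheduled tasks, T1547.001 and T1053.005) and this scheduled-task hunt package point at the same hunt: autostart entries whose executable lives somewhere legitimate software rarely runs from. The Python below is an added example, not code from the hunt package or from Cyborg Security; it assumes pre-parsed Sysmon Event ID 13 and Security Event ID 4698 fields (field names and the abnormal-directory list are assumptions) and runs over constructed sample events.

```python
import re

# Directories that legitimate autostart entries rarely run from; substring match on the
# lower-cased path. Assumed starting set, not from the hunt package: tune it to your environment.
ABNORMAL_DIRS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
    "\\users\\public\\", "\\windows\\temp\\", "\\$recycle.bin\\",
)
RUN_KEY_RE = re.compile(r"\\currentversion\\(?:run|runonce)\\", re.I)

def image_path(command):
    """Return the lower-cased executable path from a command line, quoted or not."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)).lower() if m else ""

def is_abnormal(path):
    return any(d in path for d in ABNORMAL_DIRS)

def hunt(events):
    """Return (technique, registry value or task name, path) for autostarts in abnormal locations."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13 and RUN_KEY_RE.search(ev["target_object"]):
            # Sysmon EID 13 (registry value set) on a Run/RunOnce key: T1547.001
            path = image_path(ev["details"])
            if is_abnormal(path):
                findings.append(("T1547.001", ev["target_object"], path))
        elif ev["event_id"] == 4698:
            # Security EID 4698 (scheduled task created); the action command is assumed
            # to have been extracted from the task XML already: T1053.005
            path = image_path(ev["command"])
            if is_abnormal(path):
                findings.append(("T1053.005", ev["task_name"], path))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 13, "target_object": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe"},
    {"event_id": 13, "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"event_id": 4698, "task_name": "\\OneDriveSync",
     "command": "\"C:\\Users\\Public\\sync.exe\" /background"},
    {"event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe -c -h -k -g"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the two entries executing from a user-writable directory are reported; the baseline Windows entries in the same sample pass through untouched.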

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-25

Good day everyone!

Forescout Technologies Inc. researchers identified a malware cluster that masqueraded as MediaViewerLauncher.exe, the primary executable for the Philips DICOM viewer, and that has been associated with the Chinese APT #SilverFox. When downloaded, these executables led to the deployment of the #ValleyRAT (Remote Access Trojan), a backdoor, a keylogger, and a crypto miner on victim computers.

Behaviors (MITRE ATT&CK):
Discovery - TA0007:
System Network Configuration Discovery: Internet Connection Discovery - T1016.001 - Living-off-the-land binaries are used to check if the system can reach the C2 server.

Persistence - TA0003:
Scheduled Task/Job: Scheduled Task - T1053.003 - The malware creates a scheduled task that will trigger on logon for persistence.

Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers
lnkd.in/ghQS3nwv

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-24

Happy Monday everyone!

The AhnLab, Inc. Security Intelligence Center (ASEC) has been monitoring infostealer malware that is disguised as illegal software and keygens and found that most of the malware distributed in this manner has been the #LummaC2 infostealer, BUT there has been an increase in distribution of the #ACRStealer as well. What is pretty interesting is the technique they use for C2. In this case they have used Steam, telegra.ph, Google Docs (Form), and Google Docs (Presentation). Enjoy and Happy Hunting!

ACRStealer Infostealer Exploiting Google Docs as C2
asec.ahnlab.com/en/86390/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-21

To complement the work of the authors, why not take this Community Hunt Package with you to identify when a PowerShell encoded command is executed in your environment:

Powershell Encoded Command Execution
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting
