I love how statements like:
"Currently, there is no evidence to suggest exploitation of CVE-2025-5777."
... is NOT comforting at all. It pretty much sounds just like... "we found NO vulnerabilities in our LLM-generated application".
... and how on earth would Netscaler see targeted exploitation? Exactly... Netscaler wouldn't, you might however with appropriate monitoring.
@nopatience Exactly. Can’t have evidence of exploitation if you don’t have the logs to see it. I hate weasel words in wordsmithed bulletins written by lawyers.
Devils Haircut Stylist by Beck #MicroBusinessASongOrPoem
#HashTagGames
New from 404 Media: ICE is using a new facial recognition app to identify people, leaked emails show. Point camera at person, reveal their identity. It uses the CBP system that records peoples' faces as they enter or exit the U.S. Now, turned inwards to be used by ICE https://www.404media.co/ice-is-using-a-new-facial-recognition-app-to-identify-people-leaked-emails-show/
Pulaski at Night by Andrew Bird #CityPerksSongsOrPoems
#HashTagGames
@codinghorror Awesome and fun build. Where did you buy the lighting? I can’t justify paying 100 bucks for the Milky Way galaxy lighting from lightmybricks.com.
One of my daughters did all the work on this one! Hell, why not, let’s build the entire frickin Milky Way Galaxy, should only take 6 to 8 weeks
Huh. I wonder who that is for?
When folks casually reference ATT&CK IDs instead of the technique name...
"Looks like some T1547.001"
Bless your heart, nobody is memorizing all those.
Investigation Scenario 🔎
A macOS system performed a DNS query for a .onion domain.
The system doesn't have an EDR available -- only native logging.
What do you look for to investigate whether an incident occurred?
Alibaba O’Riley by The Who #GenericKnockOffSongsOrPoems
#HashTagGames
Important Message
@saltmyhash Probably.
A source working with Aflac on the incident explained explained that the threat actors did not identify themselves but the characteristics of the attack bear the hallmarks of Scattered Spider
https://therecord.media/aflac-cyberattack-potential-data-breach
Hello #Fediverse it is once again #NewMusicFriday and time for #FletchsFridayReleases. As mentioned, a slightly shorter list this week but that doesn’t mean there isn’t gold in them there hills. #Metal #HeavyMetal #DeathMetal #BlackMetal #ThrashMetal #DoomMetal
@HailsandAles Cryptopsy’s An Insatiable Violence shortlisted for metal album of the year for me. Only complaint is it’s 33 min long. Highly recommended.
Investigation Scenario 🔎
A host on your network executed a process whose parent process is mftrace.exe.
What do you look for to investigate whether an incident occurred?
@chrissanders88 mftrace.exe is a legitimate trace log generation tool but is considered a living-off-the-land binary on Windows OS. Specifically, it allows for proxy execution of binaries which is a technique frequently used by threat actors. These utilities are signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. Knowing this, analysts should carefully investigate the child process of mftrace.exe, understanding that its usage may be benign.
First, I would ensure mftrace.exe is being executed out of its typical Windows file directory and not an attacker-controlled location. The LOLBAS project lists the following execution paths for mftrace.exe. Any execution outside of the standard Windows location warrants scrutiny as to how mftrace.exe got there in the first place.
Paths:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86\mftrace.exe
C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\mftrace.exe
C:\Program Files (x86)\Windows Kits\10\bin\x86\mftrace.exe
C:\Program Files (x86)\Windows Kits\10\bin\x64\mftrace.exe
Next, closely examine the spawned child process, looking for file hash hits in threat intelligence platforms or suspicious child process spawns, network connections, registry edits, or file modification events. I would also determine how the child process was initially spawned. Finally, I would examine the host this is occurring on and who it belongs to. Context on whose host this belongs to is also a useful indicator. Developers may call mftrace.exe for legitimate event tracing for windows (ETW) activities. Seeing mftrace.exe execution on an unusual host such as accounting or the help desk warrants additional scrutiny.
Detection Opportunities:
Depending on the frequency of mftrace.exe execution in your environment, you might want to monitor for any time mftrace.exe executes a payload. A sample Sigma rule (see below) provides a decent jumping-off point for custom detection logic.
References:
LOLBAS Entry for mftrace.exe:
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
Sigma Rule for suspicious mftrace execution:
https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml
MITRE Map:
T1127: Trusted Developer Utilities Proxy Execution
https://attack.mitre.org/techniques/T1127/
