#ThreatDetection

2025-06-14

Up next on the busy #Graylog conference circuit we have... #AWSreInforce starting this Monday! (Party ON 🥳) And on Tuesday at the show, the amazing Rich Murphy will talk about taming your alert avalanche, at 1:30 PM. 🚨 🫢

Learn how to tune out false positives, consolidate redundant alarms, and apply risk-based filtering so that high-fidelity alerts rise to the top. 💯

We'll also have Sam Parikh, Quinn Kroll, and Justine Simpson on-site to connect with you. See us there in booth #423.

Learn more: registration.awsevents.com/flo #TDIR #threatdetection #incidentresponse #cybersecurity

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-11

Happy Wednesday everyone!

A "fully undetected #infostealer malware sample written in Rust" was identified by Trellix researchers while conducting a proactive hunt! The distribution should not come as any surprise, fraudulent gaming websites! This is not an old tactic and something that I have read about from many vendors (Remember, downloading cracked or "free" games from sites normally means you just aren't paying with money!). In this case, the "game" files were distributed as password-protected rar files which contained the stealer executable with some legitimate game-related files. This is another tactic that is commonly used to "assure" the user that they downloaded something legitimate.

The researchers also discussed the capabilities of the malware and here are just a few:
- It displayed a fake window to the user to fool them into it being a legitimate application.
- It terminates a list of processes, some that relate to browsers.
- Steals passwords, cookies, autofills, and saved credit card information from applications like Discord and Chrome.
- Drops a copy of itself in the \AppData\Roaming directory and saves a .lnkk file in the startup directory for persistence. The attackers link the executable and the .lnkk through registry keys so it can execute the .exe file properly.

Thanks goes to the researchers (who if you want tagged in here let me know!) for the great report and details! I hope you enjoy the read as much as I did and go check out the details I left out, it's worth it! Happy Hunting!

Demystifying Myth Stealer: A Rust Based InfoStealer
trellix.com/en-in/blogs/resear

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Overture Rede Private Limited (OvertureRede)
2025-06-11

🚨 Urgent Hiring – Threat Detection & Response Trainer! 🚨
Remote | Experience: 10+ years | Duration: Project-Based

📩 Email: amritk1@overturerede.com 📞 Call/WhatsApp: 9289118667

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-10

Good day everyone!

This is a really interesting read from SentinelOne Labs. Back in October 2024 they dealt with a reconnaissance operation that was related to the activity cluster tracked as #PurpleHaze and then in 2025 "they helped disrupt an intrusion linked to a wider #ShadowPad operation". The activity was attributed to China-nexus threat actors.

The article gives an in-depth view of what it looks like when an organization that is responsible for "IT services and logistics" gets compromised, which we could call a supply-chain attack. The article also provides a TON of technical details about tools and infrastructure that was used, indicators of compromise to scan for in your environment, and behaviors and commands that were observed throughout. This one may take a while to read but it's worth it! Thanks to the researchers Dr Aleksandar Milenkoski and Tom Hegel for this report! I hope you all enjoy it as much as I did. Happy Hunting!

Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
sentinelone.com/labs/follow-th

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

2025-06-10

🎉 Just dropped a new Kunai release! 🎉

We've been working hard on some exciting new features and performance boosts that we can't wait for you to try out! Here's what's new:

New Features:
๐Ÿ” Track io_uring operations with new io_uring_sqe events!
๐Ÿ“ Get more context with parent command line information for execve and execve_script events.
๐Ÿ”Ž Get information about matching filtering rules in final events.
๐Ÿงช Test your filters with ease using the new test command.

Improvements:
⚡ Experience performance boosts thanks to changes in the event matching engine and code refactoring.

Ready to dive in? Check out the full release notes here: github.com/kunai-project/kunai

Don't hesitate to give Kunai a try and share your feedback! Let's make Kunai even better together!

#Linux #ThreatHunting #ThreatDetection #DFIR #DetectionEngineering #OpenSource

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-09

Happy Monday Everyone!

Researchers at Cisco Talos "observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “#PathWiper”". The article states "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints".

The researchers also provided technical details, some IOCs, capabilities of the wiper, and some hints at behaviors. In this incident a batch (BAT) file was dropped on the compromised machine and ran a command that leveraged WScript.exe to execute a VBScript (uacinstall.vbs) from the C:\Windows\Temp\ directory. After the execution, the PathWiper executable appears in the C:\Windows\Temp\ directory with the name of "sha256sum.exe". So assuming this is how the malware or actor operates, you can hunt for new scripting files or executables in the C:\Windows\Temp directory. Now this is not a foolproof method as behaviors can change, but it could be a great start when hunting for this threat! Thank you to the researchers and I hope you enjoy the article! Happy Hunting!

Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
blog.talosintelligence.com/pat

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
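As an added example (not code from the Talos report or from the post above), the hunt suggested in the post expressed as two rules run over constructed Sysmon-style FileCreate and ProcessCreate lines: new script or executable files written under C:\Windows\Temp, and WScript/CScript launching a script from that directory. The key=value log format and the sample events are assumptions; only the file names mirror the post.

```python
import ntpath
import re
from typing import Optional

# Constructed Sysmon-style events: EventID 11 = FileCreate, EventID 1 = ProcessCreate.
# These lines are made up for this example; only the file names come from the post.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\System32\cmd.exe TargetFilename=C:\Windows\Temp\uacinstall.vbs",
    r"EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine=wscript.exe C:\Windows\Temp\uacinstall.vbs",
    r"EventID=11 Image=C:\Windows\System32\wscript.exe TargetFilename=C:\Windows\Temp\sha256sum.exe",
    r"EventID=11 Image=C:\Program Files\Agent\agent.exe TargetFilename=C:\Windows\Temp\agent-update.log",
    r"EventID=11 Image=C:\Users\bob\setup.exe TargetFilename=C:\Users\bob\Downloads\tool.exe",
]

TEMP_DIR = "c:\\windows\\temp\\"          # compared case-insensitively
# Script and executable extensions that rarely belong in Windows\Temp.
SUSPICIOUS_EXT = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Key=Value pairs; a value runs until the next " Key=" token, so it may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one 'Key=Value Key=Value' log line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if neither hunt rule fires."""
    if event.get("EventID") == "11":
        target = event.get("TargetFilename", "")
        ext = ntpath.splitext(target)[1].lower()
        if target.lower().startswith(TEMP_DIR) and ext in SUSPICIOUS_EXT:
            return f"script/executable written to Windows\\Temp: {ntpath.basename(target)}"
    elif event.get("EventID") == "1":
        image = ntpath.basename(event.get("Image", "")).lower()
        if image in SCRIPT_HOSTS and TEMP_DIR in event.get("CommandLine", "").lower():
            return f"{image} executing a script from Windows\\Temp"
    return None


def hunt(lines: list) -> list:
    """Apply both rules to every line; return (line number, finding) pairs."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        label = classify(parse_event(line))
        if label:
            findings.append((idx, label))
    return findings


if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(f"line {idx}: {label}")
```

The benign agent log and the Downloads folder drop are deliberately left unflagged, so the rules can be tuned against real volume before being promoted to an alert.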

2025-06-09

Blue Teams, are you ready for a game-changer? Discover how Wazuh's real-time threat detection and seamless tool integrations can revolutionize your defensive playbook. Curious?

thedefendopsdiaries.com/enhanc

#blueteam
#wazuh
#cybersecurity
#threatdetection
#incidentresponse

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-05

Good day everyone!

As you know I am a big advocate for threat hunting and I like to post the articles that I read related to it but there is a bigger picture that I normally leave out because of my perspective. As a threat hunter I like to look at behaviors and artifacts (Indicators of Attack) and the MITRE ATT&CK Matrix but something I should probably start talking more about is the overall picture of the Threat Hunting Life-cycle. Really, this was brought about because of the joint advisory from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI) as well as the Australian Government that they released on the #Play Ransomware. This isn't the first time that I have read it and hopefully won't be the last simply because of these couple of lines:

"June 4, 2025: The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as provide current IOCs/remove outdated IOCs for effective threat hunting." Above it they mention that the original advisory was published on December 18, 2023 but the fact that they are returning to these and updating them with new TTPs and providing new IOCs is a GREAT example of the Threat Hunting Life-cycle.

So if you do have a threat hunting program in your environment, maybe implement something similar to your hunts if you haven't done so already. Revisit the hunts that have been conducted already in your environment and see if the information within is still current and if not, update it accordingly! Have a wonderful day and Happy Hunting!

#StopRansomware: Play Ransomware
cisa.gov/news-events/cybersecu

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #ransomware #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-03

Good day everyone!

If you are interested in Threat Hunting and happen to be at the SANS Institute DFIR Summit in Utah, Arun Warikoo and I will be discussing when to use structured and unstructured hunts and what that would look like! I look forward to it and hope to meet a ton of new people! Have a wonderful day and Happy Hunting!

DFIR Summit & Training 2025
sans.org/cyber-security-traini

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

2025-06-03

AI-powered systems are now spotting cyber threats in real time, slashing response times and easing huge workloads. Curious how automation is rewriting the playbook on cybersecurity? Check out the revolution in threat detection.

thedefendopsdiaries.com/the-tr

#cybersecurity
#automation
#ai
#machinelearning
#threatdetection

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-02

Happy Monday everyone!

The Google Threat Intel Group (GTIP) discovered that a government website was hosting malware being used to target multiple other government entities and, with high confidence, attributed the activity to #APT41 (a.k.a. HOODOO). The group used a piece of malware dubbed #Toughprogress which executes on the compromised host and uses the Google Calendar for command-and-control (C2) communications. The initial access vector was a spear-phishing email that contained a link to a ZIP file which held an LNK masquerading as a pdf, and a directory, which all played their part in the attack. This was a great read and I hope you enjoy it too! Happy Hunting!

Mark Your Calendar: APT41 Innovative Tactics
cloud.google.com/blog/topics/t

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

halil deniz (halildeniz)
2025-06-02

Hello everyone.
In today's article, I share with you the methods we can use to maximize our security

I wish everyone a good read:
denizhalil.com/2025/06/02/rans

2025-06-02

🚀 New Blog Post: Kunai vs io_uring (why.kunai.rocks/blog/kunai-vs-) 🚀

💡 Ever wondered how io_uring revolutionizes I/O operations in the Linux kernel? Inspired by Armo's blog post (armosec.io/blog/io_uring-rootk) about a PoC rootkit using io_uring, we explored this feature's security implications and how tools like Kunai can monitor these operations.

๐Ÿ” Key Takeaways:
๐Ÿ”น io_uring boosts I/O performance by reducing system call overhead and enabling asynchronous operations
๐Ÿ”น Security tools struggle to monitor io_uring due to its unique handling of operations
๐Ÿ”น Kunai now provides visibility into io_uring operations, though blocking malicious activities remains challenging
๐Ÿ”น Recent kernel versions have introduced auditing and security controls for io_uring, but these are still limited

📖 Read more: why.kunai.rocks/blog/kunai-vs-

#Linux #io_uring #Security #OpenSource #ThreatDetection #SOC #DFIR

2025-05-30

🎦 Join us for a webinar next week on @suricata and CrowdSec!

CrowdSec Ambassador @flaviuvlaicu will walk you through the steps of integrating Suricata with CrowdSec with Pushover notifications for robust, real-time threat detection and automated response.

Register now: app.livestorm.co/crowdsec/proa

#Suricata #cybersecurity #infosec #threatdetection

Kiara Taylor (Kiara07)
2025-05-30

Confused about the difference between XDR, MDR, EDR, and NDR? This episode breaks down each cybersecurity solution, helping you identify the best fit for your organization's security needs.

stonecast.transistor.fm/episod

2025-05-29

Network for Rent: How Outdated Routers Fuel Cybercrime

Old routers aren't just risky: they're actively powering global cybercrime and can put your organization at risk.

Malware like TheMoon is helping attackers hijack outdated routers from brands like Linksys, Cisco, and ASUS, turning them into anonymous proxies. Attackers can rent these U.S.-based IPs to bypass geofencing, IP filtering, and detection tools to bypass some of your security defenses.

Read our new blog for details and advice on how you can reduce your organization's risk: lmgsecurity.com/network-for-re

#RouterSecurity #Cybersecurity #TheMoonMalware #FacelessProxy #Infosec #ThreatDetection #ITSecurity #CISO #IT #Infosec #Cyberattack

App Anatomy (appanatomy)
2025-05-29

Cyberattacks can strike anytime. Learn how real-time protection keeps you safe the moment threats emerge.

appanatomy.com/post/real-time-

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-28

Happy Wednesday everyone!

I stumbled across this interesting report from Flare that took an in-depth look at the relationship between Session Hijacking and Account Takeovers. The article put into perspective how lucrative and common these attacks are and really helped me understand the threat by providing a bunch of contextual information. I enjoyed it and hope you do too! Happy Hunting!

The Account and Session Takeover Economy
flare.io/learn/resources/the-a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
