#Threathunting

THRUNTING isn’t just a buzzword. It’s a mindset. 🐑

Inspired by Tim Peters’ 19 aphorisms for Python, THOR Collective Dispatch introduces "The Zen of Thrunting."

dispatch.thorcollective.com/p/

Stay curious. Happy thrunting.

#threatintelligence #threathunting #cybersecurity #thrunting #detectionengineering #infosec #THORcollective

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-30

Happy Monday everyone and what a way to start it!

I encourage you to read the latest report from The DFIR Report where they document an attack that started with a "password spray attack against an exposed RDP server" and ended in the #RansomHub ransomware strain being deployed in the victim's environment and spread over SMB.

I am going to forgo the brief summary because I truly believe these reports need to be read by you! But a bunch of LOLBINs were leveraged, including PowerShell and Windows Command Shell, of course RDP connections, MimiKatz, the Advanced IP Scanner, and many more! One behavior I will point out is that Persistence was gained by the actors deploying the legitimate RMM tools AteraAgent and Splashtop and then creating services to run them!

This is another great example of an extremely thorough report and I hope you enjoy it as much as I do! Enjoy and Happy Hunting!

Hide Your RDP: Password Spray Leads to RansomHub Deployment
thedfirreport.com/2025/06/30/h

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

2025-06-30

🌟New report out today!🌟

Hide Your RDP: Password Spray Leads to RansomHub Deployment

Analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2

🔊Audio: Available on Spotify, Apple, YouTube and more!

thedfirreport.com/2025/06/30/h

#dfir #digitalforensics #CyberSecurity #IncidentResponse #threathunting #ThreatIntel

2025-06-30

I'm getting to the point of learning the Windows API where I feel like I just need to read the Windows Internals book in its entirety.
#Windows #ThreatHunting

2025-06-28

Something I really enjoy about threat hunting after years of CTI is the more hands-on approach. With threat hunting, I can focus on a feature like named pipes, create some connections in my lab and observe various sources of telemetry for baseline usage to get an idea of what a client/server connection looks like.

Then I can pivot into threat intel examples of how adversaries may have abused this feature to build a more nuanced hunt. That is a very important aspect which I don't see often.

I've always enjoyed this level of work but for years, it stayed at a hobbyist level since I couldn't tie it into a threat intel report.
#ThreatIntel #ThreatHunting #Homelab
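The baseline-then-compare workflow described in that post, as an added example that is not part of the original post: it takes Sysmon Event ID 17 (Pipe Created) and 18 (Pipe Connected) records, builds the client/server picture per pipe from a quiet lab window, and reports the (image, pipe, direction) triples that a later hunt window introduces. The records, image paths and pipe names below are constructed sample data, not telemetry from the post.

```python
from collections import Counter, defaultdict

def ev(event_id, pipe, image):
    """Build a minimal Sysmon-style record (constructed sample data)."""
    return {"EventID": event_id,
            "EventType": "CreatePipe" if event_id == 17 else "ConnectPipe",
            "PipeName": pipe, "Image": image}

# Constructed baseline: a quiet lab window with only expected activity.
BASELINE = [
    ev(17, "\\srvsvc", "C:\\Windows\\System32\\svchost.exe"),
    ev(18, "\\srvsvc", "C:\\Windows\\explorer.exe"),
    ev(17, "\\lsass",  "C:\\Windows\\System32\\lsass.exe"),
    ev(18, "\\lsass",  "C:\\Windows\\System32\\svchost.exe"),
]
# Constructed hunt window: baseline activity plus a new pipe server/client
# pair and a new client talking to a pipe we already know.
HUNT = BASELINE + [
    ev(17, "\\lab_test_pipe", "C:\\Lab\\pipeserver.exe"),
    ev(18, "\\lab_test_pipe", "C:\\Lab\\pipeclient.exe"),
    ev(18, "\\lsass",         "C:\\Lab\\pipeclient.exe"),
]

def pipe_profile(events):
    """Count (image, pipe, direction) triples; this is the baseline unit."""
    profile = Counter()
    for e in events:
        direction = "create" if e["EventID"] == 17 else "connect"
        profile[(e["Image"].lower(), e["PipeName"].lower(), direction)] += 1
    return profile

def pipe_endpoints(events):
    """Map each pipe to (server images that created it, client images that
    connected to it): the client/server view the baseline is meant to capture."""
    servers, clients = defaultdict(set), defaultdict(set)
    for e in events:
        name = e["PipeName"].lower()
        target = servers if e["EventID"] == 17 else clients
        target[name].add(e["Image"].lower())
    return {n: (servers[n], clients[n]) for n in set(servers) | set(clients)}

def novel_pipes(baseline, hunt):
    """Triples present in the hunt window that the baseline never saw."""
    known = pipe_profile(baseline)
    return sorted(t for t in pipe_profile(hunt) if t not in known)

if __name__ == "__main__":
    for image, pipe, direction in novel_pipes(BASELINE, HUNT):
        print(f"new {direction:7} {pipe:16} by {image}")
```

A known pipe reached by a new client (the third hit above) is the kind of finding the post's threat-intel pivot then explains or rules out.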

Dispatch Debrief: June 2025

Everything’s fine… until it isn’t.

This month’s THOR Collective Dispatch served up a spicy mix of threat hunting, plugin paranoia, purple teaming insights, and a few thrunting curveballs to keep you sharp.

Grab your coffee, baseline your vibe, and dive in:
🌶️ dispatch.thorcollective.com/p/

#thrunting #threathunting #THORcollective #cybersecurity #infosec

2025-06-25

Nice, an Event ID to monitor when an RPC was attempted: 5712

Hope is the thief of joy
#ThreatHunting

5712(S): A Remote Procedure Call (RPC) was attempted.

It appears that this event never occurs
Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-25

Happy Wednesday everyone!

I came across this article from Check Point Software's research team where they discuss a malware "prototype" they found that contained prompt injection to trick any LLM that it may be interacting with while it is being analyzed, aptly named Skynet. It attempted to use the "Ignore all previous instructions" command adding another layer of sandbox evasion but was unsuccessful in this instance. The malware also contained an embedded TOR client which, when executed, can be later used and controlled by accessing the specified ports. After execution the malware component wipes the entire %TEMP%/skynet directory that was created. This was overall a very interesting read and could unfortunately be the first of many malware samples to attempt this technique. I hope you found this as interesting as I did and Happy Hunting!

In the Wild: Malware Prototype with Embedded Prompt Injection
research.checkpoint.com/2025/a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #llm

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-24

Good day everyone!

A little while ago I stumbled across an article from Trend Micro that discussed the #Anubis ransomware and its abilities to act both as a ransomware and a wiper. Now it appears that the group has gained sensitive documents related to Disneyland Paris's plans for new rides and renovations (Anubis X post is in the article). Not trying to fear-monger or anything but it goes to show how these groups will adapt their TTPs and behaviors to get to any organization.

Anubis Ransomware Lists Disneyland Paris as New Victim
hackread.com/anubis-ransomware

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

🔌 That browser extension? That IDE plugin? Might not be doing what you think.

New on THOR Collective Dispatch: five hunt ideas + a PEAK deep dive into sneaky plugin abuse.

Start with visibility. Hunt what blends in.

📖 dispatch.thorcollective.com/p/

#threathunting #thrunting #PEAKFramework #THORcollective #detectionengineering

2025-06-23

Convert Microsoft Defender Antivirus Signatures (VDM) into YARA rules🕵️‍♂️

github.com/dobin/defender2yara

In addition, it is possible to search for threats in the Defender DB using:

defendersearch.r00ted.ch

#infosec #cybersecurity #blueteam #threatintel #threathunting #malware

2025-06-20

An interesting observation from this is that public PORTMAP services can be helpful in uncovering mounted shares open to the internet. This Censys query helps to rule out empty NFS shares (mostly).

(services.parsed.portmap.portmap_entries_v3.shorthand=mountprog and services.parsed.portmap.portmap_entries_v3.shorthand=nfs_acl)

For hosts that look interesting:
showmount -a <ip>
showmount -e <ip>

censys.com/blog/poking-the-flo
#ThreatHunting
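The defender-side counterpart to the exposure check above, added here as an example that is not part of the original post or the Censys article: a small audit of an /etc/exports file that flags exports reachable by every host (the shares that would show up in such a portmap sweep) and the options that make such exposure worse. The exports content is constructed sample data; the parsing follows the exports(5) format (`path client(options) ...`), and the handling of a bare `(options)` token with no client as a world export is the documented nfs-utils behaviour.

```python
import re

# Constructed /etc/exports for illustration only.
EXPORTS_SAMPLE = """\
# backups reachable from anywhere, with root mapped straight through
/srv/backup      *(rw,no_root_squash)
/srv/public      192.0.2.0/24(ro,sync) *.example.net(ro)
/srv/home        (rw,sync)
/srv/data        10.0.0.5(rw,sync,root_squash)
"""

# client(options)  -- options are optional, client may be empty
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")

def parse_exports(text):
    """Return one (path, client, option set) tuple per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]   # no client list: assumed world
        for spec in specs:
            m = CLIENT_RE.match(spec)
            client = m.group(1) or "*"                 # "(rw)" alone means every host
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, client, opts))
    return entries

def audit_exports(text):
    """Findings as (path, client, reason), worst exposure first per entry."""
    findings = []
    for path, client, opts in parse_exports(text):
        if client == "*":
            findings.append((path, client, "exported to every host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root is local root"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: accepts non-privileged source ports"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(EXPORTS_SAMPLE):
        print(f"{path:14} {client:14} {reason}")
```

Run it against the real file (`audit_exports(open('/etc/exports').read())`) on any host that answers on the portmap and NFS ports from the internet.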

Martin Boller 🇬🇱 🇺🇦 (itisiboller@infosec.exchange)
2025-06-20

There's some cool sounding training on its way from @circl

CIRCL - Virtual Summer School (VSS) 2025

circl.lu/pub/vss-2025/

#MISP #AIL #LookyLoo #Lacus #Pandora #Kunai #DFIR #ThreatHunting #FlowIntel #Cerebrate #VulnerabilityLookup #GCVE

New guest post on THOR Collective Dispatch from @InfoSecSherpa:

Don’t Let Mis(s) Information Take the Crown 👑

Even threat hunters can get tripped up by polished propaganda.

This post shows how to apply the Intelligence Cycle to news, helping you filter bias, validate sources, and structure OSINT like a pro.

Read it: dispatch.thorcollective.com/p/

#threathunting #thrunting #threatintelligence #OSINT #infosec #THORcollective

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-18

Happy Wednesday all!

Sometimes it's good to take it back to the basics! Cisco Talos shares their insights and trends on adversaries using legitimate tools with nefarious intent! They discuss Living-off-the-land binaries (LOLBINs) and Remote Monitoring and Management (RMM) tools and the impact they can have! Enjoy and Happy hunting!

When legitimate tools go rogue
blog.talosintelligence.com/whe

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

dlilja (dlilja@infosec.exchange)
2025-06-18

New blog post coming tomorrow (Thursday). After the success and almost viral post about Atomic Red Team, it’s time to use histograms to analyse data and find repetition and silence.

Here’s the Atomic Red Team post:
threathunter-chronicles.medium

#cybersecurity #threathunting #threatdetection #loganalysis #incidentresponse #mvpbuzz #blog

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-17

Good day everyone!

Trend Micro provides us insight that "A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025" named #Anubis. It has been designed to have "more destructive capabilities" that can wipe directories that "severely impact chances of file recovery". Researchers also provide MITRE ATT&CK mapping to help teams make this information actionable, so big thanks to them! Check out the details I missed, enjoy the article, and Happy Hunting!

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
trendmicro.com/en_us/research/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-06-16

Happy Monday Everyone!

It's that time again! Just pushing this out to the threat hunting community and beyond! If you had a question about threat hunting in the past or currently have one that is burning a hole in your brain, feel free to ask us at Intel 471! We are currently working through the backlog of all the other questions that we have, but feel free to throw yours in the ring and get it featured in a future video! Have a wonderful day and Happy Hunting!

Lee-Git Threat Hunting
docs.google.com/forms/d/1fYIKF

Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Phillemon CEH | CTH (wardenshield)
2025-06-14

🛡️ Meet the WardenShield MS9: Your Ultimate Malware Scanner 🦠⚔️
Say goodbye to hidden threats and hello to powerful protection.

👉 Learn more:
🔗 wardenshield.com/wardenshield-
