#threatHunting

2025-05-29

This blog is a little bitter, but it's what it is🫠

Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way

academy.bluraven.io/blog/detec

#ThreatHunting #DetectionEngineering

dlilja dlilja@infosec.exchange
2025-05-29

New post in the Logwatcher's Zenit category has been published. It's the first part about how VS Code is a great tool for Cyberthreat Analysts. We're starting with key commands to speed up the workflow.

#threathunter #threathunting #threatanalysis #cybersecurity #blog

threathunter-chronicles.medium

Just Another Blue Teamer LeeArchinal@ioc.exchange
2025-05-28

Happy Wednesday everyone!

I stumbled across this interesting report from Flare that took an in-depth look at the relationship between Session Hijacking and Account Takeovers. The article put into perspective how lucrative and common these attacks are and really helped me understand the threat by providing a bunch of contextual information. I enjoyed it and hope you do too! Happy Hunting!

The Account and Session Takeover Economy
flare.io/learn/resources/the-a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

dlilja dlilja@infosec.exchange
2025-05-28

My first post is up on my new blog, ThreatHunter Chronicles. It mainly just describes what I want to publish on the blog and what you can expect.

The first post in the Logwatcher’s Zenit category is scheduled at 10am CEST tomorrow (29th of May).

medium.com/@threathunter-chron

#cybersecurity #threathunting #blog

Just Another Blue Teamer LeeArchinal@ioc.exchange
2025-05-27

Good day everyone!

If you are in the threat hunting community, want to join, or simply have questions regarding threat hunting, we at Intel 471 want to hear them! Toss us your questions to possibly get featured in our new series "Lee-Git Threat Hunting: Your Questions, Answered"! Simply put your question in the form and add your name if you want! I look forward to seeing them! Enjoy and Happy Hunting!

docs.google.com/forms/d/1fYIKF

Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Otavio Augusto oaugustopro
2025-05-24

Honored to be part of Cyber Spartan 24 🇬🇧, the UK’s top cyber defense exercise! Joined Blue Teams from 🇧🇷🇮🇹🇩🇪🇵🇱🇧🇳 in a live cyber war scenario with threat hunting, SIEM, system hardening & Hack Back ops. Amazing challenge, global scale 💻⚔️
Grateful for the opportunity and to God for guiding every step 🙏

Just Another Blue Teamer LeeArchinal@ioc.exchange
2025-05-23

Happy Friday everyone!

With the news breaking that #DanaBot was disrupted, it got me thinking: how do these pieces of malware function, and how do they stay on the victims' machines? And when you think about it, what a botnet operator really needs is repeated access to the compromised machine, which gets me thinking about persistence. So, I poked around one of my favorite resources, the MITRE ATT&CK Matrix, looked at as many bot malware families as they have, and looked at what they had in common from a persistence perspective. Two of the most common techniques used were T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder and T1053.005 - Scheduled Task/Job: Scheduled Task. So, if you are hunting for bots, you may want to start there! Enjoy the read and Happy Hunting!

DanaBot malware disrupted, threat actors named
intel471.com/blog/danabot-malw

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

NETRESEC netresec@infosec.exchange
2025-05-22

Thank you CISA, NCSC, @bsi et al. for publishing the advisory on Russian GRU Targeting Western Logistics Entities and Technology Companies. This list of mocking services is great for threat hunting!
#threathunting #threatintel

Many organizations may not need to allow outgoing traffic to hosting and API mocking
services, which are frequently used by GRU unit 26165. Organizations should consider
alerting on or blocking the following services, with exceptions allowlisted for legitimate
activity [D3-DNSDL].
Heuristic detections for web requests to new subdomains, including of the above
providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for
each sub-domain requested by users on a network, such as in DNS or firewall logs,
may enable system administrators to identify new targeting and victims.
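
The advisory's heuristic, as an added example (not the advisory's or the poster's code): DNS log lines are checked against a few of the listed provider suffixes, names already seen or allowlisted as legitimate are skipped, and every first-seen subdomain is reported. The provider suffixes are taken from the advisory's list with the `[.]` defanging removed; the log format, the allowlist entry and the sample lines are constructed.

```python
"""Heuristic from the advisory quoted above: alert on first-seen subdomains of
hosting/API-mocking providers, with exceptions allowlisted. Added example, not
from the advisory or the poster; all values other than the suffixes are constructed."""

# Watched provider suffixes (subset of the advisory's list, defanging removed).
WATCHED_PROVIDERS = ("webhook.site", "mocky.io", "ngrok.io", "pipedream.net", "mockbin.org")
# Exceptions allowlisted for legitimate activity, as the advisory recommends (constructed).
ALLOWLIST = {"ci-hooks.webhook.site"}

def provider_of(name):
    """Return the watched provider suffix a queried name falls under, else None."""
    name = name.lower().rstrip(".")
    for provider in WATCHED_PROVIDERS:
        if name == provider or name.endswith("." + provider):
            return provider
    return None

def parse_dns_line(line):
    """Parse a constructed 'timestamp client qname' DNS log line into a tuple."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")

def first_seen_subdomains(lines, baseline=()):
    """Return one alert per subdomain of a watched provider that is neither in
    `baseline` (names already seen, e.g. from historical logs) nor allowlisted."""
    seen = set(baseline)
    alerts = []
    for line in lines:
        ts, client, qname = parse_dns_line(line)
        provider = provider_of(qname)
        if provider is None or qname == provider or qname in ALLOWLIST:
            continue  # not a watched provider, the bare apex, or a known exception
        if qname not in seen:
            seen.add(qname)
            alerts.append({"ts": ts, "client": client, "qname": qname, "provider": provider})
    return alerts

SAMPLE_LOG = [  # constructed DNS query log lines: timestamp client qname
    "2025-05-22T09:01:00Z 10.0.0.5 www.example.com",
    "2025-05-22T09:02:10Z 10.0.0.5 ci-hooks.webhook.site",
    "2025-05-22T09:03:30Z 10.0.0.7 a1b2c3d4.webhook.site",
    "2025-05-22T09:03:31Z 10.0.0.7 a1b2c3d4.webhook.site",
    "2025-05-22T09:05:00Z 10.0.0.9 run.mocky.io",
    "2025-05-22T10:15:00Z 10.0.0.9 8f2e1c.ngrok.io.",
]

if __name__ == "__main__":
    for a in first_seen_subdomains(SAMPLE_LOG, baseline={"run.mocky.io"}):
        print(f"{a['ts']} {a['client']} first-seen {a['qname']} ({a['provider']})")
```

In production the baseline would be persisted between runs so that a name is only reported the first time it appears on the network.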

Just Another Blue Teamer LeeArchinal@ioc.exchange
2025-05-22

Good day everyone!

I don't know how I missed this one but here is your #readoftheday:

The DFIR Report published an article on Monday that details an attack that started with a vulnerable Confluence server and ended with the deployment of the ELPACO-team ransomware. There were multiple tools that were used that are publicly available, including Anydesk.exe, Mimikatz, ProcessHacker, and Impacket Secretsdump. Side note, they mention that this case is featured in one of their labs, so go check it out! Also, go find out all the details that I couldn't post here and read the article! Enjoy and Happy Hunting!

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware
thedfirreport.com/2025/05/19/a

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Just Another Blue Teamer LeeArchinal@ioc.exchange
2025-05-21

Happy Wednesday!

Today's #readoftheday is an article from Sophos researchers that provides details on an attack that involved the #3AM ransomware strain. What started with email-bombing led to social engineering and Microsoft Quick Assist, and a Windows 7 virtual machine. What I really enjoy about this article is the technical details about the "pre-ransomware" activity, which can be seen in the Discovery and Defense Evasion sections. These normally involve some LOLBINs (Living-Off-The-Land Binaries) and use tools that can help provide the adversary with information about the system. Enjoy and Happy Hunting!

A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist
news.sophos.com/en-us/2025/05/

Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

2025-05-20

Got that hunger for #ThreatHunting again. Thinking about buying a month of Xintra Labs again. :blob_grinning_sweat:

Or should I go hunting #TanJangLin's work in the wild. :blob_gnikniht:

abuse.ch abuse_ch@ioc.exchange
2025-05-20

#ItsNewFeatureTuesday! (That’s a thing, right?) 😎
You can now share searches with 3rd parties without them needing to authenticate to view the results! It’s a neat feature that will save time and hassle.

Here's how it works ⤵️
1) User (authenticated!) searches on hunting.abuse.ch
2) Click the "share" button next to the search button
3) This creates a unique link and copies it to clipboard, for example:
hunting.abuse.ch/hunt/68274cdc

✨ Ta da! Any user with this link can see these results without the need to authenticate!

Happy Hunting (and sharing) enjoy! 🫶

#SharingIsCaring #ThreatIntel #ThreatHunting #CTI

New feature for hunting.abuse.ch

2025-05-18

Quick Guide to Open-Source Intelligence 🔎🌍🕵️‍♂️

Open-Source Intelligence (OSINT) is the art of gathering publicly available information for research, investigation, or cyber defense.

Why it matters:
OSINT is essential for cyber defense, threat hunting, and digital investigations — when used ethically and legally.

Disclaimer: This content is for educational and ethical use only. Always respect privacy laws and platform terms of service.

#OSINT #OpenSourceIntelligence #CyberSecurity #InfoSec #EducationOnly #DigitalInvestigation #ReconTools #ThreatHunting #PrivacyAwareness

2025-05-17

🛠️ Cyberbro has now a #MISP connector!

Use your MISP events to check observables:

- last seen
- first seen
- top 5 latest MISP events
- Research link in MISP

#ioc #cti #threathunting

⬇️⬇️⬇️

github.com/stanfrbd/cyberbro/

Poke @misp @circl

image of cyberbro report with MISP integration

2025-05-17

It's one of those rare moments in time when exposing the Yekaterinburg-based Plastika Recording Studio, which is the primary advertising and marketing creative supplier for the Conti #Ransomware Gang, is the right thing to do. Is it Никита Жаринов, Евгений Самсонов, Ice Costa or W8D8digital? We have it all named, researched and properly sorted out.

So here it goes. This is my EXIF and attribution reproduction analysis based on their originally leaked and publicly accessible internal communication - archive.org/download/rewards-f [PDF] here's more - dn721806.ca.archive.org/0/item [PDF] here's more - here's more - dn721806.ca.archive.org/0/item [PDF] here's more - dn721806.ca.archive.org/0/item [PDF] here's more - dn721806.ca.archive.org/0/item [PDF] here's more - dn721806.ca.archive.org/0/item [PDF] and here's even more - dn721806.ca.archive.org/0/item [PDF].

Here's the actual connection.

Conti -> Plastika -> +7 (992) 004-54-45 -> Yekaterinburg, Kirova Street, 9 -> yandex.eu/maps/org/plastika/22 -> vk.com/plastika.space -> plastika.space/ -> W8D8digital -> vk.com/id452512822 -> icecostabeats.connect@gmail.com -> t.me/icecostabeats -> instagram.com/icecosta/ -> vk.com/kidsocial -> vk.com/eugene_creative_power -> vk.com/icecosta -> vk.com/lungo999 -> vk.com/icecostabeats

and here's my YouTube video reproduction analysis - youtube.com/watch?v=ILgaZfcRww4 and here's the full research - archive.org/details/rewards-fo

#security #cybercrime #malware #CyberSecurity #cybersécurité #DataProtection #SecurityOperations #securitySystems #security_compliance #security_research #securitynews #securitybreach #cyberattack #CyberFraud #threatintel #threatintelligence #threathunting

2025-05-17

New weekend-hobby-idea (after gifting Lumma C2 Steam-Accounts Reward-Stickers):

Tracing Mastodon-Accounts to APT-Tool-Devs.

#threatintel #APT #threathunting

2025-05-16

Here's a little svchost tip:
If you've ever looked at an svchost process and wondered what something like C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc means:

-k runs a group of services. A request is made to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

-p turns on process mitigation policies

-s runs a specific service from a group (so wscsvc is a service within LocalServiceNetworkRestricted)

#ThreatHunting #Infosec
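
A hunting check built on the three switches explained above, as an added example (not the poster's code): the command line is parsed for `-k`, `-p` and `-s`, the image path is compared with the expected System32 location, and a `-s` service is checked against the members of its `-k` group. The group-to-services map stands in for the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key named in the post; its contents here are constructed, not read from a real registry.

```python
r"""Sanity checks for an svchost command line of the form in the post above:
-k <group> [-p] [-s <service>]. Added example, not the poster's; the group map
stands in for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and
its contents here are constructed."""
import shlex
import ntpath

# Constructed stand-in for the Svchost registry key: group name -> services in it.
SVCHOST_GROUPS = {
    "LocalServiceNetworkRestricted": {"wscsvc", "Dhcp", "lmhosts"},
    "netsvcs": {"Schedule", "BITS", "Themes"},
}
EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"

def parse_svchost_cmdline(cmdline):
    argv = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes are not escapes
    image = argv[0].strip('"')
    group = service = None
    mitigations, unknown, i = False, [], 1
    while i < len(argv):
        a = argv[i].lower()
        if a == "-k" and i + 1 < len(argv):
            group, i = argv[i + 1], i + 2
        elif a == "-s" and i + 1 < len(argv):
            service, i = argv[i + 1], i + 2
        elif a == "-p":
            mitigations, i = True, i + 1
        else:
            unknown.append(argv[i])
            i += 1
    return image, group, mitigations, service, unknown

def svchost_findings(cmdline):
    """Return a list of hunting findings for one svchost command line (empty = looks normal)."""
    image, group, mitigations, service, unknown = parse_svchost_cmdline(cmdline)
    findings = []
    if ntpath.normcase(ntpath.normpath(image)) != EXPECTED_IMAGE:
        findings.append(f"unexpected image path {image}")
    if group is None:
        findings.append("no -k group given")
    elif group not in SVCHOST_GROUPS:
        findings.append(f"unknown service group {group}")
    elif service and service not in SVCHOST_GROUPS[group]:
        findings.append(f"service {service} is not a member of group {group}")
    if not mitigations:  # low signal on its own; the post notes -p enables mitigation policies
        findings.append("process mitigation policies (-p) not enabled")
    if unknown:
        findings.append(f"unrecognised arguments {unknown}")
    return findings
```

On a real host the map would be built from the registry key itself, so that a service started under a group it does not belong to stands out.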

2025-05-16

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules🕵️‍♂️

github.com/Bert-JanP/Hunting-Q

#infosec #cybersecurity #threatintel #threathunting #azure #sentinel #kql
