Threat Intel
Last update we had was when LockBit released a transcript of a chat alleged to be between LockBit and the RoyalMail ransomware negotiator.
Thanks to Domonic far tagging me, we can see an update has occurred on the LB site:
Read more “The RoyalMail Ransomware Saga”
Education
The loss of availability Ransomware causes is enough to make your day/week/s bad, the loss of data, bad month/quarter or longer.
Lockbit posted “Royal Mail need new negotiator.” Followed by “ALL AVAILABLE DATA PUBLISHED !”
What we actually found is that they published the chat history:
Read more “Lockbit 3.0 and Royal Mail – Chats Published”
Guides
Did you ever read about ransomware actors? They often use mega upload to exfiltrate data! So I figured, why would we not detect this with MDE?
I mean sure we should probably block this with a custom indicator using Web Content Filtering and sure it would probably get blocked by Protective DNS but let’s say for whatever reason you don’t have those in place, let’s look at a really simple query to find mega connections in MDE:
Read more “Ransomware + Mega = Mega Cyber Pain”
Threat Intel
Did you want to check out some of your detections? This isn’t everything of course but it’s a simple batch file to simulate a range of enumeration techniques used by actors like CONTI or LOCKBIT affiliates/operators:
Read more “Simulating Human Operated Discovery”
Uncategorized
A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).
So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)
Read more “Hunting for New Group Policies Where Scheduled Tasks are used”
Uncategorized
A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.
So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:
“Show me all the command lines used in scheduled tasks on Windows with PowerShell”
So I knocked up this really simple proof of concept (there are other ways to write this obvs)
Read more “Malicious Scheduled Tasks”