A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.
So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:
“Show me all the command lines used in scheduled tasks on Windows with PowerShell”
So I knocked up this really simple proof of concept (there are other ways to write this obvs)Read more “Malicious Scheduled Tasks”
I’m totally in the middle of doing some work but this alert just came in so I have quickly dumped the data:
This came in via a Confluence exploit (not sure which CVE yet). I’ve not got time to analyse but thought I’d share this as an educational excercise for people! It’s a good excercise to see the apache tomcat logs and then decode, obtain samples and analyse the activity/imapct (as well as yoink IOCs etc.)Read more “Learn to SOC: Cryptominer Analysis”
This is a fast publish!
Confirmed all Office (ISO Install/PRO and 365) when using the Rich Text Format (RTF) method.
Office 365 has some sort of patch against the .DOCX format.
WGET ExecutionRead more “Office Microsoft Support Diagnostic Tool (MSDT) Vulnerability “Follina””
Business email compromise can be a prelude to a range of attacks but commonly it’s either Ransomware of Scammers. In this post we are focsing on scammer activity which uses a ‘man in the mailbox’ attack to get in between two parties in an email converstation with the aim of attempting theft by fradulently altering a wire transfer so that the third party sends funds to the scammers not to the victim. There are cleary other avenues that can be leveraged (the compromised mailbox may be used to phish or email malware to another victim).
To gain access to the mailbox a range of techniques can be employed which includes:
- Credential stuffing
- Phishing and credential harvesting
Once they have your logon credentials, they now will attempt to access your mailbox.
Avoiding Geo Location Alerts
A scammer may use a public VPN service (such as services from AVAST etc.) to move their internet connection the target mailbox region. They can usually locate a person through some OSINT.
By moving to the normal area of the user they are less likely to trip geo location alerts. Read more “Business Email Compromise in Office 365”