Hacking
Working in Cyber security can expose you to all kinds of information. I’m an offensive and defensive security architect and occasional (haha that’s daily right!) pew pew slinger (pentester) and I am also a threat intelligence practioner (CTI) (we need The Many Hats Club back!). Which is why sometimes when things appear on the internet I think I decide to take a look.
Read more “The Manual Version 2.0”
Education
Some friends and I did some testing this evening with TOX clients. We wanted to take a look at PERSEC/OPSEC considerations for using TOX. I also had a sneaky suspicion that it might out of the box leak more than people would appreciate (just a hunch and you don’t know until you test right!).
So, we setup a test. In the test we had:
Read more “Some TOX Clients Leak Egress IP addresses”
Threat Intel
Last update we had was when LockBit released a transcript of a chat alleged to be between LockBit and the RoyalMail ransomware negotiator.
Thanks to Domonic far tagging me, we can see an update has occurred on the LB site:
Read more “The RoyalMail Ransomware Saga”
Threat Intel
Ransomware this, ransomware that! The problem is, you can be tired of the subject but that doesn’t mean the threat has gone away! So what are the currently active ransomware groups posting victims?
Well here’s a list of currently active group (Both Ransomware and Marketplaces) names who have ONLINE “DARK WEB” (TOR) hidden services online and who are posting victims or are markets:
Read more “Active Cybercrime Groups”
Education
The loss of availability Ransomware causes is enough to make your day/week/s bad, the loss of data, bad month/quarter or longer.
Lockbit posted “Royal Mail need new negotiator.” Followed by “ALL AVAILABLE DATA PUBLISHED !”
What we actually found is that they published the chat history:
Read more “Lockbit 3.0 and Royal Mail – Chats Published”
Vulnerabilities
I knocked this up quickly but I “think” it’s accurate. Use at own risk etc.
Let me know if you find any errors/changes required etc.
Guides
Did you ever read about ransomware actors? They often use mega upload to exfiltrate data! So I figured, why would we not detect this with MDE?
I mean sure we should probably block this with a custom indicator using Web Content Filtering and sure it would probably get blocked by Protective DNS but let’s say for whatever reason you don’t have those in place, let’s look at a really simple query to find mega connections in MDE:
Read more “Ransomware + Mega = Mega Cyber Pain”
Uncategorized
A common way to deploy an encryption routine used in Ransomware scenarios is to create a scheduled task to launch a cyptor exe. This is commonly deployed via a Group Policy Object (GPO).
So I wanted to look at how with Microsoft Defender for Endpoint (MDE) we could detect this both on domain controllers but also on CLIENT devices (MEMBER SERVERS/PCs)
Read more “Hunting for New Group Policies Where Scheduled Tasks are used”
Uncategorized
A very common technique in ransomware scenarios is the deployment of Scheduled Tasks via Group Policy object.
So I thought I’d start to post some content around this. To start with I was looking locally to enable the following:
“Show me all the command lines used in scheduled tasks on Windows with PowerShell”
So I knocked up this really simple proof of concept (there are other ways to write this obvs)
Read more “Malicious Scheduled Tasks”
Threat Intel
breaking news: Royal mails international tracking services are down and have been for > 24 hours:
The ICO have been contacted! The NCSC and NCA have been contacted! What should you do?
Read more “Royal Mail Cyber Attack! What should you do?”