It also uses SQL-based queries to perform analysis, similar to #OSquery.
blog.trailofbits.com/2026/02/25/m...
Memory Analysis for #Linux has always been a bit hit-or-miss. Trail of Bits has released a tool called #mquire that doesn't require debug symbols for the originating Kernel.
#MemoryForensics #IncidentResponse #DFIR #DigitalForensics
How would your organisation fare in detecting IP theft via a hard drive connected to a sensitive system?
"Williams used a portable external hard drive to transfer the exploits out of secure networks at Trenchant's offices in Sydney and Washington, D.C."
www.bleepingcomputer.com/news/securit...
The move to IAKerb and local KDC for local and cached authentication will be... interesting.
Falling back to NTLM for authentication using IP addresses instead of FQDNs, I suspect, will keep NTLM in most environments, but overall this is a hopeful step in the right direction.
Microsoft is moving to disable NTLM by default, with some exceptions.
If implemented, this will have a significant impact on threat actors abusing credentials within a network.
#SecOps #IncidentResponse #ThreatDetection #SOC
🔗 techcommunity.microsoft.com/blog/windows...
This year I've pulled together a comparison from last year's data and tried to break down some of the results by organisation size.
Got some time at the end of the year? We've just published the SANS Institute Detection and Response Survey results.
Free Download (requires login only)
🔗 go.sans.org/detection-re...
#DnR #ThreatDetection #IncidentResponse #CSIRT #SOC #CERT #Cybersecurity
I'm not sure how accurate this is, but The Verge is reporting that #SysMon will be integrated into Windows 11 early next year.
This will be a massive win for #DFIR and #SecOps people everywhere if it's correct.
www.theverge.com/news/821948/...
I'm not sure this will have a significant impact on what Threat Actors do with WMI, however, it'll at least force a Threat Actor to use PowerShell where there is better built-in visibility (if it's enabled), compared to WMIC.
Wow, Microsoft is removing #WMIC from Windows!
But they aren't removing the underlying WMI framework, so threat actors will have to use PowerShell to access WMI.
🔗 techcommunity.microsoft.com/blog/windows...
#IncidentResponse #ThreatDetection #ThreatIntel #CSIRT #CERT
That's a bit nasty - a threat actor uses #Velociraptor as their primary C2 implant on the victim's system.
You think they might also let the victim use it for responding to the compromise as well?
news.sophos.com/en-us/2025/0...
#DFIR #IncidentResponse #ThreatDetection #ThreatIntel
🚨 Alert on new credentials added to SPs.
🔥 Monitor changes to federated domains (federationConfiguration).
🕵🏼‍♂️ Hunt unusual Graph API calls to /domains, /credentials, and /federationConfiguration.
#DFIR #ThreatHunting #EntraID #CloudForensics #M365 #ThreatDetection
"I SPy" Entra ID Global Admin Escalation Technique
Datadog's Security Labs identified an abuse of Office 365 Exchange Online service principal (SP) allowing escalation to Global Admin. MSRC considers it "expected misconfiguration" so don't expect a fix.
🔗 securitylabs.datadoghq.com/articles/i-s...
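As an added example (not Datadog's code and not the poster's), here is a small Python triage pass that implements the three detection points listed in the thread above: alert on new credentials landing on a service principal, flag changes to a domain's federation configuration, and surface Graph API calls to /domains, /credentials and /federationConfiguration. The JSON records it reads are constructed; their field names and activity strings are assumptions loosely modelled on Entra directory audit and Graph activity logs, so map them onto whatever your SIEM actually ingests.

```python
"""Triage Entra ID activity for the three signals listed in the thread above.

Added example, not Datadog's or the poster's code.  Every record it reads is
constructed: each JSON line is a simplified stand-in for an Entra directory
audit entry (kind == "audit") or a Microsoft Graph activity entry
(kind == "graph").  Field names and activity strings are assumptions modelled
on those logs; map them onto whatever your SIEM actually ingests.
"""
import json
import re
from dataclasses import dataclass

# Assumed audit activity names: a credential landing on a service principal,
# and a domain's federation settings being changed.
SP_CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}
FEDERATION_ACTIVITIES = {
    "Set federation settings on domain",
    "Set domain authentication",
}

# The Graph resources named in the thread, matched as whole path segments so
# that a path such as /domainsReport would not fire.
GRAPH_WATCH = re.compile(
    r"/(domains|credentials|federationConfiguration)(?=/|$|\?)", re.IGNORECASE
)
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}


@dataclass(frozen=True)
class Finding:
    rule: str       # which of the three signals fired
    severity: str   # "alert" for changes, "review" for reads worth a look
    actor: str
    target: str


def check_audit(rec):
    """Directory audit record -> Finding, or None when nothing of interest."""
    activity = rec.get("activityDisplayName", "")
    actor = rec.get("initiatedBy", "?")
    target = rec.get("targetResource", "?")
    if activity in SP_CREDENTIAL_ACTIVITIES:
        return Finding("sp-credential-added", "alert", actor, target)
    if activity in FEDERATION_ACTIVITIES:
        return Finding("federation-config-changed", "alert", actor, target)
    return None


def check_graph(rec):
    """Graph activity record -> Finding when it touches a watched resource."""
    uri = rec.get("requestUri", "")
    if not GRAPH_WATCH.search(uri):
        return None
    method = rec.get("requestMethod", "GET").upper()
    # A write to these resources is the change itself; a read is the
    # reconnaissance that often precedes it, so keep it at lower severity.
    severity = "alert" if method in WRITE_METHODS else "review"
    return Finding("graph-sensitive-endpoint", severity,
                   rec.get("initiatedBy", "?"), f"{method} {uri}")


def triage(lines):
    """Run both checks over JSON lines; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        kind = rec.get("kind")
        if kind == "audit":
            finding = check_audit(rec)
        elif kind == "graph":
            finding = check_graph(rec)
        else:
            finding = None
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records; the tenant, accounts and GUID are placeholders.
SAMPLE_LINES = [
    '{"kind":"audit","activityDisplayName":"Add service principal credentials",'
    '"initiatedBy":"helpdesk@tenant.example","targetResource":"Office 365 Exchange Online"}',
    '{"kind":"audit","activityDisplayName":"Update user",'
    '"initiatedBy":"helpdesk@tenant.example","targetResource":"j.doe@tenant.example"}',
    '{"kind":"audit","activityDisplayName":"Set federation settings on domain",'
    '"initiatedBy":"helpdesk@tenant.example","targetResource":"tenant.example"}',
    '{"kind":"graph","requestMethod":"PATCH","initiatedBy":"helpdesk@tenant.example",'
    '"requestUri":"https://graph.microsoft.com/v1.0/domains/tenant.example/federationConfiguration/00000000-0000-0000-0000-000000000000"}',
    '{"kind":"graph","requestMethod":"GET","initiatedBy":"svc-inventory@tenant.example",'
    '"requestUri":"https://graph.microsoft.com/v1.0/domains"}',
    '{"kind":"graph","requestMethod":"GET","initiatedBy":"svc-inventory@tenant.example",'
    '"requestUri":"https://graph.microsoft.com/v1.0/users?$top=10"}',
    "this line is not JSON and must not crash the run",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.rule}: {f.actor} -> {f.target}")
```

Run as a script it prints four findings from the constructed sample: the Exchange Online credential addition, the federation change, the PATCH to federationConfiguration (all "alert"), and the GET on /domains at "review" severity; the user lookup and the non-JSON line are ignored. The split between write and read severity is the design choice worth keeping when you adapt it: an inventory job listing domains is routine, while anything that writes to these resources is rare enough to page on.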
Here are some recent TTPs for Scattered Spider as well.
www.crowdstrike.com/en-us/blog/c...
#ScatteredSpider are particularly good at #SocialEngineering their way via a third-party to other victims.
For clarity, #ScatteredSpider are considered the initial access group; #DragonForce #ransomware is the malware deployed once #ScatteredSpider are inside your network.
This is a timely reminder to ensure any third parties with access to your systems follow the same cyber policies you'd expect your internal staff to follow.
www.bleepingcomputer.com/news/securit...
#IncidentResponse #DataBreach #CSIRT
💡 On a side note, this is a great write-up on #container #DFIR analysis if you're interested.
🕵🏼‍♂️ This malicious #container uses TENEO heartbeats to effectively earn credits. TENEO's ledger isn't exactly public, so tracking the tokens isn't simple; there also doesn't appear to be a way to cash out... yet.
This is an interesting write up on a slightly different #Docker #container #malware attack from the Cado Security and Darktrace teams.
🔗 www.darktrace.com/blog/obfusca...
Here's an update on the data breach of court documents from the NSW JusticeLink website.
tl;dr - it was an individual who was able to download 9k+ documents over two months; it doesn't appear they were leaked anywhere publicly.
www.theguardian.com/australia-ne...
🕵🏼‍♂️ Detect .LNK files making external connections, they are particularly easy to tune.
🕵🏼‍♂️ Detect mshta.exe running suspicious executables (i.e. cmd.exe).
Happy #ThreatHunting
🔗 blog.sekoia.io/detecting-mu...
This is a really nice write-up from Sekoia with lots of #ThreatDetection details, regardless of the #EDR you're using.
Of particular note, this attack is aided by a .LNK file pulling in a .HTA from a remote location.
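As an added example (not Sekoia's code and not the poster's), the two hunts suggested in the thread above implemented in Python over a constructed Sysmon-style event stream: a process whose command line names a .lnk and later connects to a non-internal address, and mshta.exe spawning a shell or script host such as cmd.exe. The event records, GUIDs, paths and addresses are all constructed; the field names follow Sysmon's Event ID 1 and 3 conventions but the exact reading of each hunt is this example's assumption.

```python
"""Two of the hunts from the thread above, run over a constructed Sysmon-style
event stream.  Added example, not Sekoia's or the poster's code.  Each record
is a simplified stand-in for Sysmon Event ID 1 (process create) or Event ID 3
(network connection); field names follow Sysmon's conventions but the events,
hosts and addresses are all constructed.

Hunt 1 reads ".LNK files making external connections" as: a process whose
command line names a .lnk, later seen connecting to a non-internal address.
Hunt 2 is mshta.exe spawning a child from a short list of script hosts and
shells.  Both readings are this example's assumptions.
"""
import ipaddress

# Internal space is excluded explicitly (RFC 1918 plus loopback/link-local)
# rather than via ipaddress.is_private, which also treats documentation
# ranges such as 203.0.113.0/24 as private and would hide the sample hit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe"}


def is_external(ip):
    """True for a routable address outside the internal ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_lnk_external(events):
    """Process-create events naming a .lnk, joined to their outbound connects."""
    lnk_procs = {
        e["ProcessGuid"]: e for e in events
        if e["EventID"] == 1 and ".lnk" in e.get("CommandLine", "").lower()
    }
    hits = []
    for e in events:
        if e["EventID"] != 3 or e["ProcessGuid"] not in lnk_procs:
            continue
        if is_external(e.get("DestinationIp", "")):
            proc = lnk_procs[e["ProcessGuid"]]
            hits.append((proc["Image"], e["DestinationIp"], e.get("DestinationPort")))
    return hits


def hunt_mshta_children(events):
    """Event ID 1 records where mshta.exe is the parent of a shell/script host."""
    return [
        (e["ParentImage"], e["Image"], e.get("CommandLine", ""))
        for e in events
        if e["EventID"] == 1
        and basename(e.get("ParentImage", "")) == "mshta.exe"
        and basename(e["Image"]) in SUSPICIOUS_CHILDREN
    ]


# Constructed sample events (GUIDs, paths and addresses are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\jdoe\Downloads\Invoice.lnk"'},
    {"EventID": 3, "ProcessGuid": "{G1}", "DestinationIp": "192.168.1.20", "DestinationPort": 445},
    {"EventID": 3, "ProcessGuid": "{G1}", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{G2}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "\\fileserver\shortcuts\Tools.lnk"'},
    {"EventID": 3, "ProcessGuid": "{G2}", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 1, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "cmd.exe /c ver"},
    {"EventID": 1, "ProcessGuid": "{G4}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "ProcessGuid": "{G4}", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, ip, port in hunt_lnk_external(SAMPLE_EVENTS):
        print(f"LNK process {image} -> {ip}:{port}")
    for parent, child, cmd in hunt_mshta_children(SAMPLE_EVENTS):
        print(f"{basename(parent)} spawned {basename(child)}: {cmd}")
```

On the sample stream the first hunt fires once (the Invoice.lnk process reaching 203.0.113.10:443) and stays quiet for the shortcut on the file server that only talks to 10.0.0.5, which is the tuning point the poster mentions: internal-only traffic from shortcuts is routine and drops out by excluding internal ranges. The second hunt fires once for mshta.exe spawning cmd.exe and ignores notepad.exe; extend SUSPICIOUS_CHILDREN to taste for your environment.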
- Make sure you go #ThreatHunting for compromised systems, prioritise public facing systems.
🕵🏼‍♂️ YARA signature: github.com/Neo23x0/sign...
ℹ️ Public disclosure: www.openwall.com/lists/oss-se...
PoC Demo: x.com/Horizon3Atta...
🚨 New Critical RCE in Erlang/OTP SSH (CVSS 10)
- CVE-2025-32433
- Exploitable without authentication
- Exists in Erlang's built-in SSH server
- Commonly found in IoT and Telco gear
- Exploit model now in Metasploit and on GitHub
Google's Threat Intelligence Group published details last month of Russian #APTS targeting #Signal:
➡️ Maliciously getting victims to scan QR codes
➡️ Maliciously cloning incoming messages with a Linked Device
➡️ Stealing the message database off a device
With all the talk about the use of #Signal by government officials in the US, it's worth remembering #ThreatActors will target what they need to steal the data they want.
🔗 cloud.google.com/blog/topics/...
Vuln Driver Blocklist: learn.microsoft.com/en-us/window...
Win 11 now has a Vulnerable Driver Blocklist feature; however, it's only updated in major updates, so you still need to monitor for recently discovered Vulnerable Drivers.
Recent Vuln Driver: www.bleepingcomputer.com/news/securit...
Known Vuln Drivers: www.loldrivers.io
#BYOVD attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools.
Make sure you're #ThreatHunting for new Vulnerable Drivers!
#IncidentResponse #ransomware #ThreatDetection
Join me for SANS Institute #Perth Community Night today!
Registration
Thurs, 13 Feb 2025
5:30pm – 6pm
🎤 Presentation
6pm – 7pm
Register Here: https://www.sans.org/mlp/community-night-perth-february-2025/
📍 The Pan Pacific Perth Hotel, 207 Adelaide Terrace, Perth WA 6000