ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.

Just Another Blue Teamer

Happy Monday, or should I say, Happy !

That's right, The DFIR Report has dropped another one of their awesome reports, this time covering an attack that involved the ransomware. There was a dash of , , some encoded PowerShell commands for defense evasion (and to keep you guessing on what the command really is!), LSASS access for credentials, and ultimately led to the ransomware being deployed. This report provides a great example of all the things the adversary needs to do to be successful in an attack and all the information they need from your environment to do it!

Stay tuned for your Threat Hunting Tip of the Day but while you wait, enjoy the article! Happy Hunting!

And I promise you I am not going to take the easy way out and hit you with the AutoRun registry key hunt package again!

BlackSuit Ransomware
thedfirreport.com/2024/08/26/b

Cyborg Security Intel 471

The DFIR Report · BlackSuit Ransomware
Key Takeaways: In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor leveraged va…

Here is your Threat Hunting Tip of the Day:

In The DFIR Report's write-up, the attackers abused PowerShell to execute encoded commands to hide their true activity from the defenders or the victims. Normally, PowerShell needs a parameter that tells it the command that follows is encoded: the -EncodedCommand parameter, and it accepts any unambiguous, case-insensitive abbreviation of it. So this ranges from -e through -ec and -enc all the way to -EnCoDeDcOmMaNd, and when the command is launched through cmd.exe the parameter name can be broken up with escape characters (carets) as well! The payload itself is Base64 of the script as UTF-16LE text, not UTF-8, which matters once you try to decode it. So what are defenders to do?

You could leverage this Intel 471 Free Community Hunt Package that looks for these variations using regular expressions! Now, this will help you identify the encoded commands that are run in your organization, possibly by attackers, but be warned! False positives are a thing: plenty of legitimate management tooling and admin scripts use -EncodedCommand too, and once you start removing them you should have a better idea of what is abnormal. You can also use open source tools like CyberChef to decode the commands so you can make them human readable (From Base64, then Decode text as UTF-16LE)!

I hope this gets you started on your Threat Hunting journey, good luck and Happy Hunting!

Powershell Encoded Command Execution
hunter.cyborgsecurity.io/resea

Cyborg Security

hunter.cyborgsecurity.io · Intel 471 | HUNTER