I run a community showing you how to build practical hands-on skills to become a Cybersecurity SOC analyst. 👇 skool.com/mydfir-communi…
Joined December 2022
Campaign IOCs (Remote-Tool Delivery Path)
Lure domain observed by @anyrun_app:
🔸 vallparty[.]de (sitting behind Cloudflare)
🔸 Lure page: /winedine.html
🔸 Payload served from: vallparty[.]de/ScreenConnect.ClientSetup.exe (~5 MB)
🔸 SHA256: 66CA66CAE93C34E60A9A328B082FC7AA5396CC046BCFC5A14681D072128B9BE7
Lure HTML:
🔸 winedine.html SHA256: D52B32EA18EEB88C7EE2EBBBECE4705D81F2EBBBB50518E765C1D84466989732
🔸 MSI staged under %Temp%\ScreenConnect
Credential-theft variant endpoints:
🔸 /processmail.php, /process.php, /pass.php, /mlog.php, /check_telegram_updates.php
Suricata hits worth building alerts on:
🔸 ET REMOTE_ACCESS Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
🔸 REMOTE [ANY.RUN] ScreenConnect Server Response
One fake invite can end in a compromised mailbox, a stolen OTP, or a remote tool running as SYSTEM. And your team might not connect those dots until the foothold is already there.
This is where a sandbox earns its keep. When a suspicious link hits your queue during triage, you can detonate it somewhere safe instead of guessing. Within seconds you can see whether it is a fake invite, a credential form, an OTP prompt, or a remote tool quietly downloading itself. And as it runs, you are watching the actual behavior. The network calls, where the credentials get posted, what files drop, and whether anything reaches out for remote access.
Get special 10th anniversary offers from ANY.RUN: app.any.run/plans?utm_sour…
#Phishing #ANYRUN #ExploreWithANYRUN #CISO #SOCAnalyst
Who They Are Going After, and How to Catch It
Most of the ANY.RUN submissions for this campaign came out of the United States. And the industries getting hit are the ones you would expect:
🔸 Education
🔸 Banking
🔸 Government
🔸 Technology
🔸 Healthcare
Look at what those have in common. Email, identity, and remote administration are just part of the normal workday. A remote management tool showing up on a machine in a hospital IT shop or a university help desk does not look strange.
As of late April, around 160 suspicious links were analyzed and around 80 phishing domains were observed. Most sat on .de TLDs, which is a little odd for a campaign aimed at US orgs and worth watching for on its own. A lot of them were built from the same phish kit and some sessions even had instructions left in for the operator on how to edit the page.
That reused infrastructure is good news for us. When attackers mass produce lure sites from one kit, they leave similar fingerprints everywhere.
Here is what to hunt for, but be sure to baseline your environment first.
🔸 An RMM (Remote Monitoring and Management) client install (ScreenConnect, ConnectWise, ITarian, Datto, LogMeIn, etc.)
🔸 An RMM service reaching out to a relay you do not recognize as your own
🔸 POST requests to /processmail.php, /process.php, /pass.php, /mlog.php (likely noisy, which is why the baseline is important here)
A quick win is to find every RMM in your environment and note the ones that belong. After that, any new RMM install should get flagged for a closer look.
Pivot from this campaign's lure signature in ANY.RUN TI Lookup:
intelligence.any.run/analysis/looku…
IOCs in 3/3 👇
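Added example, not code from ANY.RUN or MyDFIR: the three hunt items above plus the lure domain and payload hash from the IOC post, run as simple detection logic over constructed log records. The approved-relay baseline and the sample events are assumptions.

```python
# Added example, not code from ANY.RUN or MyDFIR: a small hunt over constructed
# log records for the three hunt items above plus the lure domain and payload
# hash from the IOC post. The approved-relay baseline and events are assumed.
KNOWN_RMM = {"screenconnect", "connectwise", "itarian", "datto", "logmein"}
APPROVED_RELAYS = {"rmm.corp.example"}          # assumption: the org's own relay
SUSPECT_PATHS = {"/processmail.php", "/process.php", "/pass.php",
                 "/mlog.php", "/check_telegram_updates.php"}
IOC_SHA256 = {"66CA66CAE93C34E60A9A328B082FC7AA5396CC046BCFC5A14681D072128B9BE7".lower()}

def refang(indicator):
    """Turn the defanged 'x[.]y' form used in reports back into a matchable host."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang("vallparty[.]de")}

# Constructed sample events (shapes loosely modelled on a service-install event,
# a proxy log line and an EDR network event). Not real telemetry.
SAMPLE_EVENTS = [
    {"type": "service_install", "host": "ws01", "service": "ScreenConnect Client (deadbeef)",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"type": "http", "host": "ws01", "method": "GET", "dst": "vallparty.de",
     "path": "/ScreenConnect.ClientSetup.exe",
     "sha256": "66CA66CAE93C34E60A9A328B082FC7AA5396CC046BCFC5A14681D072128B9BE7"},
    {"type": "http", "host": "ws02", "method": "POST", "dst": "lure.example", "path": "/pass.php"},
    {"type": "net", "host": "ws01", "process": "ScreenConnect.ClientService.exe",
     "dst": "relay.unknown.example"},
    {"type": "net", "host": "ws03", "process": "ScreenConnect.ClientService.exe",
     "dst": "rmm.corp.example"},
]

def is_rmm(text, known=KNOWN_RMM):
    return any(name in text.lower() for name in known)

def hunt(events, approved_relays=APPROVED_RELAYS):
    """Return (host, rule, detail) tuples; each rule maps to one hunt bullet above."""
    findings = []
    for e in events:
        if e["type"] == "service_install" and is_rmm(e["service"] + e["image"]):
            findings.append((e["host"], "new RMM service install", e["service"]))
        elif e["type"] == "net" and is_rmm(e["process"]) and e["dst"] not in approved_relays:
            findings.append((e["host"], "RMM beacon to unapproved relay", e["dst"]))
        elif e["type"] == "http":
            if e["method"] == "POST" and e["path"].lower() in SUSPECT_PATHS:
                findings.append((e["host"], "POST to phish-kit endpoint", e["path"]))
            if e["dst"].lower() in IOC_DOMAINS or e.get("sha256", "").lower() in IOC_SHA256:
                findings.append((e["host"], "campaign IOC match", e["dst"]))
    return findings
```

The RMM install on ws03 talking to the approved relay produces nothing, which is the point of baselining first.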
Fake Invites, Real Access: Phishing Campaign
@anyrun_app researchers tracked a large campaign going after organizations with fake event invitations.
Here is the remote-tool path, detonated in the sandbox.
🔸 User clicks the invite link
🔸 A Cloudflare CAPTCHA loads
🔸 Page auto-downloads a remote management installer, pulled straight from the lure domain
🔸 In one version there is not even a button. The download just starts on its own.
🔸 The installer runs through msiexec
🔸 The remote client installs as a Windows service running as SYSTEM
🔸 That service beacons out to a relay the attacker controls
That last step gives the attacker hands-on-keyboard access through a signed, legitimate, allowlisted tool.
Full ANY.RUN analysis #1: app.any.run/tasks/dcbc4301…
Full ANY.RUN analysis #2:
app.any.run/tasks/4c2687da…
Targeting, what to hunt for, and IOCs👇
#Phishing #ANYRUN #ExploreWithANYRUN #SOCAnalyst #DFIR #CISO #ad
I broke down a #socanalyst job posting and showed you exactly what they expect + how you can start learning each skill so you’re actually prepared when applying.
If you’ve ever looked at a #soc posting and thought:
“Where do I even start learning all of this?”
This video is for you.
youtu.be/Ygca5xdNK-A
#cybersecurity
Can you spot the suspicious activity?
This is a snippet of the MFT (Master File Table) artifact data from a forensic investigation scenario. Been building this out as part of the DFIR course for the MYDFIR Forge. Total of 14 modules with a mix of Windows, Linux, network, memory and cloud (Azure) forensics including a capstone investigation. This is a big course and will include a lot of theory + labs!
Can't wait to release it.
I'll be providing more details in the free SOC community as we get closer to the release!
skool.com/mydfir-communi…
I kept getting messages from beginners saying they wanted to become SOC analysts but were not sure where to start, so I built a free community that will give them a good starting point, called The MYDFIR SOC Community:
Inside are 4 structured modules (fundamentals → portfolio projects)
No paywall. No catch.
skool.com/mydfi-communit…
ICYMI: Here is one of many walkthroughs from our monthly capture the flag events in the MYDFIR SOC Community.
Learn how to investigate and build your own investigative methodology!
WATCH: SOC Analyst Full Compromise Investigation | MYDFIR SOC Community
lnkd.in/euxQaJms
While building a lab for the community, I ran into something weird.
Setup:
Attacker PC: Windows 10 22H2 (UTC):
1) Created a timestomped LNK file (Year 2028)
2) Zipped it with password-protected 7-Zip
Target PC: Windows 11 24H2 (PST)
1) Extracted the file
2) Examined the MFT
- SI records 2028 && FN records 2026 (so far so good)
3) Shift + Right-Click LNK > Run as Administrator
The weird part:
After running it as Administrator, the FN timestamp, which used to be 2026, is now blank, which, if I am not mistaken, would indicate it is the same time as SI.
Has anyone else seen this behavior? Not sure if this is a known thing or something new with 24H2.
Anyways, another reason to be sure to correlate with other artifacts!
#DFIR