Good day everyone! The Microsoft Threat Intelligence team has discovered activity from a group known as #FlaxTyphoon. They are a nation-state group from China that targeted organizations in Taiwan. While the group leverages tools that are commonly used, like #ChinaChopper, #MetaSploit, and #Mimikatz, they also rely on abusing #LOLBINS, or living-off-the-land binaries and scripts (tools that exist in and ship with the native operating system). Some of their TTPs include using registry key modification for persistence, using #powershell, #certutil, or #bitsadmin to download tools, and accessing #LSASS process memory and the Security Account Manager registry hive for credential access. This is a great article that not only provides high-level details but also gives any organization a starting point for threat hunting using the technical details provided! Enjoy your weekend and #HappyHunting!
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #readoftheday
Discovering mimikatz: the double-edged weapon between red teams and cybercrime
Benjamin Delpy originally created #Mimikatz as a proof of concept (#PoC) to demonstrate to #Microsoft that its #authentication #protocols were #vulnerable to an #attack.
Instead, he inadvertently created one of the #tools most used and downloaded by threat actors in the last 20 years.
#redhotcyber #informationsecurity #ethicalhacking #dataprotection #hacking #cybersecurity #cybercrime #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #privacy #infosecurity
The attacks are attributed to a Chinese cyber-espionage actor involved in a long-running campaign that, because of overlaps in tooling, is referred to as Operation Soft Cell.
Source: https://www.infosecurity-magazine.com/news/operation-tainted-love-targets/
The full article is available on our news website at: https://news.neto.consulting/#hacker_Tele_China
#datenschutz #hackerangriff #hacker #cybersecurity #itsicherheit #cina #telekommunikation #mimikatz
Benjamin Delpy wrote #Mimikatz a bit later, which provided a way for the relative novice to dive into DPAPI and get a better understanding of EFS. With this tool I was able to at least enumerate the certificate chain that my files were encrypted with. And back at the end of 2021 I found that, despite reissuing all the certs on the machine, there remained an intermediate RSA private key that used a 40-bit RC4 session key.
#hacking #it #cryptography
#CrowdStrike - shout out to all my SOC and IR friends who spent the last 6 hours tracking down the false #Mimikatz alerts due to a change in Chrome.
Hey CrowdStrike, please try a bit harder to keep your detection signatures up to date with software changes.
Attacking Kerberos - I have just completed this room! Check it out: https://tryhackme.com/room/attackingkerberos #tryhackme #Kerberos #Active Directory #Exploitation #Windows #Privilege Escalation #mimikatz #rubeus #kerbrute #Impacket #Kerberoasting #AS-REP Roasting #Golden Ticket #Silver Ticket #Kerbrute #Pass the Ticket #Attacking Kerberos #windows #attackingkerberos via @RealTryHackMe
Also be sure to turn on these monitoring policies in #DefenderForCloudApps so you can #CatchTheHacker before they get too deep, whether you switch to #Kerberos or not. #NetworkSegregation is also a great #LayeredDefense method to ensure if one system is compromised the attacker can't use #SMBtraversal to get to all your computers, globally. #EternalBlue source code is still being used to get to #DCs via #Trikbot evolutions, after #Phishing a user with #LocalAdmin privileges, to execute #mimikatz against #ActiveDirectory to steal all the objects. #YesThisHappened
Defeating Credential Guard #CredGuard #Windows #Defeat #MimiKatz #Isolated #LSASS https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22
For the #ITAdmin #sysadmin types...
If you have a fresh install of Windows 10 22H2, then run updates (especially Defender updates) before installing 3rd-party #antivirus apps (Trellix, in my case).
Otherwise, don't be surprised/panic when Defender flags a file as #MimiKatz.
📬 Antivirus software: data loss caused by Microsoft, Avast and AVG
#Hacking #AikidoWiper #AvastAntivirus #AVGAntivirus #Echtzeitschutz #MicrosoftDefender #Mimikatz #SentinelOneEDR https://tarnkappe.info/artikel/hacking/antiviren-software-datenverlust-durch-microsoft-avast-und-avg-260713.html
RT @gentilkiwi:
Ho, hi @citrix!👋
Could you, please, stop capturing Windows user credentials when using SSON?
#mimikatz 🥝loves credentials
Administrator or not (here, *no admin rights*, again...), this is NOT a way to make SSO... especially when you bypass Credential Guard
Ringing in Black Friday by landing a domain controller in my OSCP lab. Pivoted through three machines to get here, but I've arrived! I'd like to thank my friends: mimikatz (an outdated version), autorecon, an unpatched web app with default creds, crackmapexec, certutil, reg save, john, kerberoasting, OneNote, vscode. The list of tools goes on and on. :---) #OSCP #mimikatz #autorecon #crackmapexec #JohnTheRipper #Kerberoasting #pentesting
I was playing around with AtomPePacker 🧙♀️
Works like a charm with EDR 👀
#Packers #edr #malware #BypassingAntivirus #mimikatz
Hey #soc and #blueteam, if I have to hunt for #mimikatz executed from #cobaltstrike using #osquery, what are the tables I need to correlate? Though I figured out a few events from the security logs, I want to use osquery logs for hunting. Any suggestions?
Yesterday CISA and the FBI published a joint advisory on an Iranian #APT compromising FCEB (Federal Civilian Executive Branch) systems. The threat actors exploited #Log4Shell in an unpatched VMware Horizon server, installed #XMRig crypto mining software, moved laterally to the DC, compromised credentials with #Mimikatz, and then backdoored with #Ngrok on several hosts to maintain persistence.
My question is, why the hell would they go out of their way to install XMRig as part of this attack? Was it,
From what I know, "for the Lulz" really isn't part of the APT playbook, and the only APT with a financial motive that I'm aware of is North Korea, where cybercrime is literally part of their GNI (Gross National Income). My guess is to obfuscate, but I'd love to hear other people's thoughts on this.