Discover and read the best of Twitter Threads about #Threat_Hunting

Most recents (2)

Many security teams scrutinize inbound connections, but they tend to overlook traffic leaving the network. Here are a couple of things I consider when #Threat_hunting for ExMatter or similar tools: 🧵👇

1⃣Create your baseline:
It is difficult to find anomalous activity if...
...you don't know what normal looks like.
🔹Gather historical network data of outbound connections. The longer the baseline, the better the results.

....⤵️
2⃣Initial Analysis
🔹Query for outbound connections towards protocols that are used for transferring files and data over a network, e.g. SSH, FTP, TELNET, SFTP etc.
🔹Filter out expected traffic with the help of your baseline.
🔹Checkout the most & least frequent conn occurrence
Read 10 tweets
Threat actors have started leveraging a new RMM platform called Action1. This RMM has useful features. Let's take a look at what these are and how they use them🧵:

👀Console visibility:
➡️Missing Updates view
➡️Apps installed
➡️Detail info about the OS & Hardware of the host ImageImageImage
Using Action1, they are seen executing commands, scripts and binaries. To do that, they must first create a "policy" or an "app". The name of those will show up in the command line during execution:

⚙️App Deployment:
➡️action1_agent.exe -> <binary running as system> Image
⚙️Command/Script execution:
➡️action1_agent.exe -> powershell.exe/cmd.exe
💡The action1_agent.exe cmdline contains the name of the policy set by the TAs.(see screenshot for details)
💡Command/Script will run with SYSTEM privs Image
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!