https://twitter.com/1ZRR4H/status/1655014346307559428

https://twitter.com/1ZRR4H/status/1655014346307559428

Most recents (2)

Many security teams scrutinize inbound connections, but they tend to overlook traffic leaving the network. Here are a couple of things I consider when #Threat_hunting for ExMatter or similar tools: 🧵👇

1⃣Create your baseline:
It is difficult to find anomalous activity if...

https://twitter.com/1ZRR4H/status/1655014346307559428

...you don't know what normal looks like.
🔹Gather historical network data of outbound connections. The longer the baseline, the better the results.

....⤵️

2⃣Initial Analysis
🔹Query for outbound connections towards protocols that are used for transferring files and data over a network, e.g. SSH, FTP, TELNET, SFTP etc.
🔹Filter out expected traffic with the help of your baseline.
🔹Checkout the most & least frequent conn occurrence

Read 10 tweets

Kostas

@Kostastsale

Threat actors have started leveraging a new RMM platform called Action1. This RMM has useful features. Let's take a look at what these are and how they use them🧵:

👀Console visibility:
➡️Missing Updates view
➡️Apps installed
➡️Detail info about the OS & Hardware of the host

Using Action1, they are seen executing commands, scripts and binaries. To do that, they must first create a "policy" or an "app". The name of those will show up in the command line during execution:

⚙️App Deployment:
➡️action1_agent.exe -> <binary running as system>

⚙️Command/Script execution:
➡️action1_agent.exe -> powershell.exe/cmd.exe
💡The action1_agent.exe cmdline contains the name of the policy set by the TAs.(see screenshot for details)
💡Command/Script will run with SYSTEM privs

Read 6 tweets

Discover and read the best of Twitter Threads about #Threat_hunting

Most recents (2)

Related hashtags

Discover and read the best of Twitter Threads about #Threat_hunting

Most recents (2)

Related hashtags

Did Thread Reader help you today?