We've been tracking DEV-0537 since 2021 (overlaps: Lapsus$, UNC3661). Here's a comprehensive 🆕 BLOG 📰 covering observed TTPs: microsoft.com/security/blog/…
#MSTIC and Defender threat intel collab
➕#DART 👻 incident response team experience from the trenches [1/3]
The blog highlights varied initial access vectors and a slew of [inconsistent?] end goals: data theft, extortion, chaos...
One way to interpret "this actor's TTPs and infrastructure are constantly changing" is that they are loosely-organized (see:
Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic
That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).
You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
Sep 10, 2020 • 7 tweets • 5 min read
How many of the 719 Pokémon can you capture in a single regular expression that fits in a tweet?
Here are awesome regex resources: raw.githubusercontent.com/aloisdg/awesom… [this same text blob will also be used to measure FPs😊]
If you haven't done something like this before, here's a [crappy] bash one-liner to start:
Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
Apr 1, 2020 • 9 tweets • 5 min read
🧾Stock Tax Tip
For years, I've seen teammates pay double taxes on stock grants. And *many* individuals & tax advisors prepare it incorrectly. ☹️
If you're fortunate enough to have sell-to-cover Restricted Stock Unit (RSU) grants – this probably needs adjusting.
Here's the fix:
There may be a tiny caveat in your broker's documentation suggesting you will be double taxed. I heard it was due to a rule change in 2014 (sfgate.com/business/netwo…).
Pictured: the single note in an eTrade PDF.
The impact can be several thousands of dollars overpaid each year...
Mar 9, 2020 • 4 tweets • 3 min read
🧐Fascinating .XLS file just uploaded to VT: virustotal.com/gui/file/64a23…
In addition to some wild 🈸️Chinese phrase translations, its macros drop an [InternetShortcut] file to disk:
The shortcut's URL (stored within Sheet2) is this GIF⤵️ of how to launch the .xls file
1⃣ - 🩳✂️: ThisWorkbook macro dropping the instructional GIF .url to disk
2⃣- 🌐🖼️: Sheet2 contains the .url shortcut's remote GIF location
3⃣ - 🚗🏃🏽: tdole macro allowing helpful translation spreadsheet to auto-run
3 of these XLSMs uploaded to VT in last 2 days. Fresh one from this afternoon: virustotal.com/gui/file/fc243…
❔Interview question: is this “malware” & why do you say that? If your job was to decide whether to let it through, alert, or block it globally – what’s your pick? [polls below]
👆🏼Is this “malware” & why? <replies welcome>
Feb 18, 2020 • 4 tweets • 5 min read
Always nice when a payload has robust documentation.
This one details the exact bypasses implemented.
👇🏼Episode Recap Thread! 🧵
We start with tracking pixels: ◻️ <spacer.gif>
We break down how marketing tools are used by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware.
For some background, see this thread: