Greg Lesnewich
great, now I'm on twitter
Aug 28, 2023
🚨 Job Openings!

Our team is looking to hire for 2 positions on our APT tracking team.

Primary responsibilities & day-to-day will be disrupting state-aligned or state-sponsored actors trying to deliver malware, phish, or otherwise engage with our customers, in email data. We're big on culture ADD - we'd love fresh and additive ideas that might challenge our assumptions & biases to help bonk the adversaries

Members of this team have previously been network wizards, incident responders, computer scientists, developers, & traditional gubbymint analysts
Jul 26, 2023
lots of important work in CTI on 🇰🇵 DPRK crypto-ops 🪙 going on at the moment!

I wanted to highlight a few talks that were very helpful for me in understanding how we got here!

1st, Katie Blankenship gave an excellent overview of DPRK cyber evolution.

Before we dive into crypto-ops fully, let’s take a step back and see where most of them evolved from: APT38.

The folks at Mandiant gave an awesome talk on this back in the day:

Jul 5, 2023
What, dear reader, are, in your opinion, some of the best conference talks on discovering & tracking APT groups?

Think less “here’s a stock profile of this actor”, more “here’s how we found this thing”

I’ll start: No Easy Breach from @ItsReallyNick & @matthewdunwoody

Operation ShadowHammer from @craiu & @vkamluk https://t.co/7UzsRuansF

Mystery of the Metador from @juanandres_gs @AmitaiBs3 @milenkowski https://t.co/R5tMd7jqPj

Jan 25, 2023
Baby’s first blog!

Check out our reporting on TA444 which has more AKAs than the Bodega Boys - but long story short they steal 💰cryptocurrencies for 🇰🇵

We rolled up their activity from 2022 where they rolled out new products, changed their GTM, and maybe tested in prod?? We saw TA444 try out a lot of chains in 2022, from their usual password.txt.lnk -> CageyChameleon, to MSIs, VHDs, CHMs, and ISOs.

We also saw them, very strangely, send out a phishing campaign that… kinda stunk? Typos everywhere, super broad targeting, real clunky feel
Jan 15, 2022
Day 15 of #100DaysofYARA is all about named pipes! We'll be looking for both the \\.\pipe\ strings as well as common references to named and anonymous pipe methods and obfuscation methods. Lots of malware fams use named pipes!

github.com/g-les/100Dayso…

However, YARA is probably not the best way to keep track of these things on your network - check out Sysmon Event IDs 17 and 18!

@rpargman has some advice for using KQL to find some specific pipe names
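As an added example, not taken from the thread or the linked #100DaysofYARA repo, here is a rule in the spirit of Day 15: it pairs the literal `\\.\pipe\` path prefix with imports of the named and anonymous pipe APIs, so a lone string hit does not fire by itself. The rule name, the two-API threshold and the size limit are my own choices.

```yara
rule PE_NamedPipe_Path_And_APIs
{
    meta:
        description = "Added example: PE that carries a pipe path prefix and imports pipe APIs"
        provenance  = "Constructed for illustration, not from the 100DaysofYARA repo"

    strings:
        // Literal prefix of a named pipe path; each backslash is escaped for YARA.
        // ascii + wide covers both narrow and UTF-16 string tables.
        $pipe_path = "\\\\.\\pipe\\" ascii wide nocase

        // Server-side named pipe APIs (the A/W suffixes are matched as substrings)
        $api_create  = "CreateNamedPipe" ascii
        $api_connect = "ConnectNamedPipe" ascii

        // Client-side named pipe APIs
        $api_call = "CallNamedPipe" ascii
        $api_wait = "WaitNamedPipe" ascii

        // Anonymous pipe creation (no path, so only the API name is available)
        $api_anon = "CreatePipe" ascii

    condition:
        // MZ header, a sane size, the path prefix, and at least two pipe APIs
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $pipe_path and
        2 of ($api_*)
}
```

Expect benign hits from software that legitimately uses pipes (service managers, IPC libraries), so treat a match as a triage signal and confirm the pipe name via the Sysmon Event ID 17/18 telemetry the thread points to.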