Which IP addresses/hosts was the traffic redirected to? Can we get a list of IOCs please?
Posts by Tyler
Recovering a Linux backdoor that is still running but was deleted off disk:
• Check the /proc/PID directory for the running process
• If it has recovered_exe in it, that's the reconstructed executable.
It may not always be there, but is great when it is!
#linux #forensics #dfir
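As an added example (not code from the original post), the script below shows the /proc-based recovery the post describes, done the generic way: it walks /proc, flags every process whose /proc/PID/exe symlink reports a target tagged "(deleted)", and copies the still-mapped image back out through that link, hashing the result for the case notes. It relies only on the standard /proc/PID/exe entry, which the kernel keeps pointing at the open inode after the file is unlinked; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post.
# Recover a running-but-unlinked Linux binary via /proc/PID/exe.

# Print "PID TARGET" for every process whose executable has been deleted
# from disk. The kernel appends " (deleted)" to the exe link target once the
# path is unlinked, so matching on that suffix is the cheapest triage check.
find_deleted_exes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        # Unreadable links (other users' processes, kernel threads) are skipped.
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Record the volatile context an analyst wants alongside the binary:
# command line, working directory and memory map of PID $1, written into $2.
capture_context() {
    pid=$1; dir=$2
    mkdir -p "$dir" || return 1
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$dir/cmdline" 2>/dev/null
    readlink "/proc/$pid/cwd" > "$dir/cwd" 2>/dev/null
    cat "/proc/$pid/maps" > "$dir/maps" 2>/dev/null
    return 0
}

# Copy the in-memory image of PID $1 to $2 and print its SHA-256.
# Opening /proc/PID/exe resolves to the inode, not the vanished path, so the
# copy succeeds as long as the process is alive. Needs root or the same uid
# as the target process.
recover_exe() {
    pid=$1; out=$2
    [ -r "/proc/$pid/exe" ] || { echo "cannot read /proc/$pid/exe" >&2; return 1; }
    cp "/proc/$pid/exe" "$out" || return 1
    sha256sum "$out" | cut -d' ' -f1
}

# Usage as a one-shot triage run: recover every deleted executable found.
# (Output directory name is the example's own assumption.)
if [ "${1:-}" = "--all" ]; then
    find_deleted_exes | while read -r pid target; do
        echo "PID $pid exe was $target"
        capture_context "$pid" "./recovered/$pid"
        recover_exe "$pid" "./recovered/$pid/recovered_exe"
    done
fi
```

Hash the copy immediately and note the PID and exe target together; once the process exits the inode is gone for good, so this is the one window in which the sample can be preserved.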
Did you know there are two versions of Microsoft Quick Assist, one of which doesn't log anything?
On Aug 13 at 12 PM EST, I am presenting on MSQA and how we're seeing it used in attacks. More importantly, how to perform investigations into MSQA.
Free to attend - register here:
ow.ly/TvlR50WxW5A
A friend of mine - @openheartgames.bsky.social - is running a D&D game all day for Extra Life. Drop by their stream and donate to a good cause!
www.extra-life.org/index.cfm?fu...
#dnd #rpg #charity #extralife
This past weekend I had the opportunity to speak at B-Sides Rochester (NY).
My talk was on forensically analyzing Microsoft Quick Assist and the issues associated with attempting to do so. If anyone is interested:
- Slides: github.com/secshoggoth/...
- Video: www.youtube.com/watch?v=l9Kq...
I've had to analyze several MS Quick Assist compromises and found challenges during each one. Threat hunting for malicious activity through QA is not easy either.
So I wrote a blog post on what to look for: inversion6.com/resources/bl...
#dfir #forensics #incidentresponse #threathunting
Today marks the official launch of the Inversion6 Incident Response (IR) team, and I couldn't be more excited! Ready to tackle challenges, protect, and respond like never before. Let’s go!
#IncidentResponse #CyberSecurity #DFIR
inversion6.com/resources/ne...
My fallback plan is being a cranberry farmer or running a tiki bar in the Caribbean.
I do not envy those coming into Information Security now.
When I started, there were no formal programs, no degrees, and little training. It was the wild west and we were making a lot of it up as we went. In a way, it was easier. (1/2)
Now there is so much to learn and understand. Granted, there is also more training, free content, technology, and education. But in a way that may make it more overwhelming.
To anyone jumping into the depths of this ocean now, you have my sympathies, but I also share your excitement. (2/2)
Feels like an appropriate response to me.
What is everyone's favorite place for a starting sysmon config template?
@volexity.com’s latest blog post describes in detail how a Russian APT used a new attack technique, the “Nearest Neighbor Attack”, to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.
Read more here: www.volexity.com/blog/2024/11...
Yesterday I received a call from a friend who was a victim of sextortion. This is all too common but fortunately there are things you can do if you fall victim to this.
Remember you are not at fault. The person doing this is truly one of the worst types of criminals. You are a victim.
🧵
If you did pay them money, try to reverse the transaction. You may have to call your bank, but the faster you do it the more likely the reversal can happen.
Don't send them anything and don't pay them any money.
If you pay them, it won't go away. They will just ask for more.
Block and report their accounts.
They will try to message you on every platform they can find using different accounts.
Blocking and reporting them means it's more likely their accounts will be taken down.
Get help from someone you trust. Contact law enforcement. They can help stop this.
I know this may be embarrassing, but they have the resources to help you out.
Save or document their messages (screenshots, etc.) to help law enforcement if they are brought in.
Here are some more resources. If anyone knows of any more, please comment them.
www.fbi.gov/how-we-can-h...
ojjdp.ojp.gov/publications...
www.thorn.org/blog/identif...
What's one more social media site to check out?