In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
This blog post will create a Sysmon archive quota through WMI event consumption to avoid storage exhaustion.
In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft's Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.
In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.
In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike. Throughout this blog post we will … Continue reading Anatomy and Disruption of Metasploit Shellcode
This blog post will cover the Cobalt Strike DLL stager's anatomy, design choices and highlight ways to reduce both log footprint and time-to-shellcode.
