In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID & Kakbot VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
Author: Maxime Thiebaut
Enforcing a Sysmon Archive Quota
This blog post will create a Sysmon archive quota through WMI event consumption to avoid storage exhaustion.
Detecting & Preventing Rogue Azure Subscriptions
In this blog post we will cover why rogue subscriptions are problematic and revisit a solution published a couple of years ago on Microsoft's Tech Community. Finally, we will conclude with some hardening recommendations to restrict the creation and importation of Azure subscriptions.
Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester
In one of the smaller campaigns we monitored last month (September 2021), the threat actor inadvertently exposed Telegram credentials to their harvester. This opportunity provided us some insight into their operations; a peek behind the curtains we wanted to share.
Anatomy and Disruption of Metasploit Shellcode
In April 2021 we went through the anatomy of a Cobalt Strike stager and how some of its signature evasion techniques ended up being ineffective against detection technologies. In this blog post we will go one level deeper and focus on Metasploit, an often-used framework interoperable with Cobalt Strike. Throughout this blog post we will … Continue reading Anatomy and Disruption of Metasploit Shellcode
Anatomy of Cobalt Strike’s DLL Stager
This blog post will cover the Cobalt Strike DLL stager's anatomy, design choices and highlight ways to reduce both log footprint and time-to-shellcode.