Josh Lemon
@joshlemon.bsky.social
Chief of DIFR at SoteriaSec | SANS Institute Principal Instructor | SANS FOR509 co-author | Director MDR Uptycs | Digital Forensics & Incident Response geek.
Wow, Microsoft is removing #WMIC from Windows!
But they aren't removing the underlying WMI framework, so threat actors will have to use PowerShell to access WMI.

🔗 techcommunity.microsoft.com/blog/windows...

#IncidentResponse #ThreatDetection #ThreatIntel #CSIRT #CERT
September 18, 2025 at 1:37 AM
That's a bit nasty - a threat actor uses #Velociraptor as their primary C2 implant on the victim's system.

You think they might also let the victim use it for responding to the compromise as well? 😂

news.sophos.com/en-us/2025/0...

#DFIR #IncidentResponse #ThreatDetection #ThreatIntel
August 28, 2025 at 6:16 AM
"I SPy" Entra ID Global Admin Escalation Technique

Datadog's Security Labs identified an abuse of the Office 365 Exchange Online service principal (SP) allowing escalation to Global Admin. MSRC considers it an "expected misconfiguration", so don't expect a fix.

🔗 securitylabs.datadoghq.com/articles/i-s...
July 19, 2025 at 4:18 AM
This is a timely reminder to ensure any third-parties with access to your systems follow the same cyber policies you'd expect your internal staff to follow.

www.bleepingcomputer.com/news/securit...

#IncidentResponse #DataBreach #CSIRT
M&S confirms social engineering led to massive ransomware attack
M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack.
www.bleepingcomputer.com
July 9, 2025 at 6:07 AM
This is an interesting write-up on a slightly different #Docker #container #malware attack from the Cado Security and Darktrace teams.

🔗 www.darktrace.com/blog/obfusca...
April 28, 2025 at 10:46 AM
Here's an update on the data breach of court documents from the NSW JusticeLink website.

tl;dr - it was an individual who was able to download 9k+ documents over two months; it doesn't appear they were leaked anywhere publicly.

www.theguardian.com/australia-ne...
NSW man charged over ‘serious data breach’ that exposed thousands of sensitive court documents
More than 9,000 files downloaded from NSW JusticeLink system but authorities say no personal data compromised
www.theguardian.com
April 23, 2025 at 1:59 PM
This is a really nice write-up from Sekoia with lots of #ThreatDetection details, regardless of the #EDR you're using.

🔎 Of particular note, this attack is aided with a .LNK file pulling in a .HTA via a remote location.
April 23, 2025 at 12:50 PM
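A detection rule for the behaviour called out in the post (a shortcut handing a remote .HTA to mshta.exe), as an added illustration that is not part of the Sekoia write-up or the original post. The events are constructed, Sysmon-style process-creation records; the field names Image, ParentImage and CommandLine follow the Sysmon Event ID 1 schema, and the severity labels are this example's own choice.

```python
"""Flag process-creation events where mshta.exe is handed an http(s) URL.

Added illustration (not from the Sekoia write-up): the events below are
constructed, Sysmon-style process-creation records using the Event ID 1
field names Image, ParentImage and CommandLine.
"""
import re
from urllib.parse import urlparse

# Constructed sample events: two match the .LNK -> remote .HTA pattern, two do not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://files.example.invalid/update.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\ProgramData\Vendor\setup.hta'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta http://198.51.100.7/p.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" https://notes.example.invalid/readme.txt'},
]

URL_RE = re.compile(r"(?i)\b(https?://[^\s\"']+)")


def _basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def remote_hta_finding(event):
    """Return a finding dict if mshta.exe was launched with an http(s) URL, else None."""
    if _basename(event.get("Image", "")) != "mshta.exe":
        return None
    m = URL_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    url = m.group(1)
    parent = _basename(event.get("ParentImage", ""))
    # explorer.exe as the parent is consistent with a user double-clicking a shortcut
    from_shell = parent == "explorer.exe"
    return {
        "url": url,
        "host": urlparse(url).hostname,
        "parent": parent,
        "explorer_parent": from_shell,
        "severity": "high" if from_shell else "medium",
    }


def scan(events):
    """Run the rule over an iterable of events and return the list of findings."""
    return [f for f in (remote_hta_finding(ev) for ev in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the launch of mshta.exe with a URL argument rather than on the file extension, since the remote resource need not be named .hta; a local .HTA path (the second sample event) is deliberately not flagged, so that the rule stays quiet on installers that ship legitimate HTA front-ends.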
🚨 New Critical RCE in Erlang/OTP SSH (CVSS 10)

- CVE-2025-32433
- Exploitable without authentication
- Exists in Erlang's built-in SSH server
- Commonly found in IoT and Telco gear
- Exploit module now in Metasploit and on GitHub
April 19, 2025 at 5:12 AM
With all the talk about the use of #Signal by government officials in the US, it's worth remembering #ThreatActors will target what they need to steal the data they want.

🔗 cloud.google.com/blog/topics/...
March 25, 2025 at 11:39 PM
#BYOVD attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools.
Make sure you're #ThreatHunting for new Vulnerable Drivers!

#IncidentResponse #ransomware #ThreatDetection
March 2, 2025 at 9:54 PM
Join me for SANS Institute #Perth Community Night today!

📋 Registration
Thurs, 13 Feb 2025
5:30pm – 6pm

🎤 Presentation
6pm – 7pm

Register Here: https://www.sans.org/mlp/community-night-perth-february-2025/

📍The Pan Pacific Perth Hotel, 207 Adelaide Terrace, Perth WA 6000
February 12, 2025 at 11:00 PM
I just found this amazing repository of credential stealer system info files by #MalBeacon, along with #YARA sigs for them.
Useful to ID a cred stealer or when going #ThreatHunting.

github.com/MalBeacon/wh... #threatintel #infosec #malware #DFIR
GitHub - MalBeacon/what-is-this-stealer: A repository of credential stealer formats
A repository of credential stealer formats . Contribute to MalBeacon/what-is-this-stealer development by creating an account on GitHub.
github.com
January 15, 2025 at 10:42 PM
#Ransomware threat actors are increasingly abusing #AWS Server-Side Encryption with customer-provided keys (SSE-C) to encrypt S3 buckets. Most recently, a TA known as #Codefinger has been using this technique.

🕵 Monitoring S3 & encryption activity via CloudTrail & GuardDuty.

www.halcyon.ai/blog/abusing...

#CloudForensics #FOR509
Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C
The Halcyon RISE Team has identified a unique ransomware technique that encrypts Amazon S3 buckets with no known method to recover unless a ransom is paid...
www.halcyon.ai
January 14, 2025 at 3:46 AM
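One way to do the CloudTrail monitoring the post recommends, as an added example that is not part of the original post, the Halcyon write-up or any AWS tool. The records are constructed CloudTrail S3 data events. Assumption: the SSE-C request header, x-amz-server-side-encryption-customer-algorithm, is surfaced inside requestParameters of PutObject/CopyObject data events; confirm that field name against your own trail before relying on the rule. The ARNs, bucket names and the 5-writes-in-10-minutes threshold are all made up for the example.

```python
"""Detect bursts of SSE-C (customer-provided key) object writes in CloudTrail.

Added illustration, not from the Halcyon post or an AWS tool. The records
below are constructed CloudTrail S3 data events. ASSUMPTION: the SSE-C
request header x-amz-server-side-encryption-customer-algorithm appears
inside requestParameters of PutObject/CopyObject data events; verify the
field name against your own trail before deploying this.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject"}


def _rec(ts, name, arn, bucket, key, ssec):
    """Build one constructed CloudTrail record (helper for the sample data only)."""
    params = {"bucketName": bucket, "key": key}
    if ssec:
        params[SSEC_HEADER] = "AES256"
    return {"eventTime": ts, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed identities: one legitimate backup role, one compromised user.
ATTACKER = "arn:aws:iam::123456789012:user/compromised-deploy"
ADMIN = "arn:aws:iam::123456789012:role/backup-role"
SAMPLE_TRAIL = "\n".join(json.dumps(r) for r in [
    _rec("2025-01-10T02:00:00Z", "PutObject", ADMIN, "corp-backups", "db/1.bak", False),
    _rec("2025-01-10T02:01:00Z", "GetObject", ATTACKER, "corp-backups", "db/1.bak", False),
] + [
    # six in-place CopyObject re-encryptions under an attacker-supplied key in five minutes
    _rec(f"2025-01-10T02:0{i}:30Z", "CopyObject", ATTACKER, "corp-backups", f"db/{i}.bak", True)
    for i in range(1, 7)
])


def parse_trail(text):
    """Parse newline-delimited CloudTrail records (as exported from a log query)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ssec_writes(records):
    """Yield (time, actor_arn, bucket, key) for every SSE-C object write."""
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in WRITE_EVENTS:
            continue
        p = r.get("requestParameters") or {}
        if SSEC_HEADER not in p:
            continue
        t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield t, r.get("userIdentity", {}).get("arn", "?"), p.get("bucketName", "?"), p.get("key", "?")


def find_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Alert when one actor makes >= threshold SSE-C writes to one bucket inside `window`.

    Legitimate SSE-C use is rare and steady; a mass re-encryption of existing
    objects under a key AWS never stores is the signal worth paging on.
    """
    per_actor = defaultdict(list)
    for t, actor, bucket, key in ssec_writes(records):
        per_actor[(actor, bucket)].append((t, key))
    alerts = []
    for (actor, bucket), writes in per_actor.items():
        writes.sort()
        times = [t for t, _ in writes]
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"actor": actor, "bucket": bucket, "count": len(writes),
                               "first": times[0].isoformat(), "last": times[-1].isoformat(),
                               "sample_keys": [k for _, k in writes[:3]]})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_trail(SAMPLE_TRAIL)):
        print(json.dumps(alert, indent=2))
```

The rule deliberately counts per (actor, bucket) pair so that a single noisy but legitimate SSE-C workload does not mask, or get confused with, a newly active identity; it also only fires on S3 data events, which are not logged by a default trail, so enabling S3 data event logging for the buckets that matter is a prerequisite.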