Josh Lemon
@joshlemon.bsky.social
Chief of DIFR at SoteriaSec | SANS Institute Principal Instructor | SANS FOR509 co-author | Director MDR Uptycs | Digital Forensics & Incident Response geek.
Wow, Microsoft is removing #WMIC from Windows!
But they aren't removing the underlying WMI framework, so threat actors will have to use PowerShell to access WMI.

🔗 techcommunity.microsoft.com/blog/windows...

#IncidentResponse #ThreatDetection #ThreatIntel #CSIRT #CERT
September 18, 2025 at 1:37 AM
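Because the post's point is that WMI stays reachable from PowerShell after WMIC is gone, hunting rules keyed only on wmic.exe will go quiet. The following is an added example, not code from the post or from Microsoft: a small Python scanner run over constructed PowerShell script-block log lines that flags the standard WMI/CIM cmdlets and accessors and raises the category to "wmi-remote" when remoting hints (-ComputerName, -CimSession, Win32_Process) appear alongside them. The log format and every line in it are constructed for the example.

```python
"""Added example (not from the original post): flag PowerShell activity that
reaches WMI/CIM so that detections written for wmic.exe do not go blind once
WMIC is removed. The log lines below are constructed, not real telemetry."""
import re

# Standard PowerShell/.NET names that reach WMI or CIM.
WMI_CIM_PATTERNS = [
    r"\bGet-WmiObject\b",
    r"\bInvoke-WmiMethod\b",
    r"\bGet-CimInstance\b",
    r"\bInvoke-CimMethod\b",
    r"\bNew-CimSession\b",
    r"\bRegister-WmiEvent\b",
    r"\[wmiclass\]",
    r"\[wmi\]",
    r"ManagementObjectSearcher",
    r"\bwmic(\.exe)?\b",
]
COMPILED = re.compile("|".join(WMI_CIM_PATTERNS), re.IGNORECASE)

# Hints of remote use or process creation that raise the category.
LATERAL_HINTS = re.compile(r"-ComputerName\s+|-CimSession\s+|Win32_Process", re.IGNORECASE)

# Constructed sample lines in the shape "timestamp host user | script text".
SAMPLE_LOG = """2025-09-18T01:40:11Z WS01 alice | Get-ChildItem C:\\Users\\alice\\Documents
2025-09-18T01:41:02Z WS01 alice | Get-CimInstance -ClassName Win32_OperatingSystem
2025-09-18T01:42:30Z WS01 svc_backup | Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine='calc.exe'} -ComputerName FS02
2025-09-18T01:43:05Z WS01 bob | Write-Host "hello"
2025-09-18T01:44:19Z WS01 bob | ([wmiclass]"\\\\FS02\\root\\cimv2:Win32_Process").Create("notepad.exe")
2025-09-18T01:45:00Z WS01 alice | wmic.exe process list brief
"""


def parse_line(line):
    """Split a constructed log line into (timestamp, host, user, script)."""
    meta, _, script = line.partition(" | ")
    ts, host, user = meta.split(" ", 2)
    return ts, host, user, script


def classify(script):
    """None if no WMI/CIM use, 'wmi' for plain use, 'wmi-remote' when remoting hints are present."""
    if not COMPILED.search(script):
        return None
    return "wmi-remote" if LATERAL_HINTS.search(script) else "wmi"


def find_wmi_activity(log_text):
    """Return (timestamp, user, category, script) for every line that touches WMI/CIM."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, _host, user, script = parse_line(raw)
        cat = classify(script)
        if cat:
            hits.append((ts, user, cat, script))
    return hits


if __name__ == "__main__":
    for ts, user, cat, script in find_wmi_activity(SAMPLE_LOG):
        print(f"{ts} {user:12} {cat:11} {script}")
```

Of the six constructed lines, four are flagged; the two remote ones (a CIM process creation against FS02 and a `[wmiclass]` call against a UNC path) come out as "wmi-remote". In production the same patterns would be applied to Event ID 4104 script-block text rather than a hand-built string.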
That's a bit nasty - a threat actor uses #Velociraptor as their primary C2 implant on the victim's system.

You think they might also let the victim use it for responding to the compromise as well? 😂

news.sophos.com/en-us/2025/0...

#DFIR #IncidentResponse #ThreatDetection #ThreatIntel
August 28, 2025 at 6:16 AM
"I SPy" Entra ID Global Admin Escalation Technique

Datadog's Security Labs identified an abuse of Office 365 Exchange Online service principal (SP) allowing escalation to Global Admin. MSRC considers it "expected misconfiguration" so don't expect a fix.

🔗 securitylabs.datadoghq.com/articles/i-s...
July 19, 2025 at 4:18 AM
This is an interesting write-up on a slightly different #Docker #container #malware attack from the Cado Security and Darktrace teams.

🔗 www.darktrace.com/blog/obfusca...
April 28, 2025 at 10:46 AM
This is a really nice write-up from Sekoia with lots of #ThreatDetection details, regardless of the #EDR you're using.

🔎 Of particular note, this attack is aided with a .LNK file pulling in a .HTA via a remote location.
April 23, 2025 at 12:50 PM
With all the talk about the use of #Signal by government officials in the US, it's worth remembering #ThreatActors will target what they need to steal the data they want.

🔗 cloud.google.com/blog/topics/...
March 25, 2025 at 11:39 PM
#BYOVD attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools.
Make sure you're #ThreatHunting for new Vulnerable Drivers!

#IncidentResponse #ransomware #ThreatDetection
March 2, 2025 at 9:54 PM
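As an added example of the hunt the post calls for (not code from the post or any vendor), the Python below compares a host's loaded-driver inventory against a baseline of previously seen driver hashes and a blocklist of known-vulnerable driver hashes, and also flags drivers that are unsigned, signed by a publisher outside a small trusted set, or loaded from outside the system driver directory. The inventory, baseline, blocklist, driver names, paths and signer strings are all constructed placeholders; in practice the blocklist comes from a curated vulnerable-driver list and the inventory from an EDR or a driver enumeration on the host.

```python
"""Added example (not from the original post): a small BYOVD hunt over a
constructed driver inventory. All hashes, names, paths and signers are
constructed stand-ins, not real vulnerable-driver indicators."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the given bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for driver image bytes, hashed so the example is
# reproducible offline.
VULN_DRIVER_BYTES = b"constructed: known vulnerable driver image"
SYSTEM_DRIVER_DIR = r"C:\Windows\System32\drivers"

# (driver name, image path, sha256, signer); signer None means unsigned.
CURRENT_INVENTORY = [
    ("disk.sys", r"C:\Windows\System32\drivers\disk.sys",
     sha256_hex(b"constructed: disk.sys"), "Microsoft Windows"),
    ("ndis.sys", r"C:\Windows\System32\drivers\ndis.sys",
     sha256_hex(b"constructed: ndis.sys"), "Microsoft Windows"),
    ("vendor_util.sys", r"C:\Windows\Temp\vendor_util.sys",
     sha256_hex(VULN_DRIVER_BYTES), "Example Vendor Ltd"),
    ("oddtool.sys", r"C:\ProgramData\oddtool.sys",
     sha256_hex(b"constructed: oddtool.sys"), None),
]

# Hashes seen on this host before today (constructed baseline).
BASELINE_HASHES = {
    sha256_hex(b"constructed: disk.sys"),
    sha256_hex(b"constructed: ndis.sys"),
}
# Placeholder for a curated list of known-vulnerable driver hashes.
VULNERABLE_HASHES = {sha256_hex(VULN_DRIVER_BYTES)}
TRUSTED_SIGNERS = {"Microsoft Windows"}


def hunt_drivers(inventory, baseline_hashes, vulnerable_hashes, trusted_signers):
    """Return drivers with at least one finding, most reasons first."""
    findings = []
    for name, path, digest, signer in inventory:
        reasons = []
        if digest in vulnerable_hashes:
            reasons.append("known-vulnerable-hash")
        if digest not in baseline_hashes:
            reasons.append("new-since-baseline")
        if signer is None:
            reasons.append("unsigned")
        elif signer not in trusted_signers:
            reasons.append("untrusted-signer")
        if not path.lower().startswith(SYSTEM_DRIVER_DIR.lower() + "\\"):
            reasons.append("outside-driver-dir")
        if reasons:
            findings.append({"driver": name, "path": path,
                             "sha256": digest, "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in hunt_drivers(CURRENT_INVENTORY, BASELINE_HASHES,
                          VULNERABLE_HASHES, TRUSTED_SIGNERS):
        print(f"{f['driver']:16} {', '.join(f['reasons'])}")
```

The two baseline Microsoft drivers produce no findings; the constructed vulnerable driver is flagged on four counts and the unsigned one on three. Ranking by number of reasons is deliberately simple: a hash match alone is enough to act on, while "new-since-baseline" on its own is a prompt to look, not an alert.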
Join me for SANS Institute #Perth Community Night today!

📋 Registration
Thurs, 13 Feb 2025
5:30pm – 6pm

🎤 Presentation
6pm – 7pm

Register Here: https://www.sans.org/mlp/community-night-perth-february-2025/

📍The Pan Pacific Perth Hotel, 207 Adelaide Terrace, Perth WA 6000
February 12, 2025 at 11:00 PM