Josh Lemon
@joshlemon.bsky.social
Chief of DIFR at SoteriaSec | SANS Institute Principal Instructor | SANS FOR509 co-author | Director MDR Uptycs | Digital Forensics & Incident Response geek.
I'm not sure this will have a significant impact on what Threat Actors do with WMI; however, it'll at least force a Threat Actor to use PowerShell, where there is better built-in visibility (if it's enabled) compared to WMIC.
September 18, 2025 at 1:37 AM
🚨 Alert on new credentials added to SPs.
🔥 Monitor changes to federated domains (federationConfiguration).
🕵🏼‍♂️ Hunt unusual Graph API calls to /domains, /credentials, and /federationConfiguration.

#DFIR #ThreatHunting #EntraID #CloudForensics #M365 #ThreatDetection
July 19, 2025 at 4:18 AM
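Added worked example (my own code, not from the post above): a small Python hunt that applies the three tips to constructed Graph API request records, flagging write calls to service principal credential endpoints, /domains and /federationConfiguration and grouping hits by actor. The JSON field names (RequestMethod, RequestUri, UserId) and the sample records are assumptions, not a guaranteed log schema.

```python
import json
import re
from collections import Counter

# Constructed sample records, loosely modelled on Graph API request logging.
# Field names are an assumption; map them to whatever your log source uses.
SAMPLE_LOG = """\
{"time":"2025-07-18T09:01:02Z","RequestMethod":"GET","RequestUri":"https://graph.microsoft.com/v1.0/users","UserId":"u-101"}
{"time":"2025-07-18T09:03:15Z","RequestMethod":"POST","RequestUri":"https://graph.microsoft.com/v1.0/servicePrincipals/sp-42/addPassword","UserId":"u-202"}
{"time":"2025-07-18T09:05:40Z","RequestMethod":"PATCH","RequestUri":"https://graph.microsoft.com/beta/domains/contoso.com/federationConfiguration/fc-1","UserId":"u-202"}
{"time":"2025-07-18T09:06:01Z","RequestMethod":"GET","RequestUri":"https://graph.microsoft.com/v1.0/domains","UserId":"u-303"}
{"time":"2025-07-18T09:07:22Z","RequestMethod":"DELETE","RequestUri":"https://graph.microsoft.com/v1.0/domains/contoso.com","UserId":"u-202"}
"""

# Reads are noisy; the hunt is for changes, so only write methods are scored.
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}

# Most specific pattern first so a federation change is not reported as a plain domain change.
RULES = [
    ("federation_config_change", re.compile(r"/domains/[^/]+/federationConfiguration", re.I)),
    ("domain_change", re.compile(r"/domains(/|$)", re.I)),
    ("sp_credential_added", re.compile(r"/servicePrincipals/[^/]+/(addPassword|addKey)$", re.I)),
]


def classify(record):
    """Return the name of the first rule matching a write request, else None."""
    if record.get("RequestMethod", "").upper() not in WRITE_METHODS:
        return None
    path = record.get("RequestUri", "").split("?", 1)[0]  # drop query string
    for name, pattern in RULES:
        if pattern.search(path):
            return name
    return None


def hunt(log_text):
    """Parse JSON lines and return (time, actor, rule, uri) for every hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rule = classify(rec)
        if rule:
            hits.append((rec["time"], rec.get("UserId"), rule, rec["RequestUri"]))
    return hits


def by_actor(hits):
    """Count hits per actor: one identity touching SP creds and federation config in minutes stands out."""
    return dict(Counter(actor for _, actor, _, _ in hits))


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(by_actor(found))
```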
Here are some recent TTPs for Scattered Spider as well.
www.crowdstrike.com/en-us/blog/c...
July 9, 2025 at 6:15 AM
#ScatteredSpider are particularly good at #SocialEngineering their way via a third party to other victims.

For clarity, #ScatteredSpider are considered the initial access group; #DragonForce #ransomware is the malware deployed once #ScatteredSpider are inside your network.
July 9, 2025 at 6:07 AM
💡 On a side note, this is a great write-up on #container #DFIR analysis if you're interested.
April 28, 2025 at 10:46 AM
🕵🏼‍♂️ This malicious #container uses TENEO heartbeats to effectively earn credits. TENEO's ledger isn't exactly public, so tracking the tokens isn't simple; there also doesn't appear to be a way to cash out... yet.
April 28, 2025 at 10:46 AM
🕵🏼‍♂️ Detect .LNK files making external connections; they are particularly easy to tune.

🕵🏼‍♂️ Detect mshta.exe running suspicious executables (i.e. cmd.exe).

Happy #ThreatHunting

🔗 blog.sekoia.io/detecting-mu...
April 23, 2025 at 12:50 PM
- Make sure you go #ThreatHunting for compromised systems; prioritise public-facing systems.

🕵🏼‍♂️ YARA signature: github.com/Neo23x0/sign...

ℹ️ Public disclosure: www.openwall.com/lists/oss-se...

⚙️ PoC Demo: x.com/Horizon3Atta...
signature-base/yara/vuln_erlang_otp_ssh_cve_2025_32433.yar at master · Neo23x0/signature-base
YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base
April 19, 2025 at 5:12 AM
Google's Threat Intelligence Group published details last month of Russian #APTS targeting #Signal

➡️ Maliciously getting victims to scan QR codes
➡️ Maliciously cloning incoming messages with a Linked Device
➡️ Stealing the message database off a device
March 25, 2025 at 11:39 PM
Win 11 now has a Vulnerable Driver Blocklist feature; however, it's only updated in major updates, so you still need to monitor for recently discovered Vulnerable Drivers.

Recent Vuln Driver: www.bleepingcomputer.com/news/securit...

Known Vuln Drivers: www.loldrivers.io
Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks
Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
March 2, 2025 at 9:54 PM
Remember this is just one botnet of #PlugX; it's still used in the wild by many other threat actor groups.

For you #DFIR folks, ensure you know how to go #ThreatHunting for DLL Side-Loading to find #PlugX in your network.
January 15, 2025 at 9:15 PM