Twitter | Search
JAMESWT Sep 18
JAMESWT Sep 23
John Sep 21
It was good fun watching and Co. drop more and more of these domains in our internal channel! The lesson I learnt from watching this is to keep an eye on other TLDs when tracking domains, as it can be a gold mine.
Kyle Cucci 28m
Can AV vendors please stop calling and similar tools "riskware" or "PUAs/PUPs"? I think by now these "tools" are being used more often by threat actors than by pentesters...
Ptrace Security GmbH Sep 21
Bryce Sep 23
"update.dockerresearchlabs[.]com" registered 2020-09-14, resolves to 45.77.253.233 🌶 Self-signed SSL: "C=TR, ST=Istanbul, L=Istanbul Buyuksehir Belediyesi, O=EsT Country, OU=ESTTKEY, CN=alahuakber" (⚡️ )
Kyle Cucci Sep 21
Today’s fresh beacons being delivered here! Happy Monday :)
hxxp://185.207.154[.]19:8077/U5aq
hxxp://43.251.158[.]68:23231/Hf5z
cc
Kyle Cucci Sep 18
Fresh beacons delivered here, with a Windows Update theme. Happy Friday!
hxxps://101.32.46[.]240/
Likely C2 domain: windows-update[.]nz
cc
Kris McConkey Sep 21
With great separate Cobalt Strike detection papers recently released by and , and and tagging some DoppelPaymer (), it seems like a good time to burn their recent 'Akamai' cluster.
Bryce 23h
teamservers with fake " Internet Security" self-signed SSL certs:
- 108.177.235.223 (Leaseweb)
- 23.106.124.136 (Leaseweb)
"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"
THE WEEK Sep 16
The installed on Indian government-protected computers
Bryce Sep 16
Fake " CDN" beacon C2 using ... Cloudflare 🥇
- C2 -> cdn-cloudflare[.]org ☁️🔥
- Amazon malleable C2 Payload:
ᵖRͥoͤmͭaͬnͦo ツ Sep 21
Bryce Sep 23
⚡️Now using code signing CA --
🔊 C2 -> conwaytools[.]me
🔐 Signed -> "KLAKSON, LLC"
Same custom loader from here, low AV % detected h/t
Chainkit - Hot New #RSAC2020 Product Sep 21
Gr8 paper from on Chainkit would welcome the opportunity to enhance this important research with elusive detection, popularized by Cobalt Strike:
Nocturnus Sep 17
We are seeing multiple -gang interactive hacking operations, featuring a new Loader, delivering an additional Bazar Loader (!), performing their signature reconnaissance activity and deploying . IOCs:
Dr.FarFar Sep 20
Proactive juice is always worth the squeeze: 🔊 C2 -> toproy[.]com
2020-09-01: Domain creation_date
2020-09-08: Proactive discovery for
2020-09-11: Beacon DLLs found in VirusTotal
Ptrace Security GmbH 5h
_re_fox Sep 18
Replying to @_re_fox
from 9ecc0e4b28a59643eb56bd0e33ee120e
Likely C2: 39.103.129[.]174
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40
Bryce Sep 16
When you eat the celery that comes with the wings
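The beacon IOCs in this feed are posted defanged (hxxp, [.]) and the teamserver certs are quoted as raw subject strings. The script below is an added example, not code from any of the tweet authors: it refangs and extracts the URLs, IP:port pairs, domains and MD5s from text copied out of the tweets above (assembled here as constructed sample input), re-defangs them for sharing, and does a first-pass triage of the quoted self-signed cert subjects. The AV brand list and the "two-letter country code" heuristic are assumptions for illustration; the subject parser assumes no escaped commas in the RDN values.

```python
"""Extract and refang defanged IOCs from threat-intel tweets, and triage the
self-signed cert subjects they quote. Added example, not any tweet author's code."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: IOC text copied from the tweets on this page.
SAMPLE_TWEETS = [
    "Today's fresh beacons being delivered here! hxxp://185.207.154[.]19:8077/U5aq "
    "hxxp://43.251.158[.]68:23231/Hf5z",
    "Fresh beacons delivered here, with a Windows Update theme. "
    "hxxps://101.32.46[.]240/ Likely C2 domain: windows-update[.]nz",
    '"update.dockerresearchlabs[.]com" registered 2020-09-14, resolves to 45.77.253.233',
    "from 9ecc0e4b28a59643eb56bd0e33ee120e Likely C2: 39.103.129[.]174",
    'C2 -> conwaytools[.]me Signed -> "KLAKSON, LLC"',
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")
# Assumption: a short triage list of AV brands impersonated in fake cert subjects.
AV_BRANDS = ("eset", "kaspersky", "avast", "norton", "mcafee", "bitdefender", "symantec")


@dataclass
class IOCs:
    urls: List[str]
    ips: List[str]  # "a.b.c.d" or "a.b.c.d:port"
    domains: List[str]
    md5s: List[str]


def refang(text: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] (.) {.} -> ., [://] -> ://, [:] -> :."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"[\[({]\.[\])}]", ".", text)
    text = re.sub(r"\[://\]", "://", text)
    return re.sub(r"\[:\]", ":", text)


def defang(ioc: str) -> str:
    """Make a refanged IOC safe to paste back into a tweet or chat."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def _valid_ip(candidate: str) -> bool:
    """Reject octets > 255 and ports outside 1..65535 that the regex lets through."""
    host, _, port = candidate.partition(":")
    octets_ok = all(0 <= int(o) <= 255 for o in host.split("."))
    return octets_ok and (not port or 1 <= int(port) <= 65535)


def extract_iocs(text: str) -> IOCs:
    """Pull URLs, IPs (with port if given), domains and MD5s out of one text blob."""
    text = refang(text)
    urls = set(URL_RE.findall(text))
    ips = {m for m in IP_RE.findall(text) if _valid_ip(m)}
    domains = set()
    for u in urls:  # hostnames of the URLs, unless they are literal IPs
        host = urlsplit(u).hostname or ""
        if host and not IP_RE.fullmatch(host):
            domains.add(host.lower())
    for d in DOMAIN_RE.findall(URL_RE.sub(" ", text)):  # bare domains outside URLs
        domains.add(d.lower())
    md5s = {m.lower() for m in MD5_RE.findall(text)}
    return IOCs(sorted(urls), sorted(ips), sorted(domains), sorted(md5s))


def extract_all(tweets: List[str]) -> IOCs:
    """Merge the IOCs of several tweets into one de-duplicated, sorted set."""
    return extract_iocs("\n".join(tweets))


def parse_subject(subject: str) -> Dict[str, str]:
    """'C=TR, ST=Istanbul, ..., CN=x' -> {'C': 'TR', ...}. Assumes no escaped commas."""
    rdn = {}
    for part in subject.split(","):
        key, sep, value = part.partition("=")
        if sep:
            rdn[key.strip().upper()] = value.strip()
    return rdn


def subject_flags(subject: str) -> List[str]:
    """Cheap triage of a self-signed cert subject: bogus C= field, AV-brand impersonation."""
    rdn = parse_subject(subject)
    flags = []
    country = rdn.get("C", "")
    if not re.fullmatch(r"[A-Z]{2}", country):
        flags.append(f"C={country!r} is not a two-letter country code")
    blob = " ".join(rdn.get(k, "") for k in ("O", "OU", "CN")).lower()
    for brand in AV_BRANDS:
        if brand in blob:
            flags.append(f"AV brand {brand!r} in O/OU/CN")
            break
    return flags


if __name__ == "__main__":
    found = extract_all(SAMPLE_TWEETS)
    for kind in ("urls", "ips", "domains", "md5s"):
        for ioc in getattr(found, kind):
            print(f"{kind:8} {ioc:40} share as: {defang(ioc)}")
    for subj in (
        "C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security",
        "C=TR, ST=Istanbul, L=Istanbul Buyuksehir Belediyesi, O=EsT Country, OU=ESTTKEY, CN=alahuakber",
    ):
        print(subj, "->", subject_flags(subj) or ["no flags"])
```

The port is kept with the IP on purpose: the non-standard ports (8077, 23231) are part of what makes these beacon listeners identifiable, and dropping them would merge a teamserver listener with whatever else shares the host. The cert check is only a first pass; both subjects quoted on this page are self-signed, so the decisive signal is the fingerprint, not the subject text.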