Topic
Threat Intelligence
RQ Threat Advisory Report: HAFNIUM/Exchange Zero-Days
On March 2, 2021, Microsoft Security Response Center released updates related to vulnerabilities affecting on-premises deployments of Microsoft Exchange Server 2013/2016/2019. Microsoft also revealed details around active exploitation of these vulnerabilities using zero-day exploits. The exploited vulnerabilities span several classifications, including server-side request forgery (SSRF), deserialization, and a set of arbitrary file write vulnerabilities; all […]
Detect Solorigate and SUNBURST Attacker Techniques with the MITRE ATT&CK Framework—We’ll Get You Started
As folks are continuing to work to address the Solorigate/ SUNBURST compromise, our team has been mapping the tactics and techniques used by the attackers to the MITRE ATT&CK framework, and building detection content to deploy for our customers. If you haven’t already, please read this blog first to get the basics. What follows is […]
Solorigate, SUNBURST aka FireEye and SolarWinds Compromise – Recommended Actions to Limit Your Exposure
Threat Advisory On December 13th, a disclosure was made for a compromise in the SolarWinds IT Management software suite code base that made a supply chain attack possible for all SolarWinds customers. Attackers implanted backdoors in legitimate, signed DLL files contained in update packages for SolarWinds Orion in March and June of 2020 that were then used to breach customers who upgraded to the affected versions (versions 2019.4 HF 5 […]
Threat Hunting Use Case: DNS Queries
In one of our previous Threat Hunting Use Case blogs, Firewall Targeting DNS, we focused on using firewall data to observe outbound DNS traffic in an environment to identify threats and potential security hygiene issues. One specific objective involved identifying potential endpoints bypassing internal DNS forwarders, in order to address any gaps in security controls or […]
Credential Dumping Part 2: How to Mitigate Windows Credential Stealing
Credential theft is part of almost all attacks within a network, and one of the most widely known forms of credential stealing is surrounding clear-text credentials by accessing lsass.exe. However, this is only a piece of the bigger picture of the Windows credential model. In Part 1 of the Credential Dumping Series, I took a closer look […]
Credential Dumping Part 1: A Closer Look at Vulnerabilities with Windows Authentication and Credential Management
For many of us in cybersecurity, we know that credential theft is part of almost all attacks within a network. Arguably, one of the most known forms of credential stealing is surrounding clear-text credentials by accessing lsass.exe. Almost synonymous with credential stealing is the popular tool Mimikatz, which is able to access the LSASS (Local Security Authority Subsystem […]
Top 3 Techniques for Improving Your Threat Intelligence Alerting
Threat intelligence is invaluable for any organization; the ability to leverage the security community’s combined knowledge of threats can take an organization’s security program to the next level. This shared information usually takes the form of indicators of compromise (IOCs), which can be IP addresses, domains, hashes, or other data types related to a threat. […]
Insider Threat: Top 3 Indicators of Data Exfiltration from Your Organization’s Cloud Applications
We usually expect attackers to come from outside of the organization. However, imagine that you now received word of sensitive data about your organization being discovered out in the wild. There was never an external entity accessing any critical systems or data shares. Yes, the attack originated from an employee of your organization. Could you […]
Mining for Better Threat Intelligence: Cryptominer Pools
Cryptomining has become a popular method for attackers to profit from compromised systems. By installing cryptocurrency mining software on a host, attackers can utilize the host’s CPU and GPU resources to “mine” cryptocurrency, which can then be exchanged for non-digital currency or used for purchases. The attack has become so prevalent, it has earned its […]
No results
