Author | Lightnews

Josh Lemon @joshlemon.bsky.social · Sep 18

I'm not sure this will have a significant impact on what Threat Actors do with WMI, however, it'll at least force a Threat Actor to use PowerShell where there is better built-in visibility (if it's enabled), compared to WMIC.

2

Josh Lemon @joshlemon.bsky.social · Sep 18

Wow, Microsoft is removing #WMIC from Windows!
But they aren't removing the underlying WMI framework, so threat actors will have to use PowerShell to access WMI.

🔗 techcommunity.microsoft.com/blog/windows...

#IncidentResponse #ThreatDetection #ThreatIntel #CSIRT #CERT

1 2

Josh Lemon @joshlemon.bsky.social · Aug 28

That's a bit nasty - a threat actor uses #Velociraptor as their primary C2 implant on the victim's system.

You think they might also let the victim use it for responding to the compromise as well? 😂

news.sophos.com/en-us/2025/0...

#DFIR #IncidentResponse #ThreatDetection #ThreatIntel

Josh Lemon @joshlemon.bsky.social · Jul 19

🚨 Alert on new credentials added to SPs.
🔥 Monitor changes to federated domains (federationConfiguration).
🕵🏼‍♂️ Hunt unusual Graph API calls to /domains, /credentials, and /federationConfiguration.

#DFIR #ThreatHunting #EntraID #CloudForensics #M365 #ThreatDetection

Josh Lemon @joshlemon.bsky.social · Jul 19

"I SPy" Entra ID Global Admin Escalation Technique

Datadog's Security Labs identified an abuse of Office 365 Exchange Online service principal (SP) allowing escalation to Global Admin. MSRC considers it "expected misconfiguration" so don't expect a fix.

🔗 securitylabs.datadoghq.com/articles/i-s...

1

Josh Lemon @joshlemon.bsky.social · Jul 9

Here are some recent TTPs for Scattered Spider as well.
www.crowdstrike.com/en-us/blog/c...

Josh Lemon @joshlemon.bsky.social · Jul 9

#ScatteredSpider are particularly good at #SocialEngineering their way via a third-party to other victims.

For clarity, #ScatteredSpider are considered the initial access group, #DragonForce #ransomware is the malware deployed once #ScatteredSpider are inside your network.

Josh Lemon @joshlemon.bsky.social · Jul 9

This is a timely reminder to ensure any third-parties with access to your systems follow the same cyber policies you'd expect your internal staff to follow.

www.bleepingcomputer.com/news/securit...

#IncidentReponse #DataBreach #CSIRT

M&S confirms social engineering led to massive ransomware attack

M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack.

www.bleepingcomputer.com

2

Josh Lemon @joshlemon.bsky.social · Apr 28

💡 On a side note, this is a great write up on #container #DFIR analysis if you're interested.

Josh Lemon @joshlemon.bsky.social · Apr 28

🕵🏼‍♂️ This malicious #container uses TENEO heartbeats to effectively earn credits. TENEO's ledger isn't exactly public so tracking the tokens isn't simple, there also doesn't appear to be a way to cash out...yet.

1

Josh Lemon @joshlemon.bsky.social · Apr 28

This is an interesting write up on a slightly different #Docker #container #malware attack from the Cado Security and Darktrace teams.

🔗 www.darktrace.com/blog/obfusca...

1 2 1

Josh Lemon @joshlemon.bsky.social · Apr 23

Here's an update on the data breach of court documents from the NSW JusticeLink website.

tl;dr - it was an individual that was able to download +9k documents over two months, it doesn't appear they were leaked anywhere publicly.

www.theguardian.com/australia-ne...

NSW man charged over ‘serious data breach’ that exposed thousands of sensitive court documents

More than 9,000 files downloaded from NSW JusticeLink system but authorities say no personal data compromised

www.theguardian.com

Josh Lemon @joshlemon.bsky.social · Apr 23

🕵🏼‍♂️ Detect .LNK files making external connections, they are particularly easy to tune.

🕵🏼‍♂️ Detect mshta.exe running suspicious executables (i.e. cmd.exe).

Happy #ThreatHunting

🔗 blog.sekoia.io/detecting-mu...

Josh Lemon @joshlemon.bsky.social · Apr 23

This is a really nice write up from Sekoia with lots of #ThreatDetection details, regardless of the #EDR you're using.

🔎 Of particular note, this attack is aided with a .LNK file pulling in a .HTA via a remote location.

1 1

Josh Lemon @joshlemon.bsky.social · Apr 19

- Make sure you go #ThreatHunting for compromised systems, prioritise public facing systems.

🕵🏼‍♂️ YARA signature: github.com/Neo23x0/sign...

ℹ️ Public disclosure: www.openwall.com/lists/oss-se...

⚙️ PoC Demo: x.com/Horizon3Atta...

signature-base/yara/vuln_erlang_otp_ssh_cve_2025_32433.yar at master · Neo23x0/signature-base

YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base

github.com

Josh Lemon @joshlemon.bsky.social · Apr 19

🚨 New Critical RCE in Erlang/0TP SSH (CVSS 10)

- CVE-2025-32433
- Exploitable without authentication needed
- Exists in Erlang's built-in SSH server
- Commonly found in loT and Teleco gear
- Exploit model now in Metasploit and on GitHub

1

Josh Lemon @joshlemon.bsky.social · Mar 25

Google's Threat Intelligence Group published details last month of Russian #APTS targeting #Signal

➡️ Maliciously getting victims to scan QR codes
➡️ Maliciously cloning incoming messages with a Linked Device
➡️ Stealing the message database off a device

Josh Lemon @joshlemon.bsky.social · Mar 25

With all the talk about the use of #Signal by government officials in the US, it's worth remembering #ThreatActors will target what they need to steal the data they want.

🔗 cloud.google.com/blog/topics/...

1

Josh Lemon @joshlemon.bsky.social · Mar 2

Vuln Driver Blocklist: learn.microsoft.com/en-us/window...

Microsoft recommended driver block rules

View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.

learn.microsoft.com

Josh Lemon @joshlemon.bsky.social · Mar 2

Win 11 now has a Vulnerable Driver Blocklist feature, however, it's only updated in major updates so you still need to monitor for recently discovered Vulnerable Drivers.

Recent Vuln Driver: www.bleepingcomputer.com/news/securit...

Known Vuln Drivers: www.loldrivers.io

Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks

Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.

www.bleepingcomputer.com

1

Josh Lemon @joshlemon.bsky.social · Mar 2

#BYOVD attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools.
Make sure you're #ThreatHunting for new Vulnerable Drivers!

#IncidentResponse #ransomware #ThreatDetection

1

Josh Lemon @joshlemon.bsky.social · Feb 12

Join me for SANS Institute #Perth Community Night today!

📋 Registration
Thurs, 13 Feb 2025
5:30pm – 6pm

🎤 Presentation
6pm – 7pm

Register Here: https://www.sans.org/mlp/community-night-perth-february-2025/

📍The Pan Pacific Perth Hotel, 207 Adelaide Terrace, Perth WA 6000

Josh Lemon @joshlemon.bsky.social · Jan 15

I just found this amazing repository of credential stealer system info files by #MalBeacon, along with #YARA sigs for them.
Useful to ID a cred stealer or going #ThreatHunting.

github.com/MalBeacon/wh... #threatintel #infosec #malware #DFIR

GitHub - MalBeacon/what-is-this-stealer: A repository of credential stealer formats

A repository of credential stealer formats . Contribute to MalBeacon/what-is-this-stealer development by creating an account on GitHub.

github.com

Josh Lemon @joshlemon.bsky.social · Jan 15

Remember this is just one botnet of #PlugX it's still used in the wild by many other threat actor groups.

For you #DFIR folks, ensure you know how to go #ThreatHunting for DLL-Side Loading to find #PlugX in your network.

Josh Lemon @joshlemon.bsky.social · Jan 15

The #FBI mass-removed #PlugX #malware from infected US computers. The infections were attributed to #MustangPanda (aka #TwillTyphoon).

https://buff.ly/3PBmOpe
#IncidentResponse

FBI wipes Chinese PlugX malware from over 4,000 US computers

The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States.

www.bleepingcomputer.com

1