In today’s episode of #RabbitHoleWednesday, I stumbled upon this tweet — — about APT28’s activities. While several points were intriguing, two items particularly caught my eye: The use of a headless browser (which isn’t exactly groundbreaking, but perhaps not widely recognized?). The mention of mockbin sites. I decided to…

In the intricate battleground of cybersecurity, the defense against malicious bootloaders, or bootkits, has always been a relentless game of cat and mouse. As defenders work tirelessly to understand, identify, and revoke these concealed threats, adversaries continue to exploit and advance their craft. Enter Bootloaders.io, a monumental stride exposing bootkits! …

Introducing LOLDrivers 2.0: A significant milestone that refines the user experience and expands upon our comprehensive threat detection capabilities. The landing page is now more accessible with the addition of categories and individual download buttons for each hash, and despite a brief hiatus, the search function is back by popular…

First — We want to thank everyone for the feedback and comments! We really appreciate it. Introduction Since its inception, the Living Off The Land Drivers (LOLDrivers) project has seen tremendous growth and success. As a reminder, the project aims to provide a comprehensive and well-maintained repository of drivers with known…

Today, we are excited to announce the release of the Living Off The Land Drivers project. This project aims to consolidate as many vulnerable and malicious drivers as possible into a single location, making it accessible for everyone to find and learn from. This invaluable resource empowers organizations to better…

On September 28th it was disclosed by GTSC that there was a possible new zero day being abused in the wild beginning in early August. Although this campaign looked very similar to the previously abused vulnerability in Microsoft Exchange, dubbed ProxyShell at the time, comprising 3 CVEs ( CVE-2021–34473, CVE-2021–34523…

What was dubbed Follina (or CVE-2022–30190) came and went. It was many things, but the part that may be of most interest was the use of protocol handlers. A protocol handler is an application that knows how to handle particular types of links. As an example, a mail client is…

Red Canary Threat Research released 2 new AtomicTestHarnesses — Invoke-ATHDumpLsass and Invoke-ATHLogonUser Today I am going to showcase Invoke-ATHDumpLSASS and how I validated my current coverage. As a defender, this really assists with validating depth of coverage with an EDR product or SIEM content. Lots of moving parts here, but…

I recently listened to a Red Canary sponsored Risky Business podcast. The topic was around Atomic Red Team. A term kept being tossed around that attacker emulation is for the security 1%. Now, maybe I am reading into it too much, but since July 6th I can’t stop thinking about…