Incident Response

Malware Type: Backdoor Trojan — IOCs(Indicators of Compromise): vasumov.dat, vasumov.exe, avvenne.ini, destinata.ini, ora.exe.com, qual.ini, IP Address: 195.58.48.252, C2s: suqklp53.top, xxxp://moraub06.top/index.php, xxxp://cazars09.top/downfiles/lv.exe File Information and Hashes: Stage 1: Triage A user attempted to torrent Microsoft Word. Crowdstrike Falcon detected the activity from the setup file that they downloaded. Instead of installing Microsoft Word it runs the following command from cmd.exe:

Hello Folks, In this article, we will be looking at detecting and hunting two types of webshells. Webshells abusing w3wp to execute malicious commands via cmd or powershell Webshells implanted by attackers of wordpress based websites. Lets Start! Before looking at the first type of webshells, lets understand what w3wp…

A quick review of Security Incidents this week.

Hi, hope you are well. I’m Muhammad Talha Arshad, a security researcher from Pakistan. This was my first project related to incident response and forensics along with Hamza Rabbani. So, a million-dollar organization was hit by the “hive” ransomware group. They pwned everything in their network and live there for…

SOURCE: HALOCK Breach Bulletin An overview of the breach: Description, Indicators of Compromise (IoC), Containment, Prevention DESCRIPTION Salusive Health, a California based healthcare firm, announced in early May that it had been the victim of a data breach. The digital healthcare startup, also known as myNurse, specializes in providing care…

Remotely investigate your endpoints with Velociraptor Intro Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It was developed by Digital Forensic and Incident Response (DFIR) professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of…

Introduction Hacker sophistication continues to outpace traditional defense technology such as SIEM, DLP, UEBA, and SOAR. The fallout of such breaches will continue to increase in magnitude due to widespread migration to multi-cloud platforms, server-less deployments and the large-scale adoption of SaaS applications. Complex scenarios require sophisticated automation, especially with…

We spent some time talking to Gergely Orosz about our thoughts on what happens when an incident is over, and you’re looking back on how things went. If you haven’t read it already, grab a coffee, get comfortable, and read Gergely’s full article Postmortem Best Practices. But before you do…