Email

December 22, 2023 - 3 mins read

300 Emails? It was 24 hours! I would have never thought as a front line manager of a small team that I could receive as much email as I do. It’s so overwhelming, I’ve taken to putting my Out of Office as “Due to the volume of email, I will be deleting all email received in my absence. Please hold important correspondence til my return on 3 January 2024”! So, how do we communicate to our peers and leaders if they’re also receiving this much email, or multitudes more?

Velociraptor Offline Collector

December 1, 2023 - 3 mins read

This is a living document and may be incomplete. Updated 1DEC2023 Locating Evidences of Execution using Prefetch, Velociraptor, and Zimmerman’s PECmd Prefetch is a common Windows artifact used for determining the first and last incidences of a program being executed. This file is a binary blob stored at $:\Windows\Prefetch and consists of a series of files named APPLICATION-GUID.pf. These files contain the name of the executable, the last n run date time groups a hash of the executable and path, and a list of files accessed by the .

Show And Tell

November 12, 2023 - 10 mins read

Once a week, our security team gathers everyone into a meeting and shares the last week’s worth of security related news and any new security initiatives. This one hour may be the most valuable meeting we attend and has the greatest impact on successful security outcomes. What is it? We call ours a Security Show & Tell. (You can call it whatever fun and exciting name fits your corporate culture.) Regardless of the name, the goal is to set aside an hour each week to share three kinds of security stories and our response to them.

2023.10.17.News You Should Know

October 17, 2023 - 4 mins read

CDW investigating ransomware gang claims of data theft (therecord.media) - #Ransomware #ThreatActor - CDW acknowledges breach of a subsidiary of a division of a business area. Threat actors miffed over $1m offer after $80m demand. HTTP/2 ‘Rapid Reset’ zero-day exploited in biggest DDoS yet • The Register - #Research #ThreatActor - Largest ever DDoS…from smallest ever botnet? 20k bots (multitudes smaller than previous botnets) were able to abuse HTTP/2 streaming to request hundreds of assets from a server over a single TCP stream (a feature of HTTP/2) then cancel those request midstream and request a hundred assets again.

LibWebP (CVE-2023-4863)

September 28, 2023 - 6 mins read

Here is a non-exhaustive list of possible mitigations to prevent the exploitation of CVE 2023-4863 in the LibWebP library. This library has a heap buffer overflow available across all operating systems, most browsers, an exceptional number of Electron framework applications. This CVE is rated a 10 after previously being rated 8.8. This was due to an original disclosure from Google stating that Chrome was the only effected application. After investigation, it was discovered that all instances of the LibWebP library were vulnerable across all platforms.

2023.03.21.News You Should Know

March 22, 2023 - 4 mins read

Silicon Valley Bank collapsed this month causing credit ratings of major banks to drop and another to fail. While a multitude of information about this is available we find it most interesting because threat actors are using the collapse as pretext for scam emails. These emails are sent to trusted third-party businesses asking for updates to the accounts payable or EFT details to threat actor controlled accounts. E.g.; “Our SVB account isn’t good anymore please use Threat Actor National Savings and Loan account 12345”

2023.02.28.News You Should Know

February 28, 2023 - 3 mins read

Mobile World Congress will feature highlights of mobile networks being utilized in the Russo-Ukrainian conflict Discussions will be held around Ukraine and Russia’s use of civilian mobile network infrastructure, the dangers of geo-location data, and the largest roaming disablement in mobile networking history. NIST is accepting comments on the newest version of the Cyber Security Framework {PDF} This version will seek to expand the below capabilities and provide additional guidance:

Malicious OneNote

January 24, 2023 - 4 mins read

Anatomy of a Malicious Email Attachment With Microsoft’s recent changes to macros within the Office and M365 suite, Threat Actors have changed their TTPs to utilize the OneNote (.one) file type for Malicious Code Delivery TL;DR (.one) files are a binary blob capable of embedding any file type. Threat actors are utilizing the prolific nature of OneNote to execute malicious code on endpoints. Block (.one) files from incoming email and dissociate commonly abused file extensions.

2023.01.17.News You Should Know

January 17, 2023 - 2 mins read

Microsoft is set to introduce significant changes to the Windows enterprise over the next year. With multiple security settings going from recommended to enforced. Highlights include the EOL for AD Connector 2.0.x, changes to MFA, and the end of standalone Office Apps for 2016/19. Caniphish’s Sebastian Salla published a review of thousands of misconfigured SPF records today allowing emails to be sent on behalf of foreign governments, the Massachusetts Institute of Technology, the University of Miami, among others.

2023.01.10.News You Should Know

January 10, 2023 - 3 mins read

House omnibus spending bill brings three interesting cybersecurity measures. Section 7030 will require cybersecurity to be a key consideration in the adoption of technology and specifically 5g technologies for members of the Digital Connectivity and Cybersecurity Partnership. The “No TikTok on Government Devices Act” bans the use of the Chinese-owned ByteDance company’s TikTok social media platform on goverment owned devices with power being given to the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to dictate how application management is performed.