- Detecting Abuse of VSCode Remote Tunnels: The article discusses Microsoft VSCode Remote Tunnels, emphasizing their potential for misuse by threat actors to gain access to corporate coding environments. It outlines how remote tunnels work, detailing a specific attack scenario involving a malicious LNK file and a Python script. Furthermore, it suggests detection and mitigation strategies to prevent such abuses.
- Microsoft Dev Tunnels: Tunnelling C2 and More: Attackers utilize Microsoft Dev Tunnels to establish undetected command and control (C2) channels, taking advantage of legitimate traffic. Their methods include using tunnel domains that pass through security systems due to trust in Microsoft. Detection remains difficult because the attacker's software may not be present on victim machines, complicating cybersecurity efforts.
- SVCHost.exe and Internet Sharing Triage: Intro: I recently had an interesting case, which involved some digging into SVCHost.exe and command line parameters passed to it. The Scenario: It started with an alert for a large number of DNS requests associated with an InfoStealer, ViperSoftx, from a user laptop. There were thousands of requests to the domains in a 90-minute period. Looking at the Endpoint telemetry available for the device, I could see…
- Virtual Machine Aware Phishing Sites: The Phish Page: Recently I came across an interesting phishing page which, when I browsed to it, showed nothing but a white blank page. There was no 404 or server not found error, just an empty page. I found this curious, so I observed the source code for the page. Much of the page was junk; however, after scrolling to the bottom, I did notice a script that…
- A Guide to Threat Hunting in a SOC: Introduction: You'd be forgiven for thinking that Threat Hunting is just another Cyber Buzz Word/Phrase spreading throughout the industry, the latest term used to push more product and managed services on a SOC. The reality, however, is that Threat Hunting is an extremely valuable skill and one that every SOC should have. In fact, I believe that Threat Hunting provides more value than the traditional approach that…