Blog
2024
- Oops, Supply Chain Compromise! - Part 1
  05-28-2024
  The year was 2022. Fresh into February and feeling good about the prospects for the days ahead. I had woken up around 7am, nothing unusual. Checking my email on my phone revealed news that was far more effective than any alarm clock. Much richer and full bodied than any cup of coffee. It was a threat hunting notice. A legitimate executable. A suspicious, but otherwise clean, domain. Something darker was lurking beneath the surface…
- Microsoft Teams + DarkGate Malware = A Match Made In Heaven - Part 1
  04-19-2024
  It was quite a mundane Monday. I had just signed off for the day and was looking forward to dinner plans with my family, when a delightful email graced my inbox. It was an alert for some suspicious cscript activity on an endpoint that needed to be investigated. Not good.
- The Case Of The Missing Method
  02-01-2024
  Today is a quick and fun one: we are going to look at an unassuming .vbs file titled “Scanned-REF23CR1103BILLED.vbs”. Surely legitimate business, right?
2023
- Fake Software Abusing Real Software For Fun And Profit - Part 2!
  09-29-2023
  Picking up where we left off, from Part 1.
- Fake Software Abusing Real Software For Fun And Profit - Part 1!
  08-24-2023
  Today I want to look at an interesting infection that abuses legitimate software in an attempt to stay covert and perform malicious activity unnoticed.
- Google Chrome Update? More Like Infected With Netsupport Rat!
  07-31-2023
  Today we received an alert about an endpoint running a suspicious commandline:
- Defeating Obfuscation With Dynamic Analysis And Powershell Logging
  06-13-2023
  It all started with ‘Creative Content Production.js’
- Multi-Language Script Execution Leads to Asyncrat
  03-17-2023
  Today I was reviewing Crowdstrike High and Critical detections for the entire org.