Hello everyone. Thank you for joining us today in Threat Report Roulette. We have some amazing guests today and I'm going to go through the list really quick. We have Chris Russell, and he's the head of information security for tZERO Group. We have Kiran, and he's a CTI analyst for a Big Four consulting cybersecurity firm. We have Will Thomas with us, and he is a security researcher for Cyjax. We have me, Xena Olsen, or Ch33r10, and I am a senior cybersecurity analyst at a Fortune 500. And we have the stakeholders: we have TheBlindHacker, he's representing red team, and he's an infosec enthusiast and all-around awesome dude. We have Danny D. Henderson, and he hails from being previously a CTI analyst but is moving more into DFIR, so he's going to represent the DFIR/CTI angle of Threat Report Roulette. We have Jorge, and he's the most awesome unicorn, joining us from SCYTHE; he represents red and purple, is the CTO and the co-creator of the C2 Matrix, which I love, and also a ton of other stuff, and I'm a huge... I stan Jorge, like honestly I do, I can't help it, he's awesome. And then finally we have Ricky Banda, and he has a really fancy title: he's the incident commander for the Amazon Security Incident Response Team. So all of these people are big-deal, super awesome, seasoned professionals coming in to share their knowledge and wisdom. For the threat reports that we have selected for the purposes of this talk, they are all TLP:WHITE. So we will not be discussing anything TLP:AMBER, TLP:RED or TLP:GREEN. And also, the focus of this talk and panel is more actionable takeaways, taking the information to the next level, and, you know, we wanted to bring Vegas to you in case you're not there in person. So, Threat Report Roulette. And as you can see on the screen we have a Threat Report Roulette wheel. And what we're going to do is we're going to spin the wheel and call on an analyst.
And then they will give their insights for a couple of minutes, and then from there we will have our stakeholders. And the reason why we have stakeholders is because, well, they're the consumers of all of the info. And if they don't like it, that's bad. So we want to make things that they like and want to consume and that are actionable within their org. And for the sake of debate and all of that, all of the reports we're going to assume are actionable and relevant to their organization as the analysts are performing their analysis. All right, so is everyone ready to get started for Threat Report Roulette? Yay. Okay, so, audience, just be forewarned, I have a timer. And so I'm going to be timing the participants' responses. And they have approximately five minutes to respond. So if they hit time, I'm going to yell "time." So just be forewarned that I will be very vocal in moving the session along. So I am going to spin the wheel. What's it going to be? The DFIR Report number two. So I am going to the GitHub to look at the DFIR Report number two. Oh, that's Sodinokibi and REvil. And in case you guys want to play along in the audience, it is at bit.ly, it's a bit.ly link, DC29 roulette, DC29 roulette, and that takes you to the GitHub page. So, let's see, DFIR Report two, and that goes to Chris. And you have 15 seconds to organize your thoughts, and I'm going to start the countdown right now.

Excellent. So, right off the bat, these DFIR reports are very extensive. These are the type of things that multiple consumers in your org can use, from the technical and the strategic side. So among the reports we've gone through, I found these to be the most beneficial for the widest audience. In the particular report, I went through and looked and saw some particular things that I would key on for creating some custom indicators, aside from the static hashes and IPs and domains that, as we all know, change pretty rapidly.
So for this one with REvil, one of the things I noticed during the processes is that they have Excel calling WMIC.exe. If you're not familiar with that process, that's a kind of system information gathering process. There's really no reason why an Excel document should ever be calling that in a normal environment. Maybe you have a developer or a sysadmin that built their own custom tool, but in that case you'd know about that and this would be something that would be, you know, whitelisted in some way. But right off the bat, if you have an Excel document calling WMIC.exe, right off the bat, if you create an alert for that, that's one of the early stages of this kind of kicking off; you can get an indicator there. But again, there'll be a fringe case here and there with an admin that maybe built an Excel spreadsheet with all their scripts; it's possible. Another thing here I noticed is that, as we know with any of these, with REvil and either malware or ransomware samples, they're going to want to maintain persistence, so they're going to try and do some registry key modifications and whatnot. For this, they created a RunOnce key. And that's something that's, you know, pretty common for programs that want to boot up every time the system starts, but they used an asterisk, meaning that it also boots up in safe mode. So if you think about it, what other applications do you have that users want to have open up during safe mode? So right off the bat, if someone, you know, makes a registry modification for a RunOnce key and uses the asterisk, that means it has to be open during safe mode, and that would be another thing I'd alert on, because again, what user, what normal circumstance in your environment is that necessary? If this is like a custom server that has software that has to boot up during safe mode, this is all going to be done during configuration; this is all going to be created while you're not in an alerting mode.
So, while these things are in the wild and people actually run servers, this isn't something a user or an admin is going to make changes to; they're not going to have it boot up in safe mode unless they're in some sort of change window or configuration period, where you would know when, if you saw the alert, you'd be concerned about it. Another thing to do, again, is changes to scheduled tasks. Although, you know, changes to scheduled tasks as an indicator, that's a key thing to look at, because how many of your common users are making changes to scheduled tasks on their own? It's just not that common. You find that in the situations where, you know, certain key-value pairs kind of indicate the scheduled task is something that keeps persistence on your system, that's another good indicator. Let's see. Oh, another thing is, prior to executing the ransomware, the threat actors created a GPO that disabled Windows Defender across the systems. If you don't have some sort of alert that fires when your antivirus is turned off, then, you know, that's kind of table stakes, but that's another key one right there. So that's from, you know, GPOs being pushed in general: they should be getting some sort of change window, so watch if it's being pushed from a non-admin or a new account or something. So those are some of the, you know, aside from the obvious ones, that I picked up on from the doc. Anyone have any thoughts?

Awesome. So that is actually perfect, within the time. So now our stakeholders will be able to comment on this particular report for the next five minutes. And I am going to start the timer, and Jorge is raising his hand, so please feel free.

Awesome. Awesome review there. Thanks so much. On something you said very briefly at the beginning that some of you might not have caught, and that is that the DFIR Report is a great resource and goes to the widest audience, and I think we're going to see this as we go through the roulette here.
There are going to be some reports that target different audiences: some are targeted to people in the detection world, some are targeted to red teams, some are targeted to analysts looking up IOCs and things like that, right? So we love the DFIR Report. Sponsor them if you can; I definitely sponsor them out of pocket. They're amazing. And yes, this report, right, everyone's heard about REvil, especially after Kaseya. And I like the intro, right: you can read the first couple of paragraphs without being that technical and still get something out of this report, but once you dive deeper into it, we get all the way to the point where you have actual procedures. And one that you touched on right now was adding a registry key that has an asterisk in it. I was actually today days old, so in the first five minutes of roulette you taught me something I did not know: that an asterisk in front of a registry key meant that it could start in safe mode. So thank you for that bit of knowledge, and again, shout out to the DFIR Report. I'll let someone else weigh in.

Oh, I just want to say I was today years old as well when I heard that, so thank you so much for your insights; this is why I love this. And I wanted to add to, besides me being a sponsor of the DFIR Report as well, where I pay out of pocket because I think it's awesome and, you know, I give them my money, is actually the community involvement with the DFIR Report. Like beyond, beyond analysts using it, something that I thought was really interesting was BlackMatter23. And he tweeted out eight detection ideas and 18 rules, 18 rules. And so he has a whole GitHub with detection ideas and detection rules based solely on the DFIR Report, and so I just really love to see the positive impact that the DFIR Report is having within the community, and all of these amazing professionals around the world, kind of like the people on this panel, they're people from around the world, coming together and discussing cybersecurity and protecting organizations.
So, thank you. Anyone else want to comment on this? Okay, Danny.

So for me, as an incident responder, L3 SOC analyst, some of the things that I like about this is that it gives me information on what to look for if I'm trying to find the intrusion. I now know where the files can be located. There are some things that will change, but there are some things that are static based on how the adversary likes to place things, so finding things in, say, a Public folder is out of the ordinary. So those are artifacts that I will look for. And furthermore, some things that I would also try. We usually respond to alerts, and so some of the alerts are generally when a phishing occurs, but finding any sort of registry artifact, such as the safe mode one, is definitely an interesting indicator to look into, so looking into the autoruns. So the DFIR Report is definitely a good one for us as responders.

Okay, thank you. And Will, any comments?

So just a quick one. I believe that this was one of the first instances of IcedID being used as the initial access vector for REvil, which was an interesting evolution for that particular malware family, because it is associated with other ransomware actors, so it's definitely a malware family you want to prioritize if you're worried about being targeted by ransomware operators.

I totally agree with this. Initial access brokers, like, that's where the money's at, right? Okay, so, if everyone's okay, we're going to move on to the next threat report. Thumbs up. Good. All right, so I'm going to spin the wheel, and Securelist. So this one, who does this go to? Who wants it first? Is this the Black Kingdom? Yes. Do you want this one, Danny? Yeah, I'll take this one. Okay, it's all yours and I'm starting the timer right now.

Okay, so Black Kingdom, that one was one of the more interesting ones. I don't remember.
This one was actually using Python, Python for the entry, especially web shells. Since this one uses web shells, the web shells are generally targeting public-facing servers. So, as far as public-facing servers go, these are some ways that we want to take a look at: one, finding out that there are no out-of-the-ordinary PHP files or any such within our servers, and especially for this one, this one targeted the Microsoft Exchange server, which was one of the big, big events back a couple of months ago. Once that was out, we did, in fact, thinking of my last employer, I had to go around making sure that no one made any authentications and uploads into the Exchange servers. But the way that this was interestingly done, they hard-coded some folders to exclude rather than using regex. For me as an incident responder, I would be looking for any sort of anomalous PHP files or execution within the Exchange server that the client owns. And that's pretty much about it. This one was more in depth on how it was programmed, but from a TTP perspective, it's what it would generally upload in. And so that for me is where I would be focusing on, to make sure the client does not have any anomalous uploads into their servers.

Oh, that's great. That's great, and definitely, you know, look at patching those CVEs that are in the report too, right? Yeah, yeah, like, and prioritizing them if they aren't already done. And any stakeholders that are interested in commenting on this particular report?

I'll be glad to take that. Okay, thanks, Joe. From the explanation here, you know, again, so as a red teamer, my job with most of these reports is to, because this report is not as in depth as the, you know, DFIR reports, which are again plus one, fantastic.
The report is pretty in depth, though, but they do. The specific report, the CTI channel that, you know, we're getting it from here on the stakeholders panel, is really telling me, you know, the things that I do as a red teamer with these. I either have to try to write the same ransomware, the same tactics, TTPs they have, to help try to break into the network, to again help write IOCs, take it to my detection engineering team and say, have you guys seen these things? We're about to run these things for you guys to help you see if we can commit to creating better detections and better IOCs, the indicators of compromise. So while writing these things, this report is thorough enough that I could take it, and then from a CTI perspective, you know, one of the things that I have to ask, though, is, looking at this report, am I even a potentially affected, you know, an affected client? Am I a target of this report? You know, I want to spend the time that I have in a 9-to-5, 40-hour work week making sure that I'm writing the right defenses here for my company, for the company here. So when it comes to this report, some of that stuff is here, and again some of the TTPs are definitely here, and I can see the CVEs they're attacking, so I can again try to reverse engineer, find POCs, proofs of concept, that'll work and then develop again a single executable or string or an individual POC that mimics this specific kind of ransomware malware.

Okay, thank you very much. And, oh, it looks like we have Ricky chiming in. Do you want to chime in really quick, Ricky?

Yeah, yeah. So, looking at the report, listening to what we have folks saying, right, it's something like this, and I'm thinking, this is impacting me, or this is affecting an area at work or an organization I'm responsible for, something to that effect. And I have to be able to look at these reports and take action. Right. So, I'm looking at something like this.
And I have multiple lines, pipelines of work kind of already going on in my mind right now. I'm thinking, okay, we have this scenario. Are we prepared from an insurance perspective? Are we prepared from a PR perspective? We have a lot of stakeholders in these areas. Meanwhile, I'm assigning two to three incident response engineers to go into log dives, network, and endpoints, making sure that we have detection, and engaging with the service owners and service teams to go and get me, you know, data, so that I can also make those types of assessments. In the end, I'm probably also on the phone with our legal team, you know, people who are also in charge, you know, like executives, directors, and I'm thinking, oh shit, I have, you know, a potential for exfiltration within an environment I own, or, you know, something that is going to impact the business in some way, shape or form. And so, of course, I don't want to take up, you know, too much time, but the thought process when I look at something that's related to ransomware or exfiltration of data or anything like that is, I have to think through what the actions on objective are, what the impact is going to be, and that I am collecting the right people in the room to make sure that we have an appropriate response to handle everything from PR to legal to financial to investigation risks, all in kind of the same room, organizing all of these cats.

No, that's great. And so Ricky makes a really great point that I need to point out, especially for people in the audience that are in larger organizations: building those relationships ahead of time so that you know the product owners and, you know, the people, and you understand their backup schedule. Let's say your go-to person is on vacation and you don't know who to contact other than that, you know. And just understanding who to contact, building the relationships and forming those connections before something horrible happens.
I know it sounds simple, but it's definitely been very beneficial in my experience to be able to just be like, yo, I need your help with something, and already have that rapport established. I hope everyone's okay; I'm going to click on another report unless anyone else has something to add. We're good. Thumbs up. All right. And I'm spinning the wheel. Ooh, BC Security. Let's see which one that one is. Let's see, that one is the overview of Empire 4.0 and C#. And let's see who wants to take that one. You want that one, Will? Um, could I pass for the next one? Okay. Let's see who wants this one. No takers. I can take it. Okay, go for it.

Um, BC Security are the makers of Empire. Empire, what was originally called PowerShell Empire, is one of the most popular command and control frameworks. I know that because of a project called the C2 Matrix. I also chose Empire as the C2 to teach people red teaming in my SEC564 class, the SANS Red Team Exercises and Adversary Emulation course, because in a classroom environment you want a tool that is consistent and reliable and does what you tell it to do every time. And with a lot of C2s that's just not the case, but Empire is one of those. So back in July 2019, the original creators of Empire said that they were ending development, and the folks over at BC Security took over development, which is fantastic. In this case, what we're going to talk about in this blog post, it's talking about the latest version of Empire, which is 4.0, and C#, and right off the bat in the intro, you can see that a lot of the new C2s are popping up, and the way to create implants, the actual payload, or the stager that runs in your environment, before, was PowerShell, right? Lots of people say PowerShell is dead.
Sometimes it was Python, but we're definitely seeing an uptick in C#, and C# is a language anyone can actually write C# code in; you can download a version of Visual Studio Community and compile your own C# code. So, in this case, we take a look at how Empire works, the latest updates to it, how to run it. As a C2 framework, you have the server component, which is your listener; it listens on a particular port. And then you can see that Empire has mostly HTTP listeners. So we know that the C2 will be over HTTP and HTTPS; you set the delay and jitter, which is how often that endpoint is going to call out, and then you have to create a payload. And they call it the stager. So the net new here is the ability of creating this C# stager. It's just the code used to compile that payload and get it to execute on a Windows system. So if you see this, just like PowerShell when PowerShell was starting to be used, that infamous DerbyCon or DEF CON talk by Dave Kennedy, there were no detections, right? And even today PowerShell is tough to catch, but essentially what we're seeing is the move to C# because of that same thing, right? PowerShell is able to execute; a lot of antivirus and anti-malware and anti-exploit solutions aren't catching a lot of C# code. So that's really the biggest net new here. In this case, if you haven't tested or used Empire, by all means, check them out. There's a whole bunch of C2s out there, and understand how these work, right? A lot of these are open source; they're used by red teamers and adversaries alike, and the ability to understand and be able to see how those stagers execute on the target system, as a C2 server, and look at it is going to be important. So definitely more of a red team CTI report, not much talk on detection or anything like that. So, back over to you.
So the reason why I included this one is because PowerShell Empire, Empire, as Jorge said, is really popular with the threat actors, and so before the new release of PowerShell Empire, there was a paper called "Disrupting the Empire: Identifying PowerShell Empire C2 Activity," and it's a SANS white paper that's available on the SANS website under their resources and papers section. And so in it they talk about HTTP request behavior; they talk about anomalous URIs and a bunch of other network-based indicators to be able to detect PowerShell Empire. So there are even whole GitHubs with, like, detection rules that are for those specific configurations of Empire. So now that they've released a new version, you know, I wanted to highlight this report to bring attention that we need some defenders to come in here and do another SANS white paper on this new edition of PowerShell Empire, and to perform security research and to try to find a way to find those unique toolmarks. I believe keydet89, let me get his proper Twitter handle so I don't misquote here. Stand by. keydet89. He changed his name, so I'll have to look it up later. Anyway, I'll put it in the chat and I'll put it in the GitHub, but he's a big proponent of something called toolmarks. So, trying to detect the custom out-of-the-box, and I'm horribly paraphrasing it, but detecting custom out-of-the-box features of, like, you know, Cobalt Strike, PowerShell Empire, or a lot of the other really popular tools that ransomware actors and cybercriminals and all of that use. And they just use it straight out of the box and they don't try to reconfigure stuff sometimes. So, like, taking that low-hanging fruit, essentially building detections around it. Of course it's easy, whatever, but getting it out of the way so that at least you have that as an alert in the event they decide not to modify any of the settings. I wanted to bring that to people's attention.
Does anyone else want to comment on this particular report? Oh, Danny. Yes, and in the meantime I'll look up what he changed his name to on Twitter.

So with this one, it's definitely looking for network-based indicators at this point. So some of the signatures that I've seen before were going to news.php. Now, whether that's changed or not for this one, we're looking for indicators by NetFlow, or any SIEM that's letting me know that there are rapid connections going on to a certain IP or domain.

And really quick, I did find the person's name. I just spelled it wrong, I apologize. It is keydet89, Harlan Carvey. He is an author of books and super smart, and he talks about toolmarks, and he's a DFIR professional. Sorry for interrupting, Danny.

No worries. And then from there, I can pivot to the host that is emitting that connection and try to find any other indicators from there that may be agnostic of the C2. But for now with this one, especially with the update, I'm going to have to rely on network indicators as the indicators to begin with.

Okay, anyone else?

I'll quickly say, so, the, you know, toolmarks. There's a lovely tool out there for Cobalt Strike called JARM. If you think you're being targeted by a Cobalt Strike team server, you can turn around and use JARM to scan the endpoint, and it will literally see if it can find, like, the profiles that Cobalt Strike users are usually running. So toolmarking would be a real valid way to do that, because again, Empire, when it boots up, there are certain ports that need to be open when you are executing from an external source. And as Jorge said, a lot of these things, the reason that they became popular was because of PowerShell, and then when people said PowerShell was dead, people were like, not really, sort of, and then they're like, but here's this C# thing that, you know, you've been worried about PowerShell for so long.
It's a construct that's been here all along. And then, you know, again, using the C2 Matrix, this will tell you that this is one of the most popular ones, and I love Empire myself, so. Thank you. Yeah, I know, it's a great tool. Okay, so are we good to move on to the next threat report?

I took a couple of host-based indicators I came up with for that one that I'll slip in real quick. So first of all, csi.exe and fsi.exe without any command-line arguments, that's going to be an indication of an interactive session. Any sort of arguments being passed to those two executables, renamed instances of those binaries, network connections from those binaries. And, you know, in certain environments where people are heavily using C#, that's obviously loud, but again, you just have to go through and see if it's present and then, you know, whitelist what your developers or whoever are doing. But other than that, the average user is not going to be using either one of these. So simply the presence of those executables without any command-line arguments right off the bat should be an indicator that someone who is not on the host is running that.

Okay, thank you so much. Are we good? Anyone else? We're good. Oh, okay. I will move on and spin the wheel. Okay, what's it going to land on? DFIR Report number one. Let's see what that one is, and who. IcedID and Cobalt Strike vs. Antivirus. Ooh, let's see. Who wants to speak to that one? Who wants to start on that one? Any takers? Danny. All right, Danny, go for it. Let me get myself mentally prepared for this one. Yeah, you have 15 seconds. So, yep, thank you. I can jump in on that one afterwards too. Okay. I was just muted. All right.

Based on what I was reading in this report, this one is a resurgence of the use of IcedID, and some big, interesting key points are the use of not only Cobalt Strike but WMI.
And from what I've seen, they were trying to start off with a spear-phishing Word doc, which will release an HTA file and also a JPEG that is actually a library. It was executed by rundll32 or regsvr32. And then what it tries to do is the host discovery, as well as encoded PowerShell payloads. What I like about this DFIR Report is the fact that it goes through the very stages of how it operates: its credential access, how it tries to do host discovery and the actual manipulation of WMIC, other processes, and it also shows that the antivirus already installed can detect some of those anomalies. But it's also good to know what WMIC activity should not be occurring consecutively in the environment, especially when it's trying to do a view of the domain and trusted domains, domain admins, and trying to find your domain list. You see some visibility on the lateral movement. Some other key takeaways with this one that I do like is, for me as a SOC analyst, not only am I looking for any strange WMIC activities, but processes run by services or certain PowerShell activities, especially when IEX is used, which is trying to execute something.

No, that's great. Are you good, Danny? Are you ready, Chris? Chris. Okay, I have a little bit of comment too, and then Will, it looks like.

So, you know, Danny mentioned pretty much a lot of the stuff I'm going to cover; I'm just going to get a little specific on a couple of them. So right off the bat, if you see Mimikatz, bad. So anytime that pops up, you should have some sort of alerting for that. Second, a JPEG making any sort of process command-line arguments, that should be some sort of indicator there.
There's no reason why a JPEG ever needs to call systeminfo, ipconfig, anything like that. So, although, you know, it would be hard to basically do every single file type that does that, they may not use JPEG, they may pivot, you should probably figure out, you know, what file types you can include in some sort of list to do that as your recon next. The AdFind recon and scanning piece, so calling adfind.bat to do, again, more system information gathering, that's not something that any user does; it's not something a sysadmin is going to do. They've got tools to gather information; they've got all sorts of other things. You're never going to sit in there and gather it that way. So, if adfind.bat is calling any sort of process and command line for this information gathering, that should be some sort of IOC. Last thing, lateral movement, registry value set, using encoded PowerShell. There's never a time where you're going to have any users that need to hop to another device using registry value set with encoded PowerShell. As we know, you're going to use that if there's some sort of escape character in there or something that will make the code not run; there's nothing that you would need as a normal host or a normal user that can pivot to another host legally in an environment. There's never an argument you'd have to run that would require you to use encoded PowerShell, except for some really rare edge cases, in which case there's probably some sort of change window.

No, that's great, unless you're in some environments where the people like to use encoded commands all the time. A lot of people just like doing it for, for, you know, lols. But, like, you know, SentinelOne, all these tools now, they'll decode it for you, they'll check through it; you can still dig into it. But yeah, you're right, people use it when they don't even need to. Yes, and Will, did you want to comment on this one? Did I get that right? Okay.
So this is another blog piece on IcedID attacks, and as we know, it's associated with ransomware, but it's another important piece because of IcedID. So in this specific one, the IcedID variant is using a loader called, what the researchers call, the photo loader, so it uses a JPEG file to sort of deploy a hidden payload. Like, following IcedID and the overall campaign, so it began as a banking trojan and turned into an access broker, but more recently, in like the last maybe six to nine months, it has been pushed by a spam botnet called the Shathak botnet, linked to TA551, and it's distributed a range of payloads, but more recently IcedID has been its primary payload. So it's another example of what to expect if one of your endpoints is infected by IcedID, but I mean the main point that an analyst should be bringing, if they decide to write this report up and, you know, document it as an incident report, they should be sort of explaining why IcedID is an important threat, and it's basically taking over from Emotet, the Emotet botnet that got shut down in January by the European and Ukrainian police and things. There's been a vacuum, and IcedID and Qakbot have basically taken over and pushed in parallel campaigns between them. And then, you know, Cobalt Strike, that's what we normally see with a lot of these malware families, so those are the two sort of staple threats to be aware of, and as the guys have explained, some good detections that you should be using to alert on.

Okay, great. Thanks, Will. And the little comment that I wanted to add, and then we'll hop on over to the stakeholders really quick, is from an endpoint perspective, I saw the discovery and I saw WMIC, ipconfig, systeminfo, net, and nltest, net, and a bunch of other related processes that would need to execute within a short amount of time.
And so if you're performing a hunt for this type of thing, instead of making it, per se, specific about command line arguments, you group the processes, you know, all of these within this particular report that are used, and then you time-bound it by, like, 24 hours or even an hour or whatever, right, because they move very quick. And so I believe if you do that, it'll cut down on false positives within your organization of, you know, the random person just doing ipconfig, right, because you don't want to alert on that, because that'll create a lot of traffic, a lot of alerts for you. So aggregating the whole report as a whole, and then creating a hunt around that specifically, and then investigating any potential anomalous activity of any matching results if you do have any, which I'm hoping you don't. That was my contribution. Anyone else want to say anything?

Well, as a stakeholder I'll say, you know, again, from my CTI panel, if you guys were feeding me this information, again as a red teamer, I can definitely help you recreate the actual IOCs, the actual detections, with our tools. The DFIR report, and what you guys have explained, is again, like, the level of detail they go into that then comes to you guys, that can then come to me, and then I can take to the operations team, is just phenomenal. But the tooling here, again, being things that are free, simple, easy to use, and the good news is it's highly detailed, so we can write the right detections and build the right tooling to emulate it.

Okay, thank you. And I want to throw a little bit of a mix in and have Karen speak about our mystery threat report that we picked. So Karen's going to have three minutes to speak to this mystery threat report, and then we're going to close on out with Jorge and the rest of us commenting on SCYTHE's Threat Thursday, because (a) I love it, and (b) I warned you all that I'm a huge stan for Jorge, so.
Okay, so Karen has the floor, and you have three minutes.

Okay. Um, okay, so this mystery report is basically for the recent BazaLoader, BazarBackdoor campaign. In terms of how the reporting is done, it's very good. But I feel that it's not very accessible, because some stakeholders, for example DFIR, would like quick access to the TTPs, they would like quick access to the IOCs. The TTPs and IOCs you generally need to siphon off by reading; there's a lot of reading involved. But the good thing about it is this has good content, this has good screenshots, diagrams explaining the attack chain, screenshots of the email, even, you could say, the unique IDs that the attackers used to identify all of the victims. And another good point about this is that there are hunting rules which can be used with Microsoft 365 Defender. It's pretty good. The only disadvantage, as I said before, is that it heavily relies on actually reading the report, and some stakeholders might not like it. In terms of key takeaways, this is particularly interesting because I think Microsoft has been tracking this for around a month, and this is like one of the newer campaigns. And due to it resulting in ransomware, which I think is Conti or Ryuk, it's definitely interesting in that sense, because BazaLoader is a prolific malware, and any updates on their TTPs, the new campaigns, are particularly interesting. In terms of the detection rules, the detection rules provided by them are extremely good, because they provide hunting for the emails. It even includes hunting for the exfiltration tool of the ransomware, which is, I think, rclone. Yeah. And other than that, there's a very particular interesting thing I want to focus on, which is the use of social engineering in this whole campaign.
Because the highlight of this is the threat actors use like a fraudulent call center, so in case the victim decides to call that number which is provided in the email, that can actually lead to a person at a call center who social engineers the victim into, you know, executing a malicious link, attachment, whatever, which can cause more harm. But that is very interesting in my opinion. And other than that, nothing else for this report. It's a good report, but I feel like they could have included the TTPs and the IOCs in a particular table at the end to make it easier for people who are researching it.

Okay, and the comment that I would like to add to this is Palo Alto's Unit 42 recently came out with a report, 7/29/2021, on BazaLoader. And in it they have a bit.ly link that has a bunch of IOCs and stuff like that; it may not necessarily be tied to the BazaCall campaign. You know, I would need to perform analysis to see the difference between the Microsoft report, that was the mystery report; it was called BazaCall. Let me go to the top of the report: "BazaCall: Phony call centers lead to exfiltration and ransomware." So I would have to compare the BazaCall report to the one that was produced by Palo Alto with the IOCs, but the point is that both of them involve BazaLoader. So I would look at that and take a look at those IOCs as well as, you know, that's BAU activity. But the whole point of this is that if you get a report and they don't have the TTPs or IOCs or whatever, pivot on that and look for other organizations that may have done reporting, such as Palo Alto Unit 42, they do some awesome work too, and supplement the reports that come out for that. Anyone else want to comment on that before we move over to Jorge? Okay, Will, and then Danny.

Yeah, so the BazaLoader, BazaCall campaign is a really interesting one to me.
It's linked to the infamous Ryuk and Conti gang, which I think CrowdStrike tracks as Wizard Spider. This group is very well known for using a range of delivery techniques that are purposely designed to evade detection. I wrote a blog about all the different techniques they use, and BazaCall is the one that's currently running, and the thing that makes it so interesting is there are no malicious links inside the email itself; it's just a phone number that you call and are guided through. And then once you reach the fake website that they created, you have to enter a code to be able to download the spreadsheet that they give you. So there are so many different ways to thwart researchers like myself and methods to evade detection. It just makes this gang a really prolific threat and one to definitely, you know, actively hunt for, because there's a chance your tools won't pick them up.

Thank you so much for stating that, and Danny.

Okay, so this one is a very interesting one, because this one actually involves more than just going into the network and trying to hunt; this one involves working with your organization to put out a message. As far as dealing with fake call centers, just a reminder to the employees: hey, you have a call center in the organization; this is an external email that's out; you're not using that, you're using this particular one. And I bring this up because there have been cases, there have been a lot of calls acting as Microsoft trying to help with computer issues by running commands, which was a fake call center. So a little similar but not quite; it involved running scripts, which inevitably infected the host. This is where you want to leverage your departments to help put out a message. Now, from the forensic side, I see a couple of things, say the use of certutil, especially when certain tools are being used to do urlcache to grab things from another location.
So I'm going to watch out for that.

Okay, great. And now we will take it over to the final report, just an overarching discussion of Threat Thursday. I had the wonderful opportunity, through independent research, to speak with some really awesome professionals, and they've actually operationalized this Threat Thursday, where every Thursday it comes out, they mobilize their team and perform an actual real purple team exercise related to this particular report that they put out. And we happen to have Jorge with us, so I thought it would be nice if he could just speak to it really quick. Another reason why I really, really like this is that they include not only community-sourced information, but they also have a detect and respond section as well, which I feel is exceedingly important. So thank you very much, Jorge, take us out.

Yeah, no, just real quick. So this was something that I started early when I joined SCYTHE, been there for about a year; essentially it was to make some of these threat intel reports and reports from incident responses more actionable and bring value to organizations. We do kind of what we did here, right, which is consume the cyber threat intel reports and make them actionable for the purposes of adversary emulation, and essentially what we're now calling attack, detect and respond, right. Essentially everything we talked about today was something post-initial access. I think all organizations nowadays are working under that assume breach of, you know, whether it was a 0-day, which we've heard a lot of, or IcedID or TrickBot or whatever, what happens next, right. So we take these reports, the DFIR reports, a fun one, right, and actually get those procedures. And that's, I think, something where the CTI world can improve on, is actually providing the procedures, the DFIR report being a great example of that, because then people like myself, like Joe, the Blind Hacker...
So we grab those actual procedures, and then we can create these emulation plans, and of course we build these emulation plans and share them with everyone. We share them with our customers in JSON format; they can simply import it. But of course we want to contribute to the community as well, so we publish them as ATT&CK Navigator heat maps as well. We also give the actual procedures, so if you just want to copy and paste them or use something like Atomic Red Team, you can still get value out of it, right; we don't foresee that you have to use SCYTHE and things like that. But here's a perfect example: the one Microsoft published on how Nobelium was getting around defenses leveraging ISO attachments, and as we read through the attachment we said, wait, there's a new procedure here, and I looked it up on Atomic Red Team, and it wasn't there. All right, let's play with this, figured it out, and then of course contributed back, and in this particular case actually ended up PRing it into Atomic Red Team as well. But of course, if you want to do it manually, I showed how you can create an ISO file with a malicious payload in it, and then just through Twitter kind of purple teamed it with Cyber Monk and Florian and Black Matter, essentially just finding ways to do the detections. I believe Ryan was also on there. So yeah, it's a lot of fun; it's probably one of the most fun things that I do, to get to read some of these reports and build these adversary emulation plans and share them with the community. And yeah, they're all free. Like I said, you don't have to use SCYTHE for this; we're big believers in giving back to the community and doing purple teaming. So thank you for that shout out, I appreciate it, and like I said, just trying to give back to the community.

Yeah, thank you so much, and thank you to all the panelists too.
I really appreciate you coming to share your insights, wisdom and knowledge. I learned something, and I hope the audience learned something as well. Thank you very much, I hope you enjoy the rest of DEF CON; I believe this airs on the last day. So thanks for taking time out to watch Threat Report Roulette. Once again, the bit.ly link is bit.ly/DC29roulette, and that's how you can get it, or you can find it on my GitHub, it's Ontario, and it's called DEF CON 29 BTV Threat Report Roulette, and it provides the list of all the threat reports, the Threat Report Roulette wheel, as well as our favorite resources and more information if you want to contact any of the panelists. So thank you very much, and have a great summer.