This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement.
Category: CIRT
Climbing Mount Everest: Black-Byte Bytes Back?
In the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement.
Shining the Light on Black Basta
This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.
Metastealer – filling the Racoon void
MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.
Adventures in the land of BumbleBee – a new malicious loader
BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. This post provides our initial analysis
LAPSUS$: Recent techniques, tactics and procedures
This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.
Conti-nuation: methods and techniques observed in operations post the leaks
This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks.
Microsoft announces the WMIC command is being retired, Long Live PowerShell
Category: Detection and Threat Hunting What is WMIC? The Windows Management Instrumentation (WMI) Command-Line Utility (WMIC) is a command-line utility that allows users to perform WMI operations from a command prompt. WMI is an interface providing a variety of Windows management functions. Applications and WMI scripts can be deployed to automate administrative tasks on remote … Continue reading Microsoft announces the WMIC command is being retired, Long Live PowerShell
Detecting Karakurt – an extortion focused threat actor
NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.