Trickbot and AdFind Recon

An attacker logged into the honeypot, dropped AdFind, a couple batch files and Trickbot. The attacker created a user, ran a recon script utilizing AdFind and then installed Trickbot. This is what the folder structure looked like. Timeline Time in UTC 22:13 – login from 216.170.123[.]19 22:15 – opens powershell and runs the following command…

The Dever Ransomware Experience

I was scrolling through social media the other night and came across a friend who posted a screenshot of one of his home lab devices getting ransomwared. I reached out and asked if he wanted help taking a look into what happened and he excitedly said yes! The next 7-8 hours were a blur. I…

VBS Downloader and Defender Control

An attacker logged into the honeypot and ran a batch file that created a VBS script that attempted to download a possible coin miner. The download was blocked by the content filtering system, but the attacker seemed to think Defender blocked it. The attacker then downloaded an application named Defender Control to turn off Defender…

XMRig and OPSEC Fail

An attacker logged into the honeypot, dropped XMRig and mimikatz, and then ran XMRig. XMRig installed Netshta to maintain persistence and then started mining Monero. When the attacker dropped mimikatz, they accidentally dropped a list of usernames, passwords and IPs. See below for info on XMRig, intrusion summary, OPSEC fail, and IOCs. XMRig XMRig is…

Ako Ransomware

An attacker logged into the RDP Honeypot and quickly ran Ako Ransomware. The attacker had opened the Defender GUI to disable it, but a bot from the previous day had already disabled it. The attacker then dropped Locker.exe, ran it, and then logged off before the execution had completed. Locker.exe is also known as Ako and…

Tridium Niagara Vulnerabilities

**If you’ve been contacted by me, it is because your device is on the internet and may be vulnerable to the vulnerabilities identified below. Please read through this and contact me if you have questions. Thanks** What is Tridium Niagara? Tridium is the developer of Niagara Framework. The Niagara Framework is a universal software infrastructure…

From Zero to Lateral Movement in 36 Minutes

An attacker logged into the RDP Honeypot a few weeks ago and was able to dump credentials and move laterally in 36 minutes. I’ve been seeing more and more ProcDump and less and less mimikatz lately. The attacker attempted to run a couple executables to maintain persistence but these attempts failed. These attempts failed because…

Defender Quarantines Lsass Dumps

An attacker logs into my RDP Honeypot, launches Advanced Port Scanner, attempts to run a Meterpreter reverse shell, and then dumps Lsass using ProcDump. The attacker stumbles along the way and does not accomplish their mission. See the timeline, details, summary and IOCs below. Timeline 2:52 – Logon from 185.156.177[.]131 2:55 – Copied Advanced Port…

Debit vs Credit Cards

During the holidays, I occasionally get asked by family and friends if it’s safer to use debit or credit cards. In my opinion, this is an easy answer but instead of repeating the conversation numerous times, I decided to write a short blog about it. So the first question is, what is the difference between…

Defending Against Emotet

Emotet started making the rounds again a couple of months ago. If you work in an enterprise environment you’ve probably seen a sample or two. Here’s an in-depth write-up by Brian on Emotet TTPs. Here are a few things you can do to defend against Emotet: Block Macros Block macros from running in Word files…