Detecting Ransomware’s Stealthy Boot Configuration Edits

Written by: Binary Defense Threat Researcher @shade_vx
This blog post focuses on threat hunting methods and detections for a technique commonly observed from Ransomware-as-a-Service (RaaS) operators. Such threat actors have often been observed altering the boot loader configuration with the built-in Windows tool bcdedit.exe (Boot Configuration Data Edit) in order to: Modify Boot Status Policies […]
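The bcdedit technique the excerpt names, as an added hunting example that is not code from the Binary Defense post: it runs a pair of rules over constructed Sysmon-style process-creation events and flags the boot status policy change the excerpt mentions together with the recoveryenabled change that usually accompanies it. Field names (Image, OriginalFileName, CommandLine, ParentImage, User) follow Sysmon Event ID 1; the sample events, user names and paths are invented for the example.

```python
"""Hunting for bcdedit.exe boot-configuration edits in process-creation events.

Added example: each event is a dict with the Sysmon Event ID 1 fields
Image, OriginalFileName, CommandLine, ParentImage and User. The sample
events at the bottom are constructed for this example, not real logs.
"""
import re

# bcdedit edits ransomware commonly makes before encryption so the host
# boots straight past failures instead of offering Windows recovery.
# Switches may be written with '/' or '-', and the object identifier
# ({default}, {current}, a GUID) varies, so the patterns ignore it.
SUSPICIOUS_BCDEDIT = {
    # bcdedit /set {default} bootstatuspolicy ignoreallfailures
    "bootstatuspolicy_ignoreallfailures": re.compile(
        r"[/-]set\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I),
    # bcdedit /set {default} recoveryenabled no
    "recoveryenabled_no": re.compile(
        r"[/-]set\b.*\brecoveryenabled\b.*\bno\b", re.I),
}


def is_bcdedit(event: dict) -> bool:
    """True if the process is bcdedit.exe, even when the binary was copied
    and renamed: Sysmon's OriginalFileName comes from the PE version
    resource, so it survives a rename of the file on disk."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1]
    original = event.get("OriginalFileName", "")
    return image.lower() == "bcdedit.exe" or original.lower() == "bcdedit.exe"


def classify(event: dict) -> list:
    """Names of the rules that fire on one process-creation event."""
    if not is_bcdedit(event):
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in SUSPICIOUS_BCDEDIT.items() if rx.search(cmd)]


def hunt(events) -> list:
    """Run every event through the rules and return the matches with the
    context an analyst needs to triage them (who ran it, from what parent)."""
    findings = []
    for ev in events:
        rules = classify(ev)
        if rules:
            findings.append({
                "user": ev.get("User", ""),
                "parent": ev.get("ParentImage", ""),
                "cmd": ev.get("CommandLine", ""),
                "rules": rules,
            })
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {   # classic pre-encryption edit, spawned by an unknown binary in Temp
        "Image": r"C:\Windows\System32\bcdedit.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": r"bcdedit /set {default} bootstatuspolicy ignoreallfailures",
        "ParentImage": r"C:\Users\jsmith\AppData\Local\Temp\update.exe",
        "User": r"CORP\jsmith",
    },
    {   # '-' switch prefix and mixed case still match
        "Image": r"C:\Windows\System32\bcdedit.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": r"bcdedit.exe -set {default} RecoveryEnabled No",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\jsmith",
    },
    {   # renamed copy of bcdedit.exe: Image misses, OriginalFileName catches it
        "Image": r"C:\ProgramData\svc.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": r"svc.exe /set {current} bootstatuspolicy ignoreallfailures",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\jsmith",
    },
    {   # benign: an admin enumerating the boot store
        "Image": r"C:\Windows\System32\bcdedit.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": r"bcdedit /enum",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\itadmin",
    },
    {   # benign: the strings appear, but the process is not bcdedit
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c echo /set bootstatuspolicy ignoreallfailures",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\itadmin",
    },
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["user"], f["parent"], f["rules"], "|", f["cmd"])
```

bcdedit is also run legitimately by administrators and installers, so the user and parent process carried in each finding are what separate a ransomware precursor from maintenance; in practice these hits are worth correlating with shadow copy or backup catalog deletion from the same parent process.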

Take Stock of Cyber Risk in Light of Russian Cyber Activity

Many leaders in enterprise information security and IT operations organizations are taking stock of the potential for risk due to cyber operations between Russia and western countries that show support for Ukraine. Russian President Putin has said there will be “consequences” for nations that interfere, which could come in the form of cyberattacks, particularly on […]

Advice for Defenders Responding to the log4j Vulnerability CVE-2021-44228

Binary Defense Security Operations, Engineering, and Threat Hunting analysts have been working alongside our clients and our friends in the infosec community to mitigate the threat to organizations as a result of the critical Apache log4j vulnerability that is actively being exploited by threat actors. We are especially thankful for our colleagues at TrustedSec, who […]

Threat Hunting AWS CloudTrail with Sentinel: Part 3

Detecting Backdoor Attacks
By Sean Fernandez | Threat Researcher | Binary Defense
In part 3 of the blog series, Threat Hunting AWS CloudTrail with Sentinel, we simulated a series of adversary attacks focusing on persistence through backdoor access with a secondary access key and temporary security credentials. The attacks were deployed on our test AWS […]

Threat Hunting AWS CloudTrail with Sentinel: Part 2

Detecting S3 Bucket Attack
By Sean Fernandez | Threat Researcher | Binary Defense
In part 2 of the blog series, Threat Hunting AWS CloudTrail with Sentinel, we simulated an attack on a misconfigured S3 bucket. The attacks were deployed on a test AWS environment that emulated a small organization with a set of users, roles, groups, and policies. We utilized Sentinel to gather raw event […]

Threat Hunting AWS CloudTrail with Sentinel: Part 1

Part 1: Intro to Threat Hunting AWS CloudTrail with Sentinel
By Sean Fernandez | Threat Researcher | Binary Defense
Note: this is a four-part blog post based on research from our threat hunting team. We will release this series over the next few weeks. The adoption of cloud has been sharply rising in recent years. […]

Hunting and Defeating Evasive Threats

Written by: Randy Pargman and James Quinn
Threat actors spend a lot of time and energy evading and defeating detections on their victims' networks. Threat hunters and other defenders should be aware of the evasion techniques used most often and adjust their tactics to catch the threats and cut off their access. In this blog post, […]

Emotet Wi-Fi Spreader Upgraded

This is an update to an earlier article regarding the emerging cyberthreat of the Emotet Wi-Fi spreader.
Executive Summary
Binary Defense analysts previously discovered a stand-alone program for spreading Emotet infections over Wi-Fi networks. Although the spreader had recently been delivered by Emotet command and control (C2) servers, the program itself had not been changed for at […]

An Updated ServHelper Tunnel Variant

James Quinn, Threat Researcher for Binary Defense
Executive Summary
Binary Defense researchers discovered active command and control (C2) servers and a new version of ServHelper, a malicious Remote Desktop Protocol (RDP) backdoor known to be used by the threat group TA505. TA505 is a financially motivated threat group that has been active since at […]

Revenge is a Dish Best Served… Obfuscated?

Researching new and emerging cyber threats is common practice for the Binary Defense Threat Hunting team. Recently, the threat hunters came across an interesting multi-stage VBS downloader used to distribute RevengeRAT and WSHRAT. This infection starts from an MHT file contained in a zip archive sent over email, which communicates back to the […]

Binary Defense MDR Integrates Microsoft Antimalware Scan Interface (AMSI) Interoperability

With the latest release of the Binary Defense Managed Detection and Response (MDR) solution, we have fully integrated Microsoft Windows AMSI. For detecting advanced threats, especially those delivered through scripting languages and other attack methods, AMSI provides an extensible platform that gives Binary Defense improved visibility into the latest threats and to our […]

Ransomware: what is it, and why should your organization be concerned?

Businesses of all sizes can be a target for ransomware attacks. Small business owners might think a hacker will ignore their organization in favor of a larger company with more data. In fact, small businesses are the low-hanging fruit for cybercriminals everywhere. This is partly because small-to-medium business owners think “it won’t ever happen to […]