Iranian threat groups

In light of recent developments it would be a good idea to sketch a picture of the known Iranian threat groups. I used the information made available by MITRE ATT&CK.

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote accessRead more.

Generating MISP data statistical reports

The MISP API includes a couple of features that you can use to report on the type of data stored in the database. For example the User statistics or Attribute statistics give a pretty good overview. Unfortunately, as of now it’s not possible to limit the output of these functions to a specific timeframe. For my use case I’d like to report on the MISP data statistics for the last month. The information that IRead more.

RDP logs and incident response

Remote desktop protocol (RDP) is designed by Microsoft for remote management of Windows-based virtual desktops. It provides users a graphical interface to connect over the network to a remote computer. Having a remote access feature leaves the door open for attackers.

I’ll use this post to summarise some of the information and commands that I use when investigating an RDP incident.

Note that RDP connections are usually done via tcp/3389.

Investigating RDP goes best inRead more.