COVID-19 Blocklists

A lot of good initiatives popped up recently to combat malicious activity related to the Corona pandemic.

A MISP instance for tracking COVID-19 activity; A list of domains which provides legitimate COVID-19 services; The Slack channel of COVID19 Cyber Threat Coalition; The COVID-19 CTI League; Public MISP feed by DCSO; And a feed by 1984.sh; Threat reports by RiskIQ; A COVID-19 threat list by domaintools; The COVID-19 domain classifier by SANS; A MISP warning listRead more.

Integrating MISP and Cytomic Orion

Cytomic Orion is a solution for Threat Hunting & Incident Response, that speeds up the process of identification, investigation, containment, and remediation of cyber threats & insiders using Living-off-the-Land techniques to evade existing controls (Reduce the MTTD & MTTR). The Cytomic Orion API allows you to integrate it with other tools, one of those tools is MISP.

The integration with Cytomic Orion allows you to achieve two main goals :

Query the Cytomic Orion API,Read more.

Iranian threat groups

In light of recent developments it would be a good idea to sketch a picture of the known Iranian threat groups. I used the information made available by MITRE ATT&CK.

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote accessRead more.

Generating MISP data statistical reports

The MISP API includes a couple of features that you can use to report on the type of data stored in the database. For example the User statistics or Attribute statistics give a pretty good overview. Unfortunately, as of now it’s not possible to limit the output of these functions to a specific timeframe. For my use case I’d like to report on the MISP data statistics for the last month. The information that IRead more.

RDP logs and incident response

Remote desktop protocol (RDP) is designed by Microsoft for remote management of Windows-based virtual desktops. It provides users a graphical interface to connect over the network to a remote computer. Having a remote access feature leaves the door open for attackers.

I’ll use this post to summarise some of the information and commands that I use when investigating an RDP incident.

Note that RDP connections are usually done via tcp/3389.

Investigating RDP goes best inRead more.