Detecting Snake Malware

Detecting Snake Malware Using Cb Response

Keith McCammon, Chief Security Officer

Several days ago, researchers at Fox-IT announced the porting of the Snake malware framework from Windows to the Mac platform. Detecting Snake malware may be difficult as Snake is a relatively complex framework that includes persistence, information stealing, and communications modules among other capabilities. Given this information, we had a need to look retrospectively across our customer base to identify …

Detecting and Combating Advanced Threats

Detecting and Combating Advanced Attacks: a Global Not-for-Profit’s Defense Strategy

Cory Bowline

Everyone knows advanced threats are extremely difficult to defend against. Nothing earth-shattering there. They leverage sophisticated tactics, techniques, and procedures (TTPs) to covertly harvest sensitive data, and are characterized by their ability to avoid detection. Most organizations say they are concerned about advanced attackers, but also question whether they would ever be a target. But what about the organizations that …

Windows Registry Attacks

Windows Registry Attacks: Knowledge Is the Best Defense

Andy Rothman

Let’s talk about the Windows registry…yes, that mysterious and oh-so-dangerous piece of the Windows operating system that we were warned against messing with from the moment we booted up our first PC. Turns out, the Windows registry is not as scary as everyone makes it out to be. Granted, if you do not know what you are doing, there is ample …

Verclsid.exe: Red Canary Threat Detection #1737

Old Phishing Attacks Deploy a New Methodology: Verclsid.exe

Keshia LeVan, Michael Haag

Phishing is not exactly a new or groundbreaking attack method, but it’s an ongoing problem (likely because it’s effective and we all need e-mail). A wave of Hancitor malware spam campaigns recently hit many organizations. It’s your typical pattern: a non-descriptively named Microsoft Word document sent with email subject lines like “USPS” or “eFax” using macros and heavily obfuscated VBScript …

Threat Hunting

Threat Hunting Is Not a Magical Unicorn

Joe Moles

Threat hunting, like most market buzz terms, started with a concept or an idea, and then got overused and misused by every vendor, blogger, and Twitter account with an opinion. This has led to a lot of confusion for security teams that want to build a threat hunting capability. So what is threat hunting and how do you do it? …

Whitelist Evasion Example

Whitelist Evasion Example: Threat Detection #723

Keshia LeVan

In my previous blog post on bypassing application whitelisting, I provided an overview of what application whitelisting is, why it’s effective, and how to look for signs that it’s being bypassed. Now, let’s dig deeper into a real-world example to illustrate what analysts and IT teams will see when monitoring endpoint behavior. Oftentimes when a built-in tool is being used …

PowerShell Empire

Detecting Post Exploitation with EDR: What Security Teams Need to Know

Joe Moles

I recently joined Rick McElroy from Carbon Black on a webinar to discuss techniques for detecting post exploitation with EDR. The steady stream of questions reminded me how many people are interested in the topic. I’m passionate about helping people detect post exploitation behaviors and am always excited to share what I have learned. I wanted to circle back and share some …