We curate threat intelligence to provide situational awareness and actionable insights
Threat Identifier Detections
Atomic detections that serve as the foundation of our detection framework.
Threat Scenario Detections
Risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
Reports Hot Off the Forge
• Threat News Reports
• Trending Threat Reports
• ResearchArticles
Forge Report: First Half Threat Trends of 2024
Featured Threat Reports
All Threat Reports
Web Page Archive Files
NetSkope Threat Labs has identified malicious Microsoft Office documents using Web Page Archive files (.mht/.mhtml) in recent attacks. These files, potentially linked to APT32/OceanLotus, contain VBS code that drops DLL files and creates a scheduled task. The DLL injects itself into another process and runs rundll32 indefinitely, sending data to a C2 server on Glitch.
Signed DLL Campaigns / Polyglot
Researchers Jason Reaves and Joshua Platt detail campaigns using polyglotting to bypass security by embedding VBScript in signed DLLs. Malicious installers distribute malware such as AterAgent RAT, Zloader, Gozi, and Cobalt Strike. These scripts alter Windows Defender, invoke PowerShell downloads, modify the registry, and execute shutdown commands.
ProxyShell Exploited with DatopLoader Leading to Qakbot
Cybereason reports the emergence of DatopLoader malware following the exploitation of ProxyShell and Exchange vulnerabilities. DatopLoader delivers Qakbot, establishing persistence and conducting reconnaissance using native tools and AdFind. The attack also involves lateral movement with Cobalt Strike via PsExec and credential access through registry hive collection.
MuddyWater Part of Iranian Intelligence Activities
U.S. Cyber Command connects MuddyWater to Iran's MOIS, revealing the group's focus on surveillance and espionage against Middle Eastern, European, and North American nations. MOIS conducts domestic and international surveillance through embassy agents, targeting regime opponents and anti-regime activists.
Microsoft Defender Weakness
SentinelOne researchers have identified a weakness in Microsoft Defender that allows local attackers to query the registry and find excluded locations. This vulnerability enables attackers to plant malware in these excluded directories without detection. Group Policy settings can also be queried from the registry tree, giving attackers greater visibility into the network. Tests by BleepingComputer showed that executing malware from an excluded folder resulted in no action from Defender, while executing from a non-excluded location triggered a block. This issue affects Windows 10 versions 21H1 and 21H2 but not Windows 11.
APT35 CharmPower & Log4j
CheckPoint reports APT35 exploiting the Log4j vulnerability (CVE-2021-44228) to distribute their PowerShell toolkit, CharmPower. The exploitation chain involves encoded PowerShell commands triggered by a malicious Java class to download and execute modules from an Amazon S3 bucket. CharmPower's capabilities include downloading additional payloads, system enumeration, data collection, and exfiltration.
About the Forge & Threat Reports
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever- changing threat landscape.
Intelligence Levels for Threat Reports
Tactical
Detectable threat behaviors for response with threat scenarios or threat identifiers.
Strategic
General information security news, for awareness.
Whitepapers
The World's Best SOC Teams Use Anvilogic
.svg)
.svg)
.svg)
.png)
Build Detections You Want, Where You Want
