#seceng/#threathunter; very curious; family; #infosec; #music; #djing, #cooking; #gardening. this is my twitter account, and I might say dumb things too.

Indianapolis, IN
Joined September 2016
Rob Carlsen retweeted
2021-10-20 (Wednesday) - #TA551 (#Shathak) pushes #Sliver-based malware - #pcap, malware samples, and IOCs available at: malware-traffic-analysis.net… More info at: proofpoint.com/us/blog/secur…
Rob Carlsen retweeted
#hancitor was back today for the first time in almost 2 weeks. It's like they were never gone - very little change in the front end distribution. Still following up with #cobaltstrike . Here are the IOCs: github.com/executemalware/Ma…
Rob Carlsen retweeted
2021-10-19 (Tuesday) - I just posted 7 new pages with recent malware samples/IOCs/#pcap files that I've had backed-up for October 2021. This includes a #MirrorBlast run with #FlawedGrace activity on 2021-10-04. See malware-traffic-analysis.net… for details.
Rob Carlsen retweeted
"Be proactively paranoid, it doesn’t work retroactively." @thegrugq
Rob Carlsen retweeted
2021-10-11:🔥#CobaltStrike Beacon | #Conti "Pentest" Methods 🛡️Watch for 2 Techniques for Shellcode Loader: 1⃣Nt* Shellcode Inject in a Local Process /w QueueUserAPC() + NtTestAlert() ➡️KiUserApcDispatcher 2⃣Azure Domain Fronting (eg. zanzi .azureedge.net)
Rob Carlsen retweeted
C2 Revealer 🚨 From Mandiant CDS ⤵️ #FIN12 shifted to heavy usage of “c2concealer” for malleable c2 profiles w/ #CobaltStrike Many threat actors using this with little to no modification: github.com/FortyNorthSecurit… #SpookyRYUKy
Rob Carlsen retweeted
Video: CVE-2021-40444 Maldocs: Extracting URLs i5c.us/d27894
Rob Carlsen retweeted
🆕Breaking Blog: 🔥Introducing - Backup “Removal” Solutions - From #Conti #Ransomware With 💕| Veeam Flavor🛅 Advanced Tactics from Cobalt Strike via Corporation Breach Study ➡️#CobaltStrike Backup Removal Sequence with AteraRMM and Ngrok RDP Tunnel advintel.io/post/backup-remo…
Rob Carlsen retweeted
While I received ~100 #hancitor emails today, Google was so fast taking down the feedproxy urls that I wasn't able to get a .doc file (kudos @google). So, I only have a shortened list of IOCs. Here's what I saw: github.com/executemalware/Ma…
Rob Carlsen retweeted
In some ways, the new #Squirrelwaffle malware reminds me of #Emotet. Don't misunderstand me--it's definitely not Emotet. But with the Emotet botnet takedown earlier this year, and with Qakbot now gone, perhaps Squirrelwaffle will fill that big criminal-size hole left by Emotet
🙏🏾❤️ always in my heart man
3 years ago today, the world lost Mac Miller. Rest in Eternal Paradise, Mac. You are missed. 🕊💙
Rob Carlsen retweeted
#Bazarloader - How to start debugging, few basics steps: 1) StartW or DllRegisterServer 🔥🔥 2) x64dbg CommandLine - Rundll32... 3) Add DLL breakpoint - The sample name 4) Run F9 until the sample Entrypoint 5) Ready for debug ENJOY 🤓
Rob Carlsen retweeted
👁️TTP of the day from active #ransomware/breach encrypting VEEAM backups on local DC: 🛡️"start C:\locker.exe -m -net -size 10 -nomutex -p \\VEEAM.dc.local" ⚡️Expect elevated ransomware activity for the Labor Day weekend. #Conti
Rob Carlsen retweeted
For the first time since the 18th, #hancitor was back today. Uncharacteristically, the emails didn't start arriving until around 13:00. There was no #ficker stealer secondary payload again - only #cobaltstrike. Here are the IOCs: github.com/executemalware/Ma…