EDR Killers, GrimResource, Remote Administration Tool-RMM, Cloud API, PowerShell copy/paste campaign, Persistence outside EDR visibility
Well-known researcher Florian Roth published a “Q4 2024 trends” post. Tidal has CTI content related to each of the highlighted “trends”:

- "EDR killers": EDRSilencer, EDRSandBlast, and other software under the “Defense Evasion Tools” Tag or the T1068 Technique.
- Binary "auxiliary" execution: the newly added "GrimResource" (.msc) and APT29 (.rdp files) Campaigns.
- “Remote Administration Tool-RMM” Tag: an example was used in our webinar.
- Several new Groups and Campaigns added under the Cloud API (T1059.009) Technique.
- ADCS: summarized by the T1649 Technique, which featured in our recently added “Pacific Rim” Campaign object.
- PowerShell copy/paste campaign: the “PowerShell User Execution Social Engineering” Campaign object.
- Persistence outside EDR visibility: could refer to a few things, but most likely (or at least including) recent rootkits (T1014) and edge device activity (“IoT Threat_Routers” or “IoT Threat_Other” Tags).
- Additional Salt Typhoon Technique relationships, following newly confirmed reports that the Chinese espionage group had accessed high-profile call records from major telecom companies.
- New “TA455 Iranian Dream Job Campaign”, where researchers concluded that Iranian actors (TA455) were either impersonating North Korea’s Lazarus Group, or that North Korean actors had shared tools and TTPs with the Iranian actors.