Skip to content

Threat Intel Content Update: 11/20/24

  • November 20, 2024

EDR Killers, GrimResource, Remote Administration Tool-RMM, Cloud API, PowerShell copy/paste campaign, Persistence outside EDR visibility

 
Threat Highlights
  • Well-known researcher Florian Roth published a “Q4 2024 trends” post. Tidal has CTI content related to each of the highlighted “trends”:

    • "EDR killers": EDRSilencer, EDRSandBlast, & other Software under the “Defense Evasion Tools” Tag or T1068 Technique.

    • Binary "auxiliary" execution: Newly added "GrimResource" (.msc) & APT29 (.rdp files) Campaigns.

    • “Remote Administration Tool-RMM” Tag: Example was be used in our webinar.

    • Several new Groups & Campaigns added under the Cloud API (T1059.009) Technique.

    • ADCS: Summarized by the T1649 Technique, which featured in our recently added “Pacific Rim” Campaign object.

    • PowerShell copy/paste campaign: PowerShell User Execution Social Engineering” Campaign object.

    • Persistence outside EDR visibility: Could refer to a few things, but most likely (or at least including) recent rootkits (T1014) and edge device activity (“IoT Threat_Routers” or “IoT Threat_Other” Tags).

  • Additional Salt Typhoon Technique relationships following newly-confirmed reports that the Chinese espionage group had accessed high-profile call records from major telecom companies.

  • New “TA455 Iranian Dream Job Campaign, where researchers concluded that Iranian actors (TA455) were either impersonating North Korea’s Lazarus Group, or that North Korean actors had shared tools and TTPs with the former.

Data-Driven Threat-Informed Defense

Meet Tidal Enterprise Edition

Quickly and easily develop custom threat profiles and defensive stacks, see your coverage and identify gaps and redundancies, and get daily recommendations to improve your cybersecurity posture.