Click here to download all references as Bib-File.

Enter keywords to filter the library entries below or Propose new Entry
2023-11-01nccgroupMick Koomen
@online{koomen:20231101:popping:05205f6, author = {Mick Koomen}, title = {{Popping Blisters for research: An overview of past payloads and exploring recent developments}}, date = {2023-11-01}, organization = {nccgroup}, url = {https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/}, language = {English}, urldate = {2023-11-14} } Popping Blisters for research: An overview of past payloads and exploring recent developments
Blister Cobalt Strike
2022-09-02nccgroupAlberto Segura, Mike Stokkel
@online{segura:20220902:sharkbot:a9ce98d, author = {Alberto Segura and Mike Stokkel}, title = {{Sharkbot is back in Google Play}}, date = {2022-09-02}, organization = {nccgroup}, url = {https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/}, language = {English}, urldate = {2022-09-12} } Sharkbot is back in Google Play
SharkBot
2022-08-19nccgroupRoss Inman
@online{inman:20220819:back:11abc41, author = {Ross Inman}, title = {{Back in Black: Unlocking a LockBit 3.0 Ransomware Attack}}, date = {2022-08-19}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack}, language = {English}, urldate = {2022-08-22} } Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
FAKEUPDATES Cobalt Strike LockBit
2022-08-04nccgroupMichael Mathews, RIFT: Research and Intelligence Fusion Team
@online{mathews:20220804:top:2e6e156, author = {Michael Mathews and RIFT: Research and Intelligence Fusion Team}, title = {{Top of the Pops: Three common ransomware entry techniques}}, date = {2022-08-04}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/08/04/top-of-the-pops-three-common-ransomware-entry-techniques}, language = {English}, urldate = {2022-08-22} } Top of the Pops: Three common ransomware entry techniques
2022-05-20nccgroupPeter Gurney
@online{gurney:20220520:metastealer:d3c2f0e, author = {Peter Gurney}, title = {{Metastealer – filling the Racoon void}}, date = {2022-05-20}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/}, language = {English}, urldate = {2023-01-31} } Metastealer – filling the Racoon void
MetaStealer
2022-04-28nccgroupDavid Brown, Michael Matthews, Rob Smallridge
@online{brown:20220428:lapsus:c7cd787, author = {David Brown and Michael Matthews and Rob Smallridge}, title = {{LAPSUS$: Recent techniques, tactics and procedures}}, date = {2022-04-28}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/}, language = {English}, urldate = {2022-04-29} } LAPSUS$: Recent techniques, tactics and procedures
2022-03-31nccgroupNikolaos Pantazopoulos, Alex Jessop, Simon Biggs, RIFT: Research and Intelligence Fusion Team
@online{pantazopoulos:20220331:continuation:b38514d, author = {Nikolaos Pantazopoulos and Alex Jessop and Simon Biggs and RIFT: Research and Intelligence Fusion Team}, title = {{Conti-nuation: methods and techniques observed in operations post the leaks}}, date = {2022-03-31}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/}, language = {English}, urldate = {2022-03-31} } Conti-nuation: methods and techniques observed in operations post the leaks
Cobalt Strike Conti QakBot
2022-03-25nccgroupYun Zheng Hu
@online{hu:20220325:mining:287a2e7, author = {Yun Zheng Hu}, title = {{Mining data from Cobalt Strike beacons}}, date = {2022-03-25}, organization = {nccgroup}, url = {https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/}, language = {English}, urldate = {2022-03-28} } Mining data from Cobalt Strike beacons
Cobalt Strike
2021-11-08nccgroupFox IT
@online{it:20211108:ta505:6ac8d13, author = {Fox IT}, title = {{TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access}}, date = {2021-11-08}, organization = {nccgroup}, url = {https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/}, language = {English}, urldate = {2021-11-09} } TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
2021-10-11NCC GroupNCCGroup
@online{nccgroup:20211011:snapmc:d2395ab, author = {NCCGroup}, title = {{SnapMC skips ransomware, steals data}}, date = {2021-10-11}, organization = {NCC Group}, url = {https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/}, language = {English}, urldate = {2021-10-25} } SnapMC skips ransomware, steals data
2021-06-14nccgroupNCCGroup, Fox-IT Data Science Team
@online{nccgroup:20210614:incremental:da01496, author = {NCCGroup and Fox-IT Data Science Team}, title = {{Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes}}, date = {2021-06-14}, organization = {nccgroup}, url = {https://research.nccgroup.com/2021/06/14/incremental-machine-leaning-by-example-detecting-suspicious-activity-with-zeek-data-streams-river-and-ja3-hashes/}, language = {English}, urldate = {2021-06-21} } Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
2021-01-31Twitter (@NCCGroupInfosec)NCCGroup
@online{nccgroup:20210131:itw:c033bfc, author = {NCCGroup}, title = {{Tweet on ITW exploitation of 0-day in SonicWall SMA 100 series}}, date = {2021-01-31}, organization = {Twitter (@NCCGroupInfosec)}, url = {https://twitter.com/NCCGroupInfosec/status/1355850304596680705}, language = {English}, urldate = {2021-02-02} } Tweet on ITW exploitation of 0-day in SonicWall SMA 100 series
2021-01-15nccgroupDavid Cash
@online{cash:20210115:sign:c50ae62, author = {David Cash}, title = {{Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures}}, date = {2021-01-15}, organization = {nccgroup}, url = {https://research.nccgroup.com/2021/01/15/sign-over-your-hashes-stealing-netntlm-hashes-via-outlook-signatures/}, language = {English}, urldate = {2021-01-21} } Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
2018-11-22nccgroupBen Humphrey
@online{humphrey:20181122:turla:de7f30a, author = {Ben Humphrey}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/}, language = {English}, urldate = {2023-06-19} } Turla PNG Dropper is back
Uroburos Turla
2018-11-22nccgroupMatt Lewis
@online{lewis:20181122:turla:99cb1b2, author = {Matt Lewis}, title = {{Turla PNG Dropper is back}}, date = {2018-11-22}, organization = {nccgroup}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/}, language = {English}, urldate = {2023-08-11} } Turla PNG Dropper is back
Uroburos Turla
2018-03-16Github (nccgroup)NCC Group PLC
@online{plc:20180316:royal:7ff57f8, author = {NCC Group PLC}, title = {{Royal APT - APT15 Repository}}, date = {2018-03-16}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Royal_APT}, language = {English}, urldate = {2020-01-09} } Royal APT - APT15 Repository
BS2005 MS Exchange Tool RoyalCli Royal DNS APT15
2017-04-03Github (nccgroup)David Cannings
@online{cannings:20170403:technical:e27583c, author = {David Cannings}, title = {{Technical Notes on RedLeaves}}, date = {2017-04-03}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves}, language = {English}, urldate = {2020-01-06} } Technical Notes on RedLeaves
RedLeaves
2016-07-14Github (nccgroup)NCC Group PLC
@online{plc:20160714:technical:a0afcbd, author = {NCC Group PLC}, title = {{Technical Notes on Sakula}}, date = {2016-07-14}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula}, language = {English}, urldate = {2020-01-08} } Technical Notes on Sakula
Sakula RAT