Curtis (@cybershtuff) 's Twitter Profile
Curtis

@cybershtuff

Cloud, Incident Response, Threat Intelligence | ثريت انتل | OSINT | @InvictusIR

ID: 1144651685786259456

28-06-2019 17:00:03

169 Tweets

439 Followers

286 Following

Invictus Incident Response (@invictusir) 's Twitter Profile Photo

If you're wondering how you can prepare for an incident in the cloud, our new blog is for you 🫵 invictus-ir.com/news/cloud-inc…

Curtis (@cybershtuff) 's Twitter Profile Photo

🚨 New Blog: Forensic Analysis of eM Client 🚨 If you investigate BEC incidents, you've likely seen eM Client pop up. We did a forensic deep dive to uncover the traces it leaves behind. #CyberSecurity #DFIR #BEC #ThreatIntel

Curtis (@cybershtuff) 's Twitter Profile Photo

🔍 New Blog: Essential Cloud Logs for Incident Response 🪵 Are you collecting the right logs for cloud security incidents? We break down the must-have logs to detect, investigate, and respond effectively in the cloud. 🔗 invictus-ir.com/news/cloud-inc… #dfir #aws #microsoft #google

Curtis (@cybershtuff) 's Twitter Profile Photo

🚨 New blog: BlackBasta’s leaks show how ransomware crews still exploit hybrid environments while Scattered Spider leans fully into cloud. Two actors, two strategies. What it means for IR, cloud defense, and ransomware readiness. 👉 invictus-ir.com/news/cloud-hea… #DFIR #Cloud #CTI

Curtis (@cybershtuff) 's Twitter Profile Photo

This isn’t recycled noise. It surfaces the often-overlooked details responders and CTI analysts actually need.

Practical takeaways include:
✔️ Mapped TTPs
✔️ IR checklist
✔️ Actor context & relevancy

invictus-ir.com/news/profiling…

#CTI #CloudSecurity #AWS #DFIR #JavaGhost

Invictus Incident Response (@invictusir) 's Twitter Profile Photo

Alright let's do this, a thread on Laundry Bear aka Void Blizzard. This group compromised the Dutch National Police. Let's dive into things from a cloud IR/forensics perspective 🧵

Curtis (@cybershtuff) 's Twitter Profile Photo

Great writeup from Sekoia! Invictus Incident Response agrees: AiTM drives initial & credential access, fueling BEC 👉invictus-ir.com/news/locked-ou…. 🔎For IR, check Entra ID Sign-In, Identity Protection, & Unified Audit Logs. 🛡️Harden with passkeys & MFA for identity security. #DFIR #cloudsecurity

Curtis (@cybershtuff) 's Twitter Profile Photo

🔍 Detect
Query Entra ID logs for Teams/1.3.00.30866 agent
Spot device-app mismatch & targeted app ID access

🕵️ Investigate
Correlate w/ AWS IPs & spray patterns
Check post-comp activity (e.g. mailbox rules)

🛡️ Respond
Block IPs, revoke tokens, reset creds

#DFIR #ThreatHunting

Dr. Jeffrey Lewis (@armscontrolwonk) 's Twitter Profile Photo

Why am I so unimpressed by these strikes? Israel and the US have failed to target significant elements of Iran's nuclear materials and production infrastructure. RISING LION and MIDNIGHT HAMMER are tactically brilliant, but may turn out to be strategic failures. 🧵 1/17

Invictus Incident Response (@invictusir) 's Twitter Profile Photo

🚨 Volume 3 | Profiling TradeTraitor (DPRK) 🚨 Our latest and greatest blog in our series on Cloud Threat Actors. This one is on the infamous DPRK-nexus crew behind billion-dollar cryptocurrency heists. Check it out: invictus-ir.com/news/profiling… #stayInvictus

Curtis (@cybershtuff) 's Twitter Profile Photo

Pivoting on #UNC6148 infra (low confidence finds): 149.248.76./220 195.85.115./143 -- takesurvey./online, carlads./online 168.100.9./181 -- wg-aff./website The reverse shell IP (64.52.80./80) has some historical indicators of likely being used for EvilProxy phishing.

Invictus Incident Response (@invictusir) 's Twitter Profile Photo

💙 Microsoft Extractor Suite v4 is here

Update-Module -Name Microsoft-Extractor-Suite

Learn more about the new features in the blog, and thanks to everyone who contributed! invictus-ir.com/news/black-hat… #stayInvictus #CloudIncidentResponse