Staff Tactical Response Analyst @HuntressLabs | @SANS_EDU Alumni | Python Security Researcher

Joined May 2023
Pinned Tweet
Mar 16
Thoughts & SecOps/IR workflows for Agentic AI: sudorem.dev/blog/agentic-ai-… This mostly just consolidates a heavy period of "mess around" I've been in with AI into some tangible takeaways and real world systems.
Apr 19
Anyone wanna' talk about how 80.253.249[.]188 has managed to maliciously authenticate to 20 different SonicWall SSLVPN appliances in the last two weeks? Anyone? What about SonicWall intrusions leading the way by almost 90% of active SSLVPN compromises? Bueller?
Rem retweeted
#AIForBlueTeam - Day 27! Today I'm dropping a new tool 🔧 fishbowl is a containerized credential auditing perimeter for AI coding agents. It wraps Codex/Claude Code in Docker and audits credential access via eBPF. Check out the git repo ( link below ) for more information and log samples.
Rem retweeted
Inspired by @Antonlovesdnb #ClaudeForBlueTeam, I wanted to use Claude for something productive & helpful, so I decided to make a web extension that blocks clickfix, replaces clipboard content and alerts the user. joshallman.co.uk/posts/shipp… github.com/xorjosh/ClipShiel…
Apr 4
Sometimes I think we, as a security community, fail to recognize that our research and insight has far-reaching consequences beyond the product we're selling. It's important to acknowledge that one person's novel research could be the difference in some small mom & pop that realistically couldn't buy/afford [your | a] security product; and the security outcomes they may experience in an incident. I'm not saying it's wrong to hold your cards close to your chest-- it's your research. But there's often more on the table than profit or attribution. Gotta' stay in business to keep the research going, but LLMs training on my materials, detections, rules, etc., is a good thing imo-- makes the content more available to everyone.
I’ve deliberately not published blog posts on useful detection ideas and rule-writing methods because I didn’t want LLMs to absorb them. So those ideas stayed private and were shared only with a small group. I doubt I’m the only one making that call. And that probably has consequences for the community over time - not just ours, but any community.
Mar 22
Charlie's coverage of the AquaSec/Trivy breach and related activity has been phenomenal, highly recommend checking it out if you've been living under a rock.
The payload from CanisterWorm/TeamPCP isn't exactly subtle about its intent.
Mar 20
This is cool, did something similar today and pointed Claude at API docs to get a CLI tool bootstrapped. This probably would've saved some time.
I've stopped downloading CLI tools. Agents can call APIs directly. aurl allows agents to understand and use APIs.
> curl for humans → aurl for agents
> API docs as --help flags and SKILL[.]md files
pass in an API spec, agent instantly learns new tools
Mar 13
"You guys look like you do cool security stuff, I wanna' come party too," should be a valid cover letter.
Mar 2
🧑‍💼"Your Outlook has an issue. Let me help you fix it." @HuntressLabs Threat Hunting and Tactical Response teams join forces to open new pages on an old playbook, leading to custom Havoc agent deployment via sophisticated DLL side-loading. huntress.com/blog/fake-tech-…
Mar 2
Adversaries leverage e-mail spam bombing, personal cellphone numbers, fake Outlook patches, and novel DLL side-loading cradles used to evade detections. But that's not all. Microsoft Detours, Hell's Gate, and highly obfuscated functions await us inside this demonic campaign. 👿
Mar 2
Special thanks to @RussianPanda9xx for being my reverse engineering buddy and taking on the daunting task of working through the Havoc Demon capabilities while I lost my mind with the DLL payloads.
Feb 26
BinaryNinja and IDA screenshots side by side in the next blog. I suspect authorship won’t be hard to guess. @RussianPanda9xx 👀
Rem retweeted
Dropping a new tool today: TTPRunner
- One-click Vectr deploy
- Give it a threat report, PDF, or just plain-english instructions and it'll build an execution & simulation plan for you
- Executions are tracked via notes and automatically sync'd with Vectr
Works great with: github.com/Antonlovesdnb/Con…
Check it out! 🔽 github.com/Antonlovesdnb/TTP…
Feb 19
sudorem.dev/blog/esql-topolo… Back at it with another blog, featuring a newly designed website which I'm quite pleased with. This time we're discussing hypothesis driven hunting methodologies and statistical approaches to anomalous authentication detections.
Rem retweeted
A single copy-paste got this cybercriminal on the network. 40 mins later? Both domain controllers were in scope. We break down the full chain—from ClickFix social engineering to hands-on-keyboard activity. Investigated by: @RussianPanda9xx @sudo_Rem okt.to/ves7UN
We don't usually see hands-on-keyboard intrusions from #ClickFix @HuntressLabs BUT... when we do... oh boiii.... it's clickfix -> matanbuchus -> AstarionRAT and a lateral movement for extra flavor Yes, the name is a BG3 reference 🧛 Link: huntress.com/blog/clickfix-m…
Feb 13
🚨Widespread SonicWall SSLVPN Compromise
@HuntressLabs has observed a significant uptick in SonicWall SSLVPN intrusions stemming from DigitalOcean, LLC ASNs. This intrusion activity has resulted in 83 compromised SSLVPN accounts over 3 days, both local and LDAP-backed.
Source IPs
- 192.241.185[.]61
- 159.223.171[.]114
- 138.68.9[.]204
Details
- Many authentications were 'replayed' several hours later on some devices from the same source IP addresses.
- Multiple SonicWall SSLVPNs showed evidence of 10 users compromised from the same source IP address.
- Authentications where multiple user accounts were compromised were performed alphabetically, with intermittent failures.
- Authentications were performed in short "bursts", where multiple user accounts were authenticated in the same 60-second period.
- Authentications rarely failed for users who were compromised-- that is, accounts maliciously accessed did not display characteristics of brute-forcing.
- This may suggest adversaries possess a valid username/password combination list, and are validating credentials automatically.
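Detection logic for the burst, alphabetical-ordering and replay characteristics listed in the post above, as an added example that is not from the post or from Huntress/SonicWall: the auth records are constructed, and the field layout (timestamp, source IP, username, success flag) is an assumption rather than a SonicOS log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed SSLVPN auth records, not real SonicOS log lines:
# (timestamp, source_ip, username, auth_succeeded)
SAMPLE_LOGS = [
    ("2026-02-11T03:10:02", "203.0.113.7", "alice", True),
    ("2026-02-11T03:10:09", "203.0.113.7", "bob", True),
    ("2026-02-11T03:10:15", "203.0.113.7", "carol", False),  # intermittent failure
    ("2026-02-11T03:10:21", "203.0.113.7", "carol", True),
    ("2026-02-11T03:10:30", "203.0.113.7", "dave", True),
    ("2026-02-11T03:10:44", "203.0.113.7", "erin", True),
    ("2026-02-11T09:12:01", "203.0.113.7", "alice", True),  # same IP, hours later
    ("2026-02-11T03:11:05", "198.51.100.9", "mallory", False),  # benign typo + retry
    ("2026-02-11T03:11:35", "198.51.100.9", "mallory", True),
]

def _by_ip(records):
    """Group records by source IP as time-sorted (datetime, user, ok) tuples."""
    groups = defaultdict(list)
    for ts, ip, user, ok in records:
        groups[ip].append((datetime.fromisoformat(ts), user, ok))
    return {ip: sorted(ev) for ip, ev in groups.items()}

def burst_alerts(records, window=timedelta(seconds=60), min_accounts=5):
    """Alert per source IP whose busiest sliding window holds >= min_accounts distinct users."""
    alerts = []
    for ip, events in _by_ip(records).items():
        best, lo = [], 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # shrink window to 60 s
                lo += 1
            if len({u for _, u, _ in events[lo:hi + 1]}) > len({u for _, u, _ in best}):
                best = events[lo:hi + 1]
        users = list(dict.fromkeys(u for _, u, _ in best))  # first-seen order
        if len(users) >= min_accounts:
            alerts.append({"ip": ip, "accounts": len(users),
                           "alphabetical": users == sorted(users),  # a-z list walk
                           "success_ratio": round(sum(ok for *_, ok in best) / len(best), 2)})
    return alerts

def replayed_logins(records, min_gap=timedelta(hours=2)):
    """(ip, user) pairs with two successful logins from one IP at least min_gap apart."""
    hits, last_ok = set(), {}
    for ip, events in _by_ip(records).items():
        for ts, user, ok in events:
            if ok and (ip, user) in last_ok and ts - last_ok[(ip, user)] >= min_gap:
                hits.add((ip, user))
            if ok:
                last_ok[(ip, user)] = ts
    return sorted(hits)
```

A high success ratio combined with a five-account alphabetical burst is what separates this credential-validation pattern from ordinary brute-forcing, which would show mostly failures.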
Feb 13
Some tips for organizations using SonicWall SSLVPNs:
- SonicWall advised an Essential Credential Reset (sonicwall.com/support/knowle…) following the compromise of Cloud Backup services. We recommend heeding this advice and rotating all credentials.
- Ensure SonicWall appliances are operating on the latest SonicOS versions.
- Enable & enforce multi-factor authentication/TOTP maximally across SSLVPN accounts.
- If using LDAP, audit for Default User Group misconfigurations IAW this guide: sonicwall.com/support/knowle…
- Levy features such as account lockout, botnet protection, and password complexity requirements in SonicOS to help deter adversary access.
- And as always, SIEMs make a potent way to aggregate and retain logs to highlight and alert on this type of behavior.