body { -ms-overflow-style: scrollbar; overflow-y: scroll; overscroll-behavior-y: none; } .errorContainer { background-color: #FFF; color: #0F1419; max-width: 600px; margin: 0 auto; padding: 10%; font-family: Helvetica, sans-serif; font-size: 16px; } .errorButton { margin: 3em 0; } .errorButton a { background: #1DA1F2; border-radius: 2.5em; color: white; padding: 1em 2em; text-decoration: none; } .errorButton a:hover, .errorButton a:focus { background: rgb(26, 145, 218); } .errorFooter { color: #657786; font-size: 80%; line-height: 1.5; padding: 1em 0; } .errorFooter a, .errorFooter a:visited { color: #657786; text-decoration: none; padding-right: 1em; } .errorFooter a:hover, .errorFooter a:active { text-decoration: underline; } #placeholder, #react-root { display: none !important; } body { background-color: #FFF !important; }

JavaScript is not available.

We’ve detected that JavaScript is disabled in this browser. Please enable JavaScript or switch to a supported browser to continue using twitter.com. You can see a list of supported browsers in our Help Center.

Terms of Service Privacy Policy Cookie Policy Imprint Ads info © 2023 X Corp.

Conversation

1/ Do you monitor newly created services within your environment, and would you notice when a (vulnerable) driver is loaded? The screenshot below (#Velociraptor 🤩) is from a recent #XMRig CoinMiner investigation ⤵️ 🧵 #CyberSecurity

Quote Tweet

#ThreatHunting XMRig CoinMiners

continue to use WinRing0.sys & nssm.exe *legit* binaries for privesc & persistence WinRing0.sys 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 nssm.exe eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

5

37

119

Keep in mind that VBS turns attempts at using the physical memory mapping feature of WinRing0 into an instant BSOD. So instead of shitty bandaid detections, one could just enable that... But I know, that makes too much sense.

9:04 PM · Mar 18, 2023

327

Views

2

Bookmarks