Ronnie Salomonsen
@r0ns3n.dk
Adversary Methods - Research & Discovery (RAD) Team @Mandiant - Now Part of @GoogleCloud. Former DFIR, Malware & Network Analyst. All tweets are my own.
Reposted by Ronnie Salomonsen
Excellent breakdown of the “Rogue RDP” TTP we’ve seen susp Russian APT UNC5837 using in their campaigns written by my colleague Rohit (@IzySec over on X)
Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog
A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.
April 7, 2025 at 3:06 PM
Windows Remote Desktop Protocol: Remote to Rogue
cloud.google.com/blog/topics/...
Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog
A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.
April 7, 2025 at 3:18 PM
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers @googlecloud cloud.google.com/blog/topics/...
Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | Google Cloud Blog
We discovered China-nexus threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers.
March 13, 2025 at 4:14 PM
CVE-2023-6080: A Case Study on Third-Party Installer Abuse @googlecloud cloud.google.com/blog/topics/...
CVE-2023-6080: A Case Study on Third-Party Installer Abuse | Google Cloud Blog
Mandiant exploited flaws in the Microsoft Software Installer repair action of Lakeside Software's SysTrack installer to obtain arbitrary code execution.
February 3, 2025 at 8:29 PM
ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator @googlecloud cloud.google.com/blog/topics/...
ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator | Google Cloud Blog
We've been tracking multiple espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW malware.
January 29, 2025 at 5:44 AM
Reposted by Ronnie Salomonsen
@volatilityfoundation.org New Release: #volatility3 v2.11.0 - visit github.com/volatilityfo... for details and downloads.

#memoryforensics #dfir
January 17, 2025 at 5:50 PM
XRefer: The Gemini-Assisted Binary Navigator @googlecloud cloud.google.com/blog/topics/...
XRefer: The Gemini-Assisted Binary Navigator | Google Cloud Blog
A Gemini-powered tool to reduce response and triage time when faced with increasingly large and complex malware.
December 14, 2024 at 9:15 PM
Reposted by Ronnie Salomonsen
yay this feature is built into bluesky yay
December 2, 2024 at 6:41 AM
Reposted by Ronnie Salomonsen
Nice write-up from Mandiant on some practical use cases for leveraging AI to help red team operations. What are some other use cases y’all are thinking of? cloud.google.com/blog/topics/...
AI Enhancing Your Adversarial Emulation | Google Cloud Blog
Learn how Mandiant Red Team is using Gemini and LLMs for adversarial emulation and defense.
November 17, 2024 at 1:16 AM
Reposted by Ronnie Salomonsen
The bad guys are moving faster.

Mandiant analyzed 138 vulnerabilities. 97 of them were exploited before patches were available.

#cyber

cloud.google.com/blog/topics/...
How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends | Google Cloud Blog
Mandiant analyzed 138 vulnerabilities that were disclosed in 2023 and that we tracked as exploited in the wild.
November 19, 2024 at 2:30 PM
Reposted by Ronnie Salomonsen
Looking for more people to follow on BlueSky? Find the @curatedintel.bsky.social folks here: go.bsky.app/Kfp62Uh
November 18, 2024 at 4:11 PM
Reposted by Ronnie Salomonsen
I made a Detection Engineering starter pack, will be adding more as more folks jump over to bluesky! go.bsky.app/HenXJUR
November 18, 2024 at 3:37 PM
Reposted by Ronnie Salomonsen
#PIVOTcon25 registration is now OPEN 🤟📥📥📥
pivotcon.org
#CTI #ThreatResearch #ThreatIntel
Please read carefully the whole 🧵 for the rules about invite -> registration (1/5)
November 19, 2024 at 2:00 PM
Reposted by Ronnie Salomonsen
#UNC5537 proved to be one of the most consequential threat actors of 2024 when they launched a campaign in April 2024 that systematically compromised misconfigured SaaS instances across over a hundred organizations.

cloud.google.com/blog/topics/...
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion | Google Cloud Blog
A campaign targeting Snowflake customer database instances with the intent of data theft and extortion.
November 18, 2024 at 5:10 PM
Hello World
November 18, 2024 at 6:57 AM