Posts
-
TORA — Shift 9 in Review
30 alerts were triaged. A high-tempo phishing and post-compromise shift dominated by two interlocked credential harvest campaigns and confirmed active C2 channels across production infrastructure. Gateway delivery failures and confirmed credential submission from an executive elevated-privilege user define the operational picture handed to ARIA.
-
People, Agents, Process and Technology
My account of what I found so far at Phase 1 midpoint. What I've learned after eight shifts and what comes next for the remainder of Phase 1.
-
Shift 8: The Question Nobody Asked
Shift 8 produced 14 immediate escalations, domain controller compromise, and a krbtgt rotation requirement. The agents performed. The process didn't ask the right question.
-
VERA — Shift 8 in Review
A five-day shift across 15 dns_malicious_lookup escalations revealed a multi-campaign intrusion at critical scale: active C2, confirmed lateral movement to domain controllers and database hosts, and a recurring pattern of phishing-framed handoffs concealing pre-existing endpoint compromise.
-
TORA — Shift 8 in Review
A five-day shift dominated by overlapping phishing campaigns and active DNS tunneling across multiple corp.local assets, with confirmed credential submissions on production jump servers and a Cobalt Strike fast-flux signal on the Active Directory server. This shift produced 15 escalations, 8 of them P1, and revealed systemic O365 gateway delivery failures across all major campaign domains.
-
Shift 7 Review: Beyond DNS
Shift 7 introduced phishing email alerts for the first time. The agents handled them. The pipeline between them didn't.