Helping organizations respond to cyber incidents in the cloud |
🆘 24/7 support https://t.co/zfF62gimvm |
📚 Academy https://t.co/GH0u8tmjXJ
invictus-ir.com ☁️ Joined May 2021
The second part in our Kubernetes Incident Response series is live on Google Kubernetes Engine (GKE).
invictus-ir.com/news/incident-…
🔹 Standard vs. Autopilot Forensics: Why choosing Autopilot means you lose node-level access and how to adjust your IR plan accordingly.
🔹 The Logging Gap: Admin Activity logs are on by default, but Data Access logs (the ones that show secret enumeration and unauthorized execs) are not. If you don't enable them now, that evidence is gone forever.
🔹 Containment without Contamination: How to use NetworkPolicies to quarantine a compromised pod without tipping off the attacker or destroying volatile evidence.
🔹 Querying Cloud Logging: Practical examples of how to hunt for kubectl exec abuse within GCP.
#stayInvictus #CloudIncidentResponse #k8s
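The two points above that matter most in practice, the logging gap and the exec hunt, can be shown on a handful of log lines. The following is an added example, not code from Invictus or from the linked article: it takes GKE audit entries in the JSON shape that gcloud logging read --format=json returns, flags kubectl exec and Secret access, and counts which audit stream each entry came from, because a window with Admin Activity entries but zero Data Access entries means exec and Secret reads were never recorded rather than merely absent. The sample entries are constructed, the Cloud Audit Log field names (protoPayload.methodName, authenticationInfo.principalEmail, requestMetadata.callerIp) are used as I know them and should be checked against a real export, and the Cloud Logging filter string is an assumed equivalent for running the same hunt against a live project.

```python
"""Hunt GKE audit log exports for kubectl exec abuse and Secret reads (added example)."""
from collections import Counter


def audit_entry(stream, ts, method, resource, principal, ip):
    """Build one GKE audit entry shaped like `gcloud logging read --format=json` output.

    Constructed for this example; field names are an assumption to verify against a real export.
    """
    return {
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2F" + stream,
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "k8s.io",
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    }


# Constructed sample window: one Admin Activity entry (always logged) and three
# Data Access entries (only present when Data Access audit logs are enabled).
SAMPLE_ENTRIES = [
    audit_entry("activity", "2025-01-10T02:01:12Z", "io.k8s.core.v1.pods.create",
                "core/v1/namespaces/default/pods/web-7c9",
                "deploy@example-proj.iam.gserviceaccount.com", "10.0.0.5"),
    audit_entry("data_access", "2025-01-10T02:07:45Z", "io.k8s.core.v1.pods.exec.create",
                "core/v1/namespaces/default/pods/web-7c9/exec",
                "alice@example.com", "203.0.113.7"),
    audit_entry("data_access", "2025-01-10T02:09:03Z", "io.k8s.core.v1.secrets.list",
                "core/v1/namespaces/kube-system/secrets",
                "system:serviceaccount:default:web", "10.8.0.12"),
    audit_entry("data_access", "2025-01-10T02:10:00Z", "io.k8s.core.v1.pods.get",
                "core/v1/namespaces/default/pods/web-7c9",
                "alice@example.com", "203.0.113.7"),
]

# Kubernetes API methods that should raise a finding. All of them land in the
# data_access stream, so none of them exist if that stream is switched off.
WATCHED_METHODS = {
    "io.k8s.core.v1.pods.exec.create": "kubectl exec into pod",
    "io.k8s.core.v1.pods.attach.create": "kubectl attach to pod",
    "io.k8s.core.v1.secrets.get": "Secret read",
    "io.k8s.core.v1.secrets.list": "Secret enumeration",
}

# The same hunt as a Cloud Logging filter for a live project (assumed filter):
#   gcloud logging read "$CLOUD_LOGGING_FILTER" --freshness=7d --format=json
CLOUD_LOGGING_FILTER = (
    'resource.type="k8s_cluster" AND protoPayload.serviceName="k8s.io" AND ('
    + " OR ".join('protoPayload.methodName="%s"' % m for m in WATCHED_METHODS)
    + ")"
)


def stream_of(entry):
    """Return 'activity' or 'data_access', taken from the URL-encoded logName suffix."""
    return entry["logName"].rsplit("%2F", 1)[-1]


def hunt(entries):
    """Return one finding per watched Kubernetes API call, oldest first."""
    findings = []
    for entry in sorted(entries, key=lambda e: e["timestamp"]):
        payload = entry.get("protoPayload", {})
        label = WATCHED_METHODS.get(payload.get("methodName"))
        if payload.get("serviceName") != "k8s.io" or label is None:
            continue
        findings.append({
            "time": entry["timestamp"],
            "what": label,
            "method": payload["methodName"],
            "who": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "from": payload.get("requestMetadata", {}).get("callerIp", "<unknown>"),
            "target": payload.get("resourceName", ""),
            "stream": stream_of(entry),
        })
    return findings


def stream_coverage(entries):
    """Count entries per audit stream; activity > 0 with data_access == 0 is the logging gap."""
    return Counter(stream_of(e) for e in entries)


if __name__ == "__main__":
    coverage = stream_coverage(SAMPLE_ENTRIES)
    if coverage["activity"] and not coverage["data_access"]:
        print("WARNING: no Data Access entries; exec and Secret activity is not being logged")
    for finding in hunt(SAMPLE_ENTRIES):
        print("{time} {what}: {who} from {from} -> {target}".format(**finding))
```

Run against a real export, the coverage check is the first thing to look at: if it reports only the activity stream, the exec hunt is guaranteed to come back empty and the absence of findings says nothing about whether an exec happened.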
Most security leaders discover their cloud Incident Response (IR) gaps at 2:00 AM in the middle of an active breach.
The hard reality? Cloud incidents fail differently. The playbooks, containment moves, and muscle memory built for on-premises environments often don't apply when an attacker bypasses the perimeter entirely.
If your team had to contain a cloud breach today, could they confidently answer these three questions?
1. Where does the evidence land? If your logs only live inside the individual compromised accounts, assume they are already suspect or deleted.
2. Who can authorize immediate collection? If your access permissions or approval paths have to be improvised under pressure, your time-to-truth drops to zero.
3. What is your evidence posture? Optimizing for fast business recovery pulls in a completely different direction than preserving data for litigation.
We put together The Cloud IR Readiness Guide to serve as a practical pressure test for your visibility, access, and authority to act in those critical first hours. This isn’t a vendor pitch or a rigid compliance checklist; it’s a list of five critical readiness gaps based on real-world cloud breach responses. Stop guessing where your visibility ends.
Download the full guide here to audit your environment before an incident forces the question:
eu1.hubs.ly/H0vxzkQ0
#CloudSecurity #IncidentResponse #CyberSecurity #CloudIR #InfoSec #InvictusSpirit
Is your organization truly ready for a cloud breach?
Most teams discover their cloud incident response (IR) gaps at 2:00 AM in the middle of a live incident. In the cloud, the "old rules" don't apply; the clock starts when an attacker gets a token, not a shell.
We are excited to share the Cloud IR Readiness Guide, a practical manual designed to help security leaders pressure-test their environments before the crisis hits.
The 5 Gaps That Determine Containment:
1. Log Integrity: It’s not just about having logs; it’s about whether they are immutable and independent enough to reconstruct an attacker’s tracks after they’ve tried to cover them.
2. Identity as the Perimeter: Traditional IP-based containment is dead. You need a full inventory of human and service identities to revoke sessions fast.
3. The Collection Plan: Collection speed is dictated by access. Do you know where your evidence will land and who is authorized to "pull everything" from a tenant?
4. Cloud-Native Tabletops: If your last exercise was a standard ransomware drill, you’re using the wrong muscles. You need to test for OAuth phishing and metadata service abuse.
5. Pre-Staged Partnerships: The worst time to negotiate an MSA or grant admin access to a stranger is during an active breach.
Stop relying on "compliance checklists" and start building actual technical authority to act in the first critical hours. Download the full guide below to see where your organization stands on the readiness scale. eu1.hubs.ly/H0vjnXM0
Get a Professional Perspective. Invictus is offering a Free 15-Minute Technical Readiness Assessment. We will help you understand if your organization is prepared to recover from an incident or where you may be currently vulnerable.
eu1.hubs.ly/H0vjpTB0
#CloudIR #InvictusIR #InfoSec #CyberSecurity #CloudSecurity #IncidentResponse
We’ve received quite a few messages over the past few days about Get-UAL being broken. It turns out Microsoft made an update that impacted the script, but this has now been fixed in our latest release.
Update-Module -Name Microsoft-Extractor-Suite
While we were at it, we also added some additional features and improvements. Check out the release notes for all the details.
github.com/invictus-ir/Mi…
#stayInvictus #CloudIncidentResponse #MicrosoftExtractorSuite
Defeating the Atlas Lion Threat 🦁
Most threat actors want your data. Atlas Lion (Storm-0539) wants your balance sheet, specifically your gift card portals.
We have been tracking the evolution of this Moroccan-based group. They aren't just sending simple phishing links; they are hijacking "trust chains" by:
🔹 Enrolling their own Virtual Machines (VMs) directly into your cloud domain.
🔹 Abusing MFA registration to bypass traditional security perimeters.
🔹 Leveraging legitimate platforms like Akamai and Linode to hide in plain sight.
Our latest research on this cloud threat actor is live:
invictus-ir.com/news/atlas-lio…
#stayInvictus #CloudIncidentResponse #AtlasLion
The SaaS Hardening Checklist:
- Kill "Shadow Consent" – Disable user consent and implement an Admin Consent Workflow. No unvetted app should touch your data.
- Audit Permissions – Understand Delegated vs. Application-level access to ensure the principle of least privilege.
- Restrict App Access – Require explicit user assignment on first-party apps to block attackers from exploiting "trusted" tools.
- Enforce Hygiene – Build application cleanup into your standard off-boarding process.
Read the full breakdown: invictus-ir.com/news/the-silen…
#StayInvictus #SaaS #CloudIncidentResponse #EntraID
Update:
Fingerprinting the HTTP response headers, we identified a unique ETag: W/"16-zUIWjx30dNMOrJoqA1R8JWYnVAw" which is shared between the primary Axios C2 and 23.254.167[.]216; both servers are also hosted on Hostwinds LLC (AS 54290).
This specific IP and ETag fingerprint provide a high-confidence link to the "JustJoin" landing pages. As documented by researchers at Hunt.io, this infrastructure is associated with DPRK-nexus activity. This overlap further supports that the Axios incident is likely linked to a DPRK-nexus 🇰🇵 threat actor.
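The pivot described in this update rests on one observation: two hosts answering with the same ETag. The block below is an added example, not Invictus's tooling, that shows why that is a strong signal and how to apply it across a set of header captures. The W/"16-zUIWjx30dNMOrJoqA1R8JWYnVAw" value quoted in the post has the layout the Node etag package (Express's default) produces, a weak tag of hex body length followed by the first 27 characters of base64(sha1(body)); that attribution is my inference from the shape of the string, not something the post states. The recompute function reproduces that layout so you can confirm a candidate body, and the grouping function clusters hosts that share a tag. The hostnames and the third header set are constructed; only the ETag string comes from the post.

```python
"""Pivot on shared HTTP ETag values across hosts (added example)."""
import base64
import hashlib
from collections import defaultdict


def express_style_etag(body: bytes) -> str:
    """Recompute a weak ETag the way the Node `etag` package does (assumption:
    the observed tag follows this layout). The tag is W/"<len hex>-<27 chars of
    base64(sha1(body))>", so an identical tag on two hosts means they served a
    byte-identical body, which is what makes it a usable infrastructure pivot."""
    digest = base64.b64encode(hashlib.sha1(body).digest()).decode()[:27]
    return 'W/"%x-%s"' % (len(body), digest)


def body_length_from_etag(etag: str):
    """Extract the body length encoded in an Express-style weak ETag, or None."""
    if not etag.startswith('W/"') or "-" not in etag:
        return None
    return int(etag[3:].split("-", 1)[0], 16)


def pivot_by_etag(observations):
    """Group (host, response headers) pairs by ETag, header names matched
    case-insensitively, and return only the tags shared by more than one host."""
    groups = defaultdict(list)
    for host, headers in observations:
        etag = {k.lower(): v for k, v in headers.items()}.get("etag")
        if etag:
            groups[etag].append(host)
    return {etag: hosts for etag, hosts in groups.items() if len(hosts) > 1}


# Constructed header captures. The ETag string on the first two hosts is the one
# quoted in the post; the hostnames and the third capture are made up.
OBSERVED = [
    ("primary-c2.example", {"Content-Type": "text/html", "ETag": 'W/"16-zUIWjx30dNMOrJoqA1R8JWYnVAw"'}),
    ("23.254.167[.]216", {"content-type": "text/html", "etag": 'W/"16-zUIWjx30dNMOrJoqA1R8JWYnVAw"'}),
    ("unrelated.example", {"Content-Type": "text/html", "ETag": '"5d8-5f3e2a1c"'}),
]


if __name__ == "__main__":
    for etag, hosts in pivot_by_etag(OBSERVED).items():
        print("shared ETag %s (body length %s bytes): %s"
              % (etag, body_length_from_etag(etag), ", ".join(hosts)))
```

When you later obtain a body from one of the hosts, running it through express_style_etag and comparing with the captured tag tells you whether that body is the one both servers were handing out, which turns a header match into a content match.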
🚨Axios Attack Infrastructure Update🚨
New C2 pivots reveal a coordinated staging effort. The malicious payload was published by nrwise@proton[.]me, a separate account from the ifstap proton address used in the maintainer hijack.
Analysis shows a newly identified and highly likely C2 callnrwise[.]com on the same infrastructure used in the #Axios attack, sharing clear naming similarities with the attacker's Proton account.
#npm #SupplyChainAttack
🚀 Introducing All-In access for Cloud Labs
Most cloud security training happens in a vacuum. Real-world attacks don't.
We are incredibly excited to announce the launch of our All-in level for Cloud Labs. Here is what makes this scenario unique:
🌐 Cross-Cloud Attacks: You will trace sophisticated threats that pivot across different cloud environments, mimicking the true complexity of modern, multi-layered breaches.
🛠️ Live Environment Access: You get real, hands-on access to investigate active threat scenarios directly within live Google Workspace and Google Cloud environments.
It is time to test your cloud incident response skills for real!
#stayInvictus #CloudIncidentResponse #CloudLabs