Hexastrike Blog
Ivanti Connect Secure CVE-2025-0282 DslogdRAT Analysis
At the beginning of the year, we investigated a cluster of Ivanti Connect Secure gateways that attackers had breached via CVE-2025-0282. If you missed the story, Mandiant’s write-up laid out a polished, multi-stage operation that combined code redirection, web-shell deployment, and meticulous clean-up. Last week, Florian Roth pointed us to a follow-up from JPCERT/CC that zeroes in on an ELF-based remote-access Trojan, dubbed DslogdRAT (1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8), which surfaced in several of those same Ivanti intrusions. Because the sample was published, we
COM Hijacking from a Defender's Perspective
To me, getting into COM was not as trivial as I thought. The first time I encountered COM was many years ago, when I had to identify CLSIDs for Escalation of Privileges on Windows systems. In this blog post, we aim to provide some ideas for blue teamers to detect a specific attack targeting COM, known as COM hijacking. Motivation: Privilege Escalation using Juicy Potato Consider a privilege escalation example to ground this discussion in a real-world scenario. Suppose you
Combining the Raptors – Incident Response using Velociraptor and CrowdStrike Falcon
Although CrowdStrike is a powerful EDR, incidents still happen, even when using thorough prevention policies. In this post, we will use CrowdStrike Falcon in combination with Velociraptor to streamline our incident response processes. If you want to learn more about Velociraptor, check out their docs or one of our previous blog posts, in which we describe how to set up Velociraptor in Azure. Key Learnings in this Post In this blog post, we will showcase: Requirements You’ll need access to