Hexastrike Blog
Automating CrowdStrike Network Containment
In a previous post, we showed how Velociraptor and CrowdStrike can work together to speed up the deep‑dive phase of an investigation. One topic left open was containment. When an EDR flags genuinely high‑risk behaviour, isolating the host is often the safest move, and, if your rules are well tuned, doing it automatically is even better. What follows is how we do it: we tag every endpoint, then let Fusion SOAR decide, in real time, whether a particular machine may be
Ivanti Connect Secure CVE-2025-0282 DslogdRAT Analysis
At the beginning of the year, we investigated a cluster of Ivanti Connect Secure gateways that attackers had breached via CVE-2025-0282. If you missed the story, Mandiant’s write-up laid out a polished, multi-stage operation that combined code redirection, web-shell deployment, and meticulous clean-up. Last week, Florian Roth pointed us to a follow-up from JPCERT/CC that zeroes in on an ELF-based remote-access Trojan, dubbed DslogdRAT (1dd64c00f061425d484dd67b359ad99df533aa430632c55fa7e7617b55dab6a8), which surfaced in several of those same Ivanti intrusions. Because the sample was published, we
COM Hijacking from a Defender's Perspective
To me, getting into COM was not as trivial as I thought. The first time I encountered COM was many years ago, when I had to identify CLSIDs for Escalation of Privileges on Windows systems. In this blog post, we aim to provide some ideas for blue teamers to detect a specific attack targeting COM, known as COM hijacking.
Motivation: Privilege Escalation using Juicy Potato
Consider a privilege escalation example to ground this discussion in a real-world scenario. Suppose you