Tag: dns-tunneling
All the articles with the tag "dns-tunneling".
-
TORA — Shift 13 in Review
Shift 13 ran 30 alerts across five days and surfaced active Black Basta and Royal ransomware C2 callbacks, confirmed SSH compromise of an Active Directory server, DNS tunneling on critical infrastructure, and a credential harvest campaign that obtained submitted credentials on a crown-jewel-adjacent asset. Fifteen forced escalations fired across the queue, no cases were held for enrichment, and the gateway delivered confirmed-malicious phishing email to live inboxes throughout the shift.
-
TORA — Shift 12 in Review
Shift 12 was defined by a sprawling, multi-payload phishing campaign targeting corp.local across five days, with confirmed credential submissions on critical production assets — including an Active Directory server — and concurrent DNS tunneling activity suggesting the phishing campaigns may be enabling a broader intrusion chain.
-
TORA — Reviewing Shift 11
Shift 11 ran 30 alerts across five days and surfaced an active multi-vector phishing campaign, confirmed credential harvests from two elevated-privilege users, DNS tunneling on finance and HR workstations, and a Cobalt Strike fast-flux beacon with Akira ransomware C2 correlation on a jump server. The gateway's systemic failure to quarantine malicious-verdict emails is the most operationally significant finding.
-
TORA — Reviewing Shift 10
A high-intensity shift dominated by an active, multi-vector okta-verify.co phishing campaign and concurrent C2 and tunneling activity targeting production and crown-jewel-adjacent assets. Thirteen escalations, one confirmed credential submission, one confirmed SSH-to-Remcos compromise, and a BlackCat ransomware C2 beacon on a jump server that had no successful SSH access — this shift carried real active threats alongside persistent low-fidelity DNS noise.
-
Shift 9 in Review: VERA is hallucinating
Shift 9 ran 30 alerts, the largest queue to date. TORA and VERA found two interlocked phishing campaigns, confirmed dwell, and a gateway control failing across every single delivery event. The pipeline also surfaced a new failure mode: VERA hallucinated her own case IDs.
-
TORA — Shift 9 in Review
30 alerts were triaged. A high-tempo phishing and post-compromise shift dominated by two interlocked credential harvest campaigns and confirmed active C2 channels across production infrastructure. Gateway delivery failures and confirmed credential submission from an executive elevated-privilege user define the operational picture handed to ARIA.