Tools That Hackers Really Use (movie, 33m)
In this video, John Hammond walks through a ransomware incident worked by the security operations center at Huntress, his day job. He starts with the incident report: the Huntress agent on the affected host detected the ransomware and isolated the machine from the rest of the network so the infection could not spread. The host the attacker connected from over RDP, very likely the domain controller, had no agent installed, so there was no visibility or telemetry for that earlier stage of the intrusion; the video uses this as a reminder that an EDR only helps on the hosts where it is actually deployed.
John then analyzes the tooling the attacker left behind on the host: a set of batch scripts meant to destroy recovery options and evidence. They delete volume shadow copies and backup catalogs (vssadmin, wbadmin), disable boot recovery with bcdedit, clear Windows event logs with wevtutil, remove stored credentials via cmdkey and RDP connection history from the registry and from Default.rdp, wipe jump lists and the recycle bin, turn off the Windows firewall, and repeatedly kill backup, database, remote-management and virtualization processes and services. A sponsor segment on Feedly's threat intelligence features covers how an analyst or threat hunter would collect related reporting and indicators on the same ransomware family.
The video also covers the ransomware itself. The command line captured in the incident report shows the encryptor, win.exe, launched from the user's Videos folder with a set of mode and kill switches. Hashing the recovered archives in PowerShell shows that two differently named zips contained the same binary, and a bundle called medical.zip held builds of the encryptor for Windows, Linux (x86, x64, ARM), ESXi and MIPS. A separate tool, ns.exe, turns out to be a network scanner that mounts shared folders as drives. Detonating the encryptor in the ANY.RUN sandbox identifies the family as INC Ransom, drops the ransom note in every folder and replaces the wallpaper with it.
Along the way he points to the forensic artifacts that the cleanup scripts target and that defenders can therefore hunt for: jump lists under AutomaticDestinations, the RunMRU and WordWheelQuery registry keys, Terminal Server Client history, Default.rdp and the $Recycle.Bin folder, plus tools such as Eric Zimmerman's JLECmd and the LOLRMM project for spotting abused remote management software. The takeaway is that even crude, hard-coded batch tooling produces plenty of signal for an EDR, ransomware canaries and host isolation to act on, and that the artifacts and tradecraft shown are worth turning into hunts and detections.
At the time of writing this article, the view count for the video stands at 180951 with 6149 likes, reflecting the strong interest in the subject matter and the valuable insights shared by John Hammond.
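As an added example for this page (not code from the video, from John Hammond or from Huntress), the Python script below does the two pieces of triage the video performs by hand on the recovered tooling directory: it hashes every file so that renamed copies of the same archive are grouped together, and it scans the batch/cmd scripts for the destructive commands summarized above, tagging each hit with the MITRE ATT&CK technique it maps to. The sample scripts and archives embedded in it are constructed for the demo, modelled on the transcript's descriptions of backup.bat, clean.bat, killprocess.cmd, loggycleaner.bat and turnoff.bat; they are not the real files from the case, and the indicator table is a starting point rather than a complete signature set.

```python
"""Static triage of the tooling a ransomware operator left behind.

Added example, not code from the video or from Huntress. It groups dropped
files by SHA-256 (so renamed copies of one archive show up as one item) and
scans batch/cmd scripts for the destructive commands the video walks through.
SAMPLE_FILES is constructed for the demo from the transcript's descriptions.
"""
import hashlib
import re
from collections import Counter, defaultdict

# (ATT&CK technique id, meaning for the analyst, regex matched per line, case-
# insensitively), so `cmd.exe /c ...` wrappers and %%G loop variables still hit.
INDICATORS = [
    ("T1490", "shadow copies deleted (vssadmin)", r"\bvssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1490", "backup catalog deleted (wbadmin)", r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)"),
    ("T1490", "boot recovery disabled (bcdedit)", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("T1070.001", "event log cleared (wevtutil cl)", r"\bwevtutil(\.exe)?\s+cl\b"),
    ("T1070.004", "recycle bin wiped", r"\brd\s+/s\s+/q\s+\S*\$recycle\.bin"),
    ("T1070.004", "Default.rdp / jump-list file deleted", r"\b(del|rd)\b.*(default\.rdp|automaticdestinations)"),
    ("T1112", "RDP connection history removed from registry", r"\breg(\.exe)?\s+delete\b.*terminal server client"),
    ("T1112", "RunMRU / WordWheelQuery history removed", r"\breg(\.exe)?\s+delete\b.*(runmru|wordwheelquery)"),
    ("T1555.004", "Credential Manager entries listed/removed (cmdkey)", r"\bcmdkey(\.exe)?\s+/(list|delete)"),
    ("T1562.004", "host firewall disabled (netsh)", r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off"),
    ("T1489", "service stopped", r"\b(net\s+stop|sc(\.exe)?\s+stop)\s+\S+"),
    ("T1489", "process killed (taskkill)", r"\btaskkill(\.exe)?\b.*(/im|/f)\b"),
]
COMPILED = [(tid, desc, re.compile(rx, re.I)) for tid, desc, rx in INDICATORS]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def group_by_hash(files: dict) -> dict:
    """Map each SHA-256 to the sorted names of every file with that content."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[sha256(data)].append(name)
    return {h: sorted(names) for h, names in groups.items()}


def scan_script(text: str) -> list:
    """(line number, technique id, description) for each destructive command
    found; REM/:: comments and @echo lines are skipped, one line may hit twice."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.lower().startswith(("::", "rem ", "@echo")) or line.lower() == "rem":
            continue
        for tid, desc, rx in COMPILED:
            if rx.search(line):
                hits.append((no, tid, desc))
    return hits


def triage(files: dict) -> dict:
    """Run both checks over a {file name: bytes} view of the tooling directory."""
    dupes = {h: n for h, n in group_by_hash(files).items() if len(n) > 1}
    scripts = {name: scan_script(data.decode("utf-8", "replace"))
               for name, data in files.items()
               if name.lower().endswith((".bat", ".cmd"))}
    return {"duplicates": dupes, "scripts": scripts}


def technique_counts(report: dict) -> dict:
    """How often each ATT&CK technique shows up across all scripts."""
    counts = Counter()
    for hits in report["scripts"].values():
        counts.update(tid for _, tid, _ in hits)
    return dict(counts)


# Constructed sample drop, modelled on the transcript; not the real files.
SAMPLE_FILES = {
    "backup.bat": ("@echo off\r\n"
                   "vssadmin.exe delete shadows /all /quiet\r\n"
                   "wbadmin delete catalog -quiet\r\n").encode(),
    "clean.bat": ("@echo off\r\n"
                  'cmdkey /list > "%USERPROFILE%\\A1SDF.txt"\r\n'
                  'findstr "Target" "%USERPROFILE%\\A1SDF.txt" > "%USERPROFILE%\\F1DSA.txt"\r\n'
                  'for /f "tokens=2" %%G in (%USERPROFILE%\\F1DSA.txt) do cmdkey /delete:%%G\r\n'
                  'reg delete "HKCU\\Software\\Microsoft\\Terminal Server Client\\Default" /va /f\r\n'
                  'del /f /q "%USERPROFILE%\\Documents\\Default.rdp"\r\n').encode(),
    "killprocess.cmd": ("rem stop backups and the database, then drop the firewall\r\n"
                        "net stop SQLWriter /y\r\n"
                        "cmd.exe /c bcdedit /set {default} recoveryenabled No\r\n"
                        "netsh advfirewall set currentprofile state off\r\n"
                        "taskkill /f /im sqlservr.exe\r\n").encode(),
    "loggycleaner.bat": ("@echo off\r\n"
                         'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" /va /f\r\n'
                         'del /f /q "%APPDATA%\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*.automaticDestinations-ms"\r\n'
                         "for /f \"tokens=*\" %%G in ('wevtutil.exe el') do wevtutil.exe cl \"%%G\"\r\n").encode(),
    "turnoff.bat": "rd /s /q C:\\$Recycle.bin\r\nrd /s /q D:\\$Recycle.bin\r\n".encode(),
    # Three archives; the first two are byte-identical under different names.
    "win.exe.zip": b"PK\x03\x04" + b"\x00" * 12,
    "windows.zip": b"PK\x03\x04" + b"\x00" * 12,
    "ns.exe.zip": b"PK\x03\x04" + b"\x01" * 12,
}

if __name__ == "__main__":
    report = triage(SAMPLE_FILES)
    for h, names in report["duplicates"].items():
        print(f"identical content {h[:16]}...: {', '.join(names)}")
    for name, hits in report["scripts"].items():
        for no, tid, desc in hits:
            print(f"{name}:{no}: {tid} {desc}")
    print(technique_counts(report))
```

Running the file prints the duplicate-archive group, every hit with its script name and line number, and a per-technique count that makes the script's purpose obvious at a glance (three separate T1490 hits is a ransomware precursor, not an admin cleanup). To use it on a real drop, replace SAMPLE_FILES with a dict built from the files in the tooling directory. Matching is per line, so a command spread over several lines with cmd's `^` continuation character would need to be joined first, and the same regexes can be carried over into YARA or a SIEM query once they have been checked against the actual scripts.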
Timeline summary
- Introduction to hackers attempting to compromise a network with ransomware.
- The speaker sets the scene for sharing a specific ransomware case.
- Description of the incident involving a compromised host isolated by Huntress.
- Details about the critical severity of the incident and recommended solutions.
- Observations about a compromised user and timeline of the incident.
- Discussion of the importance of having security solutions installed.
- Concerns about a threat actor being active on the domain controller.
- The threat actor's deployment of ransomware is highlighted.
- Details about the evidence and tools used by the threat actor are shared.
- Introduction to the tooling directory and examination of batch scripts.
- Discussion of specific batch scripts that could aid ransomware attacks.
- Introduction to Feedly as a threat intelligence tool.
- Return to examining the threat actor's tooling.
- Discussion of the 'backup.bat' file and its malicious intent.
- Examination of 'clean.bat' and its role in cleaning credentials.
- Actions taken by the threat actor to disable firewalls and enhance their attack.
- Description of 'turnoff.bat' and its function in clearing the recycle bin.
- Transition to analyzing ransomware binaries and their hash comparisons.
- Investigation of 'medical.zip' containing various ransomware binaries.
- Overview of the ransom note left by the ransomware, detailing the threats to victims.
- Concluding thoughts on indicators of compromise related to ransomware.
- Closing remarks and acknowledgment to sponsors of the video.
Transcription
Some hackers were trying to compromise an entire network by deploying ransomware. Now, I know that's a pretty general statement; in today's day and age that's common and happening all the time, but let me tell you a story and give you some background context. I'll be working out of my Windows 11 virtual machine, and I've got a folder on my desktop called Investigation. And I want to tell you about a recent case that we got to work, as part of our security operations center, at my day job, Huntress. Let me show you the incident report here. Now, this is a case of ransomware, so it's pretty clear: hey, the Huntress agent has been tasked to isolate this host, take that computer away from other computers on the network. It's been quarantined and isolated, so the incident wouldn't spread to other devices. Now, of course, I redacted a lot here: the host name, organization, security products. I don't think there were any others to be listed, but this is, of course, a critical severity incident. There's the usual boilerplate summary here as to, hey, really, a factory reset and complete wipe of the host is kind of ideal, but of course, assisted remediation will clean up all the bad bits that we're aware of. So check it out. Huntress detected the following on this host. Evidence suggests that a user, redacted, has been compromised. Huntress observed the following timeline. At a redacted timestamp, the user, redacted, remotely authenticated to the host from a separate IP address, redacted. Local area network IP address, think 192.168.whatever. That includes the connecting host name. Of course, I've redacted that as well, but we did not have an agent installed on that host. And to clarify, the security solution is not running on the other host that connected to this host. And let me please say this from a place of love, but with a security solution, an EDR, especially Huntress, there's really no wrong way to use it. It's the closest you can get to set and forget.
The only wrong way to use it is to not install it. I'm sure folks are familiar with this, hey, whether it's not on servers or workstations or whatever, but seriously, hey, get that everywhere. That's the gist though. A machine that we did not have visibility and telemetry from RDPed in, or remote controlled; you can see "remotely authenticated," and that clues me in to the Remote Desktop Protocol, with an account that, I'll let you know some backend detail here, was an admin user. The local IP address with the connecting host name where it came from, well, the host name clued us in, and that was very likely their domain controller. So that sounds like bad news bears, right? Oh, an unknown threat actor active on the domain controller already owns the whole infrastructure, but we didn't have the visibility because it wasn't installed. Anyway, once this threat actor and hacker has authenticated to this machine, the threat actor unfortunately deployed ransomware. You can see the command line here: they're dropping and running this win.exe with a couple of arguments, given the mode, medium, ens, lhd, sup, kill, okay? But take a look at that path here. I've of course redacted the username, but it's in the Videos folder, just in their user profile, not particularly stealthy. I guess then again, how often do you look into your Videos folder? Whatever. Of course, obviously this generates a signal, we get to triage, ransomware will trigger our canaries, and that'll spin off that critical alert and isolate the host. So we try to contain this the very best that you can here. But that is not all that I wanted to chat about for this video, because you might've noticed in the same folder for our investigation, I've got another directory called tooling. And this is pretty cool. We were actually able to grab a couple of the file artifacts left over from the threat actor, from the hacker themselves. We got to see some of their tools. So in this video, I would like to take a look.
Let's see what we could dig into for a couple of these simple batch scripts, and then the ransomware. I'll get back into my text editor, Sublime Text, and I actually want to open up that folder. Now we can see everything inside of tooling, and we can click into the stuff that looks a little bit interesting for us. The first couple being backup.bat, clean.bat, closeapps.bat, killprocess, et cetera. But let me clue you in on something though, because this was a ransomware incident. And I could tell you, maybe jumping ahead in our story here, but this was the Inc ransomware, or I-N-C. Once we got to do enough investigation, analysis, and triage, we could uncover that. But while you're working through that process as either a threat hunter or CTI, like cyber threat intelligence, analyst, you might be doing your homework, trying to go find other indicators of compromise, other attack techniques, things that were used throughout the attack. If you're digging into a case like this, it would be worthwhile to try and track down other research, other write-ups, other articles, other information that folks know of, or that they've seen from other cases, and in-the-wild potential activity from I-N-C ransomware, Inc ransomware, or anything else. So before we dive into taking a look at the threat actor's tooling, let me show you something cool along the lines of threat intelligence, CTI, and threat hunting work. Let me tell you about the sponsor of today's video, Feedly. Let me show you the Feedly Threat Intelligence Ask AI feature set. With Ask AI, you can instantly pull insights from any article or batch of reports, whether it's quick summaries, translations, or advanced threat analysis, like threat hunting hypotheses and adversary tracking. There's a library of built-in actions ready to go, or you can custom prompt exactly what you need. Instead of sifting through massive reports, Ask AI extracts the tactical and actionable intelligence for you.
Network traffic, EDR telemetry, vulnerabilities, you name it. Take this intel collected through Feedly on a threat actor. There's a lot here, and you've got no time to read it. If you're a threat hunter, Ask AI instantly generates a table of attack procedures and threat hunt hypotheses. You get only actionable procedures and technical details. Or if you're a CTI analyst, use Ask AI to build a detailed attack flow diagram and visualize the attack as it progresses. Why not just use ChatGPT? Well, because Feedly Threat Intelligence gives you control over the sources that you want to analyze and ensures that every fact is clickable right back to the original report for easy verification. On top of that, Feedly AI's deeper understanding of threat actors, tactics, techniques, and procedures, malware families, and indicators of compromise minimizes inaccuracies that can occur in general large language models. It's your AI assistant for the world's news in cybersecurity and threat intelligence. You can generate reports, tailor outputs, build diagrams for timelines, flow charts, and more with Ask AI. Check out Feedly's Ask AI feature and try it for free with my link below in the video description, jh.live/feedly-ai. Huge thanks to Feedly for sponsoring this video. All right, now let's finally take a look at some of this threat actor tooling. These are the files that were left behind in that Videos directory with the ransomware executable, but there were a lot of these other batch scripts. Now, this is the part of the video where I have to add the usual disclaimer. Hey, malware, don't do it. Cybercrime is bad. Don't be bad, be good, et cetera. You know the drill. So the first one we got here is backup.bat. Now, this is not backing up anything. In fact, it's deleting all of the volume shadow copies that may be saved on your machine.
If you aren't familiar, Windows does this thing where it will actually take a copy and clone of your file system, hence a volume shadow copy. These are oftentimes used to revert back to a known good state if anything were to go wrong on your computer, but in the case of ransomware, it's very common to delete these. Get rid of them so there's no chance of recovering data, and you're forced to pay the ransom. vssadmin.exe is of course the built-in, natural tool to be able to handle these, and they quietly delete all of them. wbadmin is another executable and built-in that will do similar work. We can actually go take a look. We should fire up our own terminal to be able to explore and see what some of these commands do. I'll full screen this and take a look. wbadmin, it is the Windows Backup command line tool. Just another backup capability that Windows offers, but they're covering their tracks, trying to delete everything so there's no way to recover. Perhaps that's why it's called backup.bat: not making backups, but deleting them. Next we have clean.bat, ooh, which is actually kind of interesting. So there's a lot here, but it's using cmdkey.exe. If you aren't familiar, Windows does keep track of some of the credentials, like cached passwords and things that it uses on your computer. These are usually for Windows-specific things like Windows accounts or online accounts that they use. And you can use /list to dump all the information about them. Not what they are, quite, but at least the ones that it has stored. It throws this, or redirects it with the greater-than symbol arrow, to put it into the variable %USERPROFILE%, so C:\Users\<your username>\, with a random-looking name, A1SDF.txt. Then they actually look for, using findstr, so basically grep if you're coming from the Linux world, the word "Target," and then, using that as their baseline, they'll then put that in F1DSA. Very cool. I like the original names here.
Look, let me turn word wrap on so we could actually see this a little bit better. Then we have a for loop that just loops through it to actually get, okay, the entry and then delete them. Nice. The do loop here, the percent sign, percent sign G (%%G) as the iterator variable, is now going to take all those entries and then remove them. Nice. If you don't believe me, we can go take a look at our terminal. Let me use cmdkey. And you'll see that is the Credential Manager here on Windows, but /list just lists the ones that it has. I can run this on my machine just to see what it looks like using /list. It dumps the currently stored credentials, in which case, you know, my Windows online account. So that includes my email. Redact that. Then it deletes those files that it used just to be able to grep through them with findstr. Okay. And then it makes some changes to the Windows registry using the built-in reg command, but not reg add to add anything or manipulate and modify the registry, but just delete things. They do use reg add just a little bit down below, but the keys here are especially pertinent because it's trying to remove evidence or any cached information from the Terminal Services, which you might know, or Terminal Server Client; that's RDP. That's the Remote Desktop Protocol. The client on Windows is typically that mstsc.exe executable. We could run that mstsc.exe. It's Remote Desktop. It's RDP. Nothing fancy, nothing special there, but if you had anything here, as if it were caching, saving, or remembering any past connections, well, they're ripping that out of the registry and deleting it. Same thing with the server line here, making sure there's no history to look back on. Even then, a little bit more interesting, they do the very same with the Default.rdp, the file-system-based artifact that may be left behind as previous evidence of using RDP.
They do this twice, interestingly, in the \Documents folder and the \MyDocuments with no space, which I don't think you usually see, but maybe I'm just not right. Then they do something kind of neat. They hop over to the AutomaticDestinations folder on Windows, and they delete one of the .automaticDestinations-ms files, which, if you aren't familiar, are Windows jump lists. A Windows jump list is a system-provided menu that appears when the user right-clicks a program in the taskbar or on the Start menu. So the artifacts, some of the forensic detail left behind, are really the things that have been accessed recently, just documents, files, programs that, hey, it spun up and started. For some of the forensic analysis there, I really recommend you take a look at Eric Zimmerman's tools. He does have JLECmd, I think. Yeah, okay. Automatic and Custom Destinations Jump List Parser. Very cool, quick and easy command line tool, as with all the other awesome stuff that Eric Zimmerman puts out. All of his tools you can find online on his website or on GitHub. That is definitely something to have in your arsenal if you're doing some of the security operations center analyst work, CTI, whatever the case may be. Hey, make sure you can pull down all the stuff that he's got, between Amcache, activities, all these things. Hopefully that's a good resource for you there, but let's get back to our threat actor tooling. We're moving on to closeapps.bat. Ha, ha, ha. And this is awesome. The very first line is actually setting a label in batch. So the colon really just says, hey, this is a part of the script, of the document, the text, the code that you're writing here, with a given name tag. So we could actually jump back to it at any point given this label. That's oftentimes why batch and a lot of shell scripting languages get a bad rap, because it's oftentimes spaghetti code in that you just sort of jump back and forth if you ever use goto or labels like this.
This is awesome. Look at it, it's just trying to kill absolutely everything here. Veeam Backup and Replication. Of course, SQL Browser, if you have, like, any Microsoft SQL database, structured query language, there. It's even trying to kill Slack, Dropbox, OneDrive, and then things related to Microsoft Exchange. REM is for remark. And I know that's oftentimes one that could be used for comments in batch. You could also use two colons. And there's some idiosyncrasies there, REM being for remarks specifically, but I'm rambling, sorry. Look at this, it's just over and over again, taskkill, trying to beat up, nuke, and get rid of any other software programs that might be running. Looks like all the comments here, but it's very funny because we saw that loop at the very start. Looks like it'll do this every 30 seconds, because there's a timeout to wait, sleep for 30 seconds, goto the loop. Actually, after it just displays and echoes "loop." So actively, all the time, every 30 seconds, trying to kill all those processes that it just doesn't want running. That does leave me curious though. How does this compare to killprocess.cmd? Oh, okay, a lot more of the same. Should we even turn word wrap on at this point? I mean, I feel like you can see this. Stopping services in this case, SQLWriter, SQLBrowser, MSSQLSERVER, and their actual service names. Not strictly a service display name, but the name that it's used to register as a service with the service manager. Looks like it tries to even make changes to the boot config, right? bcdedit, making changes to the boot status policy and even setting recoveryenabled to No. Ooh, that's grim. We see wbadmin in the mix again. We see a couple more service stops and even shutting off the firewall. Nice. You can see that, setting the current profile, whatever's active, to just off, so the firewall's no longer gonna be running. State off, mode being disabled.
It's interesting to me that they do this, like, all in batches or little couples where they'll run the very same command with cmd.exe, with cmd.exe and then /c again to denote an actual command to run, and then they run that command. So just some more processes to make this even louder and even easier to detect, I guess. Definitely gonna be generating a lot of signals there for a detection team to cue off of, and logdelete.bat, wow, makes this stick out like a sore thumb, if it hadn't already: wevtutil el to take a look at the Windows event logs and then cl to clear them. Let me show you that. Obviously this is much better dealt with in PowerShell if you're actually, like, a system administrator or someone trying to handle a lot of the Windows event logs, but the old school OG actual, you know, core utility here, wevtutil, w-e-v-t-u-t-i-l, forgive me, is the event command line utility running on old school cmd.exe. All reliable, old but gold, but of course the threat actor tooling is cleaning up their fingerprints and trying to remove everything from the Windows event log. Next we have loggycleaner.bat, ooh, with a cool comment here. Oh, I like that little hacker's calling card, super leet, created by Luciferium, Luciferium? How do you wanna say that? I can, like, feel the teenage angst with that leet hacker name. This includes the @echo off boilerplate so you won't actually see the commands as they're executed. Did we see that in the others? I feel like they just went right to it. Yeah, no. Okay, there is an @echo off here. I should have explained that when we saw it the first time. Man, I'm an awful educator. Anyway, let me zoom out a smidge, but honestly this looks like more of the same. They're doing everything that the other files already did but now just in a different place. Oh, there is a new one here. They beat up RunMRU. So that is the registry key that will kind of contain a lot of, again, the history or cache information from the Run dialog box.
Whenever you press the Windows key and R on your keyboard at the same time, it pops open this, but then you could take a look through all of the old commands that were run previously. Oh, there's a lot of sketchy stuff in mine. They have another one here, WordWheelQuery. I believe that is actually, like, what you type into the Start menu. As you open it up, anything that you're kind of searching for within here, that is a record also in the Windows registry. Next, more damage done to the RDP cache. Again, jump lists, even flushing DNS with ipconfig, nice. Clearing out the temporary directory. We haven't seen that yet before. And Temporary Internet Files from Internet Explorer, or just other cached info from web browsers. You can see Chrome in here just as well. And then down in the bottom, more event log clearing. All right, basically stuff we've already seen. medical.zip is where we can get into some of the fireworks, but please let me hold that for a little bit longer, along with ns.exe, because I think we can clear through these .bat scripts, because apparently they're pretty easy and they're all the same, just about, before we dig into the executables themselves. Ooh, I like this, turnoff.bat, actually trying to clear the recycle bin. Was this also Luciferium's doing? I appreciate, like, the debug strings and output here, but take a look. They are using rd to remove a directory, silently, but look, they enumerate all of the drive letters, whether it's your C drive, like C:\, or D or E or F or J or all of the letters of the alphabet, to try to make sure no matter where your file system is actually mounted, the recycle bin, which is a folder, by the way, legitimate, real, actual, like over on the desktop, our old recycle bin fellow friend is this very same. We can test that out. If you don't believe me, let me create just a quick new pleasesub.txt file and then let me delete it.
And you can see it's populated in the recycle bin, which, as you can tell, usually in Explorer, it's just called Recycle Bin. What is Explorer doing right now? Anyway, right, in Explorer, it'll show you just Recycle Bin as the clean separated words, title case with a space in between, but C:\$Recycle.bin. You can even see in the auto-complete, it's kind of suggesting for a SID, or my unique ID for a given user. And the $R oftentimes contains, like, the remnants left over from that file. There's also a $I, if you get into, like, recycle bin forensics, but that's a whole other can of worms. It's compartmentalized by the SID, right? So if I go back to the S-whatever cache, I can supply the SID there and then you'll see there's our pleasesub.txt. Sorry, I spent way too long talking about the trash can on your computer and the Windows recycle bin. Anyway, start service off is actually trying to stop ScreenConnect. Ooh, other remote control capabilities, right? Apache 2, enterprise stuff, TD service, Undelete, LogMeIn. A lot of these remote monitoring and management or remote control pieces of software. Another sweet resource for you as we are scrolling through just the laundry list of services that it tries to stop. Wow, look, another resource for you, LOLRMM.io online, or LOLRMM. It's the living-off-the-land sort of curated list of remote monitoring and management solutions that could be used and abused by threat actors, like in ransomware or any others. There's a big long list here and this is a pretty cool archive collection. Good to note and something maybe to reference here and there. Anyway, what other services will we stop? I don't know, we could play a certain amount of bingo here, if you've got any votes for what else it could try to kill. Now with another taskkill section, again, the same commands, but look at everything. They all just have it hard-coded.
And another, okay, Windows event log clearing, delete shadow copies. Why are they doing this? How long is this file? There's a lot of this here. The fact that it's hard-coded though, obviously again, easy to detect. YARA could be a good savior there. All right, I could keep scrolling forever, but I don't think that's the most entertaining thing. So we're going to try to speed run the rest of this, but look, they do this over and over and over again for, what is this, 1,500 lines? Okay, 1,100 lines. And then we got vmkill.bat, which does more of the same again. This time probably specific to virtual machines, VMware, VirtualBox solutions, anything like that. But finally, now let's get to our executables, the zip archives that I have been postponing to the end here. What do we got to dig into? win.exe is probably the most fun and enticing thing, because we know that is the ransomware binary. That is the encryptor. So let's get back to our command line. And I actually want to show you a couple of things about these. Let me get to that Investigation folder on the desktop and the tooling directory that we had here. If I actually take a look at the file hash for all of these, I'm going to use Get-FileHash in PowerShell with the star asterisk to glob for everything. Look, it dumps, well, the hash, but I also want to know the file. So what I will do to clean that up is actually use the same command, but pipe it to fl *. I like to use that, quick and easy, pull out everything. That is just the alias for Format-List. And that should at least expose all of the properties and show them to me nice and easy. So on a line here, I can tell what's what. The reason that I dragged us down this rabbit hole is that the SHA-256 hash for our win.exe.zip is the very same as the hash for windows.zip. Now it goes without saying in my mind that the windows.zip and the win.exe.zip, while they are password protected because they are malware, default password "infected," usually.
Thank you, vx-underground. I'm glad we have spread that gospel. Let's extract the other one just as well. Obviously, if I run this command again, Get-FileHash, and now we're looking at the executables that were inside these two zip archives that had the same hash, obviously they are going to have the exact same hash. Actually, both zip archives had the file name saved as the hash of that binary, which corresponds to why they kind of clobber themselves. There's only one here because it's the exact same value that matches the SHA-256 hash of that. All that is to say this file, whether it was called windows.exe or win.exe, as we saw it in the incident report, that is the ransomware. Let's save those fireworks for the end, but I want to also take a look at our ns.exe.zip and our medical.zip. Let's start with medical, because I've been alluding to that one for a little bit. If we extract that out into its own folder, really interesting, it actually has files that are the compiled ransomware binaries for different operating systems and architectures, right? You can see Windows there on his lonesome, but there's also Linux x86, Linux x64, Linux ARM or RISC-V, just crazy. They even have the Linux compiled binary for ESXi and MIPS. Obviously this medical.zip is just the collection of all of their toolchains, like all of the ransomware binary possible compile architectures and solutions there. But that means this whole package of their toolchain was pulled down onto the victim computer, left there as a remnant, an artifact in this case. But look, with this being, like, unprotected, there is no password set on the zip archive. This is probably another thing you could signature or fingerprint if you really wanted to. Now let's not forget about our ns.exe. Let me extract that one here. That did have a password, prepped for our tasking work. This file, given that SHA-256 hash, is the real ns.exe binary. And we could go take a look at what that is. We'll keep it simple.
I just want to look this up in VirusTotal. And actually, since we have that hash, we'll just copy-paste that real quick and give that to VirusTotal. If for whatever reason you weren't familiar, VirusTotal is that awesome website and online resource where you can kind of test a file, have it scanned against multiple antivirus solutions, and see how it goes. Looks like 51 out of 72 antivirus engines are saying this is bad news bears. There be dragons, a popular threat label of hacktool, nettool, crisis. But while that gives us a quick check, and that's doing some static analysis, it would be worthwhile to do dynamic analysis and actually run this in a sandbox and see what it looks like. I'm gonna press the easy button. I like doing this in ANY.RUN's cloud sandbox because it's an immediate, quick, temporary, and throwaway virtual machine. Let's upload the file, drop this in my desktop, Windows 11, get a little bit more time. Private analysis is good by me. All right, this is spinning up, but the benefit of the sandbox is that it is interactive. So we can honestly just click into it and have this extracted to our desktop. We'll type in the password "infected." So we get to actually put this all together. Let's rename this executable. So that is the ns.exe. And if I double-click on this to run it, oh, ASCII art. Oh goodness, this is a little bit hard to read. Here we go, that should be easier to see. "Scan all network by mask and mount shared folders as drives." Okay, cutesy tooling, appreciate your time. Appreciate your time. Network scanning can mount, include check for unmounted local volumes. 98 was added for standalone usage. What? I just do the thing? Not 11, one. And then it's trying to look for stuff. So it's a network scanner, right? Hence the name, NS. I think that's fair to say. And also looking for shares, drives, and other things. Okay, well, ns.exe is neat. I know we are probably most interested in the actual ransomware file itself.
So let's go ahead and try to run that as it would execute on the target computer. So we'll invoke it with the same command line arguments, flags, and switches we saw in the report. Let me extract this super quick. We can say "infected." And now let's try to open the command prompt at this directory once we change this to win.exe. So let me grab that destination and then try to open up a Start menu terminal here. The font is very hard for me to read just as well, but we've got that executable ready. Let's try to grab the syntax to detonate it. Looking back in Sublime Text, they ran this with the arguments dash mode medium, dash dash ens, lhd, sup, and kill. Now let's try to run our win.exe and then we'll paste in that. Send it. Now I'll hit enter and fire up ransomware. Oh, it's PowerShell. It needs the dot forward slash (./) at the start. Okay, there we go. Ransomware. Oh, it even displays the count number of arguments, dash mode, medium, ens, and all that. So it looks like ANY.RUN is tracking it. I'm gonna move my face here because I think, yep, okay, you can see the little tag identifier. It is noted as INC, or Inc. Of course, malicious, with a ransom note being found, encryption capability, YARA rules firing, all the things here that clearly make this bad. Now it says it did track down a ransom note. So we could see that, okay, in basically any folder. Now let's go see, can we get to our root of the file system and check to see? Now it might be pretty tough to read, but I do see the readme.txt and we can open that in Notepad and see our ransom note. "Inc ransom, your data is stolen and encrypted. If you don't pay the ransom, your data will be published on our Tor darknet site." Let's pull this out so it's easy to read. Do they change the wallpaper? Oh yeah, they do. Let me stop ANY.RUN here so we can see the video and actually get probably a clearer picture of what that background really looked like. Pretty brutal, right?
Oh, it's the full ransom, like the note that they leave behind just on your background. So the ransom note says, Inc Ransom, your data is stolen and encrypted. If you don't pay the ransom, it will be published on our Tor Darknet site. The sooner you pay the ransom, the sooner your company will be safe. They include the onion URLs. And that's surprising to me, they even have a clear net domain, incapt.su. Ah, and then I get the usual braggadocio. Hey, what guarantees we won't fool you? You know, it's a business, blah, blah, blah. They're on Twitter. Oh, okay, hashtag. Threw me for a loop there. I didn't know Inc Ransomware had an x.com account, the everything app. They have a different domain for chat than they do their blog and their leak site. But all the warnings, hey, don't make any changes. Don't go to the police, ask the FBI for help. Typical, you know, just like intimidation, scare tactic. Look, I'm not gonna comment on whether or not you should or shouldn't pay a ransom. Obviously it's totally your lifeblood, your business, your company, but it's just emboldening threat actors if you give them money. They're spooky scary though here. For those who have cyber insurance against ransomware attacks, insurance companies require you to keep your insurance information secret. In most cases, the cyber criminals will find your quotes, like your deal, your actual relationship. So you'll know what like the deductibles are and how much that will still do damage to you despite insurance. Not saying that to be doom and gloom, just nature of the beast. So this is the Inc Ransom onion leak site. And obviously it's just listing the victims there. So I will do my darndest to redact that just if out of polite courtesy, but it's as real as it gets, you know, right? I believe Inc Ransom has been going since 2023. So they've got quite a queue here. I've never actually seen their like Tor chat. Oh, I mean, that's what you'd expect, but different domain.
Can I give it my unique ID? Can I chat with someone? Already registered. Oh, probably from ANY.RUN, you know, standard machine ID. Could I guess the password? That would be really funny. Is it fancy pass? Can I reset my fake ransomware? Oh, okay. Falling down the rabbit hole here. Anyway, that's the gist. I wanted to show you these files. I want to show you these code, these scripts, the syntax, even if it is boring, stupid, dumb Windows batch commands. But look, in some cases it could still work. But I think any EDR worth its salt is probably going to be lighting that up like a Christmas tree. Of course, you can see plenty to signal off of and ransomware canaries and host isolation. All these things kind of help put it together to lean on defense against ransomware. And I hope there were a couple neato forensic artifacts alluded to in there. If you hadn't seen them before, things like the Windows jump list, the WordWheelQuery registry key, a lot of things that you could still kind of pick up on. And all of these indicators of compromise artifacts, whether it's MITRE ATT&CK techniques, or overall tradecraft, cool things you could be hunting down if you are a cyber threat intel analyst or security operations center, fellow folks, individual or threat hunter doing all that great work. And if you are, please do go take a look at Feedly Threat Intelligence. Link in the video description. Do want to make sure we give some love to the partners of the channel. Thanks so much for watching. Hope you enjoyed this video. I'll see you in the next one.
