Was the self-hosted environment running an AV like the CrowdStrike agent? Or was it running a different AV, and that's why you chose to use CrowdStrike as someone different?
I guess there's no need to specify names. I'm just using that as an example.
Perhaps the parent commenter was referring to the section in the report stating that the IOCs indicated the attackers used the known third-party command-and-control system named Sliver. There are multiple public YARA signatures for Sliver.
tptacek|2 years ago
de-moray|2 years ago