SANS Stormcast Friday, May 30th 2025: Alternate Data Streams; Connectwise Breach; Google Calendar C2; Alternate Data Streams: Adversary Defense Evasion and Detection Good Primer of alternate data streams and how they are abused, as well as how to detect and defend against ADS abuse. https://isc.sans.edu/diary/Alternate%20Data%20Streams%20%3F%20Adversary%20Defense%20Evasion%20and%20Detection%20%5BGuest%20Diary%5D/31990 Connectwise Breach Affects ScreenConnect Customers Connectwise’s ScreenConnect solution was compromised, leading to attacks against a small number of customers. This is yet another example of how attackers are taking advantage of remote access solutions. https://www.connectwise.com/company/trust/advisories Mark Your Calendar: APT41 Innovative Tactics Google detected attacks leveraging Google’s calendar solution as a command and control channel. https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender Defending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The resource disparity between small ICS defenders and sophisticated attackers poses a significant security challenge. https://www.sans.edu/cyber-research/webs-deception-using-sans-ics-kill-chain-flip-advantage-defender/ keywords: deceptoin; ics; apt41; google; calendar; connectwise; screenconnect; ads; alternate data streams;