https://dfirtnt.wordpress.com/2020/11/25/detecting-ransomware-precursors/
Detecting Ransomware Precursors
The business model for Ransomware has evolved to include multi-level and multi-stage services and tool kits. Initial access is often accomplished by 1st stage compromise, followed by 2nd stage download/drop of tools like Emotet, Trickbot, and Qakbot. This 2nd stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of maximum impact. At this point the attack often looks like any other infiltration. However, several techniques are often observed just prior to ransomware execution. In this post I'll provide examples of these detectable behaviors which you can use to build SIEM alerts, custom EDR prevention/response rules, and threat hunting logic.
#article #windows #ransomware
https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware
Scanning your iPhone for Pegasus, NSO Group's malware
In collaboration with more than a dozen other news organizations The Guardian recently published an exposé about Pegasus, a toolkit for infecting mobile phones that is sold to governments around the world by NSO Group. It's used to target political leaders and their families, human rights activists, political dissidents, journalists, and so on, and surreptitiously download their messages/photos/location data, record their microphone, and otherwise spy on them.
#tools #exploit #pegasus #ios
https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network
From Stolen Laptop to Inside the Company Network
What can you do with a stolen laptop? Can you get access to our internal network? That was the question a client wanted answered recently. Spoiler alert: Yes, yes you can. This post will walk you through how we took a "stolen" corporate laptop and chained several exploits together to get inside the client's corporate network.
#article #hack #blackbox #hardware #bitlocker #tpm
https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/
Super Duper Secure Mode
The VR team is experimenting with a new feature that challenges some conventional assumptions held by many in the browser community. Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers. Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.
#article #windows #edge #browser #exploit #mitigation #sdsm
https://posts.specterops.io/life-is-pane-persistence-via-preview-handlers-3c0216c5ef9e
Life is Pane: Persistence via Preview Handlers
#article #windows #persistence #redteam
https://malapi.io
MalAPI.io maps Windows APIs to common techniques used by malware.
#tools #cheatsheet #malware
Docs
Windows API index - Win32 apps
A list of the reference content for the Windows API.
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-windows-is-getting-a-massive-overhaul/
Microsoft Defender for Windows is getting a massive overhaul
Microsoft Defender for Windows is getting a massive overhaul allowing home network admins to deploy Android, iOS, and Mac clients to monitor antivirus, phishing, compromised passwords, and identity theft alerts from a single security dashboard.
#news #security #microsoft #defender #av
https://github.com/mvt-project/mvt
Mobile Verification Toolkit
Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
#tools #opensource #forensics #Pegasus #NSOGroup
https://bellis1000.medium.com/a-memory-visualiser-tool-for-ios-security-research-bd8bb8c334c6
A Memory Visualiser Tool for iOS Security Research
In this post I want to share a recent project of mine, a memory visualiser tool for iOS security researchers.
- Live Memory Monitoring
- Visual Block Creation
- Contextual Typing
#ios #memory #security
https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence
Abusing LNK "Features" for Initial Access and Persistence
As per Microsoft, an LNK file is a shortcut or a "link" used by Windows as a reference to an original file, folder, or application. In the eyes of a standard user these files have a meaningful purpose as they allow for file organization and decluttering of working space. From the attacker's point of view however, LNK files look different. They've been misused in numerous documented attacks by Advanced Persistent Threat (APT) groups and from what I know, are still a viable option for phishing.
#windows #persistence #malware #trick
https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html
Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations
Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis.
#research #malware #iot
Did you know that you can mass upgrade a lot of Windows 10/11 3rd party software with a free tool from Microsoft? It's like Linux's "apt" or "yum" ...
https://twitter.com/lkarlslund/status/1479809034836402183
#windows #winget
https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/
500M Avira Antivirus Users Introduced to Cryptomining
What the fuck is going on in this industry?!
#av #news #fun
https://github.com/ScarredMonk/SysmonSimulator#
SysmonSimulator is an Open source Windows event simulation utility created in C language, that can be used to simulate most of the attacks using WINAPIs. This can be used by Blue teams for testing the EDR detections and correlation rules. I have created it to generate attack data for the relevant Sysmon Event IDs.
#tools #opensource #windows #sysmon #attack
https://github.com/lab52io/StopDefender
StopDefender
Stop Windows Defender programmatically by stealing a token from the TrustedInstaller and winlogon processes.
#tools #opensource #windows #antivirus
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
MoonBounce: the dark side of UEFI firmware
At the end of 2021, we were made aware of a UEFI firmware-level compromise through logs from our Firmware Scanner, which has been integrated into Kaspersky products since the beginning of 2019. Further analysis has shown that a single component within the inspected firmware's image was modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain.
#article #attack #firmware #uefi #rootkit #malware
https://render.com/blog/git-organized-a-better-git-flow
Git Organized: A Better Git Flow
Imagine this: you've been paged to investigate a production incident, and after some digging, you identify the commit with the breaking code. You decide to revert the change.
Unfortunately, in doing so, a new bug is introduced! As it turns out, hidden in that old "broken" commit was some code that another part of the app depended upon, and when you reverted those lines, it left the site once again in a broken state.
#article #dev #git
https://www.youtube.com/watch?v=dT9y-KQbqi4
How I hacked a hardware crypto wallet and recovered $2 million
I was contacted to hack a Trezor One hardware wallet and recover $2 million worth of cryptocurrency (in the form of THETA). Knowing that existing research was already out there for this device, it seemed like it would be a slam dunk. Little did I realize the project would turn into a roller coaster ride with over three months of experimentation, failures, successes, and heart-stopping moments. It reminded me that hacking is always unpredictable, exciting, and educational, no matter how long you've been doing it. In this case, the stakes were higher than normal: I only had one chance to get it right.
#video #fun #hack #hardware #crypto