An offensive guide to the Authorization Code grant - Comprehensive and digestible enumeration of security concerns in the OAuth 2.0 Authorization Code flow
π£digicat
π@malwr
π£digicat
π@malwr
NCC Group Research Blog
An offensive guide to the Authorization Code grant
OAuth is the widely used standard for access delegation, enabling many of the βSign in with Xβ buttons and βConnect your Calendarβ features of modern Internet software. OAutβ¦
Microsoft launches free Memory Forensics and Rootkit Detection service for Linux systems
π£dreamygeek
Perhaps read the official blog post before you all get your pitch forks out over the free service thats intended to make hard to find, in memory malware incredibly expensive to keep using for attackers without risk of exposure.
"Project Freta was designed and built with survivor bias at its core."
God forbid microsoft and their academic researchers do a good thing here and get any credit.
Yeesh π
https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/
π€jdwashere
Soooo... Volatility in the cloud?
π€YXZs
mmm... a rootkit that detects rootkits
π€skyl4nk
π@malwr
π£dreamygeek
Perhaps read the official blog post before you all get your pitch forks out over the free service thats intended to make hard to find, in memory malware incredibly expensive to keep using for attackers without risk of exposure.
"Project Freta was designed and built with survivor bias at its core."
God forbid microsoft and their academic researchers do a good thing here and get any credit.
Yeesh π
https://www.microsoft.com/en-us/research/blog/toward-trusted-sensing-for-the-cloud-introducing-project-freta/
π€jdwashere
Soooo... Volatility in the cloud?
π€YXZs
mmm... a rootkit that detects rootkits
π€skyl4nk
π@malwr
HelpMeGeek
Microsoft has launched a Free Memory Forensics and Rootkit Detection Service for Linux - HelpMeGeek
Microsoft has just launched a Free online service Project Freta aimed to discover forensic evidence on Linux systems. With this service you will be able to dig up hard-to-find rootkits and malware. The project is named after the Birthplace of Marie Curieβ¦
AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
π£DllEntryPoint
π@malwr
π£DllEntryPoint
π@malwr
Unit 42
AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
A new advanced malware, dubbed AcidBox, was discovered being used by an unknown threat actor against Russian organizations in 2017.
ThiefQuest Ransomware detects VM (possibly)
Set up a Mac VM on VMWare, tried running the ThiefQuest Ransomware. On the Activity Monitor, I Force Quit vmware-tools-daemon, hoping it won't detect it as a VM. But I guess I'm wrong. It's either the samples I've gotten are wrong, or the malware detects a VM.
https://preview.redd.it/qjsk2yyu0h951.png?width=1910&format=png&auto=webp&s=e5d5186bee11b35fdc5eaa1d7c06d577c4a3da32
π£LMJR500Army
It can still detect that it's in a VM even without the vmware-tools-daemon running. Common methods in this VMware kb article.
There are plenty of other anti-forensic methods for detecting a VM as well. Sometimes you need to be as tricky as the creators to get the malware to actually run when you are trying to examine it.
π€TheDarthSnarf
π@malwr
Set up a Mac VM on VMWare, tried running the ThiefQuest Ransomware. On the Activity Monitor, I Force Quit vmware-tools-daemon, hoping it won't detect it as a VM. But I guess I'm wrong. It's either the samples I've gotten are wrong, or the malware detects a VM.
https://preview.redd.it/qjsk2yyu0h951.png?width=1910&format=png&auto=webp&s=e5d5186bee11b35fdc5eaa1d7c06d577c4a3da32
π£LMJR500Army
It can still detect that it's in a VM even without the vmware-tools-daemon running. Common methods in this VMware kb article.
There are plenty of other anti-forensic methods for detecting a VM as well. Sometimes you need to be as tricky as the creators to get the malware to actually run when you are trying to examine it.
π€TheDarthSnarf
π@malwr
Digital forensics specialist's bookshelf: Top 11 books on digital forensics, incident response, and malware analysis
https://www.group-ib.com/blog/bookshelf
https://preview.redd.it/2bjsvygjyg951.png?width=1023&format=png&auto=webp&s=02c1aac3787d8620c8d8d0709c0c641bc035f27f
π£Igor_Mikhaylov
Is rootkits and bootkits an updated sequel to practical malware analysis or a specialized deep dive?
π€QuietForensics
I would add Applied Incident Response
https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268
π€sidi7
I donβt think #2 is with 508 anymore
π€bigt252002
π@malwr
https://www.group-ib.com/blog/bookshelf
https://preview.redd.it/2bjsvygjyg951.png?width=1023&format=png&auto=webp&s=02c1aac3787d8620c8d8d0709c0c641bc035f27f
π£Igor_Mikhaylov
Is rootkits and bootkits an updated sequel to practical malware analysis or a specialized deep dive?
π€QuietForensics
I would add Applied Incident Response
https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268
π€sidi7
I donβt think #2 is with 508 anymore
π€bigt252002
π@malwr
SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.
π£digicat
π@malwr
π£digicat
π@malwr
GitHub
nccfsas/Tools/spoolsystem at main Β· nccgroup/nccfsas
Information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team. - nccgroup/nccfsas
Analysis of EventBot: Android banking Trojan. There is available patched EventBot payload that displays debug logs while being executed on device to helps understand its malicious functionality
π£barakadua131
π@malwr
π£barakadua131
π@malwr
YouTube
Dynamic analysis of patched EventBot allows us read its detailed debug logs while running | Trojan
Malware analysis of Android banking Trojan - EventBot
Its encrypted payload has lots of detailed debug logs for almost every executed functionality, however not activated.
So, I patched encrypted payload. It should help malware analyst to understand howβ¦
Its encrypted payload has lots of detailed debug logs for almost every executed functionality, however not activated.
So, I patched encrypted payload. It should help malware analyst to understand howβ¦
Handheld Computer/Controller
π£0ne-autumn-leaf
THE HACKPAD
π€Savvasun
Terminator 2. ATM scene. My favorite.
π€eltoro3333
Sick
π€cosmicleanie
π@malwr
π£0ne-autumn-leaf
THE HACKPAD
π€Savvasun
Terminator 2. ATM scene. My favorite.
π€eltoro3333
Sick
π€cosmicleanie
π@malwr
New network security scanner tool released by Google!
π£frrossty
So, will all my vulnerabilities and weak creds be available on the Google, nicely indexed, after using it?
π€ptzxc68
I'm surprised a new tool was written in Java. I definitely would have expected Go instead of Java for a new security tool from Google.
π€abluedinosaur
this only checks for four known admin panels and weak creds.
great idea, but it needs ways more plugins to be useful
π€Snoo-92683
π@malwr
π£frrossty
So, will all my vulnerabilities and weak creds be available on the Google, nicely indexed, after using it?
π€ptzxc68
I'm surprised a new tool was written in Java. I definitely would have expected Go instead of Java for a new security tool from Google.
π€abluedinosaur
this only checks for four known admin panels and weak creds.
great idea, but it needs ways more plugins to be useful
π€Snoo-92683
π@malwr
GitHub
GitHub - google/tsunami-security-scanner: Tsunami is a general purpose network security scanner with an extensible plugin systemβ¦
Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence. - google/tsunami-security-scanner
CVE-2020-1300: Remote code execution via Windows CAB files
π£RedmondSecGnome
tldr; windows allows two different directory separators (/ and \\). By using one of them, you could bypass the directory traversal check. By abusing this with CAB files you get an arbitrary file write as system.
π€mdulin2
π@malwr
π£RedmondSecGnome
tldr; windows allows two different directory separators (/ and \\). By using one of them, you could bypass the directory traversal check. By abusing this with CAB files you get an arbitrary file write as system.
π€mdulin2
π@malwr
Zero Day Initiative
Zero Day Initiative β CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in Microsoft Windows. The bug was originally discovered and reportedβ¦
Best solution for unpacking most of the packed samples in a large dataset of malware statically
I have a large dataset of malware samples that are packed with variety of packers, and i need to unpack as many as possible (I want to build a machine learning model and this is my dataset)
i guess one way of unpacking the packed samples is first detecting the packer with the help of Peid or die with scripting and then call the appropriate unpacker like UPX, Aspack, ... unpackers
but the problem is the list of packers is too large and there are so many different unpackers and such
so what is the best solution to this? if you had a large dataset of malware how would you go about of unpacking the most possible (obviously we can't unpack all of them, but the more the better)
any open source project for this problem or any other solution?
and I also obviously don't care about samples that are packed with a custom packer/crypter since i doubt there is any easy static solution to that.
π£BitDrill
Iβd suggest checking out https://www.unpac.me/
π€jershmagersh
π@malwr
I have a large dataset of malware samples that are packed with variety of packers, and i need to unpack as many as possible (I want to build a machine learning model and this is my dataset)
i guess one way of unpacking the packed samples is first detecting the packer with the help of Peid or die with scripting and then call the appropriate unpacker like UPX, Aspack, ... unpackers
but the problem is the list of packers is too large and there are so many different unpackers and such
so what is the best solution to this? if you had a large dataset of malware how would you go about of unpacking the most possible (obviously we can't unpack all of them, but the more the better)
any open source project for this problem or any other solution?
and I also obviously don't care about samples that are packed with a custom packer/crypter since i doubt there is any easy static solution to that.
π£BitDrill
Iβd suggest checking out https://www.unpac.me/
π€jershmagersh
π@malwr
reddit
Best solution for unpacking most of the packed samples in a large...
I have a large dataset of malware samples that are packed with variety of packers, and i need to unpack as many as possible (I want to build a...