SpoolSystem is a CNA script for Cobalt Strike which uses the Print Spooler named pipe impersonation trick to gain SYSTEM privileges.
π£digicat
π@malwr
π£digicat
π@malwr
GitHub
nccfsas/Tools/spoolsystem at main Β· nccgroup/nccfsas
Information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team. - nccgroup/nccfsas
Analysis of EventBot: Android banking Trojan. There is available patched EventBot payload that displays debug logs while being executed on device to helps understand its malicious functionality
π£barakadua131
π@malwr
π£barakadua131
π@malwr
YouTube
Dynamic analysis of patched EventBot allows us read its detailed debug logs while running | Trojan
Malware analysis of Android banking Trojan - EventBot
Its encrypted payload has lots of detailed debug logs for almost every executed functionality, however not activated.
So, I patched encrypted payload. It should help malware analyst to understand howβ¦
Its encrypted payload has lots of detailed debug logs for almost every executed functionality, however not activated.
So, I patched encrypted payload. It should help malware analyst to understand howβ¦
Handheld Computer/Controller
π£0ne-autumn-leaf
THE HACKPAD
π€Savvasun
Terminator 2. ATM scene. My favorite.
π€eltoro3333
Sick
π€cosmicleanie
π@malwr
π£0ne-autumn-leaf
THE HACKPAD
π€Savvasun
Terminator 2. ATM scene. My favorite.
π€eltoro3333
Sick
π€cosmicleanie
π@malwr
New network security scanner tool released by Google!
π£frrossty
So, will all my vulnerabilities and weak creds be available on the Google, nicely indexed, after using it?
π€ptzxc68
I'm surprised a new tool was written in Java. I definitely would have expected Go instead of Java for a new security tool from Google.
π€abluedinosaur
this only checks for four known admin panels and weak creds.
great idea, but it needs ways more plugins to be useful
π€Snoo-92683
π@malwr
π£frrossty
So, will all my vulnerabilities and weak creds be available on the Google, nicely indexed, after using it?
π€ptzxc68
I'm surprised a new tool was written in Java. I definitely would have expected Go instead of Java for a new security tool from Google.
π€abluedinosaur
this only checks for four known admin panels and weak creds.
great idea, but it needs ways more plugins to be useful
π€Snoo-92683
π@malwr
GitHub
GitHub - google/tsunami-security-scanner: Tsunami is a general purpose network security scanner with an extensible plugin systemβ¦
Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence. - google/tsunami-security-scanner
CVE-2020-1300: Remote code execution via Windows CAB files
π£RedmondSecGnome
tldr; windows allows two different directory separators (/ and \\). By using one of them, you could bypass the directory traversal check. By abusing this with CAB files you get an arbitrary file write as system.
π€mdulin2
π@malwr
π£RedmondSecGnome
tldr; windows allows two different directory separators (/ and \\). By using one of them, you could bypass the directory traversal check. By abusing this with CAB files you get an arbitrary file write as system.
π€mdulin2
π@malwr
Zero Day Initiative
Zero Day Initiative β CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Pengsu Cheng and Yazhi Wang of the Trend Micro Research Team detail a recent code execution vulnerability in Microsoft Windows. The bug was originally discovered and reportedβ¦
Best solution for unpacking most of the packed samples in a large dataset of malware statically
I have a large dataset of malware samples that are packed with variety of packers, and i need to unpack as many as possible (I want to build a machine learning model and this is my dataset)
i guess one way of unpacking the packed samples is first detecting the packer with the help of Peid or die with scripting and then call the appropriate unpacker like UPX, Aspack, ... unpackers
but the problem is the list of packers is too large and there are so many different unpackers and such
so what is the best solution to this? if you had a large dataset of malware how would you go about of unpacking the most possible (obviously we can't unpack all of them, but the more the better)
any open source project for this problem or any other solution?
and I also obviously don't care about samples that are packed with a custom packer/crypter since i doubt there is any easy static solution to that.
π£BitDrill
Iβd suggest checking out https://www.unpac.me/
π€jershmagersh
π@malwr
I have a large dataset of malware samples that are packed with variety of packers, and i need to unpack as many as possible (I want to build a machine learning model and this is my dataset)
i guess one way of unpacking the packed samples is first detecting the packer with the help of Peid or die with scripting and then call the appropriate unpacker like UPX, Aspack, ... unpackers
but the problem is the list of packers is too large and there are so many different unpackers and such
so what is the best solution to this? if you had a large dataset of malware how would you go about of unpacking the most possible (obviously we can't unpack all of them, but the more the better)
any open source project for this problem or any other solution?
and I also obviously don't care about samples that are packed with a custom packer/crypter since i doubt there is any easy static solution to that.
π£BitDrill
Iβd suggest checking out https://www.unpac.me/
π€jershmagersh
π@malwr
reddit
Best solution for unpacking most of the packed samples in a large...
I have a large dataset of malware samples that are packed with variety of packers, and i need to unpack as many as possible (I want to build a...
How to actually do memory forensics in the real world?
I get it, you use probably use volatility like most do. But do you have any success with volatility on systems with like 128GB of RAM?
Yes, volatility works great on this 4GB images or training images. But in reality I keep getting issues with Vol, in where it crashes or basically takes forever (6h for an imageinfo without result).
This program is also single-core written and only takes 1 from the 16 available cores (AMD Ryzen 3950x) and hardly stresses the storage (NVME RAID).
So my question basically is, what do you guys use to perform forensics on large (64GB+) memory images.
π£tankton
as far as i have noticed few people use volatility live for it's lack of speed...
i have seen and used redline, kape, or commercial products like xways
π€sai_ismyname
Check out Memtriage by u/gleeda \- https://github.com/gleeda/memtriage
Its great for these types of scenarios as its intended to be run live rather than on images. It gives you most of the plugins you'd likely want to run with volitity as well.
π€toliver38
Does it have to be Live ? I mean you can find traces in other places (Prefetch, Event logs, Reg,...).
You can also use KAPE ( https://github.com/EricZimmerman/KapeFiles ) to do live response and collect artifacts or use a collection of scripts like Winterfell ( https://github.com/yasser-alghamdi/winterfell )
GRR and Velociraptor are pretty good alternatives too ( https://github.com/google/grr & https://github.com/Velocidex/velociraptor )
The truth is i only use VOL for training never used it in production (i am lazy :D )
π€hilo25
π@malwr
I get it, you use probably use volatility like most do. But do you have any success with volatility on systems with like 128GB of RAM?
Yes, volatility works great on this 4GB images or training images. But in reality I keep getting issues with Vol, in where it crashes or basically takes forever (6h for an imageinfo without result).
This program is also single-core written and only takes 1 from the 16 available cores (AMD Ryzen 3950x) and hardly stresses the storage (NVME RAID).
So my question basically is, what do you guys use to perform forensics on large (64GB+) memory images.
π£tankton
as far as i have noticed few people use volatility live for it's lack of speed...
i have seen and used redline, kape, or commercial products like xways
π€sai_ismyname
Check out Memtriage by u/gleeda \- https://github.com/gleeda/memtriage
Its great for these types of scenarios as its intended to be run live rather than on images. It gives you most of the plugins you'd likely want to run with volitity as well.
π€toliver38
Does it have to be Live ? I mean you can find traces in other places (Prefetch, Event logs, Reg,...).
You can also use KAPE ( https://github.com/EricZimmerman/KapeFiles ) to do live response and collect artifacts or use a collection of scripts like Winterfell ( https://github.com/yasser-alghamdi/winterfell )
GRR and Velociraptor are pretty good alternatives too ( https://github.com/google/grr & https://github.com/Velocidex/velociraptor )
The truth is i only use VOL for training never used it in production (i am lazy :D )
π€hilo25
π@malwr
Reddit
r/blueteamsec on Reddit: How to actually do memory forensics in the real world?
Posted by u/tankton - 22 votes and 5 comments
Fuzzing FastCGI With AFL-Fuzz
π£MoneyWaveSal
>FastCGI is written in C/C++.
FastCGI is a protocol. It isn't written in anything but maybe BNF or similar syntax description languages.
π€Taladar
Can someone explain to me why a fuzzer was used instead of manually reverse engineering it? The protocol seems small and simple.
Wouldn't reverse engineering be better for this?
And a fuzzer better for big programs?
π€SombraSec
A bit of a tease at the end with found 31 items and not even mentioning if they were
1. Possible to do remotely - some parameters are not accessible by an attacker
2. We (or looked) exploitable
Looking forward to a follow up article
π€rathaus
π@malwr
π£MoneyWaveSal
>FastCGI is written in C/C++.
FastCGI is a protocol. It isn't written in anything but maybe BNF or similar syntax description languages.
π€Taladar
Can someone explain to me why a fuzzer was used instead of manually reverse engineering it? The protocol seems small and simple.
Wouldn't reverse engineering be better for this?
And a fuzzer better for big programs?
π€SombraSec
A bit of a tease at the end with found 31 items and not even mentioning if they were
1. Possible to do remotely - some parameters are not accessible by an attacker
2. We (or looked) exploitable
Looking forward to a follow up article
π€rathaus
π@malwr
Medium
Fuzzing FastCGI With AFL-Fuzz
This is the very long tale of my adventures in fuzzing FastCGI with AFL-Fuzz. If youβre interested in fuzzing a FastCGI binary, look noβ¦
Generating Advanced hunting queries with PowerShell
https://www.verboon.info/2020/07/generating-advanced-hunting-queries-with-powershell/
π@malwr
https://www.verboon.info/2020/07/generating-advanced-hunting-queries-with-powershell/
π@malwr
Anything about IT
Generating Advanced hunting queries with PowerShell
I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you caβ¦