CAPA - FireEye
π£deadbroccoli
>CAPA detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
π€deadbroccoli
π@malwr
π£deadbroccoli
>CAPA detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
π€deadbroccoli
π@malwr
GitHub
GitHub - mandiant/capa: The FLARE team's open-source tool to identify capabilities in executable files.
The FLARE team's open-source tool to identify capabilities in executable files. - mandiant/capa
Eset discovered a new operation within a long-running cyber-espionage campaign in the Middle East. Targeting Android users via the malicious Welcome Chat app, the op appears to have links to the malware named BadPatch, which MITRE links to the Gaza Hackers threat actor group known also as MoleRats
π£digicat
π@malwr
π£digicat
π@malwr
WeLiveSecurity
Welcome Chat as a secure messaging app? Nothing could be further from the truth
ESET research uncovers a malicious operation that spies on Android users via Welcome Chat, an app posing as a secure chat service available in Google Play.
serpentine - Windows RAT (Remote Administration Tool) with a multiplatform RESTful C2 server
π£jafarlihi
It's great that the client is in C++, but the Java server is a deal breaker.
π€PhisherPrice
I always knew RAT as βRemote Access Trojanβ
π€Wiamly
π@malwr
π£jafarlihi
It's great that the client is in C++, but the Java server is a deal breaker.
π€PhisherPrice
I always knew RAT as βRemote Access Trojanβ
π€Wiamly
π@malwr
Mobile phone data extraction by police forces in England and Wales: Investigation report - Information Commissioner's Office | This will be required reading for anyone applying for DF jobs in UK LEAs in the next few months. Almost guaranteed to be mentioned in interviews.
π£LordUlthar
Thanks for sharing! It's very informative.
π€happyredditgifts
π@malwr
π£LordUlthar
Thanks for sharing! It's very informative.
π€happyredditgifts
π@malwr
Masking Malicious Memory Artifacts Part II: Insights from Moneta
π£digicat
Part 1β£: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
π@malwr
π£digicat
Part 1β£: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
π@malwr
ForrestOrr
Masking Malicious Memory Artifacts β Part II: Blending in with False Positives
IntroductionWith fileless malware becoming a ubiquitous feature of most modern Red Teams, knowledge in the domain of memory stealth and detection is becoming an increasingly valuable skill to add to both an attacker and defenderβs arsenal. Iβve written thisβ¦
Booting to 'Hello Rust' on x86_64
π£micouy
Author here. It's my first post and I'd really appreciate your feedback. If you have any questions, you can comment here, DM me or send me an email. Thanks for reading :)
π€micouy
π@malwr
π£micouy
Author here. It's my first post and I'd really appreciate your feedback. If you have any questions, you can comment here, DM me or send me an email. Thanks for reading :)
π€micouy
π@malwr
Labtainers - Navy Postgraduate School - Center for Cybersecurity and Cyber Operations | Free Cybersecurity exercises & manuals covering a wide variety of topics. The Networking & Network Traffic Analysis portions should be of particular interest to forensicators.
π£LordUlthar
π@malwr
π£LordUlthar
π@malwr
nps.edu
Labtainers - Center for Cybersecurity and Cyber Operations - Naval Postgraduate School
Cybersecurity labs for Linux
GLORYHook - The first Linux hooking framework to allow merging two binary files into one
π£partyfaker
π@malwr
π£partyfaker
π@malwr
GitHub
GitHub - tsarpaul/GLORYHook: The first Linux hooking framework to allow merging two binary files into one!
The first Linux hooking framework to allow merging two binary files into one! - tsarpaul/GLORYHook
Git'ing Users for OSINT: Analysis of All GitHub Users - SANS@MIC Talk | A great case study of leveraging APIs for OSINT
π£LordUlthar
π@malwr
π£LordUlthar
π@malwr
YouTube
Git'ing Users for OSINT: Analysis of All GitHub Users | SANS@MIC Talk
Within the world of OSINT, many people solely focus on what data they can retrieve from a web browser. Others, like me, know the power and potential of using Application Programming Interfaces (APIs) to harvest huge amounts of data from platforms and incredibleβ¦
DARPA - Operationally Transparent Cyber (OpTC) Data Release - multi-day dataset that includes endpoint activity (including benign activity generation) from ~500 endpoints as well as Zeekurity data from the enterprise egress point.
π£digicat
π@malwr
π£digicat
π@malwr
GitHub
GitHub - FiveDirections/OpTC-data
Contribute to FiveDirections/OpTC-data development by creating an account on GitHub.
KAPE - A Beginner's Guide
π£deltawing
Best viewed not on mobile due to size of visual aids.
π€deltawing
π@malwr
π£deltawing
Best viewed not on mobile due to size of visual aids.
π€deltawing
π@malwr
AboutDFIR - The Definitive Compendium Project
KAPE - AboutDFIR - The Definitive Compendium Project
A detailed guide on how to use KAPE geared towards first-timers and visual learners.
Rom Hacking tool for Gameboy Advance game + detailed manual about how it was developed + talks
π£bmacabeus
Awesome stuff, man.
π€Streiw
π@malwr
π£bmacabeus
Awesome stuff, man.
π€Streiw
π@malwr
GitHub
GitHub - macabeus/klo-gba.js: π§’ Reverse engineering tool for the Klonoa's GBA game
π§’ Reverse engineering tool for the Klonoa's GBA game - macabeus/klo-gba.js
Bypassing Symantec Endpoint Protection for Fun & Profit!
π£input0
This is fun, but missing some details.
1. Version of Symantec Endpoint Protection tested is not listed. SEP14.3 came out a couple weeks ago and adds new capabilities including AMSI (finally).
1. Test was conducted on Windows 2012R2. Yes, Windows 2012R2 is still widespread in production and under support, however Windows 10/2016 have enhancements that make dumping credentials much more difficult (LSAS virtualization in Virtualization Bases Security).
Without this information, this blog really is "I walked through an intentionally vulnerable pen testing lab scenario", vs. "here is a demonstration that you should do something and actionable guidance on what you should do". (IE, you should upgrade your fleet to 2016/10, etc).
π€R-EDDIT
π@malwr
π£input0
This is fun, but missing some details.
1. Version of Symantec Endpoint Protection tested is not listed. SEP14.3 came out a couple weeks ago and adds new capabilities including AMSI (finally).
1. Test was conducted on Windows 2012R2. Yes, Windows 2012R2 is still widespread in production and under support, however Windows 10/2016 have enhancements that make dumping credentials much more difficult (LSAS virtualization in Virtualization Bases Security).
Without this information, this blog really is "I walked through an intentionally vulnerable pen testing lab scenario", vs. "here is a demonstration that you should do something and actionable guidance on what you should do". (IE, you should upgrade your fleet to 2016/10, etc).
π€R-EDDIT
π@malwr