Masking Malicious Memory Artifacts Part II: Insights from Moneta
๐ฃdigicat
Part 1โฃ: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
๐@malwr
๐ฃdigicat
Part 1โฃ: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
๐@malwr
ForrestOrr
Masking Malicious Memory Artifacts โ Part II: Blending in with False Positives
IntroductionWith fileless malware becoming a ubiquitous feature of most modern Red Teams, knowledge in the domain of memory stealth and detection is becoming an increasingly valuable skill to add to both an attacker and defenderโs arsenal. Iโve written thisโฆ
Booting to 'Hello Rust' on x86_64
๐ฃmicouy
Author here. It's my first post and I'd really appreciate your feedback. If you have any questions, you can comment here, DM me or send me an email. Thanks for reading :)
๐คmicouy
๐@malwr
๐ฃmicouy
Author here. It's my first post and I'd really appreciate your feedback. If you have any questions, you can comment here, DM me or send me an email. Thanks for reading :)
๐คmicouy
๐@malwr
Labtainers - Navy Postgraduate School - Center for Cybersecurity and Cyber Operations | Free Cybersecurity exercises & manuals covering a wide variety of topics. The Networking & Network Traffic Analysis portions should be of particular interest to forensicators.
๐ฃLordUlthar
๐@malwr
๐ฃLordUlthar
๐@malwr
nps.edu
Labtainers - Center for Cybersecurity and Cyber Operations - Naval Postgraduate School
Cybersecurity labs for Linux
GLORYHook - The first Linux hooking framework to allow merging two binary files into one
๐ฃpartyfaker
๐@malwr
๐ฃpartyfaker
๐@malwr
GitHub
GitHub - tsarpaul/GLORYHook: The first Linux hooking framework to allow merging two binary files into one!
The first Linux hooking framework to allow merging two binary files into one! - tsarpaul/GLORYHook
Git'ing Users for OSINT: Analysis of All GitHub Users - SANS@MIC Talk | A great case study of leveraging APIs for OSINT
๐ฃLordUlthar
๐@malwr
๐ฃLordUlthar
๐@malwr
YouTube
Git'ing Users for OSINT: Analysis of All GitHub Users | SANS@MIC Talk
Within the world of OSINT, many people solely focus on what data they can retrieve from a web browser. Others, like me, know the power and potential of using Application Programming Interfaces (APIs) to harvest huge amounts of data from platforms and incredibleโฆ
DARPA - Operationally Transparent Cyber (OpTC) Data Release - multi-day dataset that includes endpoint activity (including benign activity generation) from ~500 endpoints as well as Zeekurity data from the enterprise egress point.
๐ฃdigicat
๐@malwr
๐ฃdigicat
๐@malwr
GitHub
GitHub - FiveDirections/OpTC-data
Contribute to FiveDirections/OpTC-data development by creating an account on GitHub.
KAPE - A Beginner's Guide
๐ฃdeltawing
Best viewed not on mobile due to size of visual aids.
๐คdeltawing
๐@malwr
๐ฃdeltawing
Best viewed not on mobile due to size of visual aids.
๐คdeltawing
๐@malwr
AboutDFIR - The Definitive Compendium Project
KAPE - AboutDFIR - The Definitive Compendium Project
A detailed guide on how to use KAPE geared towards first-timers and visual learners.
Rom Hacking tool for Gameboy Advance game + detailed manual about how it was developed + talks
๐ฃbmacabeus
Awesome stuff, man.
๐คStreiw
๐@malwr
๐ฃbmacabeus
Awesome stuff, man.
๐คStreiw
๐@malwr
GitHub
GitHub - macabeus/klo-gba.js: ๐งข Reverse engineering tool for the Klonoa's GBA game
๐งข Reverse engineering tool for the Klonoa's GBA game - macabeus/klo-gba.js
Bypassing Symantec Endpoint Protection for Fun & Profit!
๐ฃinput0
This is fun, but missing some details.
1. Version of Symantec Endpoint Protection tested is not listed. SEP14.3 came out a couple weeks ago and adds new capabilities including AMSI (finally).
1. Test was conducted on Windows 2012R2. Yes, Windows 2012R2 is still widespread in production and under support, however Windows 10/2016 have enhancements that make dumping credentials much more difficult (LSAS virtualization in Virtualization Bases Security).
Without this information, this blog really is "I walked through an intentionally vulnerable pen testing lab scenario", vs. "here is a demonstration that you should do something and actionable guidance on what you should do". (IE, you should upgrade your fleet to 2016/10, etc).
๐คR-EDDIT
๐@malwr
๐ฃinput0
This is fun, but missing some details.
1. Version of Symantec Endpoint Protection tested is not listed. SEP14.3 came out a couple weeks ago and adds new capabilities including AMSI (finally).
1. Test was conducted on Windows 2012R2. Yes, Windows 2012R2 is still widespread in production and under support, however Windows 10/2016 have enhancements that make dumping credentials much more difficult (LSAS virtualization in Virtualization Bases Security).
Without this information, this blog really is "I walked through an intentionally vulnerable pen testing lab scenario", vs. "here is a demonstration that you should do something and actionable guidance on what you should do". (IE, you should upgrade your fleet to 2016/10, etc).
๐คR-EDDIT
๐@malwr
Was a USB drive inserted into my Windows computer? - Boncaldoโs Forensics Blog
๐ฃLordUlthar
๐@malwr
๐ฃLordUlthar
๐@malwr
Boncaldo's Forensics Blog
DFS# 03: Was a USB drive inserted into my Windows computer?
Can you tell if a USB storage drive was plugged into a specific computer? Data exfiltration โand introductionโ through USB storage devices can be a plausible concern in an overabundanceโฆ
checkra1n, USB Restrictions and Breaking Into Locked iPhones - Elcomsoft Blog
๐ฃLordUlthar
๐@malwr
๐ฃLordUlthar
๐@malwr
ElcomSoft blog
checkra1n, USB Restrictions and Breaking Into Locked iPhones
The checkra1n jailbreak is fantastic. Not only does it work with the latest versions of iOS the other jailbreaks aren't even available for, but it also allows performing partial data extraction from disabled and locked iPhones even if the passcode is notโฆ