Malware News
The latest NEWS about malwares, DFIR, hacking, security issues, thoughts and ...

French National Strategic Review published - cyber features heavily
"In terms of hybridity, states are increasingly systematically using cyber as a weapon to defend their strategic interests or in the context of geopolitical tension. In addition to the development of offensive capabilities, sophisticated off-the-shelf, cyber-espionage weapons and tools are gradually being developed by private companies. This cyber-arms race increases the risk of escalation, the stages of which are not equally understood. Finally, cybercrime, a threat that has reached an unprecedented level of sophistication and disinhibition, constitutes a strategic challenge for our national security."

"They have diversified capabilities for deep strikes in the context of first entry, support to a coalition operation, retaliatory actions, or strategic warning. France is able to target and strike (kinetic or cyber) targets of interest."




Document:
http://www.sgdsn.gouv.fr/uploads/2022/11/national-strategic-review-intermediate-version-1.pdf
🗣digicat


🎖@malwr
Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux
🗣0xdea

If I recall correctly, the adversary strategy when meeting this kind of scheme is to continue to beat you until you're dead, even if you gave up all the secrets.
👤018118055

Maybe a stupid question: since a kernel module is needed, can't I just search for that on the target and then never trust the owner saying that only X layers of encryption are there instead of X+1? Which of course can have worse results. Or is it "common sense" that the user has to modify the source and change names/parameters of the module to something else in order to hide it?
👤ge_bil

So I can have a fake hidden volume filled with hentai and furry porn in case somebody uses the 5$ wrench technique, interesting 🤔🤣🤪

For research only, of course…
👤iamfromouttahere


Is using an Android emulator like BlueStacks a forensically viable method of testing app behavior?
For example, if I wanted to confirm where, how, and when an application creates folders in the file system when I send an attachment. And I do my due diligence to match the operating system and version numbers. Could this be used as an explanation in court, or is this a dangerous oversimplification or misunderstanding of BlueStacks' capability?
🗣Expensive_Ad6442

The official Android emulator should behave as it would on a live system, so should be indicative enough of the app's functionality to demonstrate what you need to show.

Depending on the context, it's worth considering that an app could identify that it's in an emulator and change its behaviour accordingly though, so if it's something custom/niche then consider that some analysis of the apk might be required.
👤minimize

I wouldn't use BlueStacks just based on the amount of bloatware and OS-level modifications done to it, but people have certainly used it for that purpose (for better or worse).

I think what you're looking for is the official Android dev tools via Android Studio.

https://developer.android.com/studio/run/emulator
👤CrisisJake

