Places to find a mentor?
Does anyone have any resources or places to possibly find a mentor for the IR space? I’m an early professional, and started on an IR team a few months ago and am looking for a mentor to guide me on more of the technical aspects of DFIR.
Thanks!
🗣hoolahoop222
If you have a job and it is a big company, they tend to host mentorships.
If you are in college, there tend to be mentorship programs. At least back in the day they used to have FBI and government employees stop by and help with mentoring and shadowing.
It seems, though, with everyone being a university student and graduating but here asking the same question, I don't know if universities do this stuff anymore.
👤MDCDF
?? Don’t you usually find mentors through networking or at your place of employment?
👤ucfmsdf
Take a look at CFCE from IACIS. You will learn a lot and will be assigned a coach to help you.
👤lithium630
🎖@malwr
RtlQueueWorkItemLoadLibrary: Loads a DLL by queuing a work item (RtlQueueWorkItem) with the address of LoadLibraryW and a pointer to the buffer on Windows
🗣digicat
🎖@malwr
GitHub
misc/RtlQueueWorkItemLoadLibrary.c at main · rad9800/misc
miscellaneous scripts and programs. Contribute to rad9800/misc development by creating an account on GitHub.
Using yara rules in a large scale enterprise
I've always wondered how yara rules could be used in a large-scale enterprise to detect malware.
I understand the premise of yara rules and how they work, and understand how individual files can be scanned using a number of yara rules each designed to detect a specific piece of malware, or how an individual yara rule can be run against a large number of files - but I do not understand how this can be used at scale in a large, segmented network.
I've read that Sigma rules can be integrated into Azure Sentinel and threat hunts performed where logs are aggregated there, but does anyone know if similar functionality exists for yara rules? Or whether there are other industry best practices that should be used?
🗣JoeBeOneKenobi
Velociraptor can do yara scans on the hosts en masse. Other tools that let you interrogate endpoints may have this capability as well.
Kansa might, or you could probably build a module that will allow you to do it.
👤jumpinjelly789
I've seen YARA pitched as a detection capability (implying enterprise-wide) but rarely see orgs using it that way. Here are a couple notes/resources I've been compiling around this.
If your org uses an internal sandbox, you could run the YARA rules there for malware classification and maybe provide leads for further hunting.
One way to "use" YARA without actually deploying rules at scale is to take advantage of feeds of IOCs derived from large-scale YARA scanning (e.g. over VT) and use those IOCs for further correlation/detection/blocking in your own org. See for example the long list of hashes here, and this is just for one of many rules: https://valhalla.nextron-systems.com/info/rule/SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22
Then there are a bunch of apparent ways to scale up YARA deployment, but I can't say I've really seen orgs using many/any of these with success (besides maybe the first couple that rely on commercial capabilities). I'm always reminded of pieces like this that highlight the performance issues of YARA deployment at scale.
I recall seeing a few EDRs that can apparently run their own or in some cases user-submitted YARA at scale (Tanium, CB, Cybereason), even SOAR (XSOAR). Sorry, I don't have links handy.
Executing yara with powershell on domain computers
[Loki](https://www.nextron-systems.com/loki/) - Python-based open sourced IOC scanner from the publisher of a large library of yara rules
"YARA as Endpoint" using Go
[YARA-based scanning with osquery](https://osquery.readthedocs.io/en/stable/deployment/yara/)
How to integrate YARA with Wazuh
[Using YARA rules in ClamAV](https://www.clamav.net/documents/using-yara-rules-in-clamav)
A large repository of other tools
👤Trop_Chaud
Stream files extracted from Zeek to something that will process them through YARA, and then put the results in a SIEM
👤toop4
🎖@malwr
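A worked version of the Zeek-to-YARA-to-SIEM pipeline suggested in the last reply, added here as an illustration and not code from any poster or from the Zeek or YARA projects. It assumes the `yara` CLI is on PATH, that Zeek's extract analyzer names files `extract-<ts>-<source>-<fuid>` (the default of the extract-all-files policy), and that `files.log` is the default tab-separated ASCII format with a `#fields` header; the sample YARA output and log row in the test are constructed.

```python
import re
import subprocess
from pathlib import Path

# Assumed default Zeek extract-analyzer naming: extract-<ts>-<source>-<fuid>
EXTRACT_NAME = re.compile(r"extract-(?P<ts>[\d.]+)-(?P<source>\w+)-(?P<fuid>F\w+)$")
# `yara -m -s` prints "rule [meta] path", then one "0x<offset>:$id: <data>" line per string hit
MATCH_LINE = re.compile(r"^(?P<rule>[\w.:]+) (?:\[(?P<meta>[^\]]*)\] )?(?P<path>\S.*)$")
STRING_LINE = re.compile(r"^0x(?P<off>[0-9a-fA-F]+):(?P<sid>\$\w*):")

def index_files_log(lines):
    """Map fuid -> row dict from a Zeek ASCII files.log; column names come from the #fields header."""
    fields, rows = [], {}
    for line in lines:
        if line.startswith("#fields"):
            fields = line.rstrip("\n").split("\t")[1:]
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.rstrip("\n").split("\t")))
            rows[row["fuid"]] = row
    return rows

def parse_yara_output(text):
    """Group `yara -m -s` stdout into one record per (rule, file) with the matched string ids/offsets."""
    matches = []
    for line in text.splitlines():
        s = STRING_LINE.match(line)
        if s and matches:
            matches[-1]["strings"].append({"id": s["sid"], "offset": int(s["off"], 16)})
        elif (m := MATCH_LINE.match(line)):
            matches.append({"rule": m["rule"], "meta": m["meta"] or "", "path": m["path"], "strings": []})
    return matches

def build_event(match, files_index):
    """Join one YARA hit with its Zeek files.log row so the SIEM event carries hosts, MIME type and hash."""
    name = Path(match["path"]).name
    ev = {"rule": match["rule"], "meta": match["meta"], "file": name,
          "string_hits": len(match["strings"])}
    if (ex := EXTRACT_NAME.search(name)):
        ev["fuid"], ev["source"] = ex["fuid"], ex["source"]
        row = files_index.get(ex["fuid"], {})  # missing row: still emit the hit, just unenriched
        keep = ("mime_type", "sha256", "tx_hosts", "rx_hosts", "id.orig_h", "id.resp_h")
        ev.update({k: row[k] for k in keep if k in row})
    return ev

def scan_extracted(extract_dir, rules_path, files_log_path):
    """Run the yara CLI recursively over the extraction directory; each returned dict is json.dumps-ready."""
    proc = subprocess.run(["yara", "-m", "-s", "-r", str(rules_path), str(extract_dir)],
                          capture_output=True, text=True, check=False)
    idx = index_files_log(Path(files_log_path).read_text().splitlines())
    return [build_event(m, idx) for m in parse_yara_output(proc.stdout)]
```

Run `scan_extracted("/var/zeek/extract_files", "rules.yar", "/var/zeek/logs/current/files.log")` from a cron job or a file-watcher and ship each dict as one JSON line; for in-process scanning without the CLI, `yara-python` exposes the same rule/string/meta data.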
From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations
🗣digicat
🎖@malwr
Recordedfuture
From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations | Recorded Future
With Taiwan in focus, Insikt Group® analyzes China’s weishe coercion theory and assesses China’s strategies, preparations, and capabilities in cyber warfare.
The Windows Subsystem for Linux in the Microsoft Store is now generally available on Windows 10 and 11
🗣plawwell
Microsoft might just be the coolest Linux company in 2022.
👤plawwell
I’m staying on the LSL
👤oscarbeebs2010
So what have I been using for the past couple of years?!
👤Drate_Otin
🎖@malwr
Microsoft News
The Windows Subsystem for Linux in the Microsoft Store is now generally available on Windows 10 and 11
Today the Windows Subsystem for Linux (WSL) in the Microsoft Store is dropping its “Preview” label and becomes generally available with our latest release! We are also making the Store version of WSL the default for new users who run wsl --install and easily…
Professional stealers: opportunistic scammers targeting users of Steam, Roblox, and Amazon in 111 countries
🗣digicat
🎖@malwr
Group-IB
Professional stealers: opportunistic scammers targeting users of Steam, Roblox, and Amazon in 111 countries
Group-IB has identified 34 Russian-speaking groups that are distributing info-stealing malware under the stealer-as-a-service model.