LIEF v0.13.0 is out:
https://lief-project.github.io/blog/2023-04-09-lief-0-13-0/
Source: LIEF_project (via @malwr)
Elevating your user-mode debugger into a Protected Process level, by Clément Labro (@itm4n):
https://itm4n.github.io/debugging-protected-processes/
Source: SEKTOR7net (via @malwr)
itm4n's blog
Debugging Protected Processes
Whenever I need to debug a protected process, I usually disable the protection in the Kernel so that I can attach a User-mode debugger. This has always served me well until it sort of backfired.
Happy Friday everyone! Want a ProcMon for macOS? Ever wish you had your own Endpoint Security client you could task? Want to peer behind the macOS EDR curtain? Have a go and let us know what you think!
https://github.com/redcanaryco/mac-monitor
Source: PartyD0lphin (via @malwr)
Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, dis...
Setting Up QEMU Kernel-Mode Debugging using EXDI:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-qemu-kernel-mode-debugging-using-exdi
Source: gerhart_x (via @malwr)
Setting Up QEMU Kernel-Mode Debugging Using EXDI - Windows drivers
Debugging Tools for Windows supports debugging QEMU using EXDI. This topic describes how to set up QEMU kernel debugging using EXDI.
PatchlessCLRLoader - A fork of InlineExecute-Assembly to load .NET assembly and direct the output to mailslot https://github.com/VoldeSec/PatchlessCLRLoader #redteam
Source: netbiosX (via @malwr)
.NET assembly loader with patchless AMSI and ETW bypass - VoldeSec/PatchlessCLRLoader
Discovering and #exploiting McAfee COM-objects by @Denis_Skvortcov
https://the-deniss.github.io/posts/2021/05/17/discovering-and-exploiting-mcafee-com-objects.html
Source: SinSinology (via @malwr)
Introduction to offensive security (guide by @0xTriboulet)
https://steve-s.gitbook.io/0xtriboulet/
#offensivesecurity
Source: 0xor0ne (via @malwr)
This is an absolutely dope mindmap for attacking AD.
https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg
Source: https://github.com/Orange-Cyberdefense/ocd-mindmaps
Source: Jhaddix (via @malwr)
A Journey of Finding #Vulnerabilities in #Drivers by @omertsarfati of @CyberArk
https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers-a-journey-of-finding-vulnerabilities-in-drivers
Source: SinSinology (via @malwr)
Frida 16.0.14 is out! This one is all about stability improvements on Linux/Android, and brand new ARMv8 BTI interoperability:
https://frida.re/news/2023/04/18/frida-16-0-14-released/
Source: fridadotre (via @malwr)
Frida • A world-class dynamic instrumentation toolkit
Frida 16.0.14 Released
Observe and reprogram running programs on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX
Here is an ETW-based POC to monitor for (some) direct and indirect syscalls. It should find multiple open-source implementations trying to avoid userland hooks.
https://github.com/thefLink/Hunt-Weird-Syscalls
Source: thefLinkk (via @malwr)
ETW based POC to identify direct and indirect syscalls - thefLink/Hunt-Weird-Syscalls
Hey, FIRSTies! After much dedicated work, the #EthicsSIG has published their #CaseStudies to the FIRST website! Check out the encompassing document here: http://ow.ly/rG2S50NNbJt
Source: FIRSTdotOrg (via @malwr)
FIRST - Forum of Incident Response and Security Teams
Ethics for Incident Response and Security Teams - Case Studies
c2detect: Search for c2 servers by listener outside https://github.com/michael2to3/c2-search-netlas
Source: _r_netsec (via @malwr)
ESET researchers have discovered a new Lazarus #OperationDreamJob campaign targeting Linux users. As far as we know, this is the first public mention of this major threat actor using Linux malware as part of this operation.
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/?utm_source=twitter&utm_medium=cpc&utm_campaign=wls&utm_term=lazarus-linux-malware
#ESETresearch #ProgressProtected #Cybersecurity
Source: ESET (via @malwr)
Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack
If you're interested in the #TradingTechnologies compromise & detections, then follow this thread
You won't find these IOCs/rules anywhere else
Hashes
https://github.com/Neo23x0/signature-base/blob/977ebf90ef01476f8586fbfd7e433cb93189bfa1/iocs/hash-iocs.txt#L10819
Filenames
https://github.com/Neo23x0/signature-base/blob/977ebf90ef01476f8586fbfd7e433cb93189bfa1/iocs/filename-iocs.txt#L4265
YARA
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_nk_tradingtech_apr23.yar
Source: cyb3rops (via @malwr)
signature-base/iocs/hash-iocs.txt at 977ebf90ef01476f8586fbfd7e433cb93189bfa1 · Neo23x0/signature-base
YARA signature and IOC database for my scanners and tools - Neo23x0/signature-base
Exploiting System Mechanic Driver https://voidsec.com/exploiting-system-mechanic-driver/ #Pentesting #Exploit #CyberSecurity #Infosec
Source: ptracesecurity (via @malwr)