Excellent series on Windows rootkit development for red teaming
Credits @Idov31
Part 1: https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html
Part 2: https://idov31.github.io/2022/08/04/lord-of-the-ring0-p2.html
Part 3: https://idov31.github.io/2022/10/30/lord-of-the-ring0-p3.html
Part 4: https://idov31.github.io/2023/02/24/lord-of-the-ring0-p4.html
#windows #driver #kernel #rootkit #redteam
π£0xor0ne
π@malwr
Credits @Idov31
Part 1: https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html
Part 2: https://idov31.github.io/2022/08/04/lord-of-the-ring0-p2.html
Part 3: https://idov31.github.io/2022/10/30/lord-of-the-ring0-p3.html
Part 4: https://idov31.github.io/2023/02/24/lord-of-the-ring0-p4.html
#windows #driver #kernel #rootkit #redteam
π£0xor0ne
π@malwr
π₯1
The Windows Process Journey β conhost.exe (Console Window Host)
https://medium.com/@boutnaru/the-windows-process-journey-conhost-exe-console-window-host-f03f8db35574
#Windows #Microsoft #conhost #cmd #CLI #SBOM #DFIR #Learning #Forensics #IT #Tech #security #infosec #DevOps #DevSecOps #Console #TheWindowsProcessJourney
π£boutnaru
π@malwr
https://medium.com/@boutnaru/the-windows-process-journey-conhost-exe-console-window-host-f03f8db35574
#Windows #Microsoft #conhost #cmd #CLI #SBOM #DFIR #Learning #Forensics #IT #Tech #security #infosec #DevOps #DevSecOps #Console #TheWindowsProcessJourney
π£boutnaru
π@malwr
Medium
The Windows Process Journeyβββconhost.exe (Console Window Host)
βconhost.exeβ is an executable aka the βConsole Window Hostβ, which is located at β%windir%\System32\conhost.exeβ. The goal ofβ¦
Seeing more malware using binary padding for evasion and obfuscation?
Intezer security researcher @MhicRoibin explains how and why threat actors are inflating malware files with junk data, plus what you can do about it: https://hubs.li/Q01RRkPP0
π£IntezerLabs
π@malwr
Intezer security researcher @MhicRoibin explains how and why threat actors are inflating malware files with junk data, plus what you can do about it: https://hubs.li/Q01RRkPP0
π£IntezerLabs
π@malwr
Zscaler's Mallikarjun Piddannavar presents a technical analysis of a new info stealer called Bandit Stealer, which has been marketed and sold as a service on underground criminal forums since April 2023. https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer
π£virusbtn
π@malwr
π£virusbtn
π@malwr
CatSniffer is an original multiprotocol,& multiband board made for sniffing, communicating,& attacking IoT devices. That integrates the new chips CC1352, SX1262,& SAMD21E17 (Sub 1GHz & 2.4GHz).
https://github.com/ElectronicCats/CatSniffer
#SoftwareDefinedRAdio #SDR
#LoRa #LoRaWAN
#BLE #ZigBee
π£giammaiot2
π@malwr
https://github.com/ElectronicCats/CatSniffer
#SoftwareDefinedRAdio #SDR
#LoRa #LoRaWAN
#BLE #ZigBee
π£giammaiot2
π@malwr
In a new blog post Trend Micro researchers discuss the latest TargetCompany ransomware variant, Xollam, and the new initial access technique it uses. https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html
π£virusbtn
π@malwr
π£virusbtn
π@malwr
A collection of bookmarks for penetration testers, bug bounty hunters, malware developers, reverse engineers and anyone who is just interested in infosec topics.
https://github.com/kargisimos/offensive-bookmarks
π£Dinosn
π@malwr
https://github.com/kargisimos/offensive-bookmarks
π£Dinosn
π@malwr
GitHub
GitHub - kargisimos/offensive-bookmarks: A collection of bookmarks for penetration testers, bug bounty hunters, malware developersβ¦
A collection of bookmarks for penetration testers, bug bounty hunters, malware developers, reverse engineers and anyone who is just interested in infosec topics. - kargisimos/offensive-bookmarks
[BLOG]
Bypassing Defender with ThreatCheck & Ghidra
https://offensivedefence.co.uk/posts/threatcheck-ghidra/
π£_RastaMouse
π@malwr
Bypassing Defender with ThreatCheck & Ghidra
https://offensivedefence.co.uk/posts/threatcheck-ghidra/
π£_RastaMouse
π@malwr
offensivedefence.co.uk
Bypassing Defender with ThreatCheck & Ghidra
Intro It should come as no surprise when payloads generated in their default state get swallowed up by Defender, as Microsoft have both the means and motivation to proactively produce signatures for open and closed source/commericial tooling. One tactic toβ¦
π1π₯1
strings2 - Extract strings from binary files and process memory https://github.com/glmcdona/strings2
π£reverseame
π@malwr
π£reverseame
π@malwr
GitHub
GitHub - glmcdona/strings2: strings2: An improved strings extraction tool.
strings2: An improved strings extraction tool. Contribute to glmcdona/strings2 development by creating an account on GitHub.
π₯1
For those who are encountering Golang malware (which are likely to be more and more of you as they language gains in popularity): the Ghidra scripts I made to help analyse Golang binaries in Ghidra are now public, along with a corporate blog diving into the details. The code itself is (if I may say so myself) very well documented. As such, if you push you Java hate aside, it's a knowledge base in and on its own.
Blog: https://www.trellix.com/en-us/about/newsroom/stories/research/feeding-gophers-to-ghidra.html
GitHub: https://github.com/advanced-threat-research/GhidraScripts
βΉοΈ Sent from one of our channel members
π@malwr
Blog: https://www.trellix.com/en-us/about/newsroom/stories/research/feeding-gophers-to-ghidra.html
GitHub: https://github.com/advanced-threat-research/GhidraScripts
βΉοΈ Sent from one of our channel members
π@malwr
Trellix
Feeding Gophers to Ghidra
Analysing Golang based malware samples is often time consuming. These scripts, based on Dorka Palotay's work, greatly improve Ghidra's handling of Golang based malware samples, making the analysis less cumbersome!
π₯5
RedLine Technical Analysis Report
https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152
βΉοΈ Sent from one of our channel members
π@malwr
https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152
βΉοΈ Sent from one of our channel members
π@malwr
π₯4
The latest blog post from http://Sekoia.io's TDR researchers aims at understanding & contextualising cyber malicious activities associated with Iran-nexus intrusions sets over the 2022-2023 period. https://blog.sekoia.io/iran-cyber-threat-overview/
π£virusbtn
π@malwr
π£virusbtn
π@malwr
Abusing undocumented features to spoof PE section headers by @x86matthew https://secret.club/2023/06/05/spoof-pe-sections.html
π£the_secret_club
π@malwr
π£the_secret_club
π@malwr
secret club
Abusing undocumented features to spoof PE section headers
Introduction Some time ago, I accidentally came across some interesting behaviour in PE files while debugging an unrelated project. I noticed that setting the SectionAlignment value in the NT header to a value lower than the page size (4096) resulted in significantβ¦
IBM Security X-Force researchers show how ITG10 is likely targeting South Korean government entities, universities, think tanks and dissidents with phishing emails in order to deliver RokRAT via LNK files. https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
π£virusbtn
π@malwr
π£virusbtn
π@malwr
Practical Windows Forensics Training https://github.com/bluecapesecurity/PWF #Pentesting #Windows #CyberSecurity #Infosec
π£ptracesecurity
π@malwr
π£ptracesecurity
π@malwr
Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/
π£Dinosn
π@malwr
π£Dinosn
π@malwr
Check Point Research
Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa - Check Point Research
Key findings Introduction Check Point Research identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier. The malware Command and Control (C&C) network is part of a largerβ¦
https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html my intro to syscalls. I love introductory posts =^..^= #cybersec #cybersecurity #informationsecurity #malware #malwaredev #malwareanalysis #redteam #blueteam #purpleteam #hacking #ethicalhacking #windows #winapi #win32api #programming #cpp #assembly #asm
π£cocomelonckz
π@malwr
π£cocomelonckz
π@malwr
cocomelonc
Malware development trick - part 32. Syscalls - part 1. Simple C++ example.
ο·½
Digital Forensics Tools Cheat Sheet
π·Full HD Image: https://github.com/Ignitetechnologies/Mindmap/tree/main/Forensics
#infosec #cybersecurity #cybersecuritytips #pentesting #redteam #informationsecurity #CyberSec #networking #networksecurity #infosecurity #cyberattacks #cybersecurityawareness #bugbounty #bugbountytips
π£hackinarticles
π@malwr
π·Full HD Image: https://github.com/Ignitetechnologies/Mindmap/tree/main/Forensics
#infosec #cybersecurity #cybersecuritytips #pentesting #redteam #informationsecurity #CyberSec #networking #networksecurity #infosecurity #cyberattacks #cybersecurityawareness #bugbounty #bugbountytips
π£hackinarticles
π@malwr
Windows Memory Dump Analysis With Volatility #DFIR
https://digitalinvestigator.blogspot.com/2022/07/windows-memory-dump-analysis-with.html
π£DirectoryRanger
π@malwr
https://digitalinvestigator.blogspot.com/2022/07/windows-memory-dump-analysis-with.html
π£DirectoryRanger
π@malwr
Digital Investigator
Windows Memory Dump Analysis With Volatility
These volatility modules parse these structures and substructures within them and presents the examiner a beautiful tabular view for analysis
A new open source tool to check the integrity of an iPhone without jailbreaking it. Great work from @ddurvaux Aaron Kaplan and Emilien.
#DFIR #FIRSTCON23
https://github.com/EC-DIGIT-CSIRC/sysdiagnose
π£adulau
π@malwr
#DFIR #FIRSTCON23
https://github.com/EC-DIGIT-CSIRC/sysdiagnose
π£adulau
π@malwr
GitHub
GitHub - EC-DIGIT-CSIRC/sysdiagnose: Forensic toolkit for iOS sysdiagnose feature
Forensic toolkit for iOS sysdiagnose feature. Contribute to EC-DIGIT-CSIRC/sysdiagnose development by creating an account on GitHub.
π1