DFIR笑传之常常备
数据无价 谨慎操作
给亲友进行一个硬盘扩容抢救,原盘抛开写入寿命已经用掉20%不说,明明响应时间已经飞50ms甚至100ms了,测盘还是全绿的,SMART也非常宁静祥和,可能是太满了(余量10%)。相关数据截图不放出保护当事人隐私
经验1:痛苦地解了一晚上bitlocker和拷贝,事后想想是不是先逐字节对拷到新盘再解bitlocker会好一点,但那样搞我都怕从TPM到SB到卷内的任意一环出问题导致全盘锁解不开,Bitlocker+微软账号的设计对普通人还是过于不友善了,没有计算机管理经验的人谁会记得备份密钥.txt啊
经验2:真心建议从事非涉密的数字创作的朋友们人手一个小NAS进行准实时同步备份,群晖算1个能用的,其他牌子后果自负
经验3:固态硬盘留出至少15%可用空间,不然读写速度响应时间真要爆了
经验4:数据恢复是私人op动作中唯一一个适合在周五做的事情,因为工作日时间不够用但他是挂机等待类型
数据无价 谨慎操作
给亲友进行一个硬盘扩容抢救,原盘抛开写入寿命已经用掉20%不说,明明响应时间已经飞50ms甚至100ms了,测盘还是全绿的,SMART也非常宁静祥和,可能是太满了(余量10%)。相关数据截图不放出保护当事人隐私
经验1:痛苦地解了一晚上bitlocker和拷贝,事后想想是不是先逐字节对拷到新盘再解bitlocker会好一点,但那样搞我都怕从TPM到SB到卷内的任意一环出问题导致全盘锁解不开,Bitlocker+微软账号的设计对普通人还是过于不友善了,没有计算机管理经验的人谁会记得备份密钥.txt啊
经验2:真心建议从事非涉密的数字创作的朋友们人手一个小NAS进行准实时同步备份,群晖算1个能用的,其他牌子后果自负
经验3:固态硬盘留出至少15%可用空间,不然读写速度响应时间真要爆了
经验4:数据恢复是私人op动作中唯一一个适合在周五做的事情,因为工作日时间不够用但他是挂机等待类型
Forwarded from idapro (Not official)
Kaspersky's GReAT has released private plugin – the hrtng plugin for IDA Pro, the result of nearly 10 years of work. Packed with 37 advanced features, the plugin includes entirely new capabilities along with powerful upgrades to popular third-party plugins.
Each feature comes with detailed descriptions, demo links, and practical examples, all designed to make malware analysis faster, more effective, and more efficient.
An example of usage hrtng plugin to dissect FinSpy spyware is here
Each feature comes with detailed descriptions, demo links, and practical examples, all designed to make malware analysis faster, more effective, and more efficient.
An example of usage hrtng plugin to dissect FinSpy spyware is here
GitHub
GitHub - KasperskyLab/hrtng: IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition…
IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition and various pseudocode transformations - KasperskyLab/hrtng
Forwarded from vx-underground
vx-underground Black Mass Research Group presents: Minegrief.
tl;dr a computer worm that targets minecraft
https://github.com/blackmassgroup/minegrief
tl;dr a computer worm that targets minecraft
https://github.com/blackmassgroup/minegrief
GitHub
GitHub - blackmassgroup/minegrief: Self-spreading Java malware targeting Minecraft servers. Infected servers are capable of scanning…
Self-spreading Java malware targeting Minecraft servers. Infected servers are capable of scanning for other vulnerable servers, encrypting Minecraft worlds, and phishing players who connect. - blac...
🎉1💊1
国内排名前三的云厂商里面至少有两家厂商的专有云负载均衡产品的webconsole及其后端不能正确处理哪怕稍微花一点的PEM封装的证书,气笑了,我看还是优化少了,人和平台都是
💊4🎉1
Forwarded from vx-underground
We're witnessing the evolution of ransomware.
Yesterday someone informed us of the existence of the new TTP of AWS S3 extortion. More specifically, Threat Actors abusing the Amazon Key Management Service (KMS) to encrypt company AWS buckets (or any cloud provider).
We have never heard of this until yesterday.
RhinoSecurity wrote a paper on AWS S3 extortion, the methodology in which it's deployed, and wrote a simple AWS CLI script to accomplish the task.
It's 25 lines of Python code.
Yesterday someone informed us of the existence of the new TTP of AWS S3 extortion. More specifically, Threat Actors abusing the Amazon Key Management Service (KMS) to encrypt company AWS buckets (or any cloud provider).
We have never heard of this until yesterday.
RhinoSecurity wrote a paper on AWS S3 extortion, the methodology in which it's deployed, and wrote a simple AWS CLI script to accomplish the task.
It's 25 lines of Python code.
Forwarded from vx-underground
vx-underground
We're witnessing the evolution of ransomware. Yesterday someone informed us of the existence of the new TTP of AWS S3 extortion. More specifically, Threat Actors abusing the Amazon Key Management Service (KMS) to encrypt company AWS buckets (or any cloud…
Rhino Security Labs
S3 Ransomware Part 1: Attack Vector
In part one of this two-part blog series, we detail the attack vector of Amazon S3 Ransomware. We also include a PoC script to demonstrate the attack.
哦真的牛批 还有这种勒索 这下云厂商不得不在私藏用户密钥和丢失勒索数据之间创死一个了
省流:AWS的KMS服务,开公共加密权限,给别人开了公共写的桶全加密了,然后把钥匙扔了
省流:AWS的KMS服务,开公共加密权限,给别人开了公共写的桶全加密了,然后把钥匙扔了
💊7
最近半年干SRE捉的稀有网络虫子总结(高松灯并感)
1. 目标服务器访问微信API,会出现无连接静置一段时间后,重新连接产生大量丢失,直到数分钟后重新成功。原因是目标服务器出口防火墙采用的域名白名单实现有病,不采用Host头或SNI嗅探,而是抓DNS 53的包并将匹配了域名的A记录返回IP计入白名单,白名单TTL即为DNS指派的TTL。当客户端实现的DNS记录TTL长于DNS记录指定的TTL,或是二者之间存在时间差时,防火墙的白名单已经凋亡,但客户端并不会重新发DNS请求,白名单不会重新上新,于是请求被拦截。
2. 服务器属主反馈称进行扫描后发现托管的其服务器互联网IP的25和110端口没有开启服务但是暴露监听,出于安全考量,希望关闭。本端换用各种互联网IP尝试访问均不通,全网tcping也不通,但是属主反馈称他们有线宽带出口和手机热点均可复现,也确实有截图为证。原因是客户终端安装的零信任网关驱动会劫持邮件端口流量进行敏感信息过滤。
3. 修改DNS解析记录,等了三倍的TTL,仍然出现部分浏览器访问时导向原记录站点。原因疑似是国内手机厂商的浏览器采用的DNS疑似掺了私货,超时缓存相关记录。
锐评:不知道想出这么多神人实现方式的程序员的脑子一个月值多少钱,反正至少比我拿得多
1. 目标服务器访问微信API,会出现无连接静置一段时间后,重新连接产生大量丢失,直到数分钟后重新成功。原因是
2. 服务器属主反馈称进行扫描后发现托管的其服务器互联网IP的25和110端口没有开启服务但是暴露监听,出于安全考量,希望关闭。本端换用各种互联网IP尝试访问均不通,全网tcping也不通,但是属主反馈称他们有线宽带出口和手机热点均可复现,也确实有截图为证。原因是
3. 修改DNS解析记录,等了三倍的TTL,仍然出现部分浏览器访问时导向原记录站点。原因疑似是
锐评:不知道想出这么多神人实现方式的程序员的脑子一个月值多少钱,反正至少比我拿得多
Forwarded from OG: BATTLEGROUNDS
Here's a little surprise for y'all: We're now OPEN SOURCE!
https://github.com/H4TIUX/PUBG2017PS
https://github.com/H4TIUX/PUBG2017PS
GitHub
GitHub - H4TIUX/PUBG2017PS: A PUBG 2017 Open Source Private Server.
A PUBG 2017 Open Source Private Server. Contribute to H4TIUX/PUBG2017PS development by creating an account on GitHub.
💊1
安全笑传之查ChineseBinaries
我看红客联盟日站教学还是太保守了,
你们US安全圈(juan4)看到个USB网卡驱动就应激哈气的白人哈集美简单一挂Chinese OSINT就能骗到许多小红点和美金(安全公司CEO说是,一个简中企查查和CSDN使用教程能卖到2500美元),这就是文明的方向
https://fixupx.com/malwrhunterteam/status/1878746635221807345
我看红客联盟日站教学还是太保守了,
你们US安全圈(juan4)看到个USB网卡驱动就应激哈气的白人哈集美简单一挂Chinese OSINT就能骗到许多小红点和美金(安全公司CEO说是,一个简中企查查和CSDN使用教程能卖到2500美元),这就是文明的方向
https://fixupx.com/malwrhunterteam/status/1878746635221807345
🧵 Thread • FxTwitter / FixupX
MalwareHunterTeam (@malwrhunterteam)
On the left is a reply to her from @vxunderground.
On the right is her response to that.
At this point all I can say about her is this: 🤡🤡🤡.
🤷♂️
On the right is her response to that.
At this point all I can say about her is this: 🤡🤡🤡.
🤷♂️