Florian Roth
@cyb3rops
Frankfurt, Germany
Nextron Systems #DFIR #YARA #ThreatIntel | Creator of @thor_scanner, Valhalla YARA rule feed, Sigma, LOKI, yarGen & much more

16,792 Tweets · 3,363 Following · 43,339 Followers

Tweets

Florian Roth retweeted
Adnan (xanda) Mohd Shukor (@xanda) · 4h
Malaysia CERT, @mycert, released an advisory on an espionage campaign targeting Malaysian government officials.
mycert.org.my/portal/advisor…
#APT40 #Dadjoke #TEMP.Periscope #Leviathan

Florian Roth retweeted
Nick Carr (@ItsReallyNick) · 6h
VBA Stomping in-the-wild: fireeye.com/blog/threat-re…
Title: “STOMP 2 DIS: Brilliance in the (Visual) Basics” 🤣
by @a_tweeter_user @malwaresoup @femmeshoto
A financial attacker (active right now!) with unique tradecraft, the #MINEBRIDGE C++ backdoor, and very specific music tastes. pic.twitter.com/oapuEY5Dys

Florian Roth (@cyb3rops) · 4h
You mean, like in PESieve?
github.com/hasherezade/pe…

Florian Roth (@cyb3rops) · 7h
Tycho-based Dashboard to Detect Gandcrab | by @CyberusTech
- interesting Sigma use case
- Syscall process tracing + ELK + Sigma for malware detection
cyberus-technology.de/posts/2020-02-… pic.twitter.com/kaNRfVPuoe

Florian Roth retweeted
Mark Russinovich (@markrussinovich) · 17h
Coming soon to Sysmon: clipboard logging for malicious RDP session DFIR, and shredded file recovery for capturing hacking tools

Florian Roth retweeted
Catalin Cimpanu (@campuscodi) · 4 Feb
Backdoor mechanism discovered (again) in HiSilicon chips
—Researcher did not notify HiSilicon due to a lack of trust in the vendor to patch the issue
—Backdoor was first reported in 2013, and again in 2017, but inadequately patched all this time
zdnet.com/article/resear… pic.twitter.com/u9JvKHzhTx

Florian Roth retweeted
ScumBots (@ScumBots) · 4 Feb
#CobaltStrike Beacon found at pastebin.com/raw/dDMqMkC9 SHA256: 5884a9cefa3fa1f841923eefcf4201c0ffacabc275687fa1d2a7786f5cdaf281 C2: http://iexploreservice[.]com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,

Florian Roth (@cyb3rops) · 14h
Yes 😝

Florian Roth (@cyb3rops) · 14h
We already have that
github.com/Neo23x0/sigma/…
However, it could be important to know that a specific process dumper has been used.
Some legitimate software also accesses lsass process memory (ask CyberArk).
The Dumpert rule can get a level “critical”, others cannot.

Florian Roth retweeted
Kevin Beaumont (@GossiTheDog) · 18 Feb
Pretty great YARA rules for the Australian parliament hack from @cyb3rops (APT_WebShell_Tiny_1 flags other stuff which, while malicious, may not be directly related) raw.githubusercontent.com/Neo23x0/signat…

Florian Roth retweeted
Mark Russinovich (@markrussinovich) · 17h
Also coming soon: Process Explorer dark mode

Florian Roth (@cyb3rops) · 23h
Sigma rule to detect Dumpert password dumper - used by Emissary Panda in recent campaigns
Dumpert
github.com/outflanknl/Dum…
Rule
github.com/Neo23x0/sigma/…
Report by @PaloAltoNtwks
unit42.paloaltonetworks.com/actors-still-e… pic.twitter.com/g4TSQxyIQw

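The reply above about the existing lsass-access rule and this Dumpert rule tweet make the same Sigma point: a generic "something read lsass memory" rule also fires on legitimate software, so its level has to stay below "critical", whereas a rule pinned to one tool's artefacts can carry that level. The Python below is an added example, not code from the Sigma project, from the Dumpert repository, or from any of the tweets. It reimplements a small slice of Sigma matching (AND inside a selection, OR across selections, endswith/contains modifiers, exclusion filters) and runs two hand-written rules over constructed Sysmon events. The rule contents, the Dumpert indicators (process name, dump file name) and every event line are constructed stand-ins, not the real rules or real telemetry.

```python
"""Sigma-style triage of Sysmon lsass-access events (added illustration).

Not the Sigma project's code and not the rules linked in the tweets.  Rule
contents, Dumpert indicators and events are constructed stand-ins.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    title: str
    level: str                                   # Sigma: low, medium, high, critical
    selections: list                             # fires if ANY selection matches fully
    filters: list = field(default_factory=list)  # suppressed if ANY filter matches fully


# Constructed Sysmon events.  EventID 10 = ProcessAccess, EventID 11 = FileCreate.
# GrantedAccess 0x1010 and 0x1fffff include PROCESS_VM_READ (0x10), which a
# memory dumper needs; 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) is routine.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\Program Files\CorpAV\scanner.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Program Files\CorpEPM\epm_agent.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Users\bob\AppData\Local\Temp\Dumpert.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff
EventID=11 Image=C:\Users\bob\AppData\Local\Temp\Dumpert.exe TargetFilename=C:\Windows\Temp\dumpert.dmp
"""

# Generic rule: any lsass read with a dumper-grade access mask.  Level 'high',
# not 'critical', because some legitimate endpoint agents do exactly this; known
# benign readers go into the filter instead of raising the bar for everyone.
GENERIC_LSASS_ACCESS = Rule(
    title="LSASS memory access (generic)",
    level="high",
    selections=[{
        "EventID": "10",
        "TargetImage|endswith": r"\lsass.exe",
        "GrantedAccess": ["0x1010", "0x1410", "0x1fffff"],
    }],
    filters=[{"SourceImage|endswith": r"\CorpAV\scanner.exe"}],  # constructed benign AV
)

# Tool-specific rule: artefacts only the dumper leaves behind (illustrative names,
# not the real rule's indicators).  Nothing legitimate trips it, so 'critical' fits.
DUMPERT_SPECIFIC = Rule(
    title="Dumpert process dumper (illustrative indicators)",
    level="critical",
    selections=[
        {"EventID": "10", "SourceImage|endswith": r"\dumpert.exe"},
        {"EventID": "11", "TargetFilename|endswith": r"\dumpert.dmp"},
    ],
)

RULES = [GENERIC_LSASS_ACCESS, DUMPERT_SPECIFIC]
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_events(text):
    """Parse 'Key=Value Key=Value' lines into dicts; values may contain spaces."""
    return [dict(_KV.findall(line)) for line in text.strip().splitlines()]


def _field_matches(event, key, patterns):
    """Sigma-style field test: 'Field' (exact), 'Field|endswith', 'Field|contains'."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    value = value.lower()                       # Sigma string matching is case-insensitive
    for pattern in ([patterns] if isinstance(patterns, str) else patterns):
        pattern = pattern.lower()
        if modifier == "endswith" and value.endswith(pattern):
            return True
        if modifier == "contains" and pattern in value:
            return True
        if modifier == "" and value == pattern:
            return True
    return False


def _selection_matches(event, selection):
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """True when any selection matches and no filter does ('selection and not filter')."""
    if not any(_selection_matches(event, s) for s in rule.selections):
        return False
    return not any(_selection_matches(event, f) for f in rule.filters)


def triage(events, rules=RULES):
    """For each event that fired, return (actor image, highest level, matched rule titles)."""
    results = []
    for event in events:
        hits = [r for r in rules if evaluate(r, event)]
        if hits:
            top = max(hits, key=lambda r: LEVELS[r.level]).level
            actor = event.get("SourceImage") or event.get("Image")
            results.append((actor, top, [r.title for r in hits]))
    return results


if __name__ == "__main__":
    for actor, level, titles in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{level:8} {actor}  <- {', '.join(titles)}")
```

Run stand-alone, the constructed EPM agent lands at "high" from the generic rule alone: that is the false positive the reply is about, and it belongs in the rule's filter (as the AV scanner entry shows), not fixed by promoting a generic lsass rule to "critical". Only the dumper's own artefacts reach "critical", which is the information an analyst wants when deciding whether a specific tool has been run.
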
Florian Roth retweeted
Dino A. Dai Zovi (@dinodaizovi) · 26 Jan
The claim in the FTI forensics report on Bezos’ iPhone that, “due to end-to-end encryption employed by WhatsApp, it is virtually impossible to decrypt the contents of the downloader [.enc file]...” bugged me so much that I coded up how to do it:
github.com/ddz/whatsapp-m…

Florian Roth retweeted
Tal Be'ery (@TalBeerySec) · 3 Feb
1/ I just published Hitting a CurveBall Like a Pro!
Using #wireshark to detect and hunt #curveball exploits by following the NSA advisory
link.medium.com/JarIb0qQM3

Florian Roth retweeted
Nicolas Krassas (@Dinosn) · 3 Feb
TeamViewer stored user passwords encrypted, not hashed, and the key is now public
whynotsecurity.com/blog/teamviewe…

Florian Roth retweeted
John Lambert (@JohnLaTwC) · 4 Feb
If you study maldocs you know the Shell() function. Did you know about Interaction$.Shell@()?
This malware does:
🔗virustotal.com/gui/file/88173…
Interesting to see how just calling Interaction$.Shell drops the detection rate:
1⃣virustotal.com/gui/file/20eac…
2⃣virustotal.com/gui/file/95c00… pic.twitter.com/dEG9jJwGqL

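An added example of handling the evasion in the tweet above, not code from the tweet's author or from any scanner: a small Python normaliser that folds the Interaction$.Shell@ spelling, and the VBA./Interaction. module qualifiers, back to the bare call name before matching against a watch-list, run over a constructed macro fragment. VBA's type-declaration characters are % (Integer), & (Long), ! (Single), # (Double), @ (Currency) and $ (String); accepting any of the six on the module name or the call name is an assumption generalising from the $ and @ the tweet shows, and the macro text is constructed to exercise the matcher, not to be compiled.

```python
"""Folding obfuscated VBA call spellings back to canonical names (added illustration).

Not the tweet author's code and not taken from any product.  The tweet shows that
Interaction$.Shell@(...) is accepted where a naive search for "Shell(" looks for the
bare name; this normaliser strips module qualifiers and type-declaration suffixes
before matching.  Treating all six suffix characters alike is an assumption.
"""
import re

WATCHLIST = ("Shell", "CreateObject", "GetObject", "Environ", "CallByName")

_SUFFIX = "[%&!#@$]?"                                 # optional VBA type-declaration character
_QUALIFIER = (rf"(?:VBA{_SUFFIX}\s*\.\s*)?"           # optional 'VBA.' library prefix
              rf"(?:Interaction{_SUFFIX}\s*\.\s*)?")  # optional 'Interaction.' module prefix
_CALL_RE = re.compile(
    _QUALIFIER + r"\b(" + "|".join(WATCHLIST) + r")" + _SUFFIX + r"\s*\(",
    re.IGNORECASE,
)

# Constructed macro text: one plain call, the tweet's spelling, a fully qualified
# call, a suffixed qualifier on another intrinsic, and a decoy user function.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim r As Long
    r = Shell("cmd /c whoami", vbHide)
    r = Interaction$.Shell@("cmd /c whoami", vbHide)
    r = VBA.Interaction.Shell ("cmd /c whoami", vbHide)
    Set o = Interaction@.CreateObject("WScript.Shell")
    Call MyShell("not an intrinsic")
End Sub
'''


def naive_hits(vba_source):
    """The brittle signature the tweet defeats: the literal call name followed by '('."""
    return len(re.findall(r"\bShell\s*\(", vba_source, re.IGNORECASE))


def normalize_calls(vba_source):
    """Return (canonical name, spelling as written) for every watch-listed call found."""
    hits = []
    for m in _CALL_RE.finditer(vba_source):
        canonical = next(w for w in WATCHLIST if w.lower() == m.group(1).lower())
        hits.append((canonical, m.group(0).rstrip("( \t")))
    return hits


def odd_spellings(hits):
    """Spellings carrying a type-declaration suffix: rare in hand-written macros,
    so the obfuscation itself is a usable signal."""
    return [raw for _, raw in hits if re.search(r"[%&!#@$]", raw)]


if __name__ == "__main__":
    hits = normalize_calls(SAMPLE_MACRO)
    print("naive 'Shell(' count:", naive_hits(SAMPLE_MACRO))
    print("normalised calls:   ", [c for c, _ in hits])
    print("odd spellings:      ", odd_spellings(hits))
```

The naive pattern sees two of the three Shell calls and misses the one from the tweet; the normaliser reports all three plus the CreateObject call, and the decoy MyShell and the "WScript.Shell" string literal stay out because the match requires a word boundary before the name and an opening parenthesis after it. The suffix-bearing spellings are returned separately, since a macro that writes Interaction$.Shell@ is itself worth a closer look.
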
Florian Roth (@cyb3rops) · 4 Feb
Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations
unit42.paloaltonetworks.com/actors-still-e…

Florian Roth retweeted
Catalin Cimpanu (@campuscodi) · 3 Feb
BREAKING: Twitter says a suspected state-sponsored actor used its API to match usernames to phone numbers
- Attack took place on December 24, 2019
- Twitter said attack came from IPs in Iran, Israel, and Malaysia
zdnet.com/article/twitte… pic.twitter.com/ulWUmfF5L6

Florian Roth (@cyb3rops) · 3 Feb
Guide on upgrading your SSH keys to Ed25519
blog.g3rt.nl/upgrade-your-s…

Florian Roth retweeted
Darkoperator (@Carlos_Perez) · 3 Feb
Getting DNS Client Cached Entries with CIM/WMI darkoperator.com/blog/2020/1/14…