Decalage
High-latency Twitterbot with experimental, Turing-proof AI. Daily downtimes for maintenance. Tweeting about , analysis, file formats and .
4,584 Tweets
887 Following
3,114 Followers
Tweets
Decalage retweeted
Joshua Saxe Feb 4
1/ Some thoughts on the way ML gets talked about in security: Most security problems are not machine learning problems. Like encryption, dual-factor authentication, taint analysis, or hand-crafted IOCs, machine learning is just one of many security tools.
Decalage 10h
Replying to @JohnLaTwC
Have you seen many AV engines triggering false positives on legit VBA macros? Most of the time I see the opposite, many malicious macros are not detected. In this specific case maybe the actual code is benign, but running native code from VBA is definitely bad practice!
Decalage retweeted
John Lambert 15h
If you wondered why AV has false positives, take a look at this excel file: 1. Runs code automatically on opening 2. Uses native APIs that manipulate memory 3. Instantiates a COM object defined in a text string in a macro Benign.
Decalage retweeted
DirectoryRanger 22h
Decalage retweeted
NVISO Labs Feb 4
New blog post: The return of the spoof part 2: Command line spoofing | by
Decalage Feb 4
Replying to @ochsenmeier @JohnLaTwC
Well, "shell" alone is suspicious enough, I don't think a complex signature is needed. ;-)
Decalage retweeted
John Lambert Feb 4
If you study maldocs you know the Shell() function. Did you know about Interaction$.Shell@()? This malware does: 🔗 Interesting to see how just calling Interaction$.Shell drops the detection rate: 1⃣ 2⃣
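The four posts above (the "benign" Excel file that auto-runs, declares memory-manipulating native APIs and builds a COM ProgID from a string; the remark that "shell" alone is suspicious; and the Interaction$.Shell@ spelling that lowers detection rates) describe exactly the kind of indicators a static VBA scanner looks for. The following is an added editorial example, not code from any of the tweet authors or from olevba: a small regex scanner over VBA source that reports those indicators and that matches Shell whether it is written as Shell, VBA.Shell, Interaction.Shell or with VBA type-declaration suffixes ($ % & ! # @) on the identifiers. The sample macro is constructed for the example.

```python
import re

# Indicator patterns, constructed for this example (not olevba's rule set).
# 1. Procedures that run automatically when the document is opened/closed.
AUTOEXEC = re.compile(
    r"\b(AutoOpen|Auto_Open|Workbook_Open|Document_Open|AutoExec|Auto_Close|Workbook_Close)\b",
    re.I,
)
# 2. Declare statements importing native APIs; captures (procedure name, library).
DECLARE = re.compile(
    r'\bDeclare\b(?:\s+PtrSafe)?\s+(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"',
    re.I,
)
# 3. CreateObject with either a literal ProgID or a variable holding one
#    (the "COM object defined in a text string" case).
CREATEOBJECT = re.compile(r'\bCreateObject\s*\(\s*("[^"]*"|[A-Za-z_]\w*)', re.I)
# 4. Any spelling of Shell: bare, VBA.Shell, Interaction.Shell, and the same with
#    type-declaration characters appended, e.g. Interaction$.Shell@. The negative
#    lookbehind rejects member names such as the ".Shell" in "WScript.Shell".
SHELL = re.compile(
    r"(?<![\w.])(?:(?:VBA|Interaction)[$%&!#@]?\.)?Shell[$%&!#@]?(?![\w.])",
    re.I,
)


def score_vba(source: str) -> dict:
    """Return the indicators found in a VBA module as {category: [matches]}."""
    hits = {}
    auto = sorted({m.group(0) for m in AUTOEXEC.finditer(source)})
    if auto:
        hits["autoexec"] = auto
    apis = sorted({f"{lib}!{name}" for name, lib in DECLARE.findall(source)})
    if apis:
        hits["native_api"] = apis
    com = CREATEOBJECT.findall(source)
    if com:
        hits["createobject"] = com
    shells = [m.group(0) for m in SHELL.finditer(source)]
    if shells:
        hits["shell"] = shells
    return hits


def is_suspicious(source: str) -> bool:
    """A single Shell call, or auto-exec combined with native APIs, is enough to flag."""
    hits = score_vba(source)
    return "shell" in hits or ("autoexec" in hits and "native_api" in hits)


# Constructed sample macro modelled on the indicators listed in the tweets above.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal dest As LongPtr, ByRef src As Any, ByVal n As Long) As Long

Sub Workbook_Open()
    Dim progId As String
    progId = "WScript" & ".Shell"
    Set o = CreateObject(progId)
    Interaction$.Shell@ "calc.exe", vbHide
End Sub
'''

if __name__ == "__main__":
    for category, matches in score_vba(SAMPLE_VBA).items():
        print(f"{category:12s} {matches}")
    print("suspicious:", is_suspicious(SAMPLE_VBA))
```

The point of the SHELL pattern is the one John Lambert's tweet makes: a signature written for the literal token `Shell(` misses `Interaction$.Shell@`, while a pattern that treats the suffix characters as optional noise catches both spellings for free.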
Decalage retweeted
Joshua Saxe Jan 29
1\ I've written a little compiler to ship ML models as standalone Yara rules, and done proof of concept detectors for Mach-O, RTF files, and powershell scripts. So far I have decision trees, random forests, and logistic regression (LR) working.
Decalage retweeted
Michele Spagnuolo Feb 1
This abomination is the regex for validating IPv6 addresses:
Decalage retweeted
SANS ISC Feb 3
Analysis of a triple-encrypted AZORult downloader
Decalage Feb 2
Replying to @Pawp81 @Ledtech3 and 3 others
EDR behavioral detection is the last layer of defence before malware can actually run. So yes, it's a bit late. When a document with macro reaches the EDR, it means that none of the other layers before that managed to detect it (e.g. AV engine in the email gateway or local AV)
Decalage Feb 1
Replying to @Pawp81 @Ledtech3 and 3 others
Sure, however this is behavioral detection once the macro has started running, when MS Office spawns Powershell. It would be better if AV engines could actually detect malicious XLM macros before they run.
Decalage retweeted
Alexandre Dulaunoy Jan 25
Threat Bus: a real-time pub/sub broker to get intelligence/indicators from and feed your in real-time & get sightings from your NIDS to MISP. A clever way to connect efficiently open source security tools. Thanks to
Decalage retweeted
Josh Stroschein Jan 30
Interested in learning how to debug macros or learn more about the structure of user forms? In my latest video, I show you how to use the Office IDE to debug a recent
Decalage Jan 30
Replying to @Pawp81 @JohnLaTwC @DidierStevens
BTW this trick seems to be undetected by most antivirus engines for now (see VT):
Decalage Jan 30
Replying to @Pawp81 @JohnLaTwC @DidierStevens
This is not DDE, but an Excel 4 macro (aka XLM). Here the trick is that the xls contains both a benign VBA macro, and a malicious XLM macro. XLM parsing has been added to olevba last year, by integrating the excellent biff_plugin developed by , thanks Didier!
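The reply above (an .xls carrying a benign VBA macro next to a malicious Excel 4.0/XLM macro) and the earlier one about detecting malicious XLM macros before they run both come down to a static check: does the workbook contain a macro sheet at all, and is it hidden? Below is an added editorial example, not code from olevba or the biff_plugin mentioned in the tweet, that walks a BIFF8 record stream and flags BOUNDSHEET records whose sheet type byte marks an Excel 4.0 macro sheet, reporting the visible/hidden/very-hidden state. It operates on raw BIFF bytes; in a real .xls those bytes are the "Workbook" stream inside the OLE2 container, which you would extract first with olefile. The record layout (type 0x0085; 4-byte stream position, 1-byte state flags, 1-byte sheet type, then a short Unicode string name) follows the public MS-XLS BoundSheet8 definition; the sample stream is constructed for this example.

```python
import struct

BOUNDSHEET = 0x0085
BOF, EOF = 0x0809, 0x000A
# BoundSheet8 dt (sheet type) byte, per MS-XLS.
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm-macro-sheet", 0x02: "chart", 0x06: "vba-module"}
# Low two bits of the hsState byte. "very-hidden" cannot be unhidden from the Excel UI.
STATES = {0: "visible", 1: "hidden", 2: "very-hidden"}


def iter_records(biff: bytes):
    """Yield (record type, payload) for a BIFF stream: 2-byte type, 2-byte length, payload."""
    off = 0
    while off + 4 <= len(biff):
        rtype, rlen = struct.unpack_from("<HH", biff, off)
        off += 4
        yield rtype, biff[off:off + rlen]
        off += rlen


def parse_boundsheet(payload: bytes) -> dict:
    """Decode one BoundSheet8 payload into name, sheet type, visibility and stream offset."""
    pos, flags, dt = struct.unpack_from("<IBB", payload, 0)
    cch, opts = payload[6], payload[7]          # ShortXLUnicodeString header
    if opts & 0x01:                             # fHighByte: UTF-16LE characters
        name = payload[8:8 + 2 * cch].decode("utf-16-le")
    else:                                       # compressed 8-bit characters
        name = payload[8:8 + cch].decode("latin-1")
    return {
        "name": name,
        "type": SHEET_TYPES.get(dt, f"unknown-{dt:#04x}"),
        "state": STATES.get(flags & 0x03, "unknown"),
        "offset": pos,
    }


def list_sheets(biff: bytes) -> list:
    return [parse_boundsheet(p) for t, p in iter_records(biff) if t == BOUNDSHEET]


def find_xlm_sheets(biff: bytes) -> list:
    """Return every Excel 4.0 macro sheet, hidden or not; any hit is worth a closer look."""
    return [s for s in list_sheets(biff) if s["type"] == "xlm-macro-sheet"]


def build_boundsheet(name: str, dt: int, state: int, pos: int = 0) -> bytes:
    """Helper to construct a BoundSheet8 record for the sample stream (8-bit name)."""
    payload = struct.pack("<IBB", pos, state, dt) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(payload)) + payload


# Constructed sample: BOF (16-byte payload, zeroed for the example), one visible
# worksheet, one very-hidden Excel 4.0 macro sheet, EOF.
SAMPLE_STREAM = (
    struct.pack("<HH", BOF, 16) + bytes(16)
    + build_boundsheet("Sheet1", 0x00, 0)
    + build_boundsheet("Macro1", 0x01, 2)
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("XLM macro sheets:", [s["name"] for s in find_xlm_sheets(SAMPLE_STREAM)])
```

This only answers "is there an XLM macro sheet, and is it hidden"; to see what the macro does you still have to parse the sheet's FORMULA records, which is what the biff_plugin integration in olevba provides. Excel 4.0 macros can also live in OOXML workbooks as macrosheet parts, which this BIFF walker does not cover.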
Decalage retweeted
John Lambert Jan 30
Malware that just quits? I think there's more to the formula in this maldoc. reveals all cc/ 🔗
Decalage retweeted
ATT&CK Dec 20
The present everyone has been asking for is here! We are excited to announce the beta release of TRAM, a tool to aid in mapping reports to ATT&CK. You can find our latest blog with all the details at and the source code at .
Decalage retweeted
marc ochsenmeier Jan 29
that hides commands in Metadata of Office Documents
Decalage retweeted
Red Canary Jan 28
From the folks that brought you Atomic Red Team, Chain Reactor is a new open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints.