Introducing entropyscan-rs, a #RustLang entropy scanner for analyzing files and directories during incident response. Used carefully, this can quickly identify likely malware when not all stages of an attack have been discovered, such as during a web server compromise without adequate logging. Enjoy!
I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!
Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.
Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!
Last year was a lot of fun and we receive high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!
For anyone that ever wanted to get some threat hunting experience, feel free to join us on March 20th for our monthly workshop, this time we will be tackling the MITRE ATT&CK Tactic of Initial Access! Hope to see you there!
We had a customer shift their assessment date out 2 months, so our march is available if there's anyone out there who needs assessment/architecture/engineering/redteam/bluteam work on short notice
@kev Wow that is pretty nice, especially from a company one works for. As an adult I don't recall ever getting something from an employer for Valentines Day let alone someone else.
Just because you are in the midst of a pen test // red team exercise doesn’t mean the malicious behavior belongs to the red team. Physical penetration attempts, phishes, and other means of entry are still being used by adversaries while testing is occurring. The real adversaries don’t care about your calendar. #infosec #blueteam
The BlackBerry research team reports on a financially motivated threat actor that is targeting banks and cryptocurrency trading entities. The malware seen in these attacks is the #AllaKore RAT (remote access trojan) that contains a suite of capabilities and the targets were organizations that had a large revenue.
Through the analysis, the team was able to identify some PowerShell scripts, the user-agent used by the malware, and the ability to capture input text and screen captures. You can find more technical analysis in this report that I haven't mentioned! Enjoy and Happy Hunting!
Ending the mini-series that covers the Cisco Talos Intelligence Group's Year In Review report, we will be diving into the MITRE ATT&CK Technique T1068, Exploitation for Privilege Escalation. This technique falls under the Tactic of Privilege Escalation (TA0004) and has no sub-techniques. This technique can be seen when adversaries "exploit software vulnerabilities in an attempt to elevate privileges" (https://attack.mitre.org/techniques/T1068/) and has been used by groups like #ScatteredSpider and seen in the #Stuxnet malware.
IN another example, the #REvil ransomware-as-a-service group used this technique when they targeted the Microsoft Windows Malware Protection Engine and abused it by side-loading a DLL that executed the ransomware. Of course, I can't leave you empty handed, so here is the Community Hunt Package that you can use to hunt for that activity!