Summary
A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests. Thank you to all of the contributors for this great content!
Tools and Tips
- Malware Training Sets: FollowUP
- MITRE ATT&CK framework for container runtime security with Falco
- Mordor: pre-recorded security events generated by emulated adversarial techniques in the form of JSON files for easy consumption
- Total Commander Plugins & Their Automated Installation
- REDasm version 2.1: an interactive, multi-architecture disassembler written in modern C++11 using Qt5 as UI Framework
- Shellcode to Dump the Lsass Process
- Blue Team Hacks – Binary Rename
- WORKING WITH GHIDRA’S P-CODE TO IDENTIFY VULNERABLE FUNCTION CALLS
- Active Directory Kill Chain Attack & Defense
- Microsoft Office 365 Security Observations
- ATT&CK Research and Analysis Repository — matching threat groups to techniques with data analysis
- “Godmode” YARA Rule – YMMV
- igevtx – Windows EVTX file format parser: an experiment in Go
- Malware Clustering
- MISP 2.4.107 released (aka similar objects review, yara native export)
- Ghidra Tutorial 1: Installing Ghidra on linux
- YARA rule for RobbinHood
- Strelka: a real-time, container-based file scanning system used for threat hunting, threat detection, and incident response.
- Malware Unicorn’s Reverse Engineering Workshops
- New KAPE module for SPARK Core IOC and YARA scanner
- Reverse Shell Cheat Sheet
- Twint: An advanced Twitter scraping & OSINT tool written in Python that doesn’t use Twitter’s API
- Quickpost: Retrieving an SSL Certificate with nmap
Industry Reports and Miscellany
- The Week in Ransomware – May 17th 2019 – BTW, It’s NOT Dead
- The Decline of Hacktivism: Attacks Drop 95 Percent Since 2015
- Spam and phishing in Q1 2019
- New research: How effective is basic account hygiene at preventing hijacking
Threat Research – Malware, Phishing, and other Campaigns in the Wild
- ScarCruft continues to evolve, introduces Bluetooth harvester
- Ransomware Bulletin: LockerGoga
- MegaCortex, deconstructed: mysteries mount as analysis continues
- Threat Actor Profile: TA542, From Banker to Malware Distribution Service
- Assessing risk in Office documents – Part 1: Introduction
- Exploit kits: spring 2019 review
- Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses
- How to Cost-Effectively Dynamically Analyze UEFI Malware
- The Stealthy Email Stealer in the TA505 Arsenal
- Babylon RAT Raises the Bar in Malware Multi-tasking
- Quick, Urgent, Request: Agari Research Reveals Top Ten Subject Lines Used for BEC
- BOTS Tampering with TLS to Avoid Detection
- Emotet: the Story of Disposable C2 Servers
- Reaver: Mapping Connections Between Disparate Chinese APT Groups
- Chinese Threat Intelligence: Part Three
Vulnerabilities and Exploits
- Vulnerabilities disclosed during the first three months of 2019 reach a Q1 all-time high
- The NSO WhatsApp Vulnerability – This is How It Happened
- May’s Patch Tuesday Include Fixes for ‘Wormable’ Flaw in Windows XP, Zero-Day Vulnerability
- ICS Impact from Microsoft RDP Vulnerability
- CVE-2019-0708: researchers get a working PoC for this; no plans to reveal technical details or release code.
- Microarchitectural Data Sampling: Speculative Execution Side-Channel Vulnerabilities Found in Intel CPUs
- Yet Another Meltdown – A Microarchitectural Fill Buffer Data Sampling Vulnerability (CVE-2018-12130)
- MDS ‘Zombieload’ attacks against Intel CPUs: What’s your patch status?
- 0day “In the Wild” Spreadsheet from Google Project Zero
Breaches, Government, and Law Enforcement
- GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation
- GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation
- Cybercriminals break into production systems of Stack Overflow
- TeamViewer Confirms Undisclosed Breach From 2016
- Alleged Breach of Antivirus Companies