Loïc Castel (@dick_reverse)'s Twitter Profile
Loïc Castel

@dick_reverse

DFIR / Security analyst / Pentester

Crazy about IoT and ICS security, bug finding (fuzzing, code review), incident response

fr.linkedin.com/in/loicc

ID: 2413811030

Joined: 27-03-2014 07:38:39

926 Tweets

480 Followers

466 Following

Thomas Roccia 🤘 (@fr0gger_)

I'm going to love this Kernel Rootkit blog post series! The first part covers some of the classic techniques such as SSDT Hooking, DKOM or IDT Hooking! 👌 #infosec #rootkit #malware

cyberark.com/resources/thre…
Florian Roth ⚡️ (@cyb3rops)

And so it begins ...
To learn a new programming language I usually start a project in which I have to apply what I've just learned.

This time I started to rewrite my YARA and IOC scanner Loki in Rust (although I don't know if my vacation is long enough to complete that project).
Gameel Ali 🤘 (@malgamy12)

Another new group called #Meow 🐱 Ransomware. It is a modified version of #conti ransomware. It uses the same obfuscation techniques. So I am sharing some screenshots from it.
#malware #reverse #ransomware
Wietze (@wietze)

My @DEFCON talk on DLL Hijacking using environment variables + the launch of #HijackLibs is now on YouTube: youtube.com/watch?v=LxjnI5…

Kostas (@kostastsale)

Some noteworthy details about this week's #QakBot infection + #threat_hunting & detection opportunities 👇🧵:

➡️ WMI queries via API calls to collect system-related info and send to C2
➡️ Finally moved away from wermgr.exe and now it is injecting into dxdiag.exe 😅
Thomas Roccia 🤘 (@fr0gger_)

The DGSI in France has identified Russian spies on leboncoin; they have published a tutorial on how to detect a potential approach by a spy! 👇 #Espionage #spy #threatintelligence

dgsi.interieur.gouv.fr/la-dgsi-a-vos-…
DC11333 Lille (@defcon11333)

Hello! The next DC11333 will take place on Monday 31 October at the Boulangerie Bar. We are looking for one last Talk / Rump 💻👾 Don't hesitate to come and propose your ideas directly by DM! #cybersecurite #defcon #Lille

Christopher Glyer (@cglyer)

This is the most comprehensive blog you will read on the tangled web that is Raspberry Robin, how it's delivered, and the multitude of ransomware operators Microsoft Threat Intelligence has seen it hand off to as an access broker. Hands down the most prevalent piece of malware we are seeing right now.

Velociraptor (@velocidex)

VELOCON REWIND: Watch as Wes Lambert discusses Velocistack, a Docker-based, free and open investigation stack centered around Velociraptor. It's a powerful 1-2 punch that can benefit analysts and incident responders alike. Catch it here: youtube.com/watch?v=IFChO6…

Team Cymru Threat Research (@teamcymru_s2)

As part of our tracking of #OST frameworks, we decided to revisit one of the graphics from the below blog post.

Based on today's data, we observe the number of online #Sliver servers has increased significantly since September (#CobaltStrike retains first place 🥇).

(1/3)
Florian Roth ⚡️ (@cyb3rops)

My so-called godmode rules try to answer the following question: If you could only apply one rule, what would it look like?

- One shot!
- and cover as much malicious stuff as possible with a minimum of FPs

YARA Rule
gist.github.com/Neo23x0/f1bb64…

Sigma Rule
github.com/SigmaHQ/sigma/…
Zach (@svch0st)

On a recent incident we came across these files as a result of #CobaltStrike running on the host. It provided great insight on what tools they were running, as these EXEs weren't on disk. For more info check out bohops's blog:
bohops.com/2021/03/16/inv…
#DFIR
Siraj Raval (@sirajraval)

This is how it's organized:
- Month 1: Machine Learning
- Month 2: Deep Learning
- Month 3: Machine Learning Operations
And for the final project, you'll build a self-driving car, which will integrate everything you've learned into one data pipeline. It looks like this:

Aura (@securityaura)

I'm just gonna go ahead and say it. If you have:
- Cisco VPN
- No MFA for it
You may get a surprise knock from #Akira #Ransomware soon.
So yeah, go look at your AD auth logs for 4624/4625 from a WIN-* machine in your user VPN range. If you have a hit, may the IR Gods help you.

DC11333 Lille (@defcon11333)

ATTENTION: MOVED TO TUESDAY (May only). See you this TUESDAY 28/05 for the meetup 👇🏼👾
On the programme:
- « Les artefacts (DFIR) fantastiques » by Loïc Castel
📍 Boulangerie Bar - 28/05 from 19h
#Lille #DFIR #infosec #defcon

Florian Roth ⚡️ (@cyb3rops)

How Sigma rules for emerging threats take shape

- Someone noticed CVE-2024-49113 (#LDAPNightmare) could be detected and shared raw logs
- I realized we needed a Sigma rule to fully unlock its potential
- Another person created the rule
- A third refined and prepared it for