markus neis (@markus_neis)'s Twitter Profile
markus neis

@markus_neis

Principal Threat Intelligence Researcher at Arctic Wolf Labs | Opinions are my own

ID: 828625039864057856

Joined: 06-02-2017 15:22:59

2.9K Tweets

2.8K Followers

1.3K Following

Andrew Thompson (@ImposeCost)

Banger from @NicoleBeckwith. I assign tasks to my leaders, and I encourage my team to assign tasks to me. It's actually a blessing, because that's one less thing I didn't have to write down. Also, management, leadership, and obstacle clearing is real work. 🫶🏼
✞ inversecos🩸 (@inversecos)

APT Emulation Labs: NOW LIVE 🎉

Solve incidents emulating APT29, APT10 and other threat groups.

$45 per month access to ALL labs:
👀 150+ hours of lab content
👀 Disk forensics + ELK logs
👀 Hints, questions and point system
👀 7 days free trial

Labs are created & designed

The DFIR Report (@TheDFIRReport)

🎉 Announcing DFIR Labs! 🎉

Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help.

1/2

Nils Kuhnert (@0x3c7)

Recently, we published lists of both APT groups and financially motivated threat groups targeting organizations in Germany. These pages are now also available in English.

Ivan Kwiatkowski (@JusticeRage)

#100DaysofYARA I created a web service that allows you to verify on which YARA versions your rule compiles.
In the past, shipping rules to customers, I wondered if there were limitations but couldn't find out easily. Now I can.

yaravalidator.manalyzer.org
Greg Lesnewich (@greglesnewich)

Happy new year and #100DaysOfYara! Getting right to the nitty gritty - tracking Andariel/TA430/Onyx Sleet in-memory payloads (as found by our pals at MSFT and Talos!) with @hatching_io and YARA!

g-les.github.io/yara/2024/01/0…
pcSc0ut (@pcsc0ut)

EDR Tip: If you monitor EDR for systems that run a secondary AV engine, and you don't have access to the AV management console for visibility, you can still know when the AV engine quarantines new detections by monitoring for folder creation events with the EDR under ProgramData:
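One way to operationalise that tip on EDR telemetry, as an added example that is not pcSc0ut's code. It assumes the EDR exports file-system events as JSON lines with the field names used here (event_type, host, ts, process, path), and that the AV engine stores each new detection as a fresh subfolder beneath a directory named "Quarantine" under C:\ProgramData; the folder name is a heuristic to tune per vendor, not a reference to any product's layout. The sample events are constructed.

```python
"""Spot AV quarantine activity from EDR directory-creation telemetry.

Added example, not from the original post. Assumptions: EDR events are
JSON lines with event_type/host/ts/process/path, and the AV engine creates
a new subfolder under a 'Quarantine' directory below C:\\ProgramData for
each new detection. QUARANTINE_MARKER is a heuristic to tune per vendor.
"""
import json
from typing import Dict, Iterable, List

PROGRAMDATA = "c:\\programdata\\"
# Assumed marker for the quarantine store's directory name (case-insensitive).
QUARANTINE_MARKER = "quarantine"


def normalize_win_path(path: str) -> str:
    """Lower-case, unify separators, collapse repeats, drop trailing slash.

    EDRs disagree on separator style and Windows paths are case-insensitive,
    so match on a canonical form instead of the raw string.
    """
    p = path.replace("/", "\\").lower()
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p.rstrip("\\")


def is_new_quarantine_item(event: Dict) -> bool:
    """True when a directory is created *inside* a quarantine store under
    ProgramData. Creation of the store itself (marker as the last path
    component) is ignored: that is product installation, not a detection."""
    if event.get("event_type") != "DirectoryCreate":
        return False
    p = normalize_win_path(event.get("path", ""))
    if not p.startswith(PROGRAMDATA):
        return False
    components = p[len(PROGRAMDATA):].split("\\")
    # Only ancestor components count; the leaf is the newly created item.
    return any(QUARANTINE_MARKER in c for c in components[:-1])


def triage(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines EDR events and return the quarantine hits with the
    fields an analyst needs to pivot: host, time, creating process, path."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip, do not crash the pipeline
        if is_new_quarantine_item(ev):
            hits.append({k: ev.get(k) for k in ("host", "ts", "process", "path")})
    return hits


# Constructed sample telemetry (not real data). Lines 2 and 4 should fire:
# a new folder inside a quarantine store under ProgramData. Line 1 is the
# store being created by an installer, line 3 is a file rather than a folder,
# line 5 is outside ProgramData, line 6 is malformed.
SAMPLE_EVENTS = [
    r'{"event_type":"DirectoryCreate","host":"ws01","ts":"2023-12-01T08:01:10Z","process":"msiexec.exe","path":"C:\\ProgramData\\ExampleAV\\Quarantine"}',
    r'{"event_type":"DirectoryCreate","host":"ws01","ts":"2023-12-01T09:15:42Z","process":"exampleav_svc.exe","path":"C:\\ProgramData\\ExampleAV\\Quarantine\\{0f3c2b1a-1111-2222-3333-444455556666}"}',
    r'{"event_type":"FileCreate","host":"ws01","ts":"2023-12-01T09:15:43Z","process":"exampleav_svc.exe","path":"C:\\ProgramData\\ExampleAV\\Quarantine\\{0f3c2b1a-1111-2222-3333-444455556666}\\item.dat"}',
    r'{"event_type":"DirectoryCreate","host":"ws02","ts":"2023-12-01T10:02:00Z","process":"otherav.exe","path":"c:/programdata/OtherAV/quarantine/2023-12-01"}',
    r'{"event_type":"DirectoryCreate","host":"ws02","ts":"2023-12-01T10:05:00Z","process":"explorer.exe","path":"C:\\Users\\bob\\Downloads\\Quarantine\\stuff"}',
    "not json at all",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The creating process is kept in each hit on purpose: seeing the AV service binary as the creator is what separates a real quarantine event from a user or installer making a folder that happens to be called Quarantine, which is the main false positive to expect with a name-based heuristic.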

Nils Kuhnert (@0x3c7)

Frank Boldewin (@r3c0nst) created a neat #Yara workshop some time ago and released the materials this weekend. If you want to learn YARA (or know someone who does), this is a very good place to start. #threatintel #detectionengineering
Steve YARA Synapse Miller (@stvemillertime)

The YARA enthusiast community is friendly, skilled and growing, and you can be a part of it. Come learn and have fun, push yourself and your peers, and let's jam on some YARA rules together.

github.com/100DaysofYARA/…

Joshua Penny (@josh_penny)

Interesting SANS post by @johullrich: Exploiting #SharePoint CVE-2023-29357.

June MS releases patch ▶️ late Sept exploit released ▶️ via CVE-2023-24955 (patched in May).

Honeypots identify low threshold scanning 30th Sept but recent spike in activity...
markus neis (@markus_neis)

Ongoing investigation into Qlik Sense Exploitation in Cactus Ransomware Campaign

arcticwolf.com/resources/blog…

Currently assessed to be related to CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365 identified by Praetorian

Mark (@sneakymonk3y)

.@TrendMicro kudos to the team that put this together.

180+ page report - Exploring forensic evidence and detection methods for remote monitoring and management (RMM) tooling. Also including common sync tools used in incidents.

jsac.jpcert.or.jp/archive/2023/p…

#DFIR #RMM
Evild3ad79 (@Evild3ad79)

MemProcFS-Analyzer v1.0 released with various enhancements. New checkboxes, 318 YARA rules for malware detection, improved hunting for suspicious scheduled tasks, Kroll RECmd Batch File v1.22, and much more.
github.com/evild3ad/MemPr…

Costin Raiu (@craiu)

Yara rules too slow? Not finding the needle in the APT haystack? Too many warnings or too many false positives? Turkey in the oven, got spare time? Join Vicente Diaz and myself tomorrow for cool yara tips and tricks, edition! brighttalk.com/webcast/18282/…

Costin Raiu (@craiu)

After #Sandworm, now #APT29 also embracing WinRAR #CVE-2023-38831 with their evergreen spearphishing doc theme 'Diplomatic car for sale' :)