Discover and read the best of Twitter Threads about #detection

Most recents (24)

🐲 Ghidra Tips 🐲- Malware Encryption and Hashing functions often produce byte sequences that are great for #Yara rules.

Using #Ghidra and a Text Editor - You can quickly develop Yara rules to detect common malware families.
(Demonstrated with #Qakbot)

[1/20]
#Malware #RE
[2/20]
Hashing and encryption functions make good targets for #detection as they are reasonably unique to each malware family and often contain lengthy and specific byte sequences due to the mathematical operations involved.

These characteristics make for good Yara rules 😁
[3/20] The biggest challenge is locating the functions responsible for hashing and encryption. I'll leave that for another thread, but for now...

You can typically recognize hashing/encryption through the use of bitwise operators inside a loop. (xor ^ and shift >> etc).
Read 22 tweets
If you utilise API hashing in your #malware or offensive security tooling. Try rotating your API hashes. This can have a significant impact on #detection rates and improve your chances of remaining undetected by AV/EDR. See below for an example with a Bind Shell vs #Virustotal.
Since API hashing can be confusing, most attackers won't rotate their hashes with each iteration of malware. Those same hashes can be a reliable detection mechanism if you can recognize them in code.
Luckily finding these hashes isn't too difficult, just look for random hex values prior to a "call rbp".
If you're unsure whether the value is an API hash, just google it and see if you get any hits. Most of the time, identification can be a simple google search away.
Read 6 tweets
The first Network Security session at #PESW (organized by @FIT_CTU) has been started by @vaclavbartos1, the chair who introduces our speaker Lukáš Hejcman @FIT_VUT & @CESNET_cz. You may still visit us in Horoměřice at pesw.fit.cvut.cz/2022 until Saturday!
Matej Hulák (@FIT_CTU & @CESNET_cz) is the second speaker. We move from Packet Capture by Lukáš H. to Traffic classification topic by Matej.
3rd speaker of "Session 3 - Traffic Capture and Detection" - Richard Plný presents #CryptoMining #detection in #network #traffic. Using #IPFIX and "weak classifiers".
Read 5 tweets
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awsome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
Read 8 tweets
Daily Bookmarks to GAVNet 12/15/2021 greeneracresvaluenetwork.wordpress.com/2021/12/15/dai…
Well-Structured German Study Shows No Deaths among Healthy German Kids Ages 5 to 11 ⋆ Brownstone Institute

brownstone.org/articles/well-…

#MedicalStudy, #germany, #COVID19, #mortality, #children, #SchoolClosures
Fast superhighway through the Solar System discovered - Big Think

bigthink.com/hard-science/f…

#ArchesOfChaos, #SpaceTravel, #SolarSystem, ScientificDiscovery
Read 20 tweets
Daily Bookmarks to GAVNet 12/05/2021 greeneracresvaluenetwork.wordpress.com/2021/12/05/dai…
A Nitrogen Shortage is Brewing, So What Will it Take to Cure The World's Fertilizer Deficiency?

agweb.com/news/crops/cro…

#NitrogenFertilizer #NaturalGas #prices #shortages #CropYield #projections
Scientists Concerned About New COVID-19 Variant Detected in South Africa With High Number of Mutations

time.com/6124039/south-…

#COVID19 #evolution #variants #detection #transmissibility #virulence #PublicHealth
Read 13 tweets
Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - github.com/klinix5/Instal…) and managed to create some detections on it.

Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit requires the user to overwrite elevation_service.exe with a compromised one (in this case with InstallerFileTakeOver.exe).
We can monitor this using #Sysmon event ID 11 - File Creation events:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe
Read 14 tweets
Mieux comprendre les catastrophes naturelles et nous en protéger : voici l'objectif de plusieurs services nationaux d'observation #SNO de l'INSU ⛈️🌪️☀️🌊🌋
On vous en parle toute la semaine dans ce #thread

#OnlyTogether #DRRday #CatastropheNaturelle Image
@UNDRR @CNRS Le #SNO Dynalit étudie les risques qui menacent le littoral : érosion, #submersion et pollution🌊
Pour en savoir plus ➡️ insu.cnrs.fr/fr/Observation…

#OnlyTogether #DRRday #CatastropheNaturelle Image
Le #SNO BCSF-Rénass est dédié à la #détection et la localisation des #séismes en France 💣
Pour en savoir plus ➡️insu.cnrs.fr/fr/observation…
#OnlyTogether #DRRday #CatastropheNaturelle Image
Read 16 tweets
😱Video of New Zealand PM 'smoking crack'😱

#Real or #fake? Let’s find out. 👇👇👇 1/...

#OSINT 🔎
#Verification 📹
#SpeurJeMee? 🧐 #HowToOSINT Image
On 1 Oct. someone posts a video on #Twitter.

We see two videos superimposed. According to the caption , we would see the New Zealand Prime Minister Jacinda Ardern twice.

At the top she appears to be talking to #BillGates and at the bottom she appears to be using #crack. 🔞2/. Image
We also find the same video in various other posts on #Twitter, #YouTube, #Facebook and on the alternative video site #BitChute.

In total, these videos were viewed more than 31,000 times. Let's verify! 3/...
Read 34 tweets
Meanwhile in #France,
"the peak of this second wave is over"

(according to the President in his Adress to the Nation):
Wait... "the peak is over" doesn´t mean "it´s back to normal"!

Confinement will only fall on December 15,
if there´s less than 5.000 new cases a day.
(today it´s ~9.000).

France is disappointed.🙁

Although they certainly can make it happen.
Meanwhile in #Switzerland:
(excess mortality of the second wave is significant)

Good news: fastest decrease in infections happens in the worst hit areas now.
Image
Read 2817 tweets
So, I was trying to summarize my thoughts on why THREAT #DETECTION is hard (1/m)
Naturally, first a quip on "well, the attackers don't want to be detected" came to my mind ... (2/m)
Well, except for ransomware after they are ready ... (3/m)
Read 5 tweets
As #COVID19 cases are found to spread, #Melbourne (city of ~5 million) tries to contain them by going into #Lockdown.
(The interview features the idea of a dedicated #Quarantine building - that would actually help, I guess)...
"People acting as if the pandemic was over was 'not the answer, it is part of the problem' ".

"The virus had leaked from postcodes already under the stay-at-home orders to other parts of #Melbourne."
(and beyond, it is feared).
Due to #Melbourne's outbreak, neighbouring South Australia is about to completely close it's borders to #Victoria.

(Nearly) no exceptions. And those essential few who are allowed in, will have to wear facemasks the entire time...
Read 2915 tweets
Daily Bookmarks to GAVNet 6/27/2020-2

greeneracresvaluenetwork.wordpress.com/2020/06/27/dai…

New Geometric Perspective Cracks Old Problem About Rectangles

quantamagazine.org/new-geometric-…

#geometry #perspective
Detecting Regions At Risk for Spreading COVID-19 Using Existing Cellular Wireless Network Functionalities - IEEE Journals & Magazine

ieeexplore.ieee.org/document/91170…

#detection #network #coronavirus #regions #wireless #cellular
The Dudes Who Won't Wear Masks - The Atlantic

theatlantic.com/ideas/archive/…

#coronavirus #masks
Read 4 tweets
Vorpommern-Greifswald district (where rejections of #Gütersloh residents took place, yesterday)
has specific rules:
"Those who return from international risk areas (out of Germany) or whose Corona-Warning App has alerted them, need to report to authorites"
kreis-vg.de Image
In fact, Mecklenburg-Vorpommern's Corona-ordinance really prohibits entry of people from international risk areas AND german risk areas as well.
It's just not prominently featured on their websites.

(Overlooked that myself, hence deleted earlier tweet)
landesrecht-mv.de/jportal/portal… Image
People from #Gütersloh district may have to scrap all their holiday plans anyway...

An official #Lockdown is just being announced for the entire district.
(for one week, as of now)
Read 2556 tweets
Moving average of new cases of #COVID19 and new deaths in #India

#Gujarat has a way higher case fatality ratio than the national value, followed by #WestBengal and #MadhyaPradesh.

We need the CFR to fall to 0!

(1/3)

@aparanjape @c_aashish @MulaMutha @nebuer42 @oommen
In the next 12 states, #Telangana has the worst CFR followed by #Punjab - though the latter is lower than the national CFR.

#Uttarakhand has seen a sudden spike in deaths over the last few days, though luckily the base is low

(2/3)
Deaths due to #COVID19 in #India is yet to really slowdown, we need this to happen.

Early #detection, #quarantine, #treatment & #Masks4All is crucial for this.

Given that we have to live with this for a while, we need to reduce the #deaths to zero!

(3/3)
Read 3 tweets
Subdomain takeover detection #OneLiners

- used command and details are in the thread.

#bugbountytips #security #takeover #detection Image
- used command

subfinder -d hackerone.com -silent | dnsprobe -silent -f domain | httprobe -prefer-https | nuclei -t nuclei-templates/subdomain-takeover/detect-all-takeovers.yaml
- details Image
Read 4 tweets
#Myanmar reports 1st 2 confirmed #COVID19 #coronavirus cases in nation after some 3 months since virus outbreak. Both appear to be imported from citizens returning from abroad. 1 reportedly returned from the #UK, other the #US. US has more than 41,000 cases, UK more than 5,900
This 1st #Myanmar report of #COVID19 #coronavirus is just beginning of potentially more to come as thousands head home from different parts of the world esp from #Thailand as many nations temporarily shut borders. Hope Myanmar can cope with #detection #ContactTracing #treatment
Already there've been complaints of poor #COVID19 #coronavirus facilities by at least 1 person under #quarantine in #Myanmar after flying in from the #UK few days ago. Experience posted on person's #FB described how there's no sleeping/showering privacy
m.facebook.com/story.php?stor… ImageImageImageImage
Read 7 tweets
🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
• ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ 👀
@snort 🐷 #detection tricks (negative distance, exploitation flowbits)
👉🔗 fireeye.com/blog/products-…
#DFIR tips ⤵️ ImageImage
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 😅

As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 🙇🏽‍♂️
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!