Discover and read the best of Twitter Threads about #malwareanalysis


1/ I am taking a little break but couldn't resist checking out my favourite open-source projects for any updates. Doing so, I thought it would be useful to share my top 10 projects that anyone in the #infosec field should know about. Here they are 🧵:
2/ 📊 HELK (buff.ly/3BHn9iR): The Hunting ELK (HELK) project provides an analytics and threat hunting platform for security teams to identify and respond to threats in their environment. Just load your logs and start hunting! #HELK #ThreatHunting
3/ 🔍 Sigma (buff.ly/3q12WOC): Sigma enables infosec peeps to create rules for SIEM systems for detecting and responding to security incidents. It also allows us to share our rules in a non-vendor-specific format! Free detections anyone!?! #Sigma #SIEM
Read 13 tweets
🧵Thread: 10 underestimated resources about malware techniques.

This is a list of various resources to learn more about malware techniques, how to analyse them and how to improve your detection! 🤓 #infosec #malware #threatintel #malwareanalysis #cybersecurity
#1: The Unprotect Project

Of course, I couldn't start this thread without talking about this project we started in 2015. Unprotect Project is a database about Malware Evasion techniques with code snippets and detection rules. cf: @DarkCoderSc

🌐unprotect.it
#2: The LolBas project

Living off the land refers to the use of dual-use tools, which are either already installed in the victims' environment, or are admin, forensic or system tools used maliciously.

🌐lolbas-project.github.io
Read 13 tweets
1\ #MalwareAnalysis: Detecting Process Hollowing
The first pattern to look for is any call that creates a process in a suspended state:

> CreateProcessA
with dwCreationFlags set to 0x04 (CREATE_SUSPENDED)

Purpose is to disguise malicious code in a legit exe by replacing the contents.
2\ Following the process being started in a suspended state... (usually svchost.exe but who's counting). Then there are API calls to native/non-native APIs:

> ZwUnmapViewOfSection
> VirtualAllocEx
> WriteProcessMemory
> SetThreadContext
> NtGetContextThread
> NtReadVirtualMemory
3\ Other ones:
> NtResumeThread
> NtWriteVirtualMemory
> NtSetContextThread

The logic is to look for signs of processes being started in suspended state - then the process being hollowed, replaced with "malicious" contents and resuming of execution.
Read 4 tweets
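An added example, not part of the thread above, that encodes this detection logic as a check over a per-process API call trace such as one exported from a sandbox report. The trace record fields (pid, api, target, flags) and the sample trace are assumptions constructed for this example.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # the dwCreationFlags bit named in the thread

# Stages of the sequence after the suspended create, keyed by the Win32 and
# native API names that implement each one; matched case-insensitively.
STAGES = {
    "unmap":  {"zwunmapviewofsection", "ntunmapviewofsection"},
    "write":  {"writeprocessmemory", "ntwritevirtualmemory"},
    "setctx": {"setthreadcontext", "ntsetcontextthread"},
    "resume": {"resumethread", "ntresumethread"},
}
# Minimum needed to call it hollowing: created suspended, code written in,
# thread context redirected. Unmap is reported when seen; some variants skip it.
CORE = {"suspended", "write", "setctx"}


def find_hollowing(trace):
    """trace: chronological list of dicts with keys pid (caller), api (name),
    target (pid the call acts on; for CreateProcess* the new child) and, for
    CreateProcess*, flags (dwCreationFlags). These field names are assumed.
    Returns [(caller_pid, child_pid, sorted_stages)] for every child created
    suspended, written to, given a new thread context and then resumed."""
    seen = defaultdict(set)  # (caller, child) -> stages observed so far
    hits = []
    for call in trace:
        api = call["api"].lower()
        key = (call["pid"], call.get("target"))
        if api.startswith("createprocess"):
            if call.get("flags", 0) & CREATE_SUSPENDED:
                seen[key].add("suspended")
            continue
        if "suspended" not in seen.get(key, ()):
            continue  # cross-process call on a process never seen created suspended
        for stage, names in STAGES.items():
            if api in names:
                seen[key].add(stage)
        if api in STAGES["resume"] and CORE <= seen[key]:
            hits.append((key[0], key[1], sorted(seen[key])))
    return hits


# Constructed sample trace: one hollowing sequence (1000 -> 2000) and a
# benign suspended create that is simply resumed (3000 -> 4000).
SAMPLE_TRACE = [
    {"pid": 1000, "api": "CreateProcessA", "target": 2000, "flags": 0x4},
    {"pid": 1000, "api": "ZwUnmapViewOfSection", "target": 2000},
    {"pid": 1000, "api": "VirtualAllocEx", "target": 2000},
    {"pid": 1000, "api": "WriteProcessMemory", "target": 2000},
    {"pid": 1000, "api": "SetThreadContext", "target": 2000},
    {"pid": 1000, "api": "NtResumeThread", "target": 2000},
    {"pid": 3000, "api": "CreateProcessW", "target": 4000, "flags": 0x4},
    {"pid": 3000, "api": "ResumeThread", "target": 4000},
]

if __name__ == "__main__":
    for caller, child, stages in find_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: pid {caller} -> child {child}, stages {stages}")
```

A suspended create followed only by a resume (debuggers and some installers do this) is deliberately not flagged; the write and thread-context stages are what separate hollowing from that benign pattern.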
