Discover and read the best of Twitter Threads about #threathunting

Most recent (8)

Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs it for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
Read 7 tweets
Threat Hunting In #CyberSecurity : Waiting for an alert can be too dangerous.
Threat hunting means proactively searching for malware or attackers that are hiding in your network, and may have been there for some time.
Most of the time, the goal of this malware or these attackers is to quietly siphon off data, patiently listen in for confidential information, or work their way through the network looking for credentials powerful enough to steal key information.
Read 19 tweets
Only about two months later than I originally planned, but here we go. I'll summarise areas we are hiring into in the thread 👇, along with a steer on experience and location where possible (all UK, but happy to make introductions elsewhere).
We have space for a mix of junior and experienced folks in most roles, and there is also a mix of location and partial remote working options depending on the role, so please DM to ask clarification questions or to ask about applying :) A little background on the team:
Cyber Threat Operations is PwC's front-line technical security services group, responsible for a portfolio of blue & red team services to global clients. Blue includes subscription & bespoke #threatintel & research services, short-term & managed endpoint/network threat hunting,
Read 18 tweets
The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting
You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.
At least one single "fuck" is present in some samples of the following malware families: AGENTBTZ, ASCENTOR, ZXSHELL, SOGU, TRICKBOT, GHOST, VIPER, WANNACRY, WARP, NETWIRE, COREBOT, REMCOS, VIPER, ORCUSRAT, PONY, etc. I can't even name the coolest ones. There are hundreds.
Read 6 tweets
Mal devs themselves introduce some of the funniest & hi-fi (although short lived) detection opportunities. Amongst several applicable HTTP methodologies, we see "Content-Type:application/octect-stream." Don't manually type out your HPTP headers for your C2 protocolols. #dailypcap
This network traffic comes from newish backdoor ExileRAT (compiled 2019-01-30T07:05:47Z) 606e943b93a2a450c971291e394745a6 that was hanging (with a multitude of other evil) on recently #opendir "http://27.126.188[.]212" There are ties to a humongous cluster of probs CN espionage.
The attackers from IP 27.126.188[.]212 are rollin' deep with kit. get_robin.py (1) looks to be some derivative of github.com/bhdresh python toolkit and also does some logging of connections. Sc.dat (2) is HTML that does JS get and creates a scheduled task for the exe.
Read 5 tweets
This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir
88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also 홀리데이 와이퍼(Operation Holiday Wiper)로 귀환한 로켓맨 APT 캠페인 ("The Rocketman APT campaign returns as Holiday Wiper (Operation Holiday Wiper)") by @alac blog.alyac.co.kr/2089
05683b9a13910d768b7982d013c31cb9 (U3.conf) is a backdoor that uses the PubNub API (a legit service) for C2 (see @MITREattack's T1102). It's a .NET binary and without its config it doesn't do much in a sandbox. How do you detect network C2 over PubNubApi?
Read 8 tweets
My @FireEye friends @DavidPany and @deeemdee4 put out a badass blog on tunneled RDP. What is it? How is it used? What can you do to find it? Read more here: fireeye.com/blog/threat-re…
Tunneled RDP typically refers to an interactive RDP session that occurs over the same "channel" as another comms session. This is done in a variety of ways, but primarily established through either a backdoor implant or a utility with some sort of port forwarding setup.
On RDP tunneled over SSH with PLINK. We've seen the *standard* PLINK file used. We've also seen PLINK variants with hard-coded parameters and configs and whatnot.
Read 18 tweets
I can hardly recall a security incident I worked on in which a webshell was not used at some stage, especially the incidents I worked on in our region (the Middle East). A thread of tweets about webshells and ideas for hunting them. #threathunting #dfir
A webshell is malware in the form of a script that targets web servers (usually ones reachable from the Internet) and supports a set of operations the attacker benefits from, such as: transferring files/data to and from the system, executing commands, building tunnels, and so on...
Webshells are used in more than one stage of the attack life cycle, such as:
- Initial Foothold: after finding a vulnerability that allows uploading files to a web server, the attacker may use that vulnerability to upload a webshell to the server, which gives them a foothold from which to continue.
Read 18 tweets
