Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Thomas Roccia 🤘 Profile picture
@fr0gger_
Nov 6, 2022 13 tweets 9 min read Read on X
Scrolly
🧵Thread: 10 underestimated resources about malware techniques.

This is a list of various resources to learn more about malware techniques, how to analyse them and how to improve your detection! 🤓 #infosec #malware #threatintel #malwareanalysis #cybersecurity
#1: The Unprotect Project

Of course, I couldn't start this thread without talking about this project we started in 2015. Unprotect Project is a database about Malware Evasion techniques with code snippets and detection rules. cf: @DarkCoderSc

🌐unprotect.it
#2: The LolBas project

Living off the land refers to the use of dual-use tools, which are either already installed in the victims' environment, or are admin, forensic or system tools used maliciously.

🌐lolbas-project.github.io
#3: HijackLibs

DLL hijacking is a common technique used by malware. This project provides a list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables can be searched via this website. cf: @Wietze

🌐hijacklibs.net
#4: MalApi

Malware relies on Windows API to perform action in the infected system. MalAPI keeps a list of API used by malware. cf: @mrd0x

🌐malapi.io
#5: Living Off Trusted Sites

Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. cf: @mrd0x

🌐lots-project.com
#6: Malware Persistence

Malware uses persistence mechanisms to survive reboot. This list keeps track of resources related to malware persistence techniques.

🌐github.com/Karneades/awes…
#7: Malware Privilege Escalation

Privilege escalation is often used by malware to gain more access in an infected machine. This list keeps track of privilege escalation resources. cf: @m0nadlabs

🌐github.com/m0nad/awesome-…
#8: Malware Event ID

During execution malware will leave track on the system that can be retrieve in Windows events. This list keeps tracks of resources related to Event ID analysis. cf: @stuhlonsky

🌐github.com/stuhli/awesome…
#9: ORKL

This is a search engine dedicated to threat intelligence reports. You can use it to browse knowledge about attackers, tools, and tactics. cf: @orkleu

🌐orkl.eu
#10: Vx-Underground Malware Techniques Papers

This is a collection of whitepapers classified by techniques. cf: @vxunderground

🌐vx-underground.org/windows.html
#10 +1: The Malware Museum

This is a fun website that contains malware that were distributed between 1980 and 1990. cf: @mikko

🌐archive.org/details/malwar…
That's it! If you like this thread, you can share it, like it and get the list here👇

github.com/fr0gger/Awesom…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Thomas Roccia 🤘

Thomas Roccia 🤘 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @fr0gger_

Thomas Roccia 🤘 Profile picture
Sep 15
🤓 Prompts are everywhere in modern AI systems.
Chatbots. Automations. Agentic workflows...

But they are also a new attack surface!

I introduced a common standard: Indicators of Prompt Compromise (IoPCs) – Adversarial Prompts

Here is a thread to explain👇Image
When we talk about adversarial prompts, most people think of prompt injection or prompt jailbreaking.

These are common AI attacks, but they are only the tip of the iceberg!
Threat actors are using AI for malware. ESET recently discovered a ransomware powered with LLM dubbed PromptLock. Even if it was a POC this is still an interesting case!

Read 15 tweets
Thomas Roccia 🤘 Profile picture
Sep 7
Prompt Injection is one of the first attack vectors used to exploit weaknesses or bypass behavior in AI models.

Here is an illustrated thread with 5 different prompt injection techniques 👇 Image
1️⃣ Direct Prompt Injection

The classic one, the attacker directly inserts malicious text into the input field of the AI model, the model interprets it as a legitimate instruction!

👉 Very simple but effective. It can bypass restrictions, force unwanted outputs or reveal sensitive data.Image
2️⃣ Indirect Prompt Injection

The malicious prompt is hidden inside an external source (like a webpage, PDF, metadata, or HTML comment). When the LLM retrieves or reads that content it processes the injected instruction.

👉 Dangerous because the user might not even know the payload exists, it is executed automatically when the model ingests the content!Image
Read 7 tweets
Thomas Roccia 🤘 Profile picture
Apr 29
🤓 Last week, Anthropic released a report on malicious uses of Claude.

The report is very interesting, but I think it is missing critical actionable insights to make it useful for threat analysts.

I broke down my POV in a blog, quick thread 👇🧵

blog.securitybreak.io/why-prompts-ar…
Before jumping into the details, if you want to learn more about AI and threat intelligence, I am running an advanced training at BlackHat USA.

Drop me a message if you have any questions.

➡️ store.securitybreak.io/ctiai
Back to the threat report! Anthropic identified four case studies:

🧠 Influence-as-a-Service:
Used Claude to run 100+ social media bots promoting moderate political content across multiple countries.

🔓 Credential Stuffing & IoT Targeting:
Improved scraping tools to target leaked credentials from security cameras.

🎯 Recruitment Fraud:
Polished scam messages targeting Eastern European job seekers by impersonating recruiters.

💻 Malware Development:
Novice actor used Claude to build advanced malware tools focused on persistence and evasion.
Read 15 tweets
Thomas Roccia 🤘 Profile picture
Feb 21, 2024
Analyzing data leaks is a very interesting Intel challenge, especially when you’re dealing with a foreign language 🤓

The I-SOON leak, which contains mostly PNG files of screenshots of documents, is a good example 🔎

Last night, I created a Notebook to automatically process and analyze the data to speed up your investigation.

Here is my process 👇 🧵

If you don't want to read the thread, you can directly jump to the notebook here:
#infosec #isoon #leak #threatintel #llm #python #jupyterjupyter.securitybreak.io/ISOON_DataLeak…Image
As always, when analyzing new data, check out the structures and formats, and spend time to understand what kind of data you're dealing with. THIS is crucial!🔍

With Python, you can easily peek into the content 💻

Here I created two simple chart to visualize the repartition of the data:

- .md: 70
- .png: 489
- .log: 6
- .txt: 11
- No Extension: 1

#dataanalysis #python #infosecImage
Image
We can see a high number of PNGs, mainly screenshots with Chinese characters as we can see in the example below 👇 Image
Read 12 tweets
Thomas Roccia 🤘 Profile picture
Dec 6, 2022
📢I recently investigated a campaign targeting the cryptocurrency industry. I wrote a detailed report that includes TTP, IOC and more. Here is a thread about this attack! 🧵👇

@MsftSecIntel @MicrosoftAU #infosec #cryptocurrency #threatintelligence #apt

microsoft.com/en-us/security…
The attack started on Telegram to identify the targets, then they deployed a weaponized Excel document which finally delivered the final backdoor through multiple mechanisms. ☠☠️ #infosec #malware #backdoor
🧐To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram.

👀They created fake profiles using details from employees of the company OKX. #infosec #Cryptocurency
Read 14 tweets
Thomas Roccia 🤘 Profile picture
Apr 20, 2022
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec #threatintel

1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec #ttp
3⃣ - Mitre ATT&CK Matrix is became one of the references to classify and categorize attackers' TTPs! ☠️ #cybersecurity
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(