Of course, I couldn't start this thread without talking about this project we started in 2015. Unprotect Project is a database about Malware Evasion techniques with code snippets and detection rules. cf: @DarkCoderSc
Living off the land refers to the use of dual-use tools, which are either already installed in the victims' environment, or are admin, forensic or system tools used maliciously.
DLL hijacking is a common technique used by malware. This project provides a list of DLL Hijacking candidates. A mapping between DLLs and vulnerable executables can be searched via this website. cf: @Wietze
Privilege escalation is often used by malware to gain more access in an infected machine. This list keeps track of privilege escalation resources. cf: @m0nadlabs
During execution malware will leave track on the system that can be retrieve in Windows events. This list keeps tracks of resources related to Event ID analysis. cf: @stuhlonsky
🤓 Prompts are everywhere in modern AI systems.
Chatbots. Automations. Agentic workflows...
But they are also a new attack surface!
I introduced a common standard: Indicators of Prompt Compromise (IoPCs) – Adversarial Prompts
Here is a thread to explain👇
When we talk about adversarial prompts, most people think of prompt injection or prompt jailbreaking.
These are common AI attacks, but they are only the tip of the iceberg!
Threat actors are using AI for malware. ESET recently discovered a ransomware powered with LLM dubbed PromptLock. Even if it was a POC this is still an interesting case!
Prompt Injection is one of the first attack vectors used to exploit weaknesses or bypass behavior in AI models.
Here is an illustrated thread with 5 different prompt injection techniques 👇
1️⃣ Direct Prompt Injection
The classic one, the attacker directly inserts malicious text into the input field of the AI model, the model interprets it as a legitimate instruction!
👉 Very simple but effective. It can bypass restrictions, force unwanted outputs or reveal sensitive data.
2️⃣ Indirect Prompt Injection
The malicious prompt is hidden inside an external source (like a webpage, PDF, metadata, or HTML comment). When the LLM retrieves or reads that content it processes the injected instruction.
👉 Dangerous because the user might not even know the payload exists, it is executed automatically when the model ingests the content!
Analyzing data leaks is a very interesting Intel challenge, especially when you’re dealing with a foreign language 🤓
The I-SOON leak, which contains mostly PNG files of screenshots of documents, is a good example 🔎
Last night, I created a Notebook to automatically process and analyze the data to speed up your investigation.
Here is my process 👇 🧵
If you don't want to read the thread, you can directly jump to the notebook here:
#infosec #isoon #leak #threatintel #llm #python #jupyterjupyter.securitybreak.io/ISOON_DataLeak…
As always, when analyzing new data, check out the structures and formats, and spend time to understand what kind of data you're dealing with. THIS is crucial!🔍
With Python, you can easily peek into the content 💻
Here I created two simple chart to visualize the repartition of the data:
📢I recently investigated a campaign targeting the cryptocurrency industry. I wrote a detailed report that includes TTP, IOC and more. Here is a thread about this attack! 🧵👇
The attack started on Telegram to identify the targets, then they deployed a weaponized Excel document which finally delivered the final backdoor through multiple mechanisms. ☠☠️ #infosec#malware#backdoor
🧐To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram.
👀They created fake profiles using details from employees of the company OKX. #infosec#Cryptocurency
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec#threatintel
1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec#ttp
3⃣ - Mitre ATT&CK Matrix is became one of the references to classify and categorize attackers' TTPs! ☠️ #cybersecurity