Posts

  • Cobalt Group Report

    Update/correction: It has been brought to my attention that the attribution of this activity to Cobalt Group is not ironclad; it may change in the future. Recently an excellent report by Check Point was published explaining recent developments of the Cobalt Group threat actor. The Check Point report covers a lot of interesting TTPs and the evolution of techniques and procedures, but for now we will focus on detecting the unique C2 used...

  • Machete Malware Unsheathed

    Following on the excellent reporting by ESET, I decided to have a look at the malware myself to see if I could tease out Suricata signatures. The sample I found was an SFX RAR file that launched another SFX RAR containing several py2exe files: ;El comentario siguiente contiene secuencias de órdenes para auto extracción Setup=GoogleCrash.exe TempMode Silent=1 Overwrite=1 Within the decompiled exe files, we can see the Python code used to generate the network...

  • About the Anubis Sinkhole

    A question that frequently comes up is: “What is the Anubis Networks Sinkhole, and what does it mean when I see IDS alerts for it?”. What is a Sinkhole? When you type a domain name like “google.com” into your browser’s address bar, your computer generates a DNS request to turn that name into an IP address. The same process happens when your computer is infected with a malicious program, and that program wants to communicate...

  • Online Safety - Top 10 Tips

    These are my top tips for remaining safe online: only install apps from the default authorized app store; never install something because you are asked to; never open unexpected email attachments; check links in email before clicking; use 2 factor authentication for banking and email logins; use a password manager; don’t reuse passwords; if you think something is a scam, search the web for similar scams; use antivirus software, but know it is a 65%...

  • AutoIDS vs SIGPIPE

    Round 1: The problem. Have you ever used Flask’s built-in webserver and thought “this is probably good enough to use for my little thing”? I’ve discovered that it isn’t good for production, and it took a few missteps to find out why. I deployed AutoIDS on a low cost VPS, fired up the .py file, and after a few hours/days, the app would simply hang. If you pressed ctrl+c in the console window, you’d...

  • Dangerous Paste

    How many times have we been working hard on an issue, searching forums, blog posts, Stack Overflow, etc., and come across a proposed solution that says “just paste this into your terminal”? In the heat of the moment it is easy to forget that this situation deserves caution. The problem is that it is easy to sneak extra commands into those cut/copy/pastes, thusly. Example 1: git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e...

  • Introducing AutoIDS

    Have you ever been on the road or mobile, and you don’t have a snort/suricata test environment set up? AutoIDS is a new(ish) research tool running many versions of Suricata and Snort in a web app. You can use it to: check for malicious traffic, develop sigs, test basic sig performance, test pcap for malicious traffic, and check for INFO level events in traffic. Using AutoIDS: to use it, simply visit the front page and click...
