What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-09-03 18:00:04 | Le secret du 961C151D2E87F2686A955A9BE24D316F1362BF21 The secret of 961c151d2e87f2686a955a9be24d316f1362bf21 (lien direct) |
Un récemment est tombé sur un échantillon qui comprenait la chaîne mystérieuse suivante: j'ai googlé et non seulement j'ai trouvé quelques occurrences supplémentaires de cette chaîne, mais j'ai également trouvé une règle Yara (avertissement PDF) qui l'a fait référence.J'ai dû & # 8230; continuer la lecture & # 8594;/ span>
A recently came across a sample that included the following, mysterious string: I googled around and not only found a few more occurrences of this string, but also found a yara rule (PDF warning) that referenced it. I had to … Continue reading → |
Technical | ★★★ | |
|
2023-08-26 00:15:33 | Écrire de meilleures règles Yara en 2023… Writing better Yara rules in 2023… (lien direct) |
Dans mon article précédent, je pensais à une tâche impossible :comment consolider un vaste ensemble de règles Yara non organisées (que beaucoup d'entre nous, certes, collectent et accumulent - il suffit de télécharger le tout, au hasard, depuis tous les coins d'Internet - Continuer la lecture →
In my previous post I mused about an impossible task – how to consolidate a large, unorganized yara ruleset (that lots of us, admittedly, collect and hoard – just downloading it all, randomly, from all the corners of the internet … Continue reading → |
★★★★ | ||
|
2023-08-25 23:05:18 | Des lolbins pour les connaisseurs… Lolbins for connoisseurs… (lien direct) |
Nous sommes tous assez obsédés par la pureté des lolbins.Mieux encore, s'il s'agit d'un comportement caché/non documenté/inattendu d'un binaire natif du système d'exploitation qui peut être abusé à des fins néfastes.Évidemment, je les aime le plus aussi.Cependant…Vivre …Continuer la lecture →
We are all quite fixated on a purity of lolbins. Best if it is a hidden/undocumented/unexpected behavior of a native OS binary that can be abused for some nefarious purposes. I, obviously, love these the most, too. However… Living Off … Continue reading → |
Technical | ★★★ | |
|
2023-07-14 23:34:32 | Comment démarrer votre propre entreprise de menace? How to start your own threat intel company? (lien direct) |
Vous êtes-vous déjà demandé d'où viennent toutes les menaces que les aliments Intel?Comment ces entreprises savent-elles que cela ou ce compte de messagerie a été compromis?Comment identifient-ils [& # 8230;]
Have you ever wondered where all the threat intel feeds come from? How do these companies know that this, or that email account has been compromised? How do they identify […] |
Threat | ★★★ | |
|
2023-07-13 23:36:15 | Entrez Sandbox 27: Création de compte Enter Sandbox 27: Account creation (lien direct) |
Cela fait près de 4 ans depuis que j'ai publié mon dernier article dans cette série, fournissant à la communauté un grand corps de rapports de sandbox (APILOG_2019-07-14).L'un des moins connus [& # 8230;]
It’s been nearly 4 years since I published my last article in this series providing the community with a large corpora of sandbox reports (apilog_2019-07-14). One of the less known […] |
★★★ | ||
|
2023-06-22 23:54:19 | Le mythe de «Connaître votre org» -> Know_your_org.docx The myth of “knowing your org” -> know_your_org.docx (lien direct) |
Le monde du cyber-conseil fournit de nombreux travaux de sécurité utiles.Ils font des ateliers, des formations, des exercices de table, ils rédigent des manuels, l'équipe rouge, fournissent des évaluations et aident les entreprises avec GAP [& # 8230;]
The cyber consulting world delivers a lot of useful security work. They do workshops, trainings, table top exercises, they write playbooks, red team, provide assessments, and help companies with gap […] |
★★ | ||
|
2023-06-14 23:21:58 | Mitre att & ck & # 8211;De JSON à CSV Mitre Att&ck – from JSON to CSV (lien direct) |
J'adore tellement les données aux format JSON que & # 8230;Chaque fois que je vois quelque chose de précieux stocké dans ce format, je ne peux vraiment pas résister à la tentation de la convertir en CSV afin que je [& # 8230;]
I love JSON-formatted data so much that… anytime I see something valuable stored in this format I really can’t resist the temptation of converting it to CSV so that I […] |
★★ | ||
|
2023-06-09 23:33:10 | Modèles de script Perl et Python… Perl and Python Scripting Templates… (lien direct) |
L'une des compétences techniques les plus importantes (de base) en cybersécurité est: Connaître Excel (ou Google Sheets) Connaître la programmation / script de base (bash, CMD, PowerShell, VBS, VBA, AutoIt, Python, Perl, etc.) Connaître et [&# 8230;]
One of the most important (basic) technical skills in cybersecurity are: Knowing Excel (or Google sheets) Knowing basic programming/scripting (bash, cmd, powershell, vbs, vba, autoit, python, perl, etc.) Knowing and […] |
★★ | ||
|
2023-06-07 21:54:04 | Ce lolbin n'existe pas… This LOLBIN doesn\\'t exist… (lien direct) |
J'ai écrit sur Nullsoft Installer plusieurs fois auparavant.J'en suis un peu fasciné, car il n'y a pas beaucoup de recherches à ce sujet, en général, et même [& # 8230;]
I have written about Nullsoft installer a few times before. I am a bit fascinated by it, because there is not that much research about it, in general, and even […] |
★★ | ||
|
2023-06-03 22:07:18 | Analyse des fichiers PHP imbriqués imbriqués… Analyzing nested, obfuscated PHP files… (lien direct) |
De nombreuses coteaux de web PHP sont cryptés, codés, obscurcis de différentes manières, mais la plupart utilisent une approche rudimentaire reposant sur l'engagement de la même séquence de code & # 8216; cachette & # 8217;routines répétitivement, séquences qui [& # 8230;]
Many PHP webshells are encrypted, encoded, obfuscated in many different ways, but most use a rudimentary approach relying on engaging the same sequence of code ‘hiding’ routines repetitively, sequences that […] |
★★★ | ||
|
2023-06-01 22:52:56 | Analyse des exécutables PS2EXE… Analysing PS2EXE executables… (lien direct) |
Dans mes anciens messages, j'ai montré comment gérer & # 8216; crypté & # 8217;ou autrement & # 8216; protégé & # 8217;Des fichiers exécutables de script à l'exe visent à masquer, à obscurcir ou à faire des scripts utilisés pour générer [& # 8230;]
In my older posts I have shown how to deal with ‘encrypted’ or otherwise ‘protected’ script-to-exe executable files that aim to hide, obfuscate, or otherwise make scripts used to generate […] |
★★★ | ||
|
2023-05-23 22:56:08 | Dexray, DFIR et l'art de l'ambulance Chasing… DeXRAY, DFIR, and the art of ambulance chasing… (lien direct) |
Presque tous mes articles Dexray ont jamais été publiés sur les nouvelles versions de cet outil publiées.Aujourd'hui, je vais parler de la fabrication des saucisses & # 8217;partie [& # 8230;]
Pretty much all of my DeXRAY posts ever published been focusing on new versions of this tool being released. Today I will talk about the ‘making of the sausages’ part […] |
Tool | ★★★★ | |
|
2023-05-17 22:57:44 | Blue Teaming & # 8211;Les données sont compliquées… Blue teaming – it\\'s DATa complicated… (lien direct) |
Il y a dix ans, Blue Teaming était & # 8230;Facile (c'est une très mauvaise blague, je sais!).En toute honnêteté, nous avions moins de cibles, moins de langages de programmation pour gérer, moins de plates-formes, [& # 8230;]
A decade ago blue teaming was … easy (this is a really bad joke, I know!). In fairness, we had less targets, less programming languages to deal with, less platforms, […] |
★★ | ||
|
2023-05-12 22:50:39 | Da li \\ 'l World of DLL Exportts and Points d'entrée, partie 6 Da Li\\'L World of DLL Exports and Entry Points, Part 6 (lien direct) |
J'adore regarder des grappes de fichiers, car c'est le moyen le plus simple de trouver des modèles.Dans la dernière partie de cette série, je me suis concentré sur les installateurs nullsoft (DLLS!) Seulement, et [& # 8230;]
I love looking at clusters of files, because it’s the easiest way to find patterns. In the last part of this series I focused on Nullsoft installers (DLLs!) only, and […] |
★★ | ||
|
2023-05-12 21:35:49 | Matlab persistant lolbin & # 8211;2 ans trop tard, mais toujours… Matlab persistent lolbin – 2 years too late, but always… (lien direct) |
Je viens de réaliser que je n'ai jamais publié de post sur la fonctionnalité de Matlab Lolbinish / Persistenh que j'ai fait référence dans ce twit.Le tl; dr;Est-ce que Matlab peut charger une DLL de [& # 8230;]
I just realized I have never published a post about lolbinish/persistencish Matlab feature that I referred to in this twit. The Tl;dr; is that Matlab can load a DLL of […] |
★★ | ||
|
2023-05-11 23:16:10 | Noms de la section PE & # 8211;revisité, encore une fois, en 2023 PE Section names – re-visited, again, in 2023 (lien direct) |
Dans mes articles précédents, j'ai énuméré de nombreuses sections PE présentes dans différents types de binaires.Aujourd'hui, je regarde les sections Win11 PE et je suis heureux de signaler que [& # 8230;]
In my previous posts I have listed many PE sections present in different types of binaries. Today I am looking at win11 PE sections and am happy to report that […] |
★★★ | ||
|
2023-05-11 22:29:20 | Un elfe entre dans le bar… An Elf walks into the bar… (lien direct) |
Advapi32.dll de Windows 11. Entloga elfopenbackupEventlogw elfopeneventloga elfopeneventlogw elfreadeveventloga elfreadEventlogw elfregisterEventsourcea elfregisterEventsourcew elfreportEventa elfreportEventAndSourcew elfreportEventw et i [& # 8230;]
Windows 11’s advapi32.dll includes interesting export functions: ElfBackupEventLogFileA ElfBackupEventLogFileW ElfChangeNotify ElfClearEventLogFileA ElfClearEventLogFileW ElfCloseEventLog ElfDeregisterEventSource ElfFlushEventLog ElfNumberOfRecords ElfOldestRecord ElfOpenBackupEventLogA ElfOpenBackupEventLogW ElfOpenEventLogA ElfOpenEventLogW ElfReadEventLogA ElfReadEventLogW ElfRegisterEventSourceA ElfRegisterEventSourceW ElfReportEventA ElfReportEventAndSourceW ElfReportEventW And I […] |
★★ | ||
|
2023-05-05 23:23:12 | Malware & # 8211;Quelques réflexions sur le sens du mot… Malware – some musings about the meaning of the word… (lien direct) |
J'ai lu la question avec un grand intérêt, car c'est les questions comme celle-ci qui vous font faire une pause et réfléchir.Dans ma réponse, j'ai suggéré que le contexte est [& # 8230;]
I have read Ali‘s question with a great interest, because it’s the questions like this that make you pause and think. In my reply I suggested that the context is […] |
Malware | ★★ | |
|
2023-05-04 23:23:19 | Menage Hunting & # 8211;Problèmes d'architecture… Threat Hunting – architecture issues… (lien direct) |
Dans mon article récent, je me suis concentré sur les problèmes de localisation, mais il y a (toujours!) Plus & # 8230;Jetez un œil à la version ARM de Windows 11 & # 8211;Lorsque vous l'installez, vous le ferez [& # 8230;]
In my recent post I focused on localization issues, but there is (always!) more… Take a look at the Windows 11 ARM version – when you install it you will […] |
Threat | ★★★ | |
|
2023-04-21 23:49:48 | Utilisation de détecter facile à… détecter facilement Using Detect It Easy to… detect it easy (lien direct) |
J'adore le détecter facilement.Il est mon outil de prédilection en ce qui concerne les échantillons malveillants et dépasse continuellement mes attentes & # 8230;Sauf les moments où j'ai oublié d'utiliser [& # 8230;]
I love Detect It Easy. It’s my go-to tool when it comes to triaging malicious samples and it continuously exceeds my expectations… Except the times when I forgot to use […] |
Tool | ★★ | |
|
2023-04-20 22:46:15 | Les mots qui vont adapataadadapata The words that go adapataadadapata (lien direct) |
Il y a longtemps (quand je faisais mes propres mots croisés), l'une de mes cibles préférées était de les construire d'une manière qui les a fait avoir des propriétés spéciales, [& # 8230;]
Long time ago (when I used to make my own cross-words), one of my favorite targets was building them in a way that made them either have some special properties, […] |
★★★ | ||
|
2023-04-14 21:47:41 | Au-delà de la bonne clé de run ol \\ ', partie 142 Beyond good ol\\' Run key, Part 142 (lien direct) |
Je n'ai jamais entendu parler d'OBS (Open Broadcaster Software), jusqu'à ce que je voie ce fil Twitter.Après l'avoir téléchargé, l'essayer, bricoler avec lui & # 8230;En fait, je l'ai trouvé beaucoup plus déroutant que [& # 8230;]
I never heard of OBS (Open Broadcaster Software), until I saw this Twitter thread. After downloading it, trying it, tinkering with it… I actually found it far more confusing than […] |
★★ | ||
|
2023-04-01 22:56:02 | Les mots qui vont (.) [A-z] \ 1 [a-z] \ 1 [a-z] \ 1 [a-z] \ 1 [a-z] \ 1 The words that go (.)[a-z]\1[a-z]\1[a-z]\1[a-z]\1[a-z]\1 (lien direct) |
Un de mes anciens passe-temps est de jouer avec des mots.J'adore toutes sortes de blagues papa, & # 8220; le plus long & # 8221;mots, & # 8220; le plus étrange & # 8221;mots, & # 8220; mots étrangers & # 8221;, homonymes, homophones, palindromes, synonymes, antonymes, métonymes, [& # 8230;]
One of my old hobbies is playing with words. I love all sort of dad jokes, “the longest” words, “the weirdest” words, “foreign words”, homonyms, homophones, palindromes, synonyms, antonyms, metonyms, […] |
★★★ | ||
|
2023-03-28 22:14:05 | Convertir des questions douteuses en opportunités incontestables… [Converting questionable questions into unquestionable opportunities…] (lien direct) | Les médias sociaux sont pleins de questions qui sont formulées d'une manière passive, passive-agressive ou agressive initiale, utilisant souvent des erreurs communes de manière manipulative pour décourager le dialogue.C'est [& # 8230;]
Social media are full of questions that are formulated in a passive, passive-aggressive, or upfront aggressive way, often using common fallacies in a manipulative way to discourage dialogue. It is […] |
★★ | ||
|
2023-03-12 00:03:36 | List of clean mutexes and mutants (lien direct) | A few years ago I released a list of ‘bad’ mutexes/mutants. That list was generated from my malware sandbox reports. I thought that it may be good to revisit the […] | Malware | ★★★★ | |
|
2023-03-10 23:47:21 | Threat Hunting – localization issues (lien direct) | So you finished writing your perfect threat hunting query. Done and dusted, right? Hmm, sorry… chances are, it is… broken. How come? One reason, but it has many acronyms: L10N, […] | Threat | ★★★★ | |
|
2023-02-25 23:55:35 | Beyond good ol\' Run key, Part 141 (lien direct) | In my recent post on Mastodon I asked if there is any repo of Shadowpad side-loading combos. I asked, because long time ago I have created one for PlugX, and […] | ★★★ | ||
|
2023-01-22 00:56:23 | Excelling at Excel, Part 3 (lien direct) | One of the most common use cases we come across during our malware analysis exercises is a ROI-driven comparison of features between many samples of the same malware family. Yes, […] | Malware | ★★★★★ | |
|
2023-01-21 00:12:05 | Yara rules pageant (lien direct) | A few days ago I posted a very specific question on Twitter and Mastodon: You’ve got gazillion of random yara rules stored inside many random .yar files scattered around many […] | ★★★ | ||
|
2023-01-13 23:37:28 | Decrypting SHell Compiled (SHC) ELF files (lien direct) | In its recent blog post AhnLab described a campaign that relies on SHell Compiled (SHC) ELF files. I wanted to see if I can replicate their reverse engineering work and […] | ★★★ | ||
|
2023-01-08 00:01:01 | Excelling at Excel, Part 2 (lien direct) | Today I will talk about automated query-building using Excel. Working as a detection engineering and/or threat hunting specialist we often need to create a lot of queries including a lot […] | Threat | ★★★ | |
|
2023-01-07 00:18:24 | Excelling at Excel, Part 1 (lien direct) | In my old article I have demonstrated an atypical approach one may take to browse through similarly-looking security artifacts while analyzing a gazillion of similarly looking URls in Excel. I […] | ★★ | ||
|
2023-01-03 00:20:48 | Putting ELF on the shelf… (lien direct) | In my last post I referred to something what I call “putting elf on the shelf”. The idea is simple — Windows is a very rich environment when it comes […] | ★★★★ | ||
|
2023-01-01 00:44:53 | A bunch of OLD-School RCE tricks… (lien direct) | Every once in a while I come across questions from RCE analysts who are asking how to analyze samples when either existing tools don’t work, or when they (analysts) get […] | ★★★★ | ||
|
2022-12-30 23:29:04 | Beyond good ol\' Run key, Part 140 (lien direct) | This is a real oldie, but still worth a mention… Java gives us a lot of persistence possibilities and one of them are environment variables; when set, they will be […] | ★★ | ||
|
2022-12-15 00:12:54 | How to be a good quitter? (lien direct) | It is now. It is happening. You have finally submitted your resignation letter and you are leaving the company. Your accounts will be closed, and access to all company systems […] | ★★ | ||
|
2022-12-09 22:51:12 | Marrying client-side Windows-based CryptEncrypt and server-side,Linux-based Crypt::OpenSSL::RSA (lien direct) | Time flies and it does so very quickly. The story I am about to tell you is 8 years old, but it does feel like I wrote it yesterday. In […] | ★★ | ||
|
2022-12-08 23:32:52 | The Future of SOC (lien direct) | Over last few years we moved away from a SOC that used to be almost solely focused on Network and Windows events and artifacts (probably a strong fintech bias here) […] | ★★ | ||
|
2022-12-03 22:43:03 | Using make_sc_hash_db.py to create API hashing DBs (lien direct) | If you ever used shellcode_hashes IDA plugin from Mandiant, you probably have also used make_sc_hash_db.py before. But, if you haven’t, this post is for you. The focus of the article […] | ★★★ | ||
|
2022-12-02 23:15:00 | Environment… is variable (lien direct) | I love environmental variables. They are often post-worthy, and sometimes they are just simply cool. Yet, many are still not known. Many are still not described. Looking for ‘easy’ research […] | ★★★ | ||
|
2022-11-19 23:29:55 | Cracking Zeppelin (lien direct) | A few days ago Brian Krebs published a piece about Zeppelin key cracking, so … since I was also involved in recovering files for some of the ransomware gang victims […] | Ransomware | ||
|
2022-11-19 22:53:09 | Beyond good ol\' Run key, Part 139 (lien direct) | This one is a curious one. I actually don’t know how to trigger it! Yet, I will document some bits and bobs, so that you may take these entry points […] | |||
|
2022-10-08 21:49:42 | Dealing with alert fatigue, Part 2 (lien direct) | In the first part of this series I found myself jumping from one topic to another. I will do so in part 2, too 🙂 Dealing with alert fatigue requires […] | |||
|
2022-10-01 23:43:03 | Dealing with alert fatigue, Part 1 (lien direct) | Gazillion tickets, gazillion emails a day. The business as usual for most SOCs… It actually doesn’t matter how we got here (although I will cover some bits later on) – […] | |||
|
2022-09-21 22:05:59 | Inserting data into other processes\' address space, part 1a (lien direct) | I never thought I will write the part 1a of my old post, but here it is. As usual, I have not explored the below topic in-depth, but have certainly […] |
To see everything:
Our RSS (filtrered)
