What's new around the internet

Last one

Source: RedTeam.pl
Date (GMT): 2020-06-03 13:55:20
Title: Kinsing cryptocurrency mining malware (TTPs & IOC) (direct link)
Description: We would like to share with the community the following TTPs and IOC related to Kinsing cryptocurrency mining malware, as most research is focused directly on analysing malware samples rather than on how it infects the system. TTPs: Attackers are using an RCE vulnerability in Liferay which is identified as CVE-2020-7961 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7961]. There is a publicly available PoC on GitHub [https://github.com/mzer0one/CVE-2020-7961-POC/blob/master/poc.py] for this vulnerability, which matched most artifacts we have found on the targeted system. Attackers are sending the payload using an HTTP POST request: POST /api/jsonws/invoke
Tags: Malware, Vulnerability

Source: RedTeam.pl
Date (GMT): 2020-03-18 17:56:30
Title: DNS for red team purposes (direct link)
Description: Introduction: In the following blog post I would like to demonstrate a proof-of-concept for how red teamers can build DNS command & control (DNS C2, DNS C&C), perform a DNS rebinding attack and create fast flux DNS. We will focus only on the DNS server part without building a complete working platform. This approach can also be used by
Tags: Malware, Threat

Source: RedTeam.pl
Date (GMT): 2019-08-14 21:45:48
Title: Threat hunting using DNS firewalls and data enrichment (direct link)
Description: After seeing a few advertisements about DNS firewalls and how expensive they are, I want to share my experience with blue teamers about how DNS firewalls work and how that knowledge can be used for in-house threat hunting solutions and/or building your own DNS firewall (aka do it yourself). These are examples of an approach to detect malicious behaviour, not tailor-made solutions. At the beginning I would like to highlight that it's a good practice to monitor not only logs but also DNS traffic in real time. Such traffic isn't encrypted, and if you only check DNS server logs then you can miss direct requests to other DNS servers. Additionally you can also use the recently published version of Sysmon [https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon] which supports DNS queries in event ID 22 (DNSEvent). The DNS queries used below that end with
Tags: Spam, Malware, Threat, Guideline, APT 18
Last update at: 2024-05-20 03:07:51