Collaborate Disseminate
I often see advice in discussions about malware detection that emphasizes monitoring for suspicious network traffic. Honestly, this task seems easier said than done. For example, when using tools like Wireshark or GlassWire to capture netw… Continue reading What are reliable indicators of suspicious network traffic? [duplicate]
We are excited to announce our integration with DOCGuard for the analysis of
Office documents, PDFs and other file
types as a behavioral analysis engine. This document analysis collaboration will
allow the community to ge… Continue reading VirusTotal += Docguard
Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server… exactly like a malware with it’s C2 server but this time
The post Velociraptor & Loki appeared first on /dev/random.
For forensics purposes, I am looking to find suspicious scripts or patterns that could give me clues to find crypto-mining malware on a Linux server.
I have a copy of suspicious data but it is not possible to run the virtual machine in the… Continue reading How to detect crypto mining malware [closed]
What are the indicators of compromise (IoCs) that indicate methods used by the Pegasus spyware on mobile phones?
How is penetration still possible when the latest and up-to-date OS of the phone is used?
I recently saw an unsolicited report done by a security(1) company A about the security posture of company B.
I got interested by one of the points in the report about analysis of malware activity from company B.
It was a table of the malw… Continue reading How can IPs connecting to a C&C become public knowledge? (the C&C is sinkholed) [closed]
As part of incident response to malicious code outbreak and given the hash value of the malicious artifact, I would like to search across the entire organization for this specific hash value.
Do you know of best practices or solutions that… Continue reading Enpoint protection: How to search an organisation for hash value
TL;DR: VirusTotal allows you to search for similar files according to different orthogonal notions (structure, visual layout, icons, execution behaviour, etc.). File similarity can be combined with the “have:” search modifier in order to gain more cont… Continue reading Using similarity to expand context and map out threat campaigns
I published the following diary on isc.sans.edu: “Simple Blacklisting with MISP & pfSense“: Here is an example of a simple but effective blacklist system that I’m using on my pfSense firewalls. pfSense is a very modular firewall that can be expanded with many packages. About blacklists, there is a well-known
The post [SANS ISC] Simple Blacklisting with MISP & pfSense appeared first on /dev/random.
Continue reading [SANS ISC] Simple Blacklisting with MISP & pfSense
TAXII feeds are a great addition to a monitoring solution such as a SIEM. However, to my knowledge, there are only three distinct openly available providers:
Hail A TAXII
OTX
Limo
What other threat feeds based on TAXII/STIX are availab… Continue reading Essential / popular TAXII feeds [closed]