Collaborate Disseminate
We are excited to announce our integration with DOCGuard for the analysis of
Office documents, PDFs and other file
types as a behavioral analysis engine. This document analysis collaboration will
allow the community to ge… Continue reading VirusTotal += Docguard
Velociraptor is a great DFIR tool that becomes more and more popular amongst Incident Handlers. Velociraptor works with agents that are deployed on endpoints. Once installed, the agent automatically “phones home” and keep s a connection with the server… exactly like a malware with it’s C2 server but this time
The post Velociraptor & Loki appeared first on /dev/random.
For forensics purposes, I am looking to find suspicious scripts or patterns that could give me clues to find crypto-mining malware on a Linux server.
I have a copy of suspicious data but it is not possible to run the virtual machine in the… Continue reading How to detect crypto mining malware [closed]
What are the indicators of compromise (IoCs) that indicate methods used by the Pegasus spyware on mobile phones?
How is penetration still possible when the latest and up-to-date OS of the phone is used?
I recently saw an unsolicited report done by a security(1) company A about the security posture of company B.
I got interested by one of the points in the report about analysis of malware activity from company B.
It was a table of the malw… Continue reading How can IPs connecting to a C&C become public knowledge? (the C&C is sinkholed) [closed]
As part of incident response to malicious code outbreak and given the hash value of the malicious artifact, I would like to search across the entire organization for this specific hash value.
Do you know of best practices or solutions that… Continue reading Enpoint protection: How to search an organisation for hash value
TL;DR: VirusTotal allows you to search for similar files according to different orthogonal notions (structure, visual layout, icons, execution behaviour, etc.). File similarity can be combined with the “have:” search modifier in order to gain more cont… Continue reading Using similarity to expand context and map out threat campaigns
I published the following diary on isc.sans.edu: “Simple Blacklisting with MISP & pfSense“: Here is an example of a simple but effective blacklist system that I’m using on my pfSense firewalls. pfSense is a very modular firewall that can be expanded with many packages. About blacklists, there is a well-known
The post [SANS ISC] Simple Blacklisting with MISP & pfSense appeared first on /dev/random.
Continue reading [SANS ISC] Simple Blacklisting with MISP & pfSense
TAXII feeds are a great addition to a monitoring solution such as a SIEM. However, to my knowledge, there are only three distinct openly available providers:
Hail A TAXII
OTX
Limo
What other threat feeds based on TAXII/STIX are availab… Continue reading Essential / popular TAXII feeds [closed]
I published the following diary on isc.sans.edu: “Collecting IOCs from IMAP Folder“: I’ve plenty of subscriptions to “cyber security” mailing lists that generate a lot of traffic. Even if we try to get rid of emails, that’s a fact: email remains a key communication channel. Some mailing lists posts contain
[The post [SANS ISC] Collecting IOCs from IMAP Folder has been first published on /dev/random]
Continue reading [SANS ISC] Collecting IOCs from IMAP Folder