@id1010terror Check out packettotal for samples once you can ID the c2 data, I’m on holidays right now but when I’m back I’ll send you a capture.
Posts made by ziran
RE: Scripting attacks besides PowerShell?
@neonprimetime Yeah I agree, I have also seen some accreditation recommendations for implementation of systems that denote that certain files (.js, .hta etc.) are by default opened with benign programs like notepad, usually pushed via domain GPOs.
RE: VM Hardening for analysis
@joscandreu I would probably ask the app.any.run team, they might give you some insight if you ask them (they have FUD as of now). Also in my experience, the steps you have completed have always been enough for me, without having to patch binaries to bypass checks.
RE: Is anyone a leader in Linux malware?
@network_packet You need to know what to look for when hunting and the references you supplied are well good enough to start. I would also recommend checking out and researching detecting said malware in logs, blowing up your own Linux malware samples then understanding what to look for. When it comes to nix based malware, prevention is 10x better than cure, well so is windows haha.
RE: Detection of Ransomware?
@moveax41h @xor_dhillon Most EDR tools I use and write rules for have components that identify the DLLs used, cross-process execution and other identifying marks. Most, if not all, ransomware variants use different calls, so looking for API calls would most likely only work on that variant.
Malicious pcap extraction with docker|bro|tshark|suricata
I thought I would share my dockerfile that contains:
- suricata; and
Link to Github: https://github.com/MrThreat/suricata_the_tshark_bro
This setup can give you quick file extraction and a platform for pcap analysis.
Example commands that can be used are:
(there are near unlimited examples, but…)
File extraction from pcaps:
- bro -C -r *.pcap /usr/share/bro/site/file-extraction/scripts/plugins/extract-all-files.bro
Identifying malicious actions within pcaps:
- suricata -c /etc/suricata/suricata.yaml -r *.pcap && cat /var/log/suricata/fast.log
Identifying DNS responses within pcaps:
- tshark -r *.pcap -T fields -e dns.qry.name -Y "dns.flags.response == 1" | sort -u
Also if you need help or anything, been doing this too long haha drop me a message or @grotezinfosec
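An added example, not part of the original post: a small Python parser for the Suricata fast.log that the second command above cats out, run over a few constructed alert lines, grouping hits by signature and destination and pulling out the priority-1 alerts so a pcap's findings can be triaged quickly. The signature ids, messages and addresses are constructed for the demo.

```python
import re
from collections import Counter

# One Suricata fast.log line: timestamp, [gid:sid:rev] message, optional
# classification, priority, protocol and the src:port -> dst:port pair.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Return a list of alert dicts; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line, do not abort the whole run
        alert = m.groupdict()
        alert["prio"] = int(alert["prio"])
        alerts.append(alert)
    return alerts


def summarize(alerts):
    """Group alerts by signature message and destination, keep priority-1 hits."""
    return {
        "total": len(alerts),
        "by_sig": Counter(a["msg"] for a in alerts),
        "by_dst": Counter(a["dst"] for a in alerts),
        "high_priority": [a for a in alerts if a["prio"] == 1],
    }


# Constructed sample lines in fast.log layout (RFC 5737 documentation addresses).
SAMPLE_FAST_LOG = """\
01/15/2019-10:23:45.123456  [**] [1:9000001:1] CONSTRUCTED Suspicious executable download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49213 -> 203.0.113.5:80
01/15/2019-10:23:46.000001  [**] [1:9000002:1] CONSTRUCTED DNS query to lookalike domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.0.2.10:53211 -> 198.51.100.1:53
01/15/2019-10:23:47.500000  [**] [1:9000001:1] CONSTRUCTED Suspicious executable download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.10:49214 -> 203.0.113.5:80
this line is not an alert and is skipped
"""

if __name__ == "__main__":
    summary = summarize(parse_fast_log(SAMPLE_FAST_LOG))
    print(summary["total"], "alerts")
    for msg, n in summary["by_sig"].most_common():
        print(f"{n:3d}  {msg}")
```

Point it at a real /var/log/suricata/fast.log by reading the file into `parse_fast_log` instead of the constructed sample.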