Martin SK. 🔒

108 Followers
79 Following
13 Posts
Security engineer, developer of Regipy 
#dfir #infosec #malware
Blog: https://medium.com/dfir-dudes
GitHub: https://github.com/mkorman90

There are some whataboutism vibes to Microsoft writing about Mac ransomware, but this is a really good post on various techniques used by ransomware (and malware in general) on macOS https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-techniques-of-mac-ransomware/

(Edit: this blog post was a little bit too much based on the great work of Patrick Wardle so Microsoft, rightly, took it down.)

Unraveling the techniques of Mac ransomware - Microsoft Security Blog

Understanding how Mac ransomware works is critical in protecting today’s hybrid environments. We analyzed several known Mac ransomware families and highlighted these families’ techniques, which defenders can study further to prevent attacks.

Released regipy 3.1.2! https://github.com/mkorman90/regipy/releases/tag/3.1.2 Regipy is an OS-independent Python library for offline parsing of Windows registry hives. #dfir #infosec #forensics
Release 3.1.2 · mkorman90/regipy

What's Changed Typed Paths Artifact by @andreisss in #241 Update README.rst by @IlluminatiFish in #243 Release 3.1.2 by @mkorman90 in #244 New Contributors @andreisss made their first contributi...

Good night tonight. I got a chunk of time to work up a PR to add process memory dumping to UAC.

UAC is my current favorite tool for live collection on Linux and Unix systems. If you do Linux/Unix DFIR you should check it out.

https://github.com/tclahr/uac

#Linux #Unix #DFIR #memory

GitHub - tclahr/uac: UAC is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.

@j_opdenakker Much like pentests and honeypots, phishing simulation is attractive because it produces results that feel easily measurable ... but is a distraction from other measures that should be applied first, and deferred until there is more maturity.

Any resource-constrained org that's doing phishing simulation, but has not yet implemented FIDO security keys (including passkeys), should immediately start working on security keys first. They can focus future phishing simulation effort on whatever use cases remain after security keys make most of their phishing problems evaporate.

Why is Rosetta 2 fast?

Rosetta 2 is remarkably fast when compared to other x86-on-ARM emulators. I’ve spent a little time looking at how it works, out of idle curiosity, and found it to be quite unusual, so I figur…

dougallj

Google did a very good job on writing detection #yara rules for #cobaltstrike #sliver

official repo: https://github.com/chronicle/GCTI

I merged those rules into two master rule files and am sharing them here:

_cobaltstrike_google.yar
_sliver_google.yar

https://drive.proton.me/urls/ZNET79XFTW#Zo8xit75CQyF

GitHub - chronicle/GCTI

#tips of the day #reverse: #x64dbg supports Python extensions. You simply need to install: https://github.com/x64dbg/x64dbgpy. Take the precompiled binaries and copy the files into the x64dbg plugin repository.

Here is an example of script to switch from HTTPS (port 443) to HTTP (port 80) when InternetConnectW() is called. The logic is simple:
- I create a breakpoint on this API,
- I set a callback function
- this function will be called when the API is called
- if the 3rd argument of InternetConnectW() (stored in R8 on x64) is 443, I change it to 80
- finally, the debugged file continues its execution.

Here is a screenshot:

GitHub - x64dbg/x64dbgpy: Automating x64dbg using Python, Snapshots:

Some newly registered domains seemingly ready for MFA abuse, all with legitimate-looking company logos on the login screen.

coinbase-sso[.]com
alorica-sso[.]com
assurant-sso[.]com
blockfi-sso[.]com
cricket-sso[.]com (showing AT&T login screen)
gsuite-sso[.]info
mdm-sso[.]com

#threatintel

nobody:

absolutely nobody:

yubikey: cccjgjgkhcbbcvchfkfhiiuunbtnvgihdfiktncvlhck