Mastodawn

RE: https://infosec.exchange/@BleepingComputer/115770545217304518

I know this shit isn't new, but @Dio9sys and @da_667 if I send you one of these fake PoCs sometime, let me know. Depending on the day, I wouldn't mind some fuckery.

Dio9sys 1h ago

Show thread

da_667 1h ago

@Mustardfacial @cR0w @Dio9sys Well, the good news is, you don't have to guess how I do what I do for a living, I wrote a lot this year about that subject.

IoC Pivoting and the Pyramid of Pain: https://community.emergingthreats.net/t/introduction-to-ioc-pivoting-and-the-pyramid-of-pain/2566

Flexible Rule Writing: Seeing Around the Bend: https://community.emergingthreats.net/t/flexible-rule-writing-seeing-around-the-bend/2568

But more particularly, towards exploit reproduction, this is the good stuff:

Come Sail the CVEs, Part 1: https://community.emergingthreats.net/t/flexible-rule-writing-seeing-around-the-bend/2568 (building a decent RSS feed)

Come Sail the CVEs, Part 2: https://community.emergingthreats.net/t/come-sail-the-cves-part-2-turning-data-into-rules/2751 (exploit modification and reproduction)

Introduction to IOC Pivoting, and the Pyramid of Pain

Couple of days ago, my boss introduced me to this great blog post by sekoia.io, about the PolarEdge botnet. I love tearing apart research to make (hopefully) good IDS sigs for finding future exploit attempts, and/or retrohunting for evidence of other exploit attempts. Sekoia delivered me a trove of information. I have HTTP requests for CVEs used to compromise boxes. HTTP structs used for installing backdoors, HTTP structs for interacting with the backdoors, interaction with the C2, Domains, IP ...

Emerging Threats

Dio9sys 1h ago

Drinking beers and making deers. This one I spent more time on the sculpting of the head, and tried to make the nose a little more dynamic. Ears are still rough, but I can work on that