122 Followers
36 Following
21 Posts

Detection Engineer/Malware Researcher @ Emerging Threats.

Opinions are my own and not the views of my employer.

Twitter: https://twitter.com/ozuriexv
Github: https://github.com/ozuriexv

Decided it was time to upload a few YARA rules to my GitHub. Most of them are pretty old, unfortunately, but there's some stuff in there that might be useful. I'll add more if/when I can.

Here's some I had luck with:

Hunting for GitHub/Telegram integration in a PowerShell script (in conjunction with -Uri):

https://github.com/ozuriexv/Detection-Rules/blob/main/YARA/misc/service_usage_powershell.yar

Common file magic other than PE that contains an XORed DOS stub:

https://github.com/ozuriexv/Detection-Rules/blob/main/YARA/obfuscation/misc_obfuscation.yar#L1-L14

Generic/common Windows paths targeted by stealers:

https://github.com/ozuriexv/Detection-Rules/blob/main/YARA/hunting/hunt_stealers.yar

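As an added illustration of the three ideas above (written by the editor, not the rules in the linked repository), here are three rules of the same shape. The hostnames, the set of non-PE magics and the stealer paths are the editor's assumptions, and the rules assume YARA 4.x for the `xor(0x01-0xff)` key range on the DOS-stub string:

```yara
// Added example, not from the linked repository. Hosts, magics and paths are assumptions.

rule PS1_GitHub_Telegram_Uri
{
    meta:
        description = "PowerShell script that points -Uri at GitHub or the Telegram Bot API"
    strings:
        // PowerShell scripts are often UTF-16, hence "wide" on every string
        $cmd1 = "Invoke-WebRequest" ascii wide nocase
        $cmd2 = "Invoke-RestMethod" ascii wide nocase
        $cmd3 = "iwr " ascii wide nocase
        $cmd4 = "irm " ascii wide nocase
        $uri  = "-Uri" ascii wide nocase
        $svc1 = "api.telegram.org/bot" ascii wide nocase
        $svc2 = "raw.githubusercontent.com" ascii wide nocase
        $svc3 = "api.github.com" ascii wide nocase
        $svc4 = "gist.github.com" ascii wide nocase
    condition:
        filesize < 2MB and 1 of ($cmd*) and $uri and 1 of ($svc*)
}

rule NonPE_Magic_With_XORed_DOS_Stub
{
    meta:
        description = "File with a common non-PE magic that carries a single-byte-XORed DOS stub"
    strings:
        // key 0x00 is excluded on purpose: a plaintext stub is not what we hunt here
        $stub = "This program cannot be run in DOS mode" xor(0x01-0xff)
    condition:
        uint16(0) != 0x5a4d and              // not "MZ" at offset 0
        (
            uint32(0) == 0x474e5089 or       // PNG   89 50 4E 47
            uint16(0) == 0x4b50     or       // ZIP / OOXML "PK"
            uint32(0) == 0x46445025 or       // PDF   "%PDF"
            uint32(0) == 0xe011cfd0 or       // OLE2  D0 CF 11 E0
            uint32(0) == 0x74725c7b          // RTF   "{\rt"
        )
        and $stub
}

rule Hunt_Stealer_Target_Paths
{
    meta:
        description = "PE referencing several paths that credential/wallet stealers commonly read"
    strings:
        $p1  = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii wide nocase
        $p2  = "\\Google\\Chrome\\User Data\\Local State" ascii wide nocase
        $p3  = "\\Mozilla\\Firefox\\Profiles" ascii wide nocase
        $p4  = "\\BraveSoftware\\Brave-Browser\\User Data" ascii wide nocase
        $p5  = "\\Telegram Desktop\\tdata" ascii wide nocase
        $p6  = "\\discord\\Local Storage\\leveldb" ascii wide nocase
        $p7  = "\\Electrum\\wallets" ascii wide nocase
        $p8  = "\\FileZilla\\recentservers.xml" ascii wide nocase
        $p9  = "logins.json" ascii wide nocase
        $p10 = "wallet.dat" ascii wide nocase
    condition:
        // require several paths: any one of them on its own also appears in legitimate software
        uint16(0) == 0x5a4d and filesize < 10MB and 3 of ($p*)
}
```

Run them with `yara -r rules.yar <directory>`. Two caveats: the XOR-stub rule only catches a single-byte key (a multi-byte or rolling key needs a different approach), and the stealer rule is a hunting rule, so expect hits on password managers and backup tools and tune the `3 of` threshold against your own corpus before alerting on it.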
@da_667 create your own server and load it up with your own emojis
@hexadecim8 tax loopholes are absolutely everywhere and are even abused by people barely considered millionaires. Drastically increasing their tax would just result in them moving elsewhere.
@hexadecim8 I agree but how is such a problem solved? Is there even a solution?

@Iaintshootinmis I'm currently positioned to focus on both proactive and reactive detections but, as most will know, proactive is extremely difficult relative to reactive.

Unfortunately, many organizations do not have the resources to engineer the environments you're describing. I know for a fact that some of these same organizations consider open source offensive tooling to be a plague; what would be the solution for these teams that are lacking the required resources? I realize we're quickly heading down a path of "just increase your security budget" here, which is unfortunate.

@staticnoisexyz I agree, how do we establish that balance? IOCs coupled with the release of open source offensive tooling is a tough one. Blue's priority is to develop detection for said C2 frameworks; Red's priority is to bypass detections or, rather, remain undetected.

@Iaintshootinmis I feel that most of what I say here (https://infosec.exchange/@ozurie/109355833508031830) applies to what you've just said. I do see value in open source offensive tooling, but why is there seemingly no line drawn? When I've thought about this in the past, I've thought to myself "why not at least include signatures when publishing the framework" but maybe that's contradictory to what the red team wants to achieve. That confuses me further because I often see statements implying that red and blue must work together; this is the opposite, no?

I'm unsure about Cobalt Strike in this scenario due to it being a paid-for product, but of course there are plenty of cracked/leaked versions floating around.


@GoblinLucy again, do the cons not outweigh the pros in this scenario? I definitely understand and appreciate additional material but when it's at the cost of assisting malicious actors, surely we draw a line? Adversaries will indeed build their own frameworks regardless but why assist them and hand them something on a silver platter that not only speeds up the rate of their operations, but can also cloud attribution efforts too?

It's the same concept as strategic detection building. Ideally you'd want to base detections on elements that are costly to the adversary. For example, if your YARA rule consists of a few strings, sure, you may catch samples, but those strings are easily changed. If you instead base your signatures on opcodes for some custom encryption routine, that will be significantly more damaging and, as a result, will (usually) slow operations.

Handing adversaries free C2 frameworks contradicts the end goal of slowing down their operations.
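The strings-versus-opcodes point above, as an added illustration by the editor (not the author's rule and not drawn from any real sample): the same hypothetical loader detected two ways. The mutex and user-agent strings, and the x86 decrypt loop, are constructed for the example.

```yara
// Added example. The strings and the loop bytes are constructed, not from a real family.

rule Weak_StringBased
{
    meta:
        description = "Catches today's build; broken by renaming the mutex or editing the user-agent"
    strings:
        $mutex = "Global\\d3adb33f_run_once" ascii                 // hypothetical operator-chosen value
        $ua    = "Mozilla/4.0 (compatible; MSIE 6.0; upd)" ascii   // hypothetical operator-chosen value
    condition:
        uint16(0) == 0x5a4d and all of them
}

rule Stronger_OpcodeBased
{
    meta:
        description = "Matches the byte-at-a-time XOR decrypt loop whatever the key or the strings are"
    strings:
        // Constructed 32-bit x86 loop; the key byte is wildcarded so re-keying does not evade it:
        //   8A 04 0E   mov  al, [esi+ecx]   ; read ciphertext byte
        //   34 ??      xor  al, imm8        ; single-byte key
        //   88 04 0F   mov  [edi+ecx], al   ; write plaintext byte
        //   41         inc  ecx
        //   3B CA      cmp  ecx, edx        ; edx = length
        //   72 F3      jb   loop            ; -13 bytes, back to the first mov
        $xor_loop = { 8A 04 0E 34 ?? 88 04 0F 41 3B CA 72 F3 }
    condition:
        uint16(0) == 0x5a4d and $xor_loop
}
```

The second rule still has a cost for the defender: register allocation and compiler flags change the SIB bytes (`0E`, `0F`) and a 64-bit build changes the encoding entirely, so in practice you wildcard the bytes that vary (`8A 04 ?? 34 ?? 88 04 ?? 41 3B CA 72 F3`) and keep the ones that define the routine. Evading it means rewriting or recompiling the decrypt routine rather than editing a string, which is exactly the asymmetry the post is after.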

While my following/reach is relatively small on here compared to Twitter, I want to start this discussion regardless.

Red Team vs.(?) Blue Team

Frequent releases of offensive tooling, specifically C2 frameworks, are awfully detrimental to blue teams. As someone that works on network detections, observing newly published frameworks regularly is disheartening and frustrating. It's no secret that open source offensive tooling is adopted by APTs and cybercrime groups, and that leaves me with one question: why do it?

From my perspective, I can see some value in open sourcing such tooling for the purpose of assisting other red teams with engagements but surely the fact that malicious actors adopt the same tooling heavily outweighs the pros here?

For the red teamers following me (if any), what is your opinion on this issue? Why does it feel like 'vs.' is legitimate here, but for the wrong reasons? These practices are also (in my opinion) contradictory to what purple teams stand for and shouldn't be considered purple teaming by any stretch of the imagination.

I'd like to keep snarky/passive-aggressive remarks (I've been guilty in the past) non-existent here, please. If you want to call me an idiot, my DMs are open.

@munin would you consider 'folks' acceptable? I kinda defaulted to 'folks' a while back.