shellcromancer 

247 Followers
649 Following
263 Posts
Threat Detection & Response @ Brex; previously @Cloudflare. Hobbyist reverse engineer of 🍎/🐧 things. Dogs are obviously better than people.
Twitter: https://twitter.com/shellcromancer
Site: https://shellcromancer.io
GitHub: https://github.com/shellcromancer
Blue Sky: https://bsky.app/profile/shellcromancer.io

I wrote some words on how detection teams can push portions of their threat intel matching into ETL pipelines as they ingest data.

https://shellcromancer.io/posts/threat-intel-in-your-etl/

This pushes towards the goal of keeping logic inside of SIEMs simple enough to understand in 60 seconds, maximally decorating events at ingest time, and optimizing for cost.

TI in your ETL :: Shellcromancer

Mature Security Operations (SecOps) programs have a good handle on ingesting the right security telemetry for their organization and make good use of it in threat detection and incident response processes. As these SecOps teams mature their use of telemetry, a common project is surfacing externally known threats that are present in their environment by matching on Indicators of Compromise (IOCs). Common types of IOCs are IP addresses, file hash values, domains, and URLs.
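The ingest-time decoration the post describes, as an added example that is not code from the post or from any project it names: each event field is matched against a constructed indicator set (exact IPs, CIDR ranges, domains, hashes, URLs) and the hits are attached to the event, so the downstream SIEM rule only has to test one field. The field names and the feed contents are assumptions.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed sample indicators standing in for a real TI feed (assumption).
IOC_FEED = {
    "ip": {"203.0.113.7"},
    "cidr": [ipaddress.ip_network("198.51.100.0/24")],
    "domain": {"evil.example"},
    "hash": {"d41d8cd98f00b204e9800998ecf8427e"},
    "url": {"http://evil.example/payload.bin"},
}
# Hypothetical event field names mapped to the indicator kind they carry.
FIELD_KINDS = {"src_ip": "ip", "dst_ip": "ip", "md5": "hash", "sha256": "hash",
               "query": "domain", "url": "url"}

def normalize(kind, value):
    """Canonicalise so feed values and telemetry values compare equal."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "hash":
        return value.lower()
    return value

def match_iocs(kind, value):
    """Return the indicator types that hit for one field value."""
    hits = []
    v = normalize(kind, value)
    if kind == "ip":
        if v in IOC_FEED["ip"]:
            hits.append("ip")
        try:  # CIDR indicators need a range check, not a set lookup
            addr = ipaddress.ip_address(v)
            if any(addr in net for net in IOC_FEED["cidr"]):
                hits.append("cidr")
        except ValueError:
            pass  # malformed address in telemetry: no match, no crash
    elif kind == "url":
        if v in IOC_FEED["url"]:
            hits.append("url")
        host = normalize("domain", urlparse(v).hostname or "")
        if host in IOC_FEED["domain"]:
            hits.append("domain")  # the URL's host is itself an indicator
    elif v in IOC_FEED.get(kind, ()):
        hits.append(kind)
    return hits

def decorate(event):
    """Attach ti_matches at ingest; the SIEM rule becomes 'ti_matches not empty'."""
    matches = [{"field": f, "type": h} for f, k in FIELD_KINDS.items()
               if f in event for h in match_iocs(k, event[f])]
    return {**event, "ti_matches": matches}
```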

The Open Cybersecurity Schema Framework project released version 1.2.0 of the schema this morning! 🎉🚒 You should check out the full changelog to see how you could apply it, but if you're lazy take this summary:

πŸ•΅οΈβ€β™‚οΈ 16 new buckets of "Query" classes which seem useful in representing the the state of the system in a normalized way across your endpoints from osquery.io, or your cloud environment from CSPM tools.
πŸ” Detailed "Authentication Factor" objects to categorize how the methods used, this is key for understanding how phishable an authentication event is!
πŸ›œ Network endpoints now have fields for the owning Autonomous Systems (I added this part πŸ₯³).
πŸ’» Endpoint objects now have fields to specify their owner and what agents are run on them! Key parts of the device trust story of 0-trust that we all love to buzzword around.
πŸ‘€ More atomic indicators types added to the set of observables in the schema.
... and many more!

This was my first release contributing to the project, and I have a few changes queued for the 1.3.0 release coming next! If y'all find shortcomings in the schema's representation, you should jump in the community Slack or GitHub issues to make it better instead of just complaining. 🔥

https://github.com/ocsf/ocsf-schema/releases/tag/v1.2.0

Release v1.2.0 · ocsf/ocsf-schema

[v1.2.0] - April 23rd, 2024 Added Categories n/a Event Classes Added Data Security Finding event class. #953 Added File Query event class. #967 Added Folder Query event class. #967 Added Group...

GitHub
You don't see evasion techniques for Linux very often! vvx7.io/posts/2024/04/falco-evasion-techniques/
Falco - Evasion Techniques

Let's break Falco rules :3

VVX7

Here is my draft initial essay on Secure By Design/Secure By Default #CISA #essays . Feel free to comment on it. @thedarktangent @boblord

https://docs.google.com/document/d/1s__73KUZgZQnbV-24PdduJKcy8pxbbN5e5oaGpzSPe8/edit?usp=sharing

0xC15A: Some thoughts on Secure By Design and Secure By Default

Google Docs

Seems like people enjoyed reading Microsoft's 8-K filing (https://www.sec.gov/ix?doc=/Archives/edgar/data/789019/000119312524011295/d708866d8k.htm) on their Material Cybersecurity Incident and related blog post on Friday. If you want to stay in the loop, schedule this JavaScript in Cloudflare Workers, then send yourself webhooks/emails to know before your friends 🫑

https://gist.github.com/shellcromancer/2f0a5b400aaadf097f32226f9a6c0bc8

Inline XBRL Viewer

Seems like someone pushed a bunch of iBoot symbols to Hexrays's Lumina server

#100DaysofYARA -- I threw my first rust code into the internet tonight!

https://github.com/VirusTotal/yara-x/pull/72 🎉

You could use this to add a CI check for rule formatting if you're a stylistic linting fan:

# -print0/-0 keep paths with spaces intact; xargs exits non-zero if any file still needs reformatting
find . -type f -name '*.yar*' -print0 | xargs -0 -n1 yr fmt --test

feat: adds --test flag in yr fmt by shellcromancer · Pull Request #72 · VirusTotal/yara-x

Adds -t/--test flag in yr fmt which returns an error code if formatting made changes on the file. This feature exists in a few other language formatting tools (jsonnet, terraform, gofmt) which is u...

GitHub

📢 As part of the #100daysofYara challenge I've been working on a new app called Yara Toolkit! 🚀

Yara Toolkit is an online platform dedicated to all things Yara. I created this app for anyone who wants to learn more about Yara and practice with it. 🛠️

The current version of the app combines four different tools:

✅ A simple Yara editor that allows you to edit your rule and check if it is valid.

πŸ“ A Yara rule generator, generating a basic template based on the input you provide.

πŸ” A Yara scanner that enables you to paste your rules and run it against a file you upload, to check if it matches or to simply scan a file against rules.

🧬 A strings mutator, based on the script Cerebro from Steve Miller, where you can enter a string and mutate it to hunt for potential variations.

I will continue the development during the challenge, so feel free to follow the journey on my blog. 🐦

For more details, check out the video, the blog and the app below 👇

➡ Blog: https://blog.securitybreak.io/introducing-yara-toolkit-43dcab9caba1
➡ App: https://yaratoolkit.securitybreak.io/

#100daysOfYara #infosec #malware #yara #cybersecurity

Introducing Yara Toolkit - SecurityBreak

I began this year by participating in the #100DaysofYara challenge. Yara is a powerful open-source tool that enables the creation of rules to identify files based on their characteristics. It can be…

SecurityBreak

Excited to watch others' journeys and rules for #100DaysofYARA this year! Last year was a lot of learning fun, but this year I'm targeting a different learning goal (中文)! To kick off the repo for others this year I added a SwearEngine variant in Chinese

https://github.com/shellcromancer/Days-of-YARA-2024/commit/19a29b2c9759b30b93d19dfe3b886bcb8071dba1

feat: add swear_engine_f_cn · shellcromancer/Days-of-YARA-2024@19a29b2

Rules shared by the community from 100 Days of YARA 2024 - feat: add swear_engine_f_cn · shellcromancer/Days-of-YARA-2024@19a29b2

GitHub

Talk about helping to build a better Internet -> https://har-sanitizer.pages.dev

Thanks @cloudflare

HAR Sanitizer tool by Cloudflare

At Cloudflare, we're committed to building a better Internet. We want to make it possible to troubleshoot with HAR files without the threat of a stolen session. The HAR File Sanitizer will remove sensitive data using “clientside” logic.