| https://twitter.com/nunohaien | |
| GitHub | https://github.com/tillmannw |
As malware authors increasingly adopt .NET for its ease of development and stability, they rely on sophisticated obfuscation techniques to thwart analysis. Traditional static deobfuscation approaches often fail against modern protections that incorporate runtime integrity checks. This presentation introduces a framework that leverages .NET profilers to perform dynamic binary instrumentation at the MSIL level. We demonstrate how this approach can bypass dynamic checks in obfuscation schemes, extract encrypted strings, and trace execution flows—all without modifying the original binary. Through real-world case studies and live demonstrations, we show how this technique provides reverse engineers with a powerful new tool to analyze obfuscated .NET malware.
45 years ago today
The Cost of Living is an EP by the English punk rock band the Clash, released on this day in 1979 in a gatefold sleeve
#punk #punks #punkrock #theclash #thecostofliving #history #punkrockhistory #otd
We at CrowdStrike are looking for a colleague that helps me study threats to the cloud! We are a remote first company, have a great data set, and I need some help to handle this influx of cloud cases. You would work as my direct counterpart in the Global Threat Analysis Cell which is focused on finding trends and clusters activities to adversaries with the intent of producing threat intelligence. The next SPIDER/…/PANDA/BEAR could carry a name that you chose:
If you have any questions, feel free to reach out to me via direct message.
I know the job description states USA-Remote but I’m sure we are more flexible on the location as I am based in Europe.
#cloudsecurity #cloud #threatintel #hiring #aws #azure #gcp #FediHire #fedihired #remotework #remote
#WeAreCrowdStrike and our mission is to stop breaches. As a global leader in cybersecurity, our team changed the game. Since our inception, our market leading cloud-native platform has offered unparalleled protection against the most sophisticated cyberattacks. We’re looking for people with limitless passion, a relentless focus on innovation and a fanatical commitment to the customer to join us in shaping the future of cybersecurity. Consistently recognized as a top workplace, CrowdStrike is committed to cultivating an inclusive, remote-first culture that offers people the autonomy and flexibility to balance the needs of work and life while taking their career to the next level. Interested in working for a company that sets the standard and leads with integrity? Join us on a mission that matters - one team, one fight. About the Role: CrowdStrike Intelligence, a core component of CrowdStrike, is seeking a motivated Intelligence Analyst with excellent analysis skills for the Global Threat Analysis Cell (GTAC) to identify, research and track trends associated with the cloud threat landscape. This role will be focused on tracking and documenting cloud-related techniques that are observed in the wild and their use by both targeted intrusion and eCrime adversaries in close collaboration with other subject matter experts on the Intelligence team. This position serves an important role in increasing our understanding of trends in the global cloud threat landscape, contributing to the continuous tracking of criminal and state-sponsored adversary groups, and ultimately developing finished intelligence products. The ideal candidate for this position is a specialist in AWS/Azure/GCP log analysis with the ability to track the adversary landscape based on intrusion behavior. We are also open to applications by experienced and talented Analysts without significant knowledge in this field that are willing to rapidly expand their skills to meet the following requirements: What You'll Do: Identify threats, trends, and new developments in the cloud threat landscape by analyzing raw intelligence and data. This may involve querying ElasticSearch or analyzing raw cloud logs like CloudTrail Identify and monitor the Tactics, Techniques, and Procedures (TTPs) employed by cyber threat actors that compromise cloud environments Apply understood analytic tradecraft to gathered intelligence in a consistent manner Provide and assist with finished intelligence analysis to internal and external customers through written reporting of varied depth on short deadlines, with minimal supervision Collaborate across teams to inform various functions within CrowdStrike Intelligence about activity of interest and to coordinate adversary/campaign tracking Identify intelligence gaps and submit requests for information to fill gaps Conduct briefings as needed for a variety of levels of customers as requested (via either phone, video conference, webcast, in-person briefing, or industry conference) What You'll Need: Minimum of 2-3 years’ experience in a threat intelligence environment Motivated self-starter with experience in the cyber threat intelligence field, preferably with experience in researching and reporting on cloud incidents in AWS, Azure, and GCP as well as adversary behavior Experience analyzing API logs (e.g. CloudTrail) from at least one of the three major cloud service providers: AWS, Azure, or GCP Basic understanding of identity and access management (IAM) concepts in the cloud Ability to identify and track adversary tradecraft trends Ability to produce quality finished intelligence products on short deadlines, as well as continuing to maintain analysis for and report on long term strategic assessments Basic knowledge of how malware is developed, functions, and is employed Desire to extend knowledge on intelligence tradecraft and technical terminology relevant to cloud intelligence, as well as provide assistance to other members of the intelligence team Undergraduate degree, military training or relevant experience in cyber intelligence, computer science, general intelligence studies, security studies, political science, international relations, etc. Other technical security certifications or academic background are a plus. #LI-AO1 Benefits of Working at CrowdStrike: Remote-first culture Market leader in compensation and equity awards Competitive vacation and flexible working arrangements Comprehensive and inclusive health benefits Physical and mental wellness programs Paid parental leave, including adoption A variety of professional development and mentorship opportunities Offices with stocked kitchens when you need to fuel innovation and collaboration We are committed to fostering a culture of belonging where everyone feels seen, heard, valued for who they are and empowered to succeed. Our approach to cultivating a diverse, equitable, and inclusive culture is rooted in listening, learning and collective action. By embracing the diversity of our people, we achieve our best work and fuel innovation - generating the best possible outcomes for our customers and the communities they serve. CrowdStrike is committed to maintaining an environment of Equal Opportunity and Affirmative Action. If you need reasonable accommodation to access the information provided on this website, please contact Recruiting@crowdstrike.com, for further assistance. CrowdStrike, Inc. is committed to fair and equitable compensation practices. The salary range for this position in the U.S. is $80,000 - $115,000 per year + bonus + equity + benefits. A candidate’s salary is determined by various factors including, but not limited to, relevant work experience, skills, certifications and location. CrowdStrike participates in the E-Verify program. Notice of E-Verify Participation Right to Work CrowdStrike was founded in 2011 to fix a fundamental problem: The sophisticated attacks that were forcing the world’s leading businesses into the headlines could not be solved with existing malware-based defenses. Founder George Kurtz realized that a brand new approach was needed — one that combines the most advanced endpoint protection with expert intelligence to pinpoint the adversaries perpetrating the attacks, not just the malware. There’s much more to the story of how Falcon has redefined endpoint protection but there’s only one thing to remember about CrowdStrike: We stop breaches.
#100DaysofYARA version 4.3 includes parsing for delayed imports for PE's! What are delayed imports? They encompass a separate data directory in the file format but the PE author may not choose to delay the import; sensei French told me its just the linker deciding 🤯
So whats that mean? Deriving imports just from the import directory and not the delayed import directory leaves some surface area left for us to check! Lets look for delayed imports involving Registry or Crypt functions
Some interesting families using these!
https://github.com/100DaysofYARA/2023/blob/main/glesnewich/INFO_DelayedImport_ADVAPI32.yar
Next in the malware analysis tools which give you quick wins thread: Binary Refinery (https://github.com/binref/refinery), by the esteemed Mr. @rattle ! This is my #1 most used tool for doing initial triage of malware samples with!
Binary Refinery is a cross-platform collection of command-line tools for processing binary data. The tools can be chained together via pipes to form processing pipelines to extract, decode, transform, and display data. Here is a simple example, where we Base64-decode then Gzip-decompress some data:
larsborn
Punkrock History
Inky Tartars
Sebastian Walla
Greg Lesnewich
Cindʎ Xiao 🍉$ emit "H4sIAAAAAAACA/NIzcnJVwjPL8pJAQBWsRdKCwAAAA==" | b64 | zl
Hello World
You can think of it as like CyberChef for the command line; however, there are many features that make it extremely useful for malware triage specifically, and which put it (in my opinion) above CyberChef:
There are many units which automagically carve out interesting embedded files in the input for you, similar to what binwalk can do. For example, the carve-pe unit extracts every block of bytes in the input that looks like a PE file; each individually carved PE file can then go through further processing in the pipeline, or be dumped to file.
Similarly, there are units which can automatically carve out text which looks like indicators, or text which looks like encoded data. For example, you can extract all URLs from the input data with xtp url; you can extract everything that looks like it could be Base64-encoded from the input data with carve b64.
It is possible to inspect the data in any part of the pipeline, by inserting the peek unit in a pipeline; by default, peek will give you a hexdump of the beginning of the data, and include some basic information about the size of the data, its entropy, and attempt to determine the filetype of the data.
It provides very good utilities for working with PE files specifically. Ever encounter one of those 300MB PE files filled with null bytes in the PE overlay which artificially inflate the size? You can strip it with the pestrip unit, or take a look at it with the peoverlay unit. You can also view PE file metadata (including signatures) with pemeta, extract each individual section or segment with vsect, or extract PE resources with perc.
As an example, let's take the sample e9e3154e1f71df58e61ade53bb23726927b5c23e8027a452e98b1dbcfafb1ade (available on Malware Bazaar if you want to download and follow along). It's a ZIP file which contains a ~300MB ISO file. With the following 2 pipelines (shown in the attached screenshot), we can extract the contents of the ISO, strip the extra PE overlay bytes from the PE file, peek at both the original and stripped file, dump the stripped file to disk, and look at the PE metadata of the stripped file:
ef 43_85_7369_PDF.ISO | xtiso.br [| peek.br -l5 | pestrip | peek -l5 | dump stripped/{path} ]
ef stripped/43_85_73.EXE | pemeta -t
If you want to go further, it is possible to build powerful malware processing pipelines with Binary Refinery. For good examples, see the tutorials folder on the Binary Refinery repository, which includes a mind-blowing #FlareOn9 writeup: https://github.com/binref/refinery/tree/master/tutorials
