Steven YARA Synapse Miller

Threat Intel #Microsoft #MSTIC

Writing & sharing on adversary tradecraft, DFIR, malware, threat detection, obsessed w/ #YARA rules #dailyyara #dailypcap #Detectrum™ etc

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-24

@hashford Oh snap, that's a great idea, I would love to see YARA built into more kits that allows us to easily leverage rulesets like that...really neat idea. I wonder if it could be done with like some type of integration with a remote forensicating tool too...very interesting idea...have to noodle on it.

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-23

One of my #100daysofYARA goals for 2023 is to create a derivative of an existing PowerShell (or Python) + YARA scanning script and modify/expand it to do a bunch of stuff including:

- Download and coalesce a bunch of YARA rules from a selection of github repos
- Split the rules into subsets, one for memory (by stripping magic + modules, or removing ones that won't work) and one for files
- Iterate and scan process memory using the memory ruleset
- Scan all files, while also passing in the file path and file name as external parameters
- Scan the matching files/processes with a third, decorative ruleset that is not meant to find evil but to contextualize initial results with important features
- Then, for the final results, Format-Table a pretty-ish output with a timeline, matching rules, and file attributes that I can pre-select based on filemime
- Package all this up in a Py2exe or Ps1toExe type of thing

Basically I just want my own little scanner that works the way I want it to work and gives me the results the way I want to see them.
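The rule-splitting step in the list above (memory subset vs. file subset), as an added example that is not the author's script: it walks a constructed sample ruleset, sends any rule that imports a file-format module or checks a magic value at offset 0 to the file ruleset, keeps the rest for memory scanning, and drops the file-only module imports from the memory ruleset. The module list and the magic-check heuristic are assumptions, not a YARA rule.

```python
import re
# Constructed sample ruleset (not from the post): two file-only rules and one memory-safe one.
SAMPLE_RULES = '''import "pe"

rule file_only_pe_module {
    strings: $a = "evil.dll"
    condition: pe.is_dll() and $a
}

rule file_only_magic_check {
    strings: $s = "cmd.exe /c"
    condition: uint16(0) == 0x5A4D and $s
}

rule memory_safe_string {
    strings: $beacon = "POST /submit.php" ascii wide
    condition: $beacon
}
'''

IMPORT_RE = re.compile(r'^import\s+"(\w+)"\s*$', re.MULTILINE)
# A rule runs from its "rule <name>" line to the first "}" at column 0.
RULE_RE = re.compile(r'^(?:private\s+|global\s+)*rule\s+(\w+)\b.*?^\}', re.MULTILINE | re.DOTALL)
# Heuristic (assumed): these modules and an offset-0 magic check need a whole file on disk,
# so such rules go to the file ruleset and are left out of the memory ruleset.
FILE_ONLY_MODULES = {"pe", "elf", "macho", "dotnet"}
MAGIC_RE = re.compile(r'\buint(?:8|16|32)(?:be)?\(\s*0\s*\)')

def split_rules(text):
    """Return (file_ruleset, memory_ruleset) as two YARA source strings."""
    imports = IMPORT_RE.findall(text)
    file_rules, mem_rules = [], []
    for m in RULE_RE.finditer(text):
        src = m.group(0)
        file_only = MAGIC_RE.search(src) or any(
            re.search(rf'\b{mod}\.', src) for mod in FILE_ONLY_MODULES)
        (file_rules if file_only else mem_rules).append(src)
    file_hdr = "".join(f'import "{i}"\n' for i in imports)
    mem_hdr = "".join(f'import "{i}"\n' for i in imports if i not in FILE_ONLY_MODULES)
    return file_hdr + "\n".join(file_rules), mem_hdr + "\n".join(mem_rules)

def rule_names(ruleset):
    """Names of the rules in a ruleset string, in order."""
    return [m.group(1) for m in RULE_RE.finditer(ruleset)]

if __name__ == "__main__":
    files, mem = split_rules(SAMPLE_RULES)
    print("file ruleset:", rule_names(files))
    print("memory ruleset:", rule_names(mem))
```

The two returned strings can be compiled separately; the memory ruleset no longer references a module that would error when the scanned input is a process region rather than a file.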

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-21

@spike wish we could do FOIA for these types of things! :D

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-21

@Imlordofthering Unfortunately, yes. Largely because tightass corps are too cowardly (averse to risk, litigation etc.) to actually reveal the meaningful details that we might learn from.

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-11

@0xamit This is great, I find stoic reading very centering and calming, a great steady force in my life

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-10

@glesnewich I want it all. For example, how did Mandiant get to their Solarwinds server, that fateful day? Actually, when was that day? How did it all begin? What was the initial lead? What kicked off the investigation? Where were the dead ends? What alerts and data happened along the way? When did they first observe the C2 domain, and what detection logic did it hit on? And so many more facets of this incident have never been talked about publicly (by many people, Gov, Microsoft, other victims) and I think there could be a lot of lessons learned for folks if we could share and examine a fuller story. When is @ridt going to write a book on it? :D

Steven YARA Synapse Miller boosted:
2022-12-10

@stvemillertime what would you want to see get shared? Like a pcap of a hands on keyboard session might be a tough ask but short of that what would be feasible? Like something closer to an incident report ala DFIR Report?

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-10

There are *so* many incredible detection, analysis, intel stories that come out of years of incident response and investigations at places like Mandiant, Microsoft, Google, .gov - and it is a damn shame that we cannot publicly share more of them, if only to help the next generation of cyber analysts learn.

Don't get me wrong - we're in a much better place now than in 2012, back when there weren't 1000 infosec conferences; back before the stories were in the newspapers and before my grandma heard about hacking; back before APT was talked about publicly and before intrusions and breaches were in the public consciousness; back when you were an IT person looking at logs, trying to figure out if your company had "a problem"; back when you hoped and prayed some forensicator blogged about a thing and you were lucky to find a sample of malware or a pcap to look at, let alone any details of how it was found or why or who it related to, just so you could learn a little bit more.

Nowadays we have vendors publishing reports on the regular and vast amounts of data and indicator sharing, which is all great. One thing though - and I know this from experience - that which we see and share publicly is the tip of an immense iceberg, and much of the real juice is lost to the eternities. I just wish that we could make more of the investigations and case studies more available (and more transparent, less obfuscated) to those getting into the industry.

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-04

'Tis the season, to hurt your back getting stuff in and out of the garage.

Steven YARA Synapse Miller boosted:

The Economist’s recent retrospective on the impacts (or lack thereof) of Russian computer network attack operations targeting Ukraine this year is required reading. With commentary from @gavinwilde @danny @Big_Bad_Wolf and @ciaranmartin

Barring as-yet-demonstrated data, it makes an impressive case supporting the perspective that Russian cyber during wartime has (A) revealed operational shortcomings on the behalf of the adversary actors involved and (B) contributed further weight to the school of thought that disruptive/destructive cyber is likely to remain an edge tool in actual open warfare — at least in the near-term. Artillery shells take out substations a lot more reliably than implants.

economist.com/science-and-tech

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-12-03

After a year plus wait, I'm expecting to get my new Erica Synths PĒRKONS next week!

So long cyber, hello techno.

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-11-27

My Sunday mornings are for #YARA rules and malware.

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-11-26

@ridt I find myself wondering if a subreddit would be better

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-11-23

@cicadamikoto ports, protocols, the sands of time, all pouring abstractly over the edge of a meaningless cliff into oblivion

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-11-23

As I continue to learn about malware and adversary tradecraft, I am finding myself unlearning academic teachings about how #infosec and computers are supposed to work. Ports are meaningless, file formats are flexible, everything is really just a guideline, because there are *no* rules.

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-11-22

@rattle Thank you for this comment! I had no idea that it might work this way so this is a really neat use case and I guess it illustrates that there may be a variety of hacks/workarounds for doing things this way. Really cool.

Steven YARA Synapse Miller boosted:
2022-11-20

MSTIC is hiring a reverse engineer! If you love reversing cutting edge malware and writing signatures, check this job out.

Hybrid preferred in Reston or Redmond but remote possible for right candidate.

t.co/cgl2XXI7jj

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-11-19

I learned ages ago that only DLLs are supposed to export functions, but of course I know better now that although that's a guideline, that was dead wrong.

I am curious to know from #malware authors and reverse engineers, what is the advantage, intent, or purpose behind building an EXE that exports functions?

I understand that: 1) both PE EXE and PE DLLs can have an export table and exported functions and 2) an EXE can actually load another EXE as a DLL.

I am unclear about what to expect as "typical" or *why* this may be done this way, especially for malware purposes. Why do some Windows OS EXEs do this?

Steven YARA Synapse Miller stvemillertime@infosec.exchange
2022-11-09

In the malware space, I require an attribution model that enables denoting attribution to many users of different types:

1 - Creation or "genesis" (original dev)
2 - Ownership or "control" (source, builders)
3 - Handling (testing, staging, crypting etc)
4 - Operation (intrusion itw)

This is basic logistical analysis. Rather than reducing the attribution to just one entity, it is important to understand the many players along the supply chain. If my tools or analytical "model" over-simplify attribution to just one single "threat group" then I am forced to make an analytical assessment that is not only deceptively incomplete, but also probably wrong.
