Albert Zsigovits albertzsigovits
🕹️
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #0: | |
| strings are always evaluated first | |
| filesize < 100KB will not help | |
| #1: | |
| // condition order does not matter, will only short-circuit | |
| condition: | |
| $str1 and $str2 and uint16(0) == 0xFFFF and ... | |
| uint16(0) == 0xFFFF and $str1 and $str2 and ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://www.bootloaders.io/ | |
| https://loldrivers.io | |
| https://gtfobins.github.io | |
| https://lolbas-project.github.io | |
| https://wtfbins.wtf | |
| https://lots-project.com | |
| https://filesec.io | |
| https://malapi.io | |
| https://hijacklibs.net | |
| https://wadcoms.github.io |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| YARA use cases: | |
| =============== | |
| Conditions: | |
| ----------- | |
| uint16(0) == 0x5A4D // MZ | |
| uint32(uint32(0x3C)) == 0x00004550 // PE | |
| uint32(0) == 0x464C457F // ELF | |
| uint8be(uint32(0x3C)+4) == 0x64 // 64-bit | |
| uint32be(uint32(0x3C)+8) == 0x174a505c // Compiled time |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("file_path", help="path to input file") | |
| args = parser.parse_args() | |
| KEY_OFFSET = 0x5000 | |
| DATA_OFFSET = 0x15000 | |
| KEY_SIZE = 8 | |
| DATA_SIZE = 256 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| References to malware configuration extraction and memory dumping: | |
| https://www.vmray.com/cyber-security-blog/vmray-platform-feature-highlight-extended-smart-memory-dumping/ | |
| https://www.vmray.com/cyber-security-blog/malware-configuration-extraction-vmray-analyzer-4-5-feature-highlight/ | |
| https://any.run/cybersecurity-blog/malware-configuration/ | |
| https://developers.virustotal.com/reference/malware_config | |
| Commercial projects: | |
| https://malwareconfig.com/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # APT resources | |
| https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085 | |
| https://www.mandiant.com/resources/insights/apt-groups | |
| https://attack.mitre.org/groups/ | |
| https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Commercial tools | |
| Cobalt Strike - https://www.cobaltstrike.com | |
| Brute Ratel C4 - https://bruteratel.com | |
| Nighthawk - https://www.mdsec.co.uk/nighthawk | |
| # Open-source tools | |
| Metasploit - https://www.metasploit.com | |
| Posh C2 - https://github.com/nettitude/PoshC2 | |
| Empire - https://github.com/BC-SECURITY/Empire | |
| Sliver - https://github.com/BishopFox/sliver |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Breached - breached[.]co - DOWN | |
| Eternia - eternia[.]to | |
| Cracked - cracked[.]to | |
| Nulled - nulled[.]to | |
| Raidforums - DOWN - DoJ hijacked | |
| Hackforums - hackforums[.]net | |
| Eleaks - eleaks[.]to | |
| Sinister - sinister[.]ly | |
| XSS - xss[.]is | |
| Exploit - exploit[.]in |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| VirusTotal - https://www.virustotal.com | |
| JoeSandbox - https://www.joesandbox.com | |
| VMRay - https://www.vmray.com | |
| ReversingLabs - https://www.reversinglabs.com | |
| HybridAnalysis - https://www.hybrid-analysis.com | |
| Any.Run - https://app.any.run/submissions | |
| Tria.ge - https://tria.ge/reports/public | |
| Threat.Zone - https://app.threat.zone/public-submissions | |
| CAPE Sandbox - https://capesandbox.com | |
| Cuckoo CERT-EE - https://cuckoo.cert.ee |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Viriback's tracker - https://tracker.viriback.com/ | |
| DRM Ransomware tracker - https://ransom.insicurezzadigitale.com/?date=2022 | |
| Virusdeck - https://virusdeck.com/ | |
| Threatshare.io - https://threatshare.io/malware/ | |
| Xily's tracker - https://cybercrime-tracker.net/ | |
| VXVault - https://vxvault.net/ViriList.php | |
| Fumik0's tracker - https://tracker.fumik0.com/ | |
| CVE trends - https://cvetrends.com/ | |
| TweetIOC - https://tweettioc.com/ |