Skip to content

Instantly share code, notes, and snippets.

We can make this file beautiful and searchable if this error is corrected: It looks like row 5 should actually have 12 columns, instead of 9 in line 4.
Anti-Sandboxing,Antivirus Evasion,Anti-Debugging,Process Manipulating,Anti-Disassembly,Anti-Monitoring,Data Obfuscation ,Anti-Forensic,Network Evasion,Others,Packers,Anti-Machine Learning
Checking memory artifcacts ,Evading hash signature,IsDebuggerPresent,Process hollowing,API Obfuscation,Disable process ,XOR,Remove event log,Fast flux,Infection by localisation,Packer compression,Direct gradient-based attacks
MAC address detection,Evading specific signature,CheckRemoteDebuggerPresent,Reflective DLL injection,Control Flow Graph Flatening,Check running process,Base64,Wipe disk,Double fast flux,Detect language installed,Crypter,Attacks against models that report a score
Registry keys detection,PE format tricks,NtQueryInformationProcess,Suspend inject and resume,Dead code insertion,Find window,Cesar/ROT,Melt file,DGA,Malicious shortcut,Virtual machine,Binary black-box attacks
Checking process,Fingerprinting emulator,NtSetInformationThread,Hook injection,Spaghetti code,Detect parent process,ROL,Hidden attributes,
@fr0gger
fr0gger / sunburst_glossary.csv
Last active September 12, 2021 16:48
Sunburst/Solorigate glossary to keep track of used terms
Name Description
Solarwinds Compromised company used to spread the Sunburst malware through the Orion platform.
Orion Platform Compromised platform used to deliver the Sunburst malware in a supply chain attack.
Sunspot Malware name attributed by CrowdStrike and used to insert the Sunburst backdoor.
Sunburst Malware name attributed by FireEye and inserted in the Orion platform. AKA Solorigate.
Solorigate Malware name attributed by Microsoft and inserted in the Orion platform. AKA Sunburst.
Teardrop Additional payload delivered by the Sunburst backdoor used to deploy a custom Cobalt Strike Beacon.
Raindrop Loader which delivers a payload of Cobalt Strike. Similar to Teardrop.
Beacon Malware name used by FireEye to define custom Cobalt Strike payload.
GoldMax Written in Go GoldMax acts as command-and-control backdoor for the actor. AKA Sunshuttle.
@fr0gger
fr0gger / yara_performance_guidelines.md
Created February 16, 2021 09:23 — forked from Neo23x0/yara_performance_guidelines.md
YARA Performance Guidelines

YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

  • Revision 1.4, October 2020, applies to all YARA versions higher than 3.7

Atoms

YARA extracts from the strings short substrings up to 4 bytes long that are called "atoms". Those atoms can be extracted from any place within the string, and YARA searches for those atoms while scanning the file, if it finds one of the atoms then it verifies that the string actually matches.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Rich Hash standalone support for python3 - Thomas Roccia - @fr0gger_
"""
import hashlib
import sys
import re
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse
http://abraajenergy.com/
http://abraajenergy.com/m9lowa3/discord-server-link-checker.html
http://chpok.site/
https://rockstorageplace.com/away.php
yourflash24.com
phonestar.info
dougale.com
gomusic.info
premiumbros.com
totalav.com
'''
Simple POC for calculating the Export Table Hash by Thomas Roccia | @fr0gger_
Similarly as ImpHash, the Export Hash is calculated by extracting the function names from the export table and hashing them.
Exported function names are extracted in order, then all characters are converted to lowercase.
The function names are then joined together and hashed using SHA256.
The hash is dubbed "ExpHash".
Example:
python .\exphash.py .\AppXDeploymentClient.dll
ExpHash: 50644ab76c9421984137aadca2ba9b2883763f0189daf4010a699c490d263a86
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://twitter.com/juanandres_gs/status/1496581710368358400?s=20&t=ceSYl9EWREXS0ELncl4grA
https://twitter.com/0xAmit/status/1496641159371837444?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://twitter.com/JusticeRage/status/1496894253376720901?s=20&t=j42L_Y0O-Q2-oTI3YEcSZw
https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/a82e9105-2405-4e37-b2c3-28c773902d85
https://docs.microsoft.com/en-us/windows/win32/devnotes/attribute-list-entry
https://twitter.com/Lexsek_/status/1496806942630633475?s=20&t=BGgh4TA4xPH1SbmShMkULw
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
@fr0gger
fr0gger / msthreatinfo.py
Last active October 29, 2024 19:48
Threat Info Lookup: Retrieve Microsoft Defender signature details from the Threat Encyclopedia
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Author: Thomas Roccia, @fr0gger_
"""Threat Encyclopedia Lookup, retrieve Defender Signature information.
This script will retrieve the information related to the specified signature.
Usage:
python threatinfo.py [options]
Requirements:
#!/usr/bin/env python3
'''
A simplified FLOSS implementation that only supports stackstrings.
requirements:
- yara-python
- unicorn
author: Willi Ballenthin
email: [email protected]