This Week's Read List - 14-20 FEB 2021

This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.

Malware, Campaigns and TTPs

20 Common Tools & Techniques Used by macOS Threat Actors & Malware - The title says it all. Some of these are not unexpected; others may be more obscure to those less familiar with macOS. Each tool comes with examples of usage and a mapping to the MITRE ATT&CK Matrix techniques.

Hackers abusing the Ngrok platform phishing attacks - The first time I came across `ngrok` I immediately thought of its capabilities for exfiltrating data from a network. It appears that hackers have found a way to leverage the tool during a phishing campaign to get access to a one-time password (OTP) to log in to a legitimate service.

IronNetInjector: Turla’s New Malware Loading Tool - Turla is using a technique called Bring Your Own Interpreter (BYOI) to run scripts on a victim's computer. IronNetInjector is an IronPython script that contains a .NET injector and payloads. IoCs provided.

Tools

CASCADE - A research project related to the MITRE ATT&CK Matrix which seeks to automate much of the blue team's investigative work to determine the scope and maliciousness of suspicious behavior on a network.

EQL Analytics Library - Analytics written in the Event Query Language (EQL) for use with Elastic Endgame.

Sourcetrail - Sourcetrail is a cross-platform code explorer with built-in tools for navigating source code, to help developers get familiar with unfamiliar projects.

nuclei - nuclei is a fast and customizable vulnerability scanner that uses YAML templates to specify how it behaves.

Ray.so - Need to display your code in some pretty pictures? Ray.so provides complete customization of your code in a language-formatted window.

When you go fighting malware don't forget your VT plugins - VirusTotal plugins are available for IDA Pro and Ghidra, giving analysts the ability to leverage VT's knowledge base to aid in analysis.

Tauri - Tauri is an Electron-like cross-platform development framework written in Rust.

Educational Resources

REDTEAM.GUIDE - Looking for some Red Team resources? Check out the Red Team Guide site, which has everything from theory and concepts to templates and checklists for red teaming.

Using eBPF to uncover in-memory loading - Berkeley Packet Filters (BPF) are incredibly powerful. This post uses extended BPF (eBPF) to detect malware that performs in-memory loading of content fetched from the internet via the '|' (pipe) operator.

Unleash the Power of MITRE for a More Mature SOC - Ever wondered how all of MITRE's cybersecurity projects fit together? This article breaks it down and provides an excellent diagram of how MITRE's ATT&CK (https://attack.mitre.org/), SHIELD, CAPEC, CWE, CVE, and CPE all work together in a single ecosystem.

ELF Malware Analysis - Intezer's three-part ELF Malware Analysis series begins in Part 1 by taking a look at the Linux threat landscape. Part 2 covers the basics of an ELF executable and some basic analysis. Part 3 dives into some of the more advanced aspects of ELF analysis.

Python Programming and Numerical Methods - A Guide for Engineers and Scientists - An excerpt/e-book provided by Berkeley University which gives a great overview of numerical and mathematical computation in Python.

Python Concurrency: The Tricky Bits - A look at Python threads and asynchronous programming using a simple web server and a Fibonacci sequence.

Hunting For Anomalies With Time-Series Analysis - A look at how to use time-series analysis to hunt for anomalies in Azure Active Directory logs using Kusto Query Language (KQL).

Miscellaneous

Red Star OS Media - Interested in the North Korean Red Star operating system? GitHub user 'BlackOtton' has extracted some of its media files and placed them in a repository for consumption.

6 strategies to reduce cybersecurity alert fatigue in your SOC - This blog post from Microsoft highlights six key things to help your SOC analysts focus on the alerts that matter.

Threat Intelligence and the Limits of Malware Analysis - A great write-up from Dragos on how malware analysis will remain a vital part of threat intelligence production, especially when accounting for the specific circumstances of a defender's network, which may differ from those in which the commercial reports were generated.