This Week's Read List - 14-20 MAR 2021

This Week's Read List (TWRL) is a collection of articles, blog posts, and other content that I've discovered throughout the last week. The collection may seem eclectic at times, but my hope is that you'll find these articles just as helpful and interesting as I have.

Malware, Campaigns and TTPs

Hackers are exploiting a server vulnerability with a severity of 9.8 out of 10 - BIG-IP appliances from F5 Networks are being exploited after a severe vulnerability was disclosed last week. According to NCC Group, attackers have achieved full-chain exploitation in the wild.

Blue Team Techniques

RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986 - NCC Group releases its detections to assist with triaging exploitation of the iControl REST vulnerabilities in F5 BIG-IP appliances, following the disclosure of a vulnerability with a CVSS score of 9.8.

Detecting Cobalt Strike with memory signatures - Cobalt Strike continues to be used by malicious cyber actors ranging from low-level criminals to sophisticated APTs. Detecting Cobalt Strike is something every security team must do. Elastic demonstrates some YARA rules to help detect Cobalt Strike beacons in process memory.
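To show how a memory signature of the kind Elastic publishes actually matches, here is an added example (not code from the Elastic post, and not a real Cobalt Strike rule): a small scanner that implements the YARA hex-string idea, byte patterns with "??" single-byte wildcards, and runs it over a constructed buffer standing in for a dumped process region. The two signatures and the buffer are invented for the demo; real rules come from the post.

```python
"""Scan a memory buffer with YARA-style wildcarded hex signatures.

Added illustration, not code from the Elastic post. The patterns below
are constructed for the demo and are NOT real Cobalt Strike signatures.
"""
import re

# Constructed signatures in YARA hex-string syntax: '??' matches any one byte.
SIGNATURES = {
    "demo_stub_prologue": "55 8B EC 83 EC ?? 53 56 57",          # push ebp / mov ebp,esp / sub esp,?? ...
    "demo_config_marker": "00 01 00 01 00 02 ?? ?? 00 02 00 01",  # made-up config header with 2 wildcards
}


def compile_hex_signature(sig: str) -> re.Pattern:
    """Translate 'AA ?? BB' into a bytes regex; each '??' becomes a one-byte wildcard."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


def scan_buffer(buf: bytes, sigs=SIGNATURES, base: int = 0):
    """Return [(signature_name, virtual_address)] for every hit in buf.

    `base` is the virtual address the buffer was read from, so hits can be
    reported as addresses rather than offsets.
    """
    hits = []
    for name, sig in sigs.items():
        pat = compile_hex_signature(sig)
        for m in pat.finditer(buf):
            hits.append((name, base + m.start()))
    return hits


def build_sample_region() -> bytes:
    """Constructed 'memory region': NOP sled, a prologue, padding, a config marker."""
    region = bytearray(b"\x90" * 64)
    region += bytes.fromhex("558BEC83EC40535657")         # sub esp,0x40 fills the '??'
    region += b"\x00" * 32
    region += bytes.fromhex("000100010002ABCD00020001")   # AB CD fill the two wildcards
    region += b"\xCC" * 16
    return bytes(region)


if __name__ == "__main__":
    region = build_sample_region()
    for name, va in scan_buffer(region, base=0x400000):
        print(f"{name} @ 0x{va:08x}")
```

The wildcards are what make a memory signature survive per-build differences such as a changed stack frame size or a different config value; a plain substring match on the same bytes would miss the sample the moment one of those bytes changed.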

Tools

Kuiper - Kuiper is a digital investigation platform. It's like a SIEM, a SOAR and a case management system combined. With its built-in rule-based alerting and ability to tag and timeline events, Kuiper could be a great tool for analysts.

eBPFSnitch - eBPFSnitch is a Linux application-level firewall based on eBPF. eBPFSnitch supports filtering all outgoing IPv4-based protocols; IPv6 and incoming connections should be supported in the near future. eBPFSnitch seeks to integrate with containerized applications.

Buildroot - Buildroot is a tool to help generate embedded Linux operating systems using cross compilation.

CHIRP - CHIRP (CISA Hunt and Incident Response Program) is a tool from CISA to dynamically query IoCs on a host and output the information in JSON format for ingestion into a SIEM.

outrun - outrun allows you to run local commands using the processing power of another Linux machine.

Silver Sniffle - Silver Sniffle is an encrypted chat client for the command line using ncurses. Silver Sniffle comes with a server, a client and a CLI interface, and uses public-key cryptography for the encryption.

Educational Resources

Get Ready to Explore gRPC in the DevNet IOS XR Always-on Sandbox - Interested in learning about gRPC? This Cisco post walks through some gRPC concepts using IOS XR and their sandbox environment.

How to Read ARM64 Assembly Language - This blog post helps break down some of the entry barriers to understanding ARM64 assembly with some foundational assembly instructions.

How APTs Use Reverse Proxies to Nmap Internal Networks - This blog post from Varonis walks through how malicious cyber actors can use a reverse proxy (a SOCKS proxy tunnelled out from a compromised host) to nmap internal networks. The post walks through setting up the SOCKS proxy, then running nmap and crackmapexec through proxychains. The post wraps up with some detections and mitigations.
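On the detection side, one property of this technique is worth building on: proxychains only hooks TCP connect(), so nmap run through it is a full-connect scan (-sT, with -Pn and -n), and every port probe is a complete three-way handshake originating from the compromised pivot host rather than from the attacker. In connection logs the scan therefore shows up as one internal host touching many (host, port) pairs in a short span, most of them refused. The following is an added example, not code from the Varonis post: a detector for that pattern run over constructed Zeek-style conn.log records (the five-column subset and the thresholds are assumptions made for this demo).

```python
"""Flag proxied nmap connect scans in Zeek-style conn.log records.

Added example, not from the Varonis post. The log lines are constructed for
this demo; the column subset (ts, orig_h, resp_h, resp_p, conn_state) mirrors
Zeek conn.log fields but the records themselves are invented.
"""
from collections import defaultdict

# Zeek conn_state values that indicate no service answered: typical of a closed-port probe.
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTR"}

# Constructed records: 10.0.5.23 is the pivot sweeping two hosts, 10.0.5.2 is a
# monitoring box polling ten hosts on 443 (all succeed), 10.0.5.40 is a normal client.
SAMPLE_CONN_LOG = "\n".join([
    "1615900000.10\t10.0.5.23\t10.0.1.10\t22\tSF",
    "1615900000.12\t10.0.5.23\t10.0.1.10\t80\tREJ",
    "1615900000.14\t10.0.5.23\t10.0.1.10\t135\tSF",
    "1615900000.16\t10.0.5.23\t10.0.1.10\t139\tSF",
    "1615900000.18\t10.0.5.23\t10.0.1.10\t443\tREJ",
    "1615900000.20\t10.0.5.23\t10.0.1.10\t445\tSF",
    "1615900000.22\t10.0.5.23\t10.0.1.10\t3389\tREJ",
    "1615900000.24\t10.0.5.23\t10.0.1.10\t8080\tREJ",
    "1615900000.26\t10.0.5.23\t10.0.1.11\t22\tREJ",
    "1615900000.28\t10.0.5.23\t10.0.1.11\t445\tSF",
    "1615900000.30\t10.0.5.23\t10.0.1.11\t3389\tREJ",
    "1615900000.32\t10.0.5.23\t10.0.1.11\t8080\tREJ",
] + [f"1615900001.{i:02d}\t10.0.5.2\t10.0.1.{i}\t443\tSF" for i in range(1, 11)] + [
    "1615900002.00\t10.0.5.40\t10.0.1.10\t443\tSF",
    "1615900003.00\t10.0.5.40\t10.0.1.10\t443\tSF",
    "1615900004.00\t10.0.5.40\t10.0.1.50\t445\tSF",
    "1615900005.00\t10.0.5.40\t10.0.1.10\t443\tSF",
])


def parse_conn_log(text):
    """Parse tab-separated 'ts orig_h resp_h resp_p conn_state' lines into dicts."""
    recs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, state = line.split("\t")
        recs.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                     "resp_p": int(resp_p), "conn_state": state})
    return recs


def detect_connect_scans(records, window=60.0, min_targets=10, min_failed_ratio=0.5):
    """Return one alert per source host that, within any `window` seconds, reached
    at least `min_targets` distinct (host, port) pairs with enough failed connects.

    The failed-connect ratio is what separates a scan from a monitoring host that
    legitimately talks to many machines on an open port.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["orig_h"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:   # slide the window forward
                start += 1
            span = recs[start:end + 1]
            targets = {(r["resp_h"], r["resp_p"]) for r in span}
            ratio = sum(r["conn_state"] in FAILED_STATES for r in span) / len(span)
            if len(targets) >= min_targets and ratio >= min_failed_ratio:
                if best is None or len(targets) > best["distinct_targets"]:
                    best = {"orig_h": src, "distinct_targets": len(targets),
                            "failed_ratio": round(ratio, 2),
                            "first_ts": span[0]["ts"], "last_ts": span[-1]["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_connect_scans(parse_conn_log(SAMPLE_CONN_LOG)):
        print(alert)
```

The alert names the pivot (10.0.5.23), which is the point: the attacker's own address never appears inside the network, so the response has to start from the compromised host, and that host's outbound tunnel to the proxy is the other artifact worth hunting for.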