Digging Up the Past: Windows Registry Forensics Revisited
https://www.fireeye.com/blog/threat-research/2019/01/digging-up-the-past-windows-registry-forensics-revisited.html
Pe-sieve
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://github.com/hasherezade/pe-sieve
Which YARA Rules Rule: Basic or Advanced?
https://www.sans.org/reading-room/whitepapers/tools/yara-rules-rule-basic-advanced-38560
Ghidra 9.2 has been released!
This version has improvements to analysis, the user interface, new open source based graphing, decompiler quality enhancements, and more!
https://ghidra-sre.org/
Reverse Engineering with Ghidra | HackadayU
https://www.youtube.com/playlist?list=PL_tws4AXg7auglkFo6ZRoWGXnWL0FHAEi
Malware Capabilities
Starting with version 4.1, MAEC offers a standard way of capturing the set of high-level abilities that a malware instance possesses, which we term Capabilities. For instance, to state that a malware instance is capable of exfiltrating data, one may simply specify a single MAEC "Data Exfiltration" Capability. We have defined an initial set of Capabilities for the MAEC v4.1 release, which is captured in detail in the hierarchy below.
https://github.com/MAECProject/schemas/wiki/Malware-Capabilities
Malware Behavior Catalog v2.0
The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting.
https://github.com/MBCProject/mbc-markdown
vxunderground/MalwareSourceCode
Collection of malware source code for a variety of platforms in an array of different programming languages.
https://github.com/vxunderground/MalwareSourceCode
Reverse Engineering: Process Hollowing | Process Doppelgang-ing Hybrid used by The Osiris Dropper
https://youtu.be/VPKjHBQyMR0
This video is a follow-up on The Unpacking of Osiris, covering how the dropper used a hybrid of Process Hollowing + Process Doppelganging for its injection.
Unpacking Osiris: https://ghostinthehive.github.io/thehive/Unpacking-Osiris.html
Process Injection…
SRP Streams in MS Office Documents Reveal Earlier Versions of Malicious Macros
https://www.sans.org/blog/srp-streams-in-ms-office-documents-reveal-earlier-versions-of-malicious-macros/