bwiese + malware   72

A New Wave of the Separ Info-Stealer is Infecting Organizations through “Living off the Land” Attack Methods - Deep Instinct : Deep Instinct
Use Cypherpath for malware sandbox analysis
1) Notified of new malware
2) Go to Hybrid Analysis – dig around a bit until you find a shared sample
a. Download sample
3) Add sample to Cypherpath shared folders
4) Spin up an isolated Windows instance on Cypherpath.
5) Run malware in this isolated vm on Cypherpath
6) Explore artifacts and RE
malware  cybersecurity  sandbox 
9 weeks ago by bwiese
New malware found using Google Drive as its command-and-control server
backdoor Trojan, called RogueRobin, which infects victims' computers by tricking them into opening a Microsoft Excel document containing embedded VBA macros, instead of exploiting any Windows zero-day vulnerability.

Enabling the macro drops a malicious text (.txt) file in the temporary directory and then leverages the legitimate 'regsvr32.exe' application to run it, eventually installing the RogueRobin backdoor written in C# programming language on the compromised system

The new malware campaign suggests that the APT hacking groups are shifting more towards abusing legitimate services for their command-and-control infrastructure to evade detection.

It should be noted that since VBA macros is a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with VBA code.
cybersecurity  google  threathunting  malware  c2  backdoor  macro 
january 2019 by bwiese
Concealing Network Traffic via Google Translate | Running the Gauntlet
This translate proxying method is often used by the malware if their domain or IP is blocked. The malware uses either Google Translate, Bing Translator, or Yahoo! Babel Fish for this purpose

After the malware downloads the webpage, they can parse the embedded iframe to access the data in the page. This even allows the malware to access embedded HTML comments on the page if that is what they are after.
cybersecurity  proxy  malware  google 
december 2018 by bwiese
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
Caveat: "The tool described above is able to update the system’s firmware only if the SPI flash memory protections are vulnerable or misconfigured. Thus, you should make sure that you are using the latest available UEFI/BIOS available for your motherboard. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008)."
cybersecurity  uefi  malware  rootkit  bios 
october 2018 by bwiese
Linksys Worm ("TheMoon") Captured - SANS Internet Storm Center
One important update: This affects other Linksys routers as well. For example, we do have some routers connecting to the honeypot that identify themselves as E2500 (Firmware 1.0.03 build 4)
linksys  malware  sans  forensics  router 
october 2018 by bwiese
20/20 malware vision - SANS Internet Storm Center
Here I use Python's map function to calculate the difference between the numerical value of the cleartext string and the obfuscated string:
I can see the difference is always -11. So you just need to subtract 11 from each character to get the deobfuscated string (using
cybersecurity  forensics  python  visualbasic  malware  todo 
september 2018 by bwiese
Researchers Developed Artificial Intelligence-Powered Stealthy Malware
To demonstrate DeepLocker's capabilities, the researchers designed a proof of concept, camouflaging well-known WannaCry ransomware in a video conferencing app so that it remains undetected by security tools, including antivirus engines and malware sandboxes.
With the built-in triggering condition, DeepLocker did not unlock and execute the ransomware on the system until it recognized the face of the target, which can be matched using publicly available photos of the target
cybersecurity  ai  malware  research  ibm 
august 2018 by bwiese
REMnux: A free Linux Toolkit for Reverse-Engineering and Analyzing Malware
REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.
forensics  software  malware  cybersecurity  dfir  linux  docker  vm 
august 2018 by bwiese
CCleaner Adds Data Collection Feature With No Way to Opt-Out
Last year, CCleaner made headlines when it suffered a massive supply-chain malware attack of all times, wherein hackers compromised its servers for over a month and replaced the original version of the software with the malicious one, infecting over 2.3 million users worldwide.
supplychain  scrm  software  cybersecurity  ccleaner  malware 
august 2018 by bwiese
RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families
In our research we found at least one attack against a company leveraging a Microsoft Office Excel document with an embedded macro to launch the malware. Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in an EXIF metadata property of the document.

By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious code's small footprint can help enable evasion of automated detection mechanisms based on macro content.
cybersecurity  malware  office  exif  backdoor 
july 2018 by bwiese
Fileless attacks against enterprise networks - Securelist
Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH”.
fileless  cybersecurity  malware  analysis 
june 2018 by bwiese
Now you see me: Exposing fileless malware – Microsoft Secure
The second tool was a strain of fileless malware called Misfox. Once Misfox was running in memory, it:

Created a registry run key that launches a “one-liner” PowerShell cmdlet
Launched an obfuscated PowerShell script stored in the registry BLOB; the obfuscated PowerShell script contained a reflective portable executable (PE) loader that loaded a Base64-encoded PE from the registry
Misfox did not drop any executable files, but the script stored in the registry ensured the malware persisted.

Reflective DLL injection
Memory exploits
Script-based techniques
WMI persistence
malware  cybersecurity  microsoft  powershell  fileless 
june 2018 by bwiese
Stuxnet-style code signing is more widespread than anyone thought | Ars Technica
Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What's more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. The researchers, who presented their findings Wednesday at the ACM Conference on Computer and Communications Security, found another 136 malware samples signed by legitimate CA-issued certificates, although the signatures were malformed.
malware  certificates  cybersecurity 
june 2018 by bwiese
Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance | Ars Technica
For its part, Cylance denied the screenshot actually showed Protect's code. "It’s a hex view of a sample packed with MPRESS and VMprotect, it looks like," a Cylance spokesperson said in response to that allegation. "It’s a sample from TestMyAV, I believe. It's malware, not Cylance."

However, Balazs insists the code is from Cylance's product. "Yes, it was Cylance Protect," he told Ars, "but we did not reverse engineer their software, we just looked at strings in the binaries." [Update: Balazs further backed up his claims in a YouTube video he posted after this article was published.]

An analysis by Ars of other MPRESS- and VMprotect-packed files found no internal references to either piece of software. (Additionally, Gottlieb had already mentioned he doesn't use MPRESS for files on TestMyAV.)

demonstrate the predictive nature of Cylance by using a version of CylancePROTECT created a full year before Goldeneye was even released.
cylance  cybersecurity  malware  analysis  reference  sophos  antivirus 
june 2018 by bwiese
Memory-Based Attacks are on the Rise: How to Stop Them
these attacks are based on instructions and using local applications, now you see where the names, “fileless” and “living-off-the-land” come from.

You can, however, prevent these attacks by being vigilant in the following areas:

Stay up to date on patching.
Block websites running Flash, Silverlight, or Javascript or block these from running on websites requesting them to be enabled.
Restrict usage of macros in documents.
Defend against Mimikatz by starting on page 11 of this SANS paper by Jim Mulder (PDF).
malware  cylance  cybersecurity  fileless  analytics  attack  volatility 
june 2018 by bwiese
Petya Returns as Goldeneye Strikes Germany
Does not demo other AV products' detection rate though...

With most legacy AV solutions, it may take days to weeks to provide signature protection against this specific attack. In the meantime, many users will become victims of the Goldeneye ransomware.

Even though the version of CylancePROTECT we’re using is one year old, it has completely prevented the VBScript from executing the Goldeneye dropper and has protected the system from this ransomware.
cylance  malware  cybersecurity 
june 2018 by bwiese
I am Jon Miller, Cylance Chief Research Officer & hacker type guy... we use AI to stop bad guys from doing bad things. Ask Me Anything! : IAmA
During the machine learning classification process, each file analyzed is converted to a vector, or a point in high dimensional space. A centroid is another point in high dimensional space, determined to be the center of the files that need to have a patched classification. If a sample falls within a defined distance from the centroid, the sample matches the specified classification.

You can find more details on distances in high dimensional space in this blog post
cylance  malware  reddit  cybersecurity 
june 2018 by bwiese
Don’t Test a Bomb With a Hammer
Q: "Do you do behavioral analysis?"
A: No. Behavioral analysis requires allowing the malware to execute in order to determine what it does. Cylance determines that a file is malicious pre-execution. We never want it to run because if it runs then it's game over. You wouldn’t test a bomb by hitting it with a hammer, would you?

Every file analyzed is parsed into 15 million static features that are extrapolated for analysis.

Our proprietary machine learning algorithm trains on all that data and automatically chooses the features that are statistically significant and that represent the entire body of known malware.
cylance  malware  cybersecurity 
june 2018 by bwiese
A bomb just dropped in endpoint security... and I'm not sure anyone noticed - Alex Eckelberry
Just for fun, take any piece of malware and package it up with AutoIT and then run it on a machine “protected” by Cylance … Cylance will fail to block it. Every time.
cylance  virustotal  malware  reference  packer 
june 2018 by bwiese
“Not If, but When” - Reflections on the OPM Breach
While that discovery was painful, it reflected the positive fact that OPM was, as an organization, looking forward beyond its peers, embracing the new paradigm of the future: the artificially intelligent, machine learning powered capabilities of Cylance’s products and services.

Following the initial internal suspicion of a data breach, OPM made the unprecedented decision to engage with Cylance immediately and to deploy us enterprise-wide and in prevention mode in a matter of four days. OPM knew that Cylance was the only solution to detect and mitigate the attack, and concluded that if they had us deployed before the barbarians approached the gate, they would have completely prevented this particular breach. Their brave leap of faith in us and our technology to close the gap in their armor - once the exclusive role of their internal IT team - will go down as one of the boldest events in modern cybersecurity history. It was in that effort that we locked shields with them and not only discovered countless compromises beyond the initial breach, but also cleaned up a very unclean environment formerly ‘protected’ by legacy antivirus. OPM took immediate and effective action, leveraging our partnership to assist them in turning the adversary aside and protecting against future attacks.
cylance  opm  cybersecurity  machinelearning  malware 
june 2018 by bwiese
Trisis has the security world spooked, stumped and searching for answers
Unbeknownst to Dragos, Schneider had also been in contact with DHS, providing the agency with insight into the malware. Once DHS saw the evidence, officials connected Schneider with the Fulton, Maryland-based startup in order to gain a more complete picture of the case — which allowed for further analysis and a private warning to partners.

The Office of the Director of National Intelligence (ODNI) and NSA declined to comment for this story.
malware  ics  cybersecurity  dhs  dragos  trisis 
june 2018 by bwiese
Endgame AI Chatbot Artemis | Endgame
chatbot to triage malware, automated tool to empower analysts with workflows in intuitive and conversational manner
chatbot  endgame  cybersecurity  triage  malware 
may 2018 by bwiese
Why Fileless Malware Will Continue Its Rapid Expansion - Security Boulevard
McAfee found that fileless malware rose 267 percent in Q4 2017—and are now even being used by cybercriminals to mine cryptocurrency.

No Signatures to Detect
Static Analysis Doesn’t Work
RAM is an Ideal Location for Malware
It’s Profitable to Cybercriminals
malware  fileless  cybersecurity 
may 2018 by bwiese
Analyzing the Fileless, Code-injecting SOREBRECT Ransomware - TrendLabs Security Intelligence Blog
Fileless threats and ransomware aren’t new, but a malware that incorporates a combination of their characteristics can be dangerous. Take for instance the fileless, code-injecting ransomware we’ve uncovered—SOREBRECT, which Trend Micro detects as RANSOM_SOREBRECT.A and RANSOM_SOREBRECT.B.

SOREBRECT takes this a notch further by maliciously deploying PsExec and performing code injection. It injects its code into Windows’ svchost.exe process, while the main binary self-destructs. The combination is potent: once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service-hosting system process—resumes the execution of the payload (file encryption). Because SOREBRECT becomes fileless after code injection, sourcing its binary sample at the endpoint level is challenging.
cybersecurity  fileless  malware  psexec  threathunting  tor  eventlogs  ransomware 
may 2018 by bwiese
Darknet Vendors Sell Counterfeit TLS Certificates
"For a number of years, security researchers have warned the public about cybercriminals using counterfeited code-signing certificates in their efforts to obfuscate malicious payloads, but only a handful of times were these underground services researched thoroughly,"
tls  certificate  cybersecurity  malware 
april 2018 by bwiese
Introducing Ember: An Open Source Classifier and Dataset | Endgame
Ember (Endgame Malware BEnchmark for Research) is an open source collection of 1.1 million portable executable file (PE file) sha256 hashes that were scanned by VirusTotal sometime in 2017. The dataset includes metadata, derived features from the PE files, and a benchmark model trained on those features. Importantly, ember does NOT include the files themselves so that we can avoid releasing others’ intellectual property. With this dataset, researchers can now quantify the effectiveness of new machine learning techniques against a well defined and openly available benchmark.
endgame  virustotal  machinelearning  classifier  malware  cybersecurity 
april 2018 by bwiese
A Closer Look at Unpopular Software Downloads and the Risks They Pose to Organizations - TrendLabs Security Intelligence Blog
Internet Explorer is automatically used as the default browser and automatically patched by corporate policies, some users tend to install a second personal browser (like Chrome) that they fail to keep updated. As a result, these unpatched browsers become critical attack vectors for their endpoints and the entire corporate network.

Acrobat Reader and Java are among the primary vectors of infection, with Acrobat users experiencing an infection rate of almost 80% upon download
A consistent number of machines (27%) run unpatched or unsupported versions of Windows (e.g., Windows XP) – representing a primary infection vector
Droppers represent the main form of infection and a critical entry point for cybercriminals

malware operators tend to specialize in the businesses they ran. For example, an operator of a ransomware campaign is 80% more likely to continue operating a ransomware campaign without changing business models. We observed the same behavior across operators of botnets, spyware, bankers, fakeavs, and adware.
trendmicro  cybersecurity  malware  chrome 
april 2018 by bwiese
Understanding Code Signing Abuse in Malware Campaigns - TrendLabs Security Intelligence Blog
more malicious software appear to be signed than legitimate or benign apps (66% versus 30.7%). This is also true for malware made available via a direct link such as browsers (81% versus 32.1%)

serious concern of issuers that both sign benign and unwanted/malicious software.
Either they are stolen or re-sold in the underground, or legitimate organizations offer both benign and questionable applications like PUPs.
$1600 for EV software signed certificate on DeepWeb
trendmicro  cybersecurity  certificates  malware 
april 2018 by bwiese
GoScanSSH Malware Avoids Government and Military Servers
second scan checks if the domains have any of the following TLDs — .mil, .gov, .army, .airforce, .navy, ...

GoScanSSH uses the default creds associated with Open Embedded Linux Entertainment Center (OpenELEC) systems, Raspberry Pi boards, Open Source Media Center (OSMC) devices, Ubiquiti routers, PolyCom SIP phones, Huawei devices, and Asterisk servers.
cybersecurity  ssh  vulnerability  malware  iot  botnet 
march 2018 by bwiese
GitHub - Defense-Cyber-Crime-Center/DC3-MWCP
DC3 Malware Configuration Parser (DC3-MWCP) is a framework for parsing configuration information from malware. The information extracted from malware includes items such as addresses, passwords, filenames, and mutex names. A parser module is usually created per malware family. DC3-MWCP is designed to help ensure consistency in parser function and output, ease parser development, and facilitate parser sharing. DC3-MWCP supports both analyst directed analysis and large-scale automated execution, utilizing either the native python API, a REST API, or a provided command line tool. DC3-MWCP is authored by the Defense Cyber Crime Center (DC3).
cybersecurity  malware  software  dc3 
march 2018 by bwiese
InfoSec Handlers Diary Blog - Analyzing MSI files
MSI files are Composite Document Files, or as I like to call them, ole files. MSI files can be inspected with tools that handle OLE files, like 7-Zip, oletools, oledump

developed a new oledump plugin, plugin_msi, to decode MSI stream names, and also provide info like the header (ASCII) and MD5 hash of stream 5 ( is a good indicator that the embedded PE file is a DLL. This can be confirmed by inspecting the embedded PE file, with a tool like pecheck
msi  cybersecurity  malware  tools  signature  sans 
february 2018 by bwiese
Finding VBA signatures in Word documents - SANS Internet Storm Center
UNICODE strings SigAgile and Sign start the digital signature in binary Word documents
cybersecurity  doc  malware  signature  yara 
february 2018 by bwiese
An autograph from the Dridex gang - SANS Internet Storm Center
As happens often now, the PDF does not contain malicious code, just a malicious link. This URL can be detected and extracted with pdfid and pdf-parser:
plugin_vba_summary, we can produce a report summarizing the VBA code used in this malicious Word document:
sans  cybersecurity  pdf  malware  signature 
february 2018 by bwiese
SANS Digital Forensics and Incident Response Blog | Automated Hunting of Software Update Supply Chain Attacks | SANS Institute
Software that automatically updates itself presents an attack surface, which can be leveraged en masse through the compromise of the vendor's infrastructure. This has been seen multiple times during 2017, with high profile examples including NotPetya and CCleaner.
threathunting  sans  supplychain  cybersecurity  malware  notpetya 
february 2018 by bwiese
Deciphering Malware’s use of TLS (without Decryption)
1) Flow Metadata - inbound bytes, outbound bytes, inbound packets, outbound packets; the source and destination ports; and the total duration of the flow in seconds
2) Sequence of Packet Lengths and Times - sequence of packet lengths and packet inter-arrival times (SPLT) has been well studied [25], [39]. In our open source implementation, the SPLT elements are collected for the first 50 packets of a flow. Zero-length payloads (such as ACKs) and retransmissions are ignored. A Markov chain representation is used to model the SPLT data
3) Byte Distribution - the byte distribution can give information about the header-to-payload ratios, the composition of the application headers, and if any poorly implemented padding is added.
4) Unencrypted TLS Header Information - TLS version, the ordered list of offered ciphersuites, and the list of supported TLS extensions are collected from the client hello message. The selected ciphersuite and selected TLS extensions are collected from the server hello message. The server’s certificate is collected from the certificate message. The client’s public key length is collected from the client key exchange message, and is the length of the RSA ciphertext or DH/ECDH public key, depending on the ciphersuite. Similar to the sequence of packet lengths and times, the sequence of record lengths, times, and types is collected from TLS sessions
tls  malware  cisco  machinelearning  research 
february 2018 by bwiese
Bears, Kittens, and Chollimas — Thoughts on Attribution and Reporting It
Don’t lay out analysis if you’re not going to say something beyond “look at all these interesting things!”. Give me the “so-what” or get out.

True attribution can be done by organizations (usually governments) who have the authorities to clandestinely collect supporting information that can associate cyber activity with human actors.... taking weeks, months, years.

Let’s focus on analyzing and defending against adversary TTPs
olympics  malware  attribution  cybersecurity  cyberthreatintel 
february 2018 by bwiese
Stopping Olympic Destroyer: New Process Injection Insights | Endgame
sample leverages “notepad.exe” for shellcode injection

It leverages a multitude of tactics described in MITRE’s ATT&CK Matrix such as the file deletion technique T1107... these noisy techniques have worked successfully within the domain of ransomware and unsurprisingly are very effective when ransom isn’t your objective.

Code injection is a method wherein malware can write to the memory of another running process, copying new code into the other process’s memory and executing it as that process with that process’s privileges. This allows the malware to execute stealthily in the address space of that process, often evading security products. In the case of the main executable, it gains the ability to do this by using privileges that it already found and new ones attained through lateral movement to write to notepad.exe on infected hosts
olympics  malware  analysis  endgamge 
february 2018 by bwiese
Cisco's Talos Intelligence Group Blog: Olympic Destroyer Takes Aim At Winter Olympics
perform only destructive functionality. There does not appear to be any exfiltration of data. Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample... aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI, VBscript to further move through the environment. Also witnessed previously with BadRabbit and Nyetya.

custom binaries - malware dynamically updates this list after using the password stealers. A new version of the binary is generated with the newly discovered credentials. This new binary will be used on the new infected systems via the propagation. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems.

Collect local creds from browsers & system LSASS
Arp check and ds scan for lateral movement

drops legit MS signed copy of psexec.exe

cmd.exe, vssadmin.exe (delete shadow copies), wbadmin.exe (delete backups), (boot config), wevtutil.exe (clear System & Security logs)

deletes writeable files from shares

Disruption of services included the Olympic website being offline, meaning individuals could not print their tickets... wifi was down.
olympics  malware  analysis  snort  cisco  talos 
february 2018 by bwiese
In-depth Malware Analysis: Malware Lingers with BITS | Secureworks
Figure 1. Sample log entry from Microsoft-Windows-Bits-Client/Operational.evtx event log. (Source: SecureWorks)

Logged details about the pending tasks were terse. The log indicated that new jobs had been created but did not provide detail. CTU researchers used tools that parsed the BITS job database and provided the missing details (see Figure 2)

CTU researchers recommend that clients consider enumerating active BITS tasks on a host ...(bitsadmin /list /allusers /verbose)

now use powershell bits commandlet
microsoft  bits  malware  incidentresponse  auditing  forensics  exploit  cybersecurity 
february 2018 by bwiese
Since the summer of 2013, this site has published over 1,300 blog entries about malicious network traffic. Almost every post on this site has pcap files or malware samples (or both).
pcap  malware  cybersecurity 
february 2018 by bwiese
Kovter malware learns from Poweliks with persistent fileless registry update | Symantec Connect Community
Poweliks made headlines in 2014 as the first persistent, fileless, registry-based malware. This technique had not been seen before Poweliks (Trojan.Poweliks) arrived, but it was only a matter of time until other malware authors adopted it. A variant of Kovter (Trojan.Kotver), first seen in May 2015, looks to be one of the first to incorporate techniques from Poweliks in order to evade detection and remain persistent on the compromised computer. 
malware  fileless  cybersecurity  registry 
february 2018 by bwiese
The CCleaner Attack Was Worse Than We Knew
But according to Cisco, at least 20 machines at eight companies worldwide were served the second, more dangerous payload. In a blog post this morning, Avast warned that the actual number of infected victims is more likely in the hundreds.
ccleaner  cybersecurity  malware 
january 2018 by bwiese
Researchers find exploit affecting Microsoft's BITS
“The poisoned BITS tasks, which created installation and clean-up scripts after their payloads were downloaded, were self-contained in the BITS job database, with no files or registry modifications to detect on the host,” a SecureWorks blog post stated.
Malware creators have previously used Microsoft's BITS to launch similar attacks by downloading malware updates, initially in May 2007 and most recently in December 2015.
malware  bits  windowsupdate  cybersecurity 
december 2017 by bwiese
American Gets Targeted by Digital Spy Tool Sold to Foreign Governments | Threat Level |
“I’ve been told by a U.S. official that I should never travel to Turkey, that it would be dangerous for me,” she told Wired.

The body of the email she received read, “Hi, There is a new site about Gülen movement. It is Also you should read an essay which I sent. (passwprd:12345).”
hacking  turkey  malware  hack  phishing  security  wired 
june 2013 by bwiese