Martin Korman

@MartinKorman

Malware Analyst and Forensic Investigator. Tweets represent my own opinion.

Joined October 2011

Tweets


  1. Pinned Tweet
    6 Mar 2019

    I'm releasing Regipy: an OS independent python library for parsing offline registry hives, with a lot of awesome features!

  2. Retweeted
    2 Feb

    This is how we start the week! What about you? BsidesTLV 2020 CFP is open. Submit and share.

  3. Retweeted
    31 Jan

    I keep forgetting how to use the Python bindings for the Unicorn Engine, so I created a nice README for it. I plan to add a complete code walkthrough but for now it’s still a nice reference.

  4. Retweeted
    29 Jan

    1\ I've written a little compiler to ship ML models as standalone Yara rules, and done proof of concept detectors for Mach-O, RTF files, and PowerShell scripts. So far I have decision trees, random forests, and logistic regression (LR) working.

  5. Retweeted
    30 Jan

    Large scale malware similarity visualization work by , myself, and others. We built a prototype set of analytics and accompanying GUI to accelerate malware analysis over many samples, and did a user study showing efficacy.

  6. Retweeted
    21 Jan

    Pipeline tests are like unit tests for datasets: they help you guard against upstream data changes and monitor data quality.

  7. Retweeted
    21 Jan

    New Trickbot module 'ADll' dumps Active Directory database files (ntds.dit & ntds.jfm) and registry hives using the 'ntdsutil' and 'reg save' commands:

  8. Retweeted
    19 Jan

    A new NTFS sample ("ntfs_extremely_fragmented_mft.raw") uploaded: This was an attempt to check if there is a limit for fragmentation. The resulting file uses 12 file record segments, 3 of them have high numbers (like "user files").

  9. Retweeted
    17 Jan

    Want to make service removal really fun? Create a service with a unicode name. The service will run but won't show in sc.exe, services.msc, or taskmgr.exe and will sometimes cause a critical error while trying to find it with PowerShell/WMI. Unicode wins again.🤦‍♂️

  10. Retweeted
    15 Jan

    Microsoft added Event ID 1 to the Application Log to show attempted exploitation of CVE-2020-0601 (via new CveEventWrite function). Use Splunk? Collect that EID and alert on: sourcetype=WinEventLog EventCode=1 LogName=Application Message="*[CVE-2020-0601]*" (tweak as needed)

  11. Retweeted
    15 Jan

    Added USN monitoring to trigger when an MFT entry gets touched to allow for real-time MFT entry watching. The more I do this the more I realize how interdependent all these components are. In this example, I create a hardlink and see the MFT changes.

  12. Retweeted
    15 Jan

    CVE-2019-19781 Live Response First Steps ========================= Some tips on how to go about running a micro-compromise assessment on Netscaler boxes, this is what I've been using: >>> Check the root user command history: history /1

  13. Retweeted
    14 Jan

    A PDF containing an overview and alphabetical listing of Windows commands

  14. Retweeted
    14 Jan

    PSA: just got even faster on 0.6.5. Especially if you are running it under Windows (3x increase for `evtx_dump`)! Linux is also faster by 30-40%!

  15. Retweeted
    13 Jan

    The Dog Whisperer’s Handbook - great work && must read by my friend

  16. Retweeted
    25 Dec 2019

    I uploaded a video example using DbgChild plugin for x64dbg:

  17. Retweeted
    28 Dec 2019

    My Signature Creation Mind Map Input: Sample > the things that I check to create YARA signatures, Sigma rules or IOCs > or pivot to related samples in order to improve the signatures / rules

  18. Retweeted
    23 Dec 2019

    Made some major updates to the Event Listener! Watch all channels or just a subset with multiple -c values. Get historical events + listen to live changes with the --historical option. XML is an option too if you don't like JSON lines.

  19. Retweeted
    19 Dec 2019

    The cool thing about those 2 newly introduced MS security Event IDs 4799, 4798 is that they will capture any local group/user discovery attempts even if done via WinAPIs, below an e.g. with the checkadmin.exe custom recon tool referenced in Operation Wocao :D

  20. Retweeted
    15 Dec 2019

    Ever wish you could color a cell so you can quickly find it when scanning a notebook? 🎮TRY IT:

  21. Retweeted

    Fall 2019 Capture the Flag is now available to the public! There’s OSINT, Crypto, Windows, AND a super secret mystery device! Please RT and share so everyone can take advantage of these cool challenges!

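The CVE-2020-0601 detection tweet above (item 10) gives a Splunk search over Application log Event ID 1. The following is an added example, not code from any of the tweeted projects, that applies the same criteria in plain Python to constructed key=value event lines, so the filter can be checked offline before it is deployed. The sample events and their Message text are constructed for illustration, not real CveEventWrite output; `*` is treated as a Splunk-style wildcard and matching is case-insensitive as Splunk field matching is.

```python
import re

# Constructed sample events in Splunk-style key=value form (not real log data).
SAMPLE_EVENTS = [
    'sourcetype=WinEventLog EventCode=1 LogName=Application '
    'Message="Audit-CVE: [CVE-2020-0601] certificate validation failure"',
    'sourcetype=WinEventLog EventCode=1 LogName=Application '
    'Message="Application started normally"',
    'sourcetype=WinEventLog EventCode=4624 LogName=Security '
    'Message="An account was successfully logged on"',
    'sourcetype=WinEventLog EventCode=1 LogName=System '
    'Message="[CVE-2020-0601] text in the wrong log, must not fire"',
]

# The search terms from the tweet; '*' is a wildcard, everything else literal.
CRITERIA = {
    "sourcetype": "WinEventLog",
    "EventCode": "1",
    "LogName": "Application",
    "Message": "*[CVE-2020-0601]*",
}

# key=value or key="value with spaces"
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in _PAIR.findall(line)}


def matches(event, criteria=CRITERIA):
    """True when every criterion field is present and matches its wildcard pattern."""
    for field, pattern in criteria.items():
        value = event.get(field)
        if value is None:
            return False
        # Escape literal text (brackets included) and turn '*' into '.*'.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE) is None:
            return False
    return True


def find_cve_events(lines):
    """Return the parsed events that would trigger the CVE-2020-0601 alert."""
    return [event for event in map(parse_event, lines) if matches(event)]


if __name__ == "__main__":
    for event in find_cve_events(SAMPLE_EVENTS):
        print(event["EventCode"], event["LogName"], event["Message"])
```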
