-
#DFIR tip: when you share hashes for malicious files, also share the size. Many tools are able to search based on multiple conditions: (size < x) && (hash == x). This will decrease the analysis time! #CoRIIN2020 -
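An added example (not from the talk) of the tip in practice: index the indicators by size, stat() every file, and only read and hash the files whose size matches an indicator. The IOC list and the directory tree are constructed inside demo(); file names and contents are made up.

```python
"""Hunt for known-bad files using (size, SHA-256) pairs: stat() first, hash only size matches.

Added example, not from the talk. The IOC list and the directory tree are constructed below.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def build_ioc_index(iocs):
    """iocs: iterable of (size_in_bytes, sha256_hex) -> {size: {sha256, ...}}."""
    index = {}
    for size, digest in iocs:
        index.setdefault(size, set()).add(digest.lower())
    return index


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, ioc_index):
    """Walk `root`; hash only regular files whose size appears in the IOC index.

    Returns (matches, files_seen, files_hashed). A stat() is far cheaper than reading
    and hashing the whole file, which is why the size column saves analysis time.
    """
    matches, seen, hashed = [], 0, 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            seen += 1
            candidates = ioc_index.get(st.st_size)
            if not candidates:
                continue  # size alone rules the file out; nothing is read
            hashed += 1
            digest = sha256_file(path)
            if digest in candidates:
                matches.append((path, st.st_size, digest))
    return matches, seen, hashed


def demo():
    """Constructed tree: one true hit, one same-size decoy, two files of other sizes."""
    root = tempfile.mkdtemp(prefix="iocscan_")
    try:
        evil = b"MZ" + b"\x90" * 1022            # 1024 bytes, the constructed "malicious" sample
        files = {
            "evil.bin": evil,
            "decoy.bin": b"\x00" * 1024,         # same size, different hash: hashed, no match
            "notes.txt": b"clean file",           # 10 bytes: skipped by the size filter
            "big.dat": b"\xff" * 4096,            # 4096 bytes: skipped by the size filter
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        ioc_index = build_ioc_index([(len(evil), hashlib.sha256(evil).hexdigest())])
        matches, seen, hashed = scan(root, ioc_index)
        return {
            "matches": [os.path.basename(p) for p, _size, _digest in matches],
            "files_seen": seen,
            "files_hashed": hashed,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On the constructed tree, four files are stat()ed but only the two 1024-byte files are read and hashed; on a real disk image that ratio is what turns hours of hashing into minutes.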
"DFIR ORC was designed for forensic use from the start".
@_jeanga_ presenting the open source tool released by @ANSSI_FR at #Coriin2020 pic.twitter.com/3bMIza0okY
-
RDAP replaces whois and returns formatted JSON, which is good for automation. You can use the « nicinfo » tool, which parses the result for you.
#coriin2020 pic.twitter.com/W0uciK5H96
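Added example, not the nicinfo tool: a minimal reader for the RDAP domain object format (RFC 9083) that pulls out the fields worth putting in a ticket. SAMPLE_RDAP is a constructed response shaped like a registry's /domain/ answer; the domain, registrar, IANA ID, dates and REFERENCE_TIME are invented for the offline demo.

```python
"""Pull the fields an analyst wants out of an RDAP domain lookup (RFC 9083 JSON).

Added example, not from the talk and not the nicinfo tool. SAMPLE_RDAP is a constructed
response; the names, dates and IDs in it are made up.
"""
import json
from datetime import datetime, timezone

SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-lure.net",
    "status": ["client transfer prohibited", "server delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2020-01-20T09:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2021-01-20T09:15:00Z"},
        {"eventAction": "last changed", "eventDate": "2020-01-21T11:00:00Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "ns1.example-dns.net"},
        {"objectClassName": "nameserver", "ldhName": "ns2.example-dns.net"},
    ],
    "secureDNS": {"delegationSigned": False},
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrar"],
            "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Registrar, Inc."],
            ]],
        }
    ],
})

# Constructed "now" so the age computation is reproducible offline.
REFERENCE_TIME = datetime(2020, 1, 28, 12, 0, tzinfo=timezone.utc)


def _parse_date(value):
    # RDAP dates are RFC 3339; Python < 3.11 rejects a trailing "Z", so normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _vcard_value(entity, key):
    """Return the text of the first jCard property named `key`, or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == key:
            return prop[3]
    return None


def summarise_domain(rdap_json):
    """Flatten the parts of a domain object that matter for triage into one dict."""
    obj = json.loads(rdap_json)
    events = {e["eventAction"]: _parse_date(e["eventDate"]) for e in obj.get("events", [])}
    registrar = None
    registrar_iana_id = None
    for ent in obj.get("entities", []):
        if "registrar" in ent.get("roles", []):
            registrar = _vcard_value(ent, "fn")
            for pid in ent.get("publicIds", []):
                if pid.get("type") == "IANA Registrar ID":
                    registrar_iana_id = pid.get("identifier")
    return {
        "domain": obj.get("ldhName"),
        "status": obj.get("status", []),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "nameservers": [ns["ldhName"] for ns in obj.get("nameservers", [])],
        "dnssec": obj.get("secureDNS", {}).get("delegationSigned", False),
        "registrar": registrar,
        "registrar_iana_id": registrar_iana_id,
    }


def domain_age_days(summary, now):
    """Days between registration and `now`; None when the registry gave no registration event."""
    if summary["registered"] is None:
        return None
    return (now - summary["registered"]).days


if __name__ == "__main__":
    s = summarise_domain(SAMPLE_RDAP)
    print(s["domain"], s["registrar"], s["nameservers"])
    print("age (days):", domain_age_days(s, REFERENCE_TIME))
```

Because the registrar is an entity with a role rather than a fixed field, and its name lives inside a jCard array, the lookups above are the part that a hand-written whois scraper usually gets wrong; with JSON they are deterministic.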
-
Conclusion: automated static analysis, comparing the binaries on the target router with the binaries on a « clean » router to detect compromise.
#CoRIIN2020 pic.twitter.com/NfqKH5YUyn
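One way to implement that comparison (added example, not ANSSI's tool): fingerprint every regular file in both trees by SHA-256 and bucket each path as identical, modified, added or missing. The two directory trees and file names such as bin/ls are constructed, not real IOS XR images; the modified binary is given the same length as the original to show why a size check alone is not enough.

```python
"""Diff a suspect router's binaries against a known-clean one by content hash.

Added example, not ANSSI's tool. Both trees are constructed below; paths such as
bin/ls are illustrative names, not real IOS XR images.
"""
import hashlib
import os
import shutil
import tempfile


def fingerprint_tree(root):
    """{relative_path: (size, sha256)} for every regular file under root."""
    fp = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            fp[rel] = (os.path.getsize(path), digest)
    return fp


def compare_trees(clean_root, target_root):
    """Classify every path as identical, modified, added (target only) or missing (clean only)."""
    clean = fingerprint_tree(clean_root)
    target = fingerprint_tree(target_root)
    result = {"identical": [], "modified": [], "added": [], "missing": []}
    for rel in sorted(set(clean) | set(target)):
        if rel not in clean:
            result["added"].append(rel)
        elif rel not in target:
            result["missing"].append(rel)
        elif clean[rel][1] != target[rel][1]:
            # Compare the hash, not just the size: a patched binary often keeps its length.
            result["modified"].append(rel)
        else:
            result["identical"].append(rel)
    return result


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed clean/target trees: one untouched, one patched, one removed, one dropped file."""
    base = tempfile.mkdtemp(prefix="routerdiff_")
    clean, target = os.path.join(base, "clean"), os.path.join(base, "target")
    try:
        header = b"\x7fELF" + b"\x00" * 60
        original_ls = header + b"ls-body-v1"
        for root in (clean, target):
            _write(root, "bin/sh", header + b"sh-body")                # identical on both
        _write(clean, "bin/ls", original_ls)
        _write(target, "bin/ls", original_ls[:-1] + b"2")              # same size, one byte changed
        _write(clean, "bin/ps", header + b"ps-body")                   # removed on the target
        _write(target, "bin/.cache", header + b"dropper")              # present only on the target
        return compare_trees(clean, target)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:10s} {paths}")
```

The "added" and "modified" buckets are the review queue; "missing" is worth a look too, since attackers sometimes remove the tools that would have exposed them.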
-
Showing the graph structure with connections between processes from the memory dump.
#CorIIN2020 pic.twitter.com/XCdUOWrZOU
-
In IOS XR, Cisco removed the 'chmod' command. To execute your binary, upload one with the +x bit set and overwrite it with yours ;)
#CoRIIN2020 -
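The trick works because POSIX keeps the permission bits on the inode, not in the file's bytes: rewriting the contents in place leaves the mode alone, whereas creating a new file and renaming it over the old one yields a fresh inode with a umask-derived mode. This is an added example (not from the talk, and it does not touch IOS XR): it reproduces both cases in a temporary directory on a POSIX host, with made-up file names.

```python
"""Why overwriting an executable keeps it executable: the mode lives on the inode, not the bytes.

Added example, not from the talk. POSIX semantics only; file names are made up.
"""
import os
import shutil
import stat
import tempfile


def overwrite_contents(path, payload_path):
    """Copy payload bytes into the existing file: open(path, 'wb') truncates the same inode."""
    shutil.copyfile(payload_path, path)  # the existing mode bits on `path` are untouched


def replace_file(path, payload_path):
    """Create a fresh file and rename it over the target: a new inode with a umask-derived mode."""
    tmp = path + ".new"
    shutil.copyfile(payload_path, tmp)   # created as 0666 & ~umask, so never executable
    os.replace(tmp, path)


def is_executable(path):
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def demo():
    """Constructed scenario: an 'uploaded' +x file, then a payload written over it two ways."""
    d = tempfile.mkdtemp(prefix="xbit_")
    try:
        target = os.path.join(d, "tool")       # the file that already carries +x
        payload = os.path.join(d, "payload")   # our binary, uploaded without +x
        with open(target, "wb") as fh:
            fh.write(b"#!/bin/sh\necho original\n")
        with open(payload, "wb") as fh:
            fh.write(b"#!/bin/sh\necho replaced\n")
        os.chmod(target, 0o755)
        os.chmod(payload, 0o644)

        overwrite_contents(target, payload)
        exec_after_overwrite = is_executable(target)
        with open(target, "rb") as fh:
            content_replaced = fh.read() == b"#!/bin/sh\necho replaced\n"

        replace_file(target, payload)
        exec_after_replace = is_executable(target)
        return {
            "exec_after_overwrite": exec_after_overwrite,
            "content_replaced": content_replaced,
            "exec_after_replace": exec_after_replace,
        }
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same distinction matters on the defensive side: a file-integrity tool that only records mode and mtime of inodes will not see the in-place overwrite, while a content hash will.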
Remember the #NAFT "router-forensics" project by @DidierStevens? (https://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/) Everything changes and, today, we have tools for Cisco IOS XR! #CoRIIN2020 -
Next session from Solal Jacob, working for @ANSSI_FR on memory analysis of Cisco IOS-XR 32-bit routers
#coriin2020
-
The first solution for a SOC will be to block Pastebin, which is not bulletproof.
1. Signatures from network sensors: vulnerable to basic variants
2. Sandbox: first target for evasion (anti-VM/sandbox in PowerShell is frequent)
3. EDR
4. SIEM
No NTA? ;)
#CorIIN2020
-
Interesting talk, but fast-paced, so tough to comment. PowerShell example summary:
#CorIIN2020 pic.twitter.com/YA0St3b3xY
-
Funny fact: security researchers search only for what @pastebin does not allow :)
#CoRIIN2020 pic.twitter.com/gk5a6v3fYJ
-
Next talk is on Pastebin usage
#coriin2020
-
No, it’s not a DDoS... Just the effect of credential stuffing on a login page...
#CoRIIN2020 pic.twitter.com/XsMVuvLscd
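Credential stuffing looks like a flood at the load balancer, but it has a distinctive shape in the authentication log: many distinct accounts, each tried once or twice, from a spread of source addresses, almost all failing. Added example, not the speaker's material: the three log windows are constructed in a made-up `ip=... user=... result=...` format, and the thresholds in classify() are illustrative starting points, not published figures.

```python
"""Tell credential stuffing apart from brute force and from ordinary logins in an auth log.

Added example, not from the talk. Log format, addresses, usernames and thresholds are constructed.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed window 1: twelve accounts, six sources, eleven failures, one success.
STUFFING_WINDOW = """\
2020-01-28T10:00:01Z ip=203.0.113.10 user=alice result=fail
2020-01-28T10:00:01Z ip=203.0.113.11 user=bob result=fail
2020-01-28T10:00:02Z ip=203.0.113.12 user=carol result=fail
2020-01-28T10:00:02Z ip=203.0.113.13 user=dave result=ok
2020-01-28T10:00:02Z ip=203.0.113.10 user=erin result=fail
2020-01-28T10:00:03Z ip=203.0.113.14 user=frank result=fail
2020-01-28T10:00:03Z ip=203.0.113.15 user=grace result=fail
2020-01-28T10:00:03Z ip=203.0.113.11 user=heidi result=fail
2020-01-28T10:00:04Z ip=203.0.113.12 user=ivan result=fail
2020-01-28T10:00:04Z ip=203.0.113.13 user=judy result=fail
2020-01-28T10:00:04Z ip=203.0.113.14 user=mallory result=fail
2020-01-28T10:00:05Z ip=203.0.113.15 user=oscar result=fail
"""

# Constructed window 2: one account, one source, every attempt fails.
BRUTE_FORCE_WINDOW = "".join(
    f"2020-01-28T11:00:{i:02d}Z ip=198.51.100.7 user=admin result=fail\n" for i in range(12)
)

# Constructed window 3: a handful of users logging in, one typo.
NORMAL_WINDOW = """\
2020-01-28T12:00:01Z ip=192.0.2.20 user=alice result=ok
2020-01-28T12:00:09Z ip=192.0.2.21 user=bob result=ok
2020-01-28T12:00:15Z ip=192.0.2.22 user=carol result=fail
2020-01-28T12:00:21Z ip=192.0.2.22 user=carol result=ok
2020-01-28T12:00:30Z ip=192.0.2.23 user=dave result=ok
2020-01-28T12:00:44Z ip=192.0.2.24 user=erin result=ok
"""


def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile(events):
    """Per-window features: volume, failure ratio, and how concentrated users and sources are."""
    n = len(events)
    users = Counter(e["user"] for e in events)
    ips = Counter(e["ip"] for e in events)
    fails = sum(1 for e in events if e["result"] == "fail")
    return {
        "attempts": n,
        "fail_ratio": fails / n if n else 0.0,
        "distinct_users": len(users),
        "distinct_ips": len(ips),
        "top_user_share": users.most_common(1)[0][1] / n if n else 0.0,
        "top_ip_share": ips.most_common(1)[0][1] / n if n else 0.0,
    }


def classify(p, min_attempts=10):
    """Illustrative thresholds; tune them against your own login volume."""
    if p["attempts"] < min_attempts or p["fail_ratio"] < 0.5:
        return "normal"
    if p["top_user_share"] >= 0.5:
        return "brute_force"          # one account, many passwords
    if p["distinct_users"] / p["attempts"] >= 0.7:
        return "credential_stuffing"  # leaked pairs tried about once each, across many accounts
    return "suspicious"


if __name__ == "__main__":
    for name, window in (("stuffing", STUFFING_WINDOW), ("brute", BRUTE_FORCE_WINDOW), ("normal", NORMAL_WINDOW)):
        print(name, classify(profile(parse(window))))
```

Rate limiting per source address, the usual anti-DDoS reflex, barely dents the first window because each address only sends two attempts; counting distinct usernames per window and alerting on the success-after-many-failures pattern is what catches it.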
-
Two numbers: 52% of users use the same password everywhere; 85% of users re-use passwords on e-commerce sites.
#CoRIIN2020 -
Interesting analysis of data leaks: not how stolen data are (ab)used but how they are leaked...
#CoRIIN2020 -
Even attackers benefit from increased computing power...
#CoRIIN2020 pic.twitter.com/qAP0WKhvqi
-
Next talk from Sebastien Merio, head of the CSIRT at OVH: « Data leakage and credential stuffing »
#coriin2020
-
The conclusion is boring but important: in the cloud too, prepare and monitor before you need it.
#CorIIN2020