Sources & Methods Newsletter #16 - January 2024
Happy New Year! I hope your holidays were restful and you're ready to get back to it. At the risk of sounding cheesy, we know the adversaries are, so beat them to the punch.
Good luck,
Matthew Conway (@mattreduce)
π Sources
Unprotect Project - Actively maintained knowledge base for evasion and obfuscation techniques used in malware. It includes code examples in multiple languages, something both red and blue teams can appreciate.
π° Information
John Doyle - Helping CTI Analysts Approach and Report on Emerging Technology Threats and Trends (Part 2) #writing #trending
Jamf - Jamf Threat Labs discovers new malware embedded in pirated applications #macOS #malware
Troy Hunt - Inside the Massive Naz.API Credential Stuffing List #identity #credentials #stealers
Maltego - Improving your Intelligence Analysis with Structured Analytic Techniques #tradecraft #SAT
Adam Shostack - Threat Modeling Capabilities Released #threatmodeling #maturity
Red Canary - MSIX installer malware delivery on the rise across multiple campaigns #operational #TTPs #Windows
MITRE - Enriching Threat Intelligence with Mappings #defenses #actionability
Insikt Group - Leaks and Revelations: A Web of IRGC Networks and Cyber Companies [PDF] #strategic #Iran #IRGC #longreads
Filigran - OpenCTI for disinformation #tooling #disinformation
Freddy Murstad - Foresight Analysis: The Magic Eight Ball of Intelligence Analysis #strategic #foresight
π Tools
IntelRAGU
github.com/Cyb3rWard0g/IntelRAGU
A very interesting use of generative AI applied to CTI. Query MITRE ATT&CK's Groups dataset like a chatbot with Retrieval Augmented Generation (RAG). Note that it requires an OpenAI API key.
cvemap
github.com/projectdiscovery/cvemap
Here's a brand new tool from Project Discovery called cvemap. It helps you navigate and map CVE data to proof of concept exploits, CISA Known Exploited Vulnerability data, bug bounty reports and more.
Synapse-HashLookup
github.com/ancailliau/synapse-hashlookup
Rapid PowerUp for Vertex Synapse for checking file hashes against multiple databases of known files, including the NSRL RDS.
holehe
Use holehe to discover online accounts based on an email address.
mql-vscode
github.com/sublime-security/mql-vscode
Working with Sublime Security's Message Query Language (MQL)? Here's a Visual Studio Code extension you can use with MQL to define phishing rules for alerting and hunting.
gron
JSON and grep: depending on your role, both are indispensable but they mix like oil and water. Unless you use gron, which makes it easy to grep for parts of JSON data line-wise and see the path to that data. It makes your task easier whether you're quickly exploring an API or a dataset.
π‘ Tip
Don't forget to spend time building your technical knowledgeβor maintaining it if you've been doing this a long time. That'll help you make sound connections and impactful recommendations, and isn't that the whole point?
π Events
FIRST CTI
π Berlin, DE
π’ Mercure Hotel MOA
π April 15-17
π https://www.first.org/conference/firstcti24/
BSidesSF
CFP for workshops, villages, and BoF will close on February 5, 2024
π San Francisco, CA, US
π Conference May 4-5
π CFP https://bsidessf.org/cfp
SLEUTHCON
π Arlington, VA, US
π Conference May 24
π https://www.sleuthcon.com/
Member discussion