Greg Lesnewich Profile
Greg Lesnewich

@greglesnewich

3,460
Followers
771
Following
1,157
Media
5,920
Statuses

great, now I'm on twitter

Joined May 2020
@greglesnewich
Greg Lesnewich
1 year
Of course that’s your contention. You’re a first-year threat intel analyst. You’ve just read up on the MITRE ATT&CK framework and are convinced every problem is solve-able with a T-code
@GlennLuk
Glenn
1 year
Of course that’s your contention. You’re a first-year associate on Morgan Stanley’s international desk. You just finished reading Business Insider and are convinced that the CCP has taken out a trillion dollars of debt …
107
903
11K
19
71
342
@greglesnewich
Greg Lesnewich
2 years
Little after school project 🔬🔭 a few examples of common encoding/encryption mechanisms to help newer analysts learn to eyeball them: heavily inspired by work from @c3rb3ru5d3d53c and @cyb3rops 💝 was fun to get some practice using Jupyter notebooks
5
95
314
@greglesnewich
Greg Lesnewich
3 years
there's nothing like the disappointment of chasing down a hot new exploit, where the only IP sending a probe not from a TOR node initiates a multi-step chain all leading to... a cryptominer
2
19
223
@greglesnewich
Greg Lesnewich
1 year
What, dear reader, are in your opinion, some of the best conference talks on discovering & tracking APT groups? Think less “here’s a stock profile of this actor”, more “here’s how we found this thing” I’ll start:
6
61
205
@greglesnewich
Greg Lesnewich
3 years
are you new to using YARA or are you a seasoned vet? are you looking for a warm, collaborative environment to get creative new ideas with random internet friends? if so, #100DaysofYARA is for you! Kicks off Jan 1, join us won't you?
11
40
200
@greglesnewich
Greg Lesnewich
11 months
Do you want to learn YARA to track malware but don't know where to start? In anticipation of #100DaysofYARA we're giving away 3 free seats to AND's YARA Course! To enter, reply to this tweet with what malware you want to track. Most creative responses by Friday 2023-11-24 win!
56
77
179
@greglesnewich
Greg Lesnewich
1 year
🚨 Job Openings! Our team is looking to hire for 2 positions on our APT tracking team. Primary responsibilities & day-to-day will be disrupting state-aligned or state-sponsored actors trying to deliver malware, phish, or otherwise engage with our customers, in email data.
4
59
140
@greglesnewich
Greg Lesnewich
2 years
Happy new year and happy #100DaysofYARA to all those subjected to them! Toying with some longer tutorials on GitHub for this go round, on a likely weekly basis. Today's subject matter: a look at triage and bulk analysis, and rule writing for LNK files
3
40
141
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA #100DaysofYARA2 gang! We've got a game plan for Jan 1! 100 Days of YARA is a self-enforced challenge to learn YARA for the first time, or learn new techniques for creating rules, or submit rules for cool malware you've observed! 🧵
4
44
125
@greglesnewich
Greg Lesnewich
3 years
Day 100 #100DaysofYARA we made it! Reflecting on the last 100 days, it has been fun to see participation and encouragement (yes those things are possible on Twitter) Some highlights ⬇️🧵
9
33
127
@greglesnewich
Greg Lesnewich
11 months
The whole gang got up for this one to wrap up on TA422 (aka APT28, Fancy Bear, Forest Blizzard, FROZENLAKE, BlueDelta, Sednit, etc.) spraying n-day exploits August through November TL;DR:
1
42
121
@greglesnewich
Greg Lesnewich
2 years
I started this week with the Proofpoint @threatinsight team. I’ll be working alongside the hyper talented APT crew @Zydecaa @aRtAGGI @ChicagoCyber and #CristaNeedsATwitter and I’ve been learning from them all daily I’ll be working DPRK 🇰🇵 so any tips are appreciated!
15
0
111
@greglesnewich
Greg Lesnewich
1 year
The next CTI blog is gonna blow minds…. Actor: 1 of 4 active APT groups Setting: a high value target TTPs: one new one detections: banging IOCs: in an image - not on VT ATT&CK: not done bc is more work Outlook: actor will continue doing this Share of voice: Number 1 💪
16
10
110
@greglesnewich
Greg Lesnewich
3 years
Weekend Reading (or viewing) - a pretty clever set of C2 mechanisms, steganography and backdoors targeting Japan from @TeamT5_Official might be a new favorite cluster 🤔 check it out!
2
33
105
@greglesnewich
Greg Lesnewich
2 years
#dailyyara did you know that you can pull out PDB age (aka number of times the PDB file has been saved/updated) out of PE's to get an idea of how many times it's been updated?
4
15
101
@greglesnewich
Greg Lesnewich
2 years
half of Mandiant right now
4
11
94
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA LNK files often store a CLSID in the TargetID fields - the previous file we looked at (GOLDBACKDOOR) did not include this header, so I suspected looking for LNKs without that CLSID might surface some anomalies More on LNK file structure:
5
21
95
@greglesnewich
Greg Lesnewich
2 years
Today is my last day @RecordedFuture - it has been an amazing ride. I am grateful to have worked at such a special place with such incredible colleagues
4
2
93
@greglesnewich
Greg Lesnewich
1 year
Shameless plug - Sleuthcon videos are up! Check ‘em all out Had fun taking 🇰🇵 #TA444 initial access methods for cryptoheists 💰 & first sighting of targeting 🍎 MacOS thanks @JohnHultquist for letting an APT guy join the fun!
6
25
89
@greglesnewich
Greg Lesnewich
3 years
Since the FireEye YouTube channel has unlisted/privatized most of the content, wanted to share a list of some of my favorite talks from CDS tech tracks that I still had links for (hope someone else finds them useful) Add your faves / tag folks below! These are in no order
3
18
91
@greglesnewich
Greg Lesnewich
3 years
Happy #100DaysofYARA - here's the gist I'll be using to keep the rules as I write them. Today's is a nice hangover cure to look for PE files using... the hashing module??
1
13
86
@greglesnewich
Greg Lesnewich
1 year
Friday drop - a lil POC for trying to find similarity across Macho files! tl;dr two scripts to get: 🔧 dylib hash (dependencies) 🏗️ export hash 🛂 import hash 👷‍♂️ certificate name hoping we can use this to aid our quick pivots across Mac malware!
4
38
84
@greglesnewich
Greg Lesnewich
2 years
Okay palingtons, #100DaysOfYARA2 is popping off Jan 1, 2023 🎉🥳 More details to come, but watch this space for details We’ll be using this repo where ALL the rules will live 👾 To participate, just commit rules or tools! (git how-to forthcoming)
6
24
81
@greglesnewich
Greg Lesnewich
8 months
Nice piece on some kit attributed to TA421 / APT29 / Midnight Blizzard / BlueBravo / Cozy Bear See also:
@Threatlabz
Zscaler ThreatLabz
8 months
🚨New threat actor, SPIKEDWINE, impersonates Indian government officials to deliver WINELOADER malware in a #phishing campaign that targets European diplomats. Check out our technical analysis here:
3
24
78
4
12
78
@greglesnewich
Greg Lesnewich
3 years
Day 64 #100DaysofYARA looking for PE headers where the prevalence of 0x0 bytes is less than 50%. Normalish PE headers from offset 0x0 to 0x40 are composed of roughly 80% 0x00 bytes
5
19
77
@greglesnewich
Greg Lesnewich
8 months
Tweet media one
@nohackme
Mick Baccio
8 months
this is such fantastic design CFP open - submit now!
0
1
22
1
8
74
@greglesnewich
Greg Lesnewich
11 months
About a month from now, #100DaysofYARA will kick off! Explainer on how to participate is linked below but the TL;DR is: A self-paced, concerted effort to learn YARA by writing a new rule everyday, starting January 1
1
22
71
@greglesnewich
Greg Lesnewich
1 year
🚨 ATTN Mac Malware Analysts! Do you hate triaging Macho samples because you have to use 8 tools? Well hate no more because @cxiao__ & @huettenhain just built the machometa unit for BinaryRefinery get signing info, dylibs, header info, exports, and more in one command!
3
15
70
@greglesnewich
Greg Lesnewich
1 year
in reviewing papers on DPRK tooling, like great research from ESET, Mandiant, and AhnLab on FudModule/LIGHTSHOW, and LightlessCan, I get the sense that there is a team within TA404/TEMP.Hermit/Diamond Sleet tasked to reverse the Windows OS to improve tooling for long term access
7
17
68
@greglesnewich
Greg Lesnewich
10 months
#100DaysofYARA day 03 - talking SpectralBlur, a MacOS (and other OS 🤫) backdoor linked to TA444/Bluenoroff, that I suspect is a cousin of the KandyKorn family our pals at Elastic found!
1
18
66
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA more Mac malwares - today our specimen will be CloudMensis (used by APT37 🇰🇵) as analyzed by the amazing teams at ESET and Volexity Walkthrough using binja to sig functions, command line tools for string extraction, and binref for slicing
1
19
62
@greglesnewich
Greg Lesnewich
8 months
KV-Botnet: Don’t Call It A Comeback excellent work from Lumen about how Volt reacted to their first blog and how it fought to regain its infrastructure DURING and after disruption efforts
1
19
61
@greglesnewich
Greg Lesnewich
2 years
Great news @CYBERWARCON attendees! To atone for their god awful candy bracket from Halloween, the team at @GreyNoiseIO is offering actually GOOD candy varieties as a token of goodwill to the community!
8
2
63
@greglesnewich
Greg Lesnewich
2 years
⚡️📡cool new @GreyNoiseIO feature - IP Similarity. This IP () has some gross content in its web paths - before IP similarity, I'd have to manually query for combos of Powershell and that X-Cmd-Response string
2
18
62
@greglesnewich
Greg Lesnewich
2 years
Baby’s first blog! Check out our reporting on TA444 which has more AKAs than the Bodega Boys - but long story short they steal 💰cryptocurrencies for 🇰🇵 We rolled up their activity from 2022 where they rolled out new products, changed their GTM, and maybe tested in prod??
@threatinsight
Threat Insight
2 years
TA444, the North Korea-sponsored #APT group behind the Bangladesh Bank heist, continues with its upstart mentality. New report by @proofpoint @threatinsight researchers: #APT38 #Bluenoroff
1
41
83
7
14
61
@greglesnewich
Greg Lesnewich
1 year
There are few MUST ATTEND conferences every year. CYBERWARCON is at the very top of the list See the very cutting edge research on ACTUAL cyber attacks (disruption, destruction, and degrading systems), hack and leak operations, and coordinated inauthentic behavior.
@CYBERWARCON
CYBERWARCON
1 year
CYBERWARCON is coming!!! Registration and CFP are now open for this year’s #CYBERWARCON ! Our keynote will be from @vzhora , one of Ukraine’s esteemed cyber leaders. The in-person event is in Arlington, VA on Nov. 9th and virtual tickets are available. 1/x
9
88
196
1
12
58
@greglesnewich
Greg Lesnewich
10 months
happy new year and #100DaysOfYara ! Getting right to the nitty gritty - tracking Andariel/TA430/Onyx Sleet in-memory payloads (as found by our pals at MSFT and Talos!) with @hatching_io and YARA!
0
13
55
@greglesnewich
Greg Lesnewich
2 years
Had a blast at @GreyNoiseIO road show first stop in NYC! The audience was subjected to rants about the physics of mass exploitation from @Andrew___Morris and myself, and some other collection benefits from their platform 📡🛰 Go see them when they stop by YOUR city!
3
3
54
@greglesnewich
Greg Lesnewich
1 year
some days chasing DPRK 🇰🇵 crypto activity be like
2
5
53
@greglesnewich
Greg Lesnewich
11 months
the homie @jacoblatonis dropped a blog on getting a Macho module added to YARA-X (the future of YARA) super excited to have all of these macho's parseable to hone in on discrete features & developer choices 🚀🚀🚀
4
10
53
@greglesnewich
Greg Lesnewich
2 years
💝 post for @patrickwardle book The Art of Mac Malware. it's FREE and it explains malware concepts very clearly. It's been super helpful for me working 🇰🇵👾 if you've been wanting to start learning malware analysis, the book is the PERFECT starting place
1
18
52
@greglesnewich
Greg Lesnewich
3 years
Day 4 of #100DaysofYARA : 🎉introducing ExpHash 🎉 ?! yara can hash any part of a file. this is a dumb attempt to hash the export table (like imphash). I don't think the export address table is a PERFECT measure or detection
7
10
51
@greglesnewich
Greg Lesnewich
1 year
in my pursuit of dense and succulent YARA rules, I don't know if anyone has had more impact on my rule writing process than @stvemillertime Steve has kindly written a course for @NetworkDefense about using YARA and I ABSOLUTELY recommend taking it 🧵
@chrissanders88
Chris Sanders 🔎 🧠
1 year
I’m excited to launch our latest online course, YARA for Security Analysts. We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intel research. #Yara #DetectionEngineering #DFIR #Malware
6
171
651
3
6
50
@greglesnewich
Greg Lesnewich
11 months
If you are looking to get into, or are in, the threat research / intel or malware analysis spaces, you gotta be following @embee_research and read every piece of content they drop Dropping 🔥 every damn day
@embee_research
Matthew
11 months
New blog looking at dealing with Encrypted strings in Ghidra. Leveraging debuggers to semi-automate string decryption and fix up an obfuscated Ghidra file 🤓 #Malware #ghidra
0
40
164
0
10
51
@greglesnewich
Greg Lesnewich
1 year
Excited for this one! LABSCon is a must-attend con for tracking TAs 🇰🇵 is trying to make 💰for 🚀 by hitting macOS 🖥️🍎 This talk will give a whirlwind tour of the groups and dive into their tooling ➕ 🔬 analysis methods 🧬 how we link families together 🌶️ new malfams
@labscon_io
LABScon
1 year
At #LABScon23 , Proofpoint's Greg Lesnewich will take a close look at similarities in macOS components used in North Korean crypto heists @greglesnewich
0
10
32
4
5
48
@greglesnewich
Greg Lesnewich
1 year
One under-discussed problem in infosec is blatant meme theft I don’t need to see that alien next to the PMA book 15 times. Just the original post will do just fine
10
1
47
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA day 2 - more LNK fun! Today taking a gander at GOLDBACKDOOR loader as reported on by @silascutler + @InsideStairwell
1
13
50
@greglesnewich
Greg Lesnewich
1 year
I had a lot of fun working on Floss2Yar with the genius @ConnorSecurity (any good code is his) and giving this talk @labscon_io The Lamberts are academically interesting because of the small sample count & code sharing, but really this talk is my love letter to YARA
@SentinelOne
SentinelOne
1 year
🕵️ Discover the power of YARA in pursuing apex actors in the cyber world. Join @greglesnewich , senior threat researcher at @proofpoint , in his #LABScon talk. #cybersecurity #YARA #malwareanalysis
0
11
22
2
12
49
@greglesnewich
Greg Lesnewich
1 year
We see this group (TA427) operating fast and furiously. Recent subject lines:
- Request for reviewing
- Request for your contribution to our column
- Re: Invitation to Review
- Your opinion
- Request for your comments
- Request for Meeting(Korean Embassy)
@NSACyber
NSA Cyber
1 year
DPRK cyber actors continue impersonating legitimate journalists, academics, and think tank employees in coordinated spearphishing campaigns. Read our joint advisory to learn about their tactics and our mitigations to protect against these attacks.
54
185
364
1
11
49
@greglesnewich
Greg Lesnewich
2 years
Come check out team Proofpoint at @SLEUTHCON talking about Life After Macros and some #TA444 fun! Say hello if you see TR gang members @selenalarson @joewise34 or @sherrod_im
2
11
49
@greglesnewich
Greg Lesnewich
1 year
the duality of GreyNoise some of the most kind and brilliant individuals unite to make an insanely helpful product but every year they join forces to come up with the most idiotic candy brackets these eyes have ever seen
@GreyNoiseIO
GreyNoise
1 year
Happy Halloween 🎃
12
3
36
11
3
47
@greglesnewich
Greg Lesnewich
1 year
The KANDYKORN family has some super consistent "features" 🍭🌽👀👾 shameless methodology plug: cc @techyteachme @patrickwardle @DefSecSentinel
@objective_see
Objective-See Foundation
1 year
@elasticseclabs exposed an attempt by the DPRK to infect blockchain engineers w/ novel macOS malware 🍎🐛🇰🇵 Read: We've just added the full sample to our public macOS malware repo #SharingIsCaring ☣️ KandyKorn: (pw: infect3d)
3
21
52
0
12
46
@greglesnewich
Greg Lesnewich
3 years
Day 65 #100DaysofYARA - looking for PE's or ZIPs inside of dotnet resources to spot some loaders! uses the dotnet module because they are parsed differently than PEs Good blog on other methods of finding dotnet loaders from ReversingLabs here:
2
16
43
@greglesnewich
Greg Lesnewich
11 months
Taking any and all references to passive backdoors (excluding IIS for now - whole diff topic imo) Off top: White Lambert, Exforel, Daxin, HIGHNOON/Winnti, BPFdoor, SEASPY, LOWKEY, Mata, FoggyWeb I know I’m missing a bunch cc @craiu @juanandres_gs @stvemillertime
@JWilsonSecurity
Jared Wilson
11 months
@greglesnewich @NetworkDefense @chrissanders88 I'd love to see more yara sample hunting equities that are prevalent in passive backdoors, especially those targeting networking devices.
1
0
8
17
6
42
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA today another longer blurb on another 🇰🇵 DPRK 🍏 Mac Malware 🍎, MATA aka Dacls! This family has been thoroughly analyzed by the community and wanted to add on a bit of how one might signature some unique strings + functions in the family!
1
13
42
@greglesnewich
Greg Lesnewich
9 months
#100DaysofYARA Day 07 - another condition only rule this time looking for the HTTPSnoop and PipeSnoop families found by Talos a little avant garde, but both store config info in the .data section, XOR'd with a 1 byte key following the same structure
3
16
40
@greglesnewich
Greg Lesnewich
1 year
this is (as usual) GREAT work from the Elastic team! love finding a fun code-signing technique for these DPRK MacOS tools to find more evil 🤌 and love the halloween theme!
@elasticseclabs
Elastic Security Labs
1 year
The DPRK was so excited about Halloween, they got a head start on passing out candy. Check out REF7001, AKA KANDYKORN – a malware distributed in cryptocurrency servers on Discord: #malware #threatdiscovery #cryptocurrency #discord #ElasticSecurityLabs
0
34
88
2
9
43
@greglesnewich
Greg Lesnewich
2 years
Nothing like blowing away your whole Python install on a Friday night because of one small error
6
1
41
@greglesnewich
Greg Lesnewich
1 year
Do you have any thoughts of your own on the subject or were you just gonna plagiarize some of the less popular SANS threat intel summit videos for me?
6
2
38
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA version 4.3 includes parsing for delayed imports for PE's! What are delayed imports? They encompass a separate data directory in the file format but the PE author may not choose to delay the import; @notareverser told me it's just the linker deciding 🤯
3
6
42
@greglesnewich
Greg Lesnewich
10 months
#100DaysofYARA Day 6 sometimes our pals in TA404/Zinc/Temp.HERMIT/Diamond Sleet reuse export names and add a dubya ("W") to the end of the second name. let's create a loose rule looking for duplicates like that! Examples in the second pic thanks to Ronnie Coleman
3
12
42
@greglesnewich
Greg Lesnewich
1 year
And you’ll believe that until next month when you read Sandworm and get convinced that tracking adversaries is simple and their intentions are straightforward to understand
2
1
37
@greglesnewich
Greg Lesnewich
11 months
listen, I knew @invisig0th @whippit_ and the whole gang @vtxproject were geniuses. I didn't realize the extent of their brilliance until the folks @KC7cyber provided a training on it today my head is spinning with the possibilities and power of Storm & Optic
1
7
39
@greglesnewich
Greg Lesnewich
11 months
Okay so you all might notice a family rename happening here shortly The TA406/Konni cluster uses a pretty distinct infection chain, but we’ve been lax as an industry by calling the backdoor the same name as the actor Trying to end that today - we will be calling it UpDog ⬆️🐶
@ET_Labs
ET Labs
11 months
19 new OPEN, 24 new PRO (19 + 5) Updog Backdoor, SysJoker, RogueRaticate Thanks @_cpresearch_ , @intezerlabs
0
2
7
3
5
40
@greglesnewich
Greg Lesnewich
1 year
Quick update - adding an entitlement hash - shouts to @matthewdunwoody for the idea and @JWilsonSecurity 's PermHash for inspiration! There are a few common ones, but a few that might be good pivots or anchors!
@greglesnewich
Greg Lesnewich
1 year
Friday drop - a lil POC for trying to find similarity across Macho files! tl;dr two scripts to get: 🔧 dylib hash (dependencies) 🏗️ export hash 🛂 import hash 👷‍♂️ certificate name hoping we can use this to aid our quick pivots across Mac malware!
4
38
84
3
8
39
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA starting a little theme of Mac malware thanks to @shellcromancer , a post by @_xpn_ and of course @patrickwardle Today starting off easy by looking for files that reference dyld APIs like NSLinkModule or NSCreateObjectFileImageFromMemory for payload injection!
4
15
40
@greglesnewich
Greg Lesnewich
3 years
Forgot to tweet on the weekend - Days 8-10 chunk of backlogged #100DaysofYARA rules! Looking for single byte XOR encoded PE's! The first batch of rules was inspired by @huettenhain and Binary Refinery using the byte from 0x3 as a XOR key to decode exes
1
11
39
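The key-at-offset-0x3 trick behind those rules, worked through as an added Python example (not the author's rules and not Binary Refinery code): a plain PE starts "MZ\x90\x00", so byte 0x3 is 0x00 and a single-byte XOR of the whole file leaves the key in the clear at that offset. The sample header and the key 0x5A are constructed for the demo; the script also corroborates the hit via the DOS stub string or the "PE\0\0" signature at e_lfanew, which is the check a rule needs to avoid false positives.

```python
"""Detect single-byte XOR encoded PE files using the key leaked at offset 0x3.

Added example, not from the tweet or from Binary Refinery. Assumption
(true for virtually all PEs): the DOS header begins "MZ\x90\x00", so the
plaintext byte at 0x3 is 0x00 and the encoded byte at 0x3 equals the key.
"""
from typing import Optional

DOS_STUB_MARKER = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (0-255)."""
    return bytes(b ^ key for b in data)


def leaked_key(data: bytes) -> Optional[int]:
    """Candidate key: the byte at 0x3 (0x00 in an unencoded PE header)."""
    if len(data) < 0x40:          # too short to hold a full DOS header
        return None
    return data[3]


def check_xored_pe(data: bytes) -> dict:
    """Classify a blob as plain PE, single-byte-XOR'd PE, or neither.

    A hit needs the decoded prefix to start with "MZ" plus one corroborating
    artifact: the DOS stub string, or a valid "PE\\0\\0" at decoded e_lfanew.
    """
    verdict = {"key": None, "is_plain_pe": data[:2] == b"MZ", "is_xored_pe": False}
    key = leaked_key(data)
    verdict["key"] = key
    if not key:                   # None (too short) or 0x00 (nothing to undo)
        return verdict
    header = xor_bytes(data[:0x80], key)
    if header[:2] != b"MZ":
        return verdict
    e_lfanew = int.from_bytes(header[0x3C:0x40], "little")
    pe_sig_ok = (
        e_lfanew + 4 <= len(data)
        and xor_bytes(data[e_lfanew:e_lfanew + 4], key) == b"PE\x00\x00"
    )
    stub_ok = DOS_STUB_MARKER in header
    verdict["is_xored_pe"] = pe_sig_ok or stub_ok
    return verdict


def build_sample_pe_header(e_lfanew: int = 0x80) -> bytes:
    """Constructed, non-executable PE-like header for the demonstration."""
    hdr = bytearray(b"MZ\x90\x00" + b"\x00" * (0x3C - 4))
    hdr += e_lfanew.to_bytes(4, "little")               # e_lfanew at 0x3C
    hdr += b"\x0e\x1f" + DOS_STUB_MARKER + b".\r\r\n$"  # DOS stub
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00" + b"\x64\x86" + b"\x00" * 18   # PE sig + COFF stub
    return bytes(hdr)


if __name__ == "__main__":
    plain = build_sample_pe_header()
    encoded = xor_bytes(plain, 0x5A)    # constructed: whole file XOR'd with 0x5A
    print("plain  :", check_xored_pe(plain))
    print("encoded:", check_xored_pe(encoded))
```

The same idea expressed in YARA is `uint8(3)` as the key, with the decoded "MZ" and e_lfanew checks spelled out as XOR conditions; a PE whose plaintext byte 0x3 is nonzero (an unusual e_cblp) would defeat the inference, which is why the corroboration step matters.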
@greglesnewich
Greg Lesnewich
8 months
I had the pleasure of taking this course earlier this month - it's awesome. If you're in the threat research or actor-tracking space and looking to git gud at rolling up threat actor infrastructure with mostly FREE tooling, you HAVE to take this course
@MichalKoczwara
Michael Koczwara
8 months
In February, we'll release modules/lessons on👇 A comprehensive guide about tracking Sliver C2 🔥 Hunting Cobalt Strike redirectors ⚡️ (APT29 style) Using the Diamond Model of Intrusion Analysis 💎 Hunting APT38 and APT43 part 2 🇰🇵 Magecart 🧙‍♂️ Tips for open directories 🕵️ and
6
33
178
1
3
39
@greglesnewich
Greg Lesnewich
3 years
A quick #dailyyara crossover episode with #dailypcap now before you say anything, I acknowledge I am a @stvemillertime wanna-be :D now to the fun
1
10
38
@greglesnewich
Greg Lesnewich
11 months
Tweet media one
0
2
38
@greglesnewich
Greg Lesnewich
9 months
#100DaysofYARA Day 12: more info sigs for Macho's, this time checking for LOOBins (living off the orchard ayyy) as found in the project from the legend @infosecb check out the project at Rules up in here:
2
10
34
@greglesnewich
Greg Lesnewich
1 year
did TA452 rizz up IcedID?? will IcedID replace Emotet as the eCrime Drip King? find out from @selenalarson @Myrtus0x0 @joewise34 and Crista on the new DISCARDED episode! 🍎: 🟢: art via @0xkyle
4
11
37
@greglesnewich
Greg Lesnewich
1 year
That view of a static-unchanging adversary will last until your second year when you’ll be on here regurgitating Timo’s book and Juan’s paper about the complexities of how an APT is actually composed
2
1
35
@greglesnewich
Greg Lesnewich
9 months
#100DaysofYARA Day 9 - some fav APT crews use Lua to supplement their operations - let's look for executables that show traces of Lua! basic rule but might be a good starting place for finding fun old malware <3 Lua stans @juanandres_gs @jacoblatonis @M_haggis @HackingLZ
3
10
36
@greglesnewich
Greg Lesnewich
3 years
Day 78 #100DaysofYARA - fun with the dotnet module looking for user strings (typically wide strings) that imply command execution. Why look in this way vs just as strings? Well this rule tells us immediately that the file is a dotnet executable
2
4
36
@greglesnewich
Greg Lesnewich
3 years
Day 18 of #100DaysofYARA is inspired by this Tweet from @notareverser My reaction was - can YARA help verify some of the knowledge of the config structure? Answer: yes-ish!
@notareverser
French
3 years
A configuration dumper is the proof that you understand some part of the malware behavior A YARA signature is the proof that you understand some part of the malware identity There is a tension between the two that isn't simple to tease out
0
1
12
3
9
38
@greglesnewich
Greg Lesnewich
1 year
My wife is too hot for me to know more than one programming language Happy birthday beloved @racheleadam
2
0
38
@greglesnewich
Greg Lesnewich
2 years
Anyone else need something like an #infosec bookclub but for all of the video trainings and books they’ve bought over the years and have only gotten part of the way through each of them?
2
2
36
@greglesnewich
Greg Lesnewich
1 year
Reflecting on how time can really favor the defender space today. My current view of the DPRK cryptocurrency focused clusters is heavily based on public reporting from the collective - even sharing small slivers can help really advance what we all understand about an adversary
1
8
36
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA another long form post in the creation of a rule for TigerRAT/TigerLoader! Some great work was done on this family by KRCERT, ThreatRay, MalwareBytes, and Kaspersky that highlighted how the next stage was stored - can we sig that pattern?
0
9
34
@greglesnewich
Greg Lesnewich
3 years
#dailyyara for PE's that contain Win commandline utils for host recon
rule SUSP_PE_Host_Recon {
    strings:
        $ = "ipconfig" ascii wide
        $ = "whoami" ascii wide
        $ = "net user" ascii wide
        $ = "netsh" ascii wide
        $ = "systeminfo" ascii wide
        //continued
1
7
34
@greglesnewich
Greg Lesnewich
9 months
#100DaysofYARA Day 8 - fun with the scriptlets dropped by APT28/TA422/FancyBear we call it EchoLaunch, @XForceGlobal calls this HeadLace - check out their excellent work: this script is smol, does a lot, and has 2 newlines after exit statement 👀
2
10
32
@greglesnewich
Greg Lesnewich
1 year
lots of important work in CTI on 🇰🇵 DPRK crypto-ops 🪙 going on at the moment! I wanted to highlight a few talks that were very helpful for me in understanding how we got here! 1st, Katie Blankenship gave an excellent overview of DPRK cyber evolution
2
3
34
@greglesnewich
Greg Lesnewich
2 years
#100DaysofYARA More MacOS! Today adding info and suspicious rules for various plist parameters! those that can aid persistence get flagged as SUSP, while any b64 obfuscation or xor-ing also gets flagged as Suspicious!
1
14
34
@greglesnewich
Greg Lesnewich
9 months
late nights (evenings) in the lab (on the couch) working on something big (a mad decent YARA rule) and just grinding (watching basketball and eating ice cream, v cozy) its a mindset (I'll get bored and go to bed soon)
2
0
33
@greglesnewich
Greg Lesnewich
10 months
#100DaysofYARA day 5 - looking for LNK files that might create scheduled tasks! we've kept it basic using YARA's built in XOR and base64 modifiers, but we could also use @stvemillertime 's Cerebro tool to create myriad variations of those strings!
1
5
34
@greglesnewich
Greg Lesnewich
8 months
Big finding here - Emerald Sleet (TA427, APT43, THALLIUM, Velvet Chollima) using LLMs for a lot of things. RIP to all of the RFIs asking about this for the last year 😫💀😭
@MsftSecIntel
Microsoft Threat Intelligence
8 months
Microsoft, in collaboration with OpenAI, is publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors Forest Blizzard, Emerald Sleet, Crimson Sandstorm, and others. Learn more:
4
126
324
2
4
33
@greglesnewich
Greg Lesnewich
1 year
@ex_raritas @KennethS_1028 we avoided the # years of experience because, in the intel/threat-tracking space, 2 years of rapid tempo or high quality work can outweigh 6 years of a more lax or passive effort. looking for folks who’ve tracked groups in similar data I'd always say apply anyway :)
3
2
32
@greglesnewich
Greg Lesnewich
1 year
fun update from TA444 we saw this week Observed a campaign spoofing GMail senders via SendinBlue using the subject line: 'Item shared with you: Crypto-assets and their risks for financial stability' w/ links to SendInBlue that redirect to TA444 infra
1
10
33
@greglesnewich
Greg Lesnewich
9 months
#100DaysofYARA one of the easiest ways to get bogged down with writing rules is the scaffolding - use a plug-in from your favorite text editor to ensure you get proper metadata, most syntax highlighting and some auto-completion! Sublime:
3
9
33
@greglesnewich
Greg Lesnewich
1 year
Those code-based YARA rules 🤩🤤
@RecordedFuture
Recorded Future
1 year
Recorded Future's Insikt Group has observed Russian state actors increasing efforts to conceal command-and-control network traffic via legitimate internet services (LIS), and diversifying the services being misused in this effort.
2
24
41
0
1
33
@greglesnewich
Greg Lesnewich
9 months
big time #100DaysofYARA collab after triaging the BlackWood samples that ESET found, @stvemillertime shared some rules that hit, including a loose hunt for VirtualAlloc making RWX allocs @captainGeech42 came over the top and added the tasty func.rva to make it extra precise
@captainGeech42
geech 👽👾
9 months
#100DaysOfYARA Days 22/23: Wrote a couple of rules based on an idea I stole from @stvemillertime on looking for RWX memory allocations with VirtualAlloc by examining the argument setups before the call instructions
0
4
14
3
5
32
@greglesnewich
Greg Lesnewich
7 months
@sherrod_im @ImposeCost call it ImposeGoth, LLC.
0
0
31
@greglesnewich
Greg Lesnewich
3 years
non-YARA related tweet 🚨 Our team at RF / Insikt have published our annual infrastructure observations. Report link below 👇 I'll do my best to summarize without butchering the work!
1
10
31
@greglesnewich
Greg Lesnewich
2 years
There will be “professional” updates at some point. But first, a couple of weeks off, a couple islands to hit with the wifey @racheleadam , a drink or two, and a Twitter hiatus ✌️❤️
8
0
32
@greglesnewich
Greg Lesnewich
3 years
Day 61 #100DaysofYARA - let's talk UNCs and DOS! No, not Mandiant UNCs or Denial of Service, we're talmbout file paths baby I, in my endless naïveté, originally thought that any string similar to a named pipe (\\.\pipe\) was also a named pipe!
1
3
31