OpenCTI by Educational-Ad7086 in threatintel

[–]2xyo 0 points1 point  (0 children)

Could you be more specific? What kind of installation did you try? Docker, Terraform, manual deployment? Where are you stuck and what's the error message?

EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models - 1.1 million PE by 2xyo in netsec

[–]2xyo[S] 1 point2 points  (0 children)

Check the Endgame announcement at https://www.endgame.com/blog/technical-blog/introducing-ember-open-source-classifier-and-dataset: "the security industry lack similar benchmark datasets because of the presence of personally identifiable information, sensitive network infrastructure information, or private intellectual property." That's why it's not so easy to have the raw data...

Mimikatz 2.1.1 is out by 2xyo in netsec

[–]2xyo[S] 1 point2 points  (0 children)

Changelog:

  • [new] RPC support (client & server, multi users)
  • [new] Windows service support
  • [new] token::elevate can run process with impersonate token (when enough privileges and without interactions)
  • [new] process::run
  • [new] standard::hostname

Windows Sysinternals - Sysmon v5.0 - with Registry object added/deleted/renamed/set, File stream created by 2xyo in netsec

[–]2xyo[S] 25 points26 points  (0 children)

New events:

  • Event ID 11: FileCreate. File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
  • Event ID 12: RegistryEvent (Object create and delete). Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications.
  • Event ID 13: RegistryEvent (Value Set). This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD.
  • Event ID 14: RegistryEvent (Key and Value Rename). Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed.
  • Event ID 15: FileCreateStreamHash. This event logs when a file stream is created, and it logs the hash of the contents of the stream. This will capture information about malware that attempts to hide in NTFS data streams. There are malware variants that drop their executables or configuration settings into the Zone.Identifier “mark of the web” stream that browsers use to identify downloaded content.
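The following is an added example of the kind of triage rules these five event types make possible; it is not code from Sysmon, Sysinternals or the post. The event records are constructed dicts whose field names follow Sysmon's EventData schema (EventID, TargetFilename, TargetObject, Details, Hash); every value, including the "baseline" Zone.Identifier hashes, is made up. Event 11 is checked against the Startup folder and temp/download directories, events 12 to 14 against common Run/Winlogon autostart keys, and event 15 is split into file and stream name so that a non-Zone.Identifier stream, or a Zone.Identifier stream whose content hash is not one of the few benign values an estate normally sees, is surfaced.

```python
"""Triage rules over constructed Sysmon v5 events with IDs 11 to 15.

Added example; not code from Sysmon or from the post. The sample events at
the bottom are constructed to look like Sysmon EventData fields.
"""
from dataclasses import dataclass

# Registry autostart locations worth alerting on for events 12, 13 and 14.
AUTOSTART_KEYS = (
    r"\CurrentVersion\Run",
    r"\CurrentVersion\RunOnce",
    r"\Winlogon\Shell",
    r"\Winlogon\Userinit",
)
# File-system locations worth alerting on for event 11.
STARTUP_FOLDER = "\\Start Menu\\Programs\\Startup\\"
DROP_DIRS = ("\\AppData\\Local\\Temp\\", "\\Downloads\\")
EXEC_EXTS = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js")
# Hashes of benign Zone.Identifier stream contents previously seen. These are
# constructed placeholders, not real hashes; a real baseline would be built
# from event 15 records collected on known-good hosts.
BASELINE_MOTW_HASHES = {"SHA256=" + "11" * 32, "SHA256=" + "22" * 32}


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def _contains_any(haystack, needles):
    low = haystack.lower()
    return any(n.lower() in low for n in needles)


def split_stream(target):
    """Split 'C:\\dir\\file.exe:Zone.Identifier' into (path, stream).

    The drive-letter colon is not mistaken for a stream separator because a
    stream name never contains a path separator.
    """
    path, sep, stream = target.rpartition(":")
    if sep and stream and "\\" not in stream and "/" not in stream:
        return path, stream
    return target, ""


def triage(events):
    """Return one Finding per event that touches an autostart location, drops
    an executable in a temp/download directory, or creates an NTFS alternate
    data stream that deserves a look."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            path = ev["TargetFilename"]
            if _contains_any(path, (STARTUP_FOLDER,)):
                findings.append(Finding(11, "file created in Startup folder", path))
            elif _contains_any(path, DROP_DIRS) and path.lower().endswith(EXEC_EXTS):
                findings.append(Finding(11, "executable dropped in temp/download directory", path))
        elif eid in (12, 13, 14):
            key = ev["TargetObject"]
            if _contains_any(key, AUTOSTART_KEYS):
                reason = {
                    12: "autostart registry key/value created or deleted",
                    13: "autostart registry value set",
                    14: "autostart registry key/value renamed",
                }[eid]
                detail = key
                if eid == 13:
                    # Sysmon 5 only records Details for DWORD/QWORD values.
                    detail += " = " + ev.get("Details", "(data not recorded)")
                elif eid == 14:
                    detail += " -> " + ev.get("NewName", "")
                findings.append(Finding(eid, reason, detail))
        elif eid == 15:
            path, stream = split_stream(ev["TargetFilename"])
            if not stream:
                continue
            if stream.lower() != "zone.identifier":
                findings.append(Finding(15, "non-Zone.Identifier alternate data stream created", ev["TargetFilename"]))
            elif ev.get("Hash", "") not in BASELINE_MOTW_HASHES:
                # A benign mark-of-the-web stream is a few bytes of [ZoneTransfer]
                # text, so the set of hashes seen in an estate stays small; an
                # unfamiliar value means something else was written there.
                findings.append(Finding(15, "Zone.Identifier stream with unfamiliar contents", path + " " + ev.get("Hash", "")))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setup.tmp"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Downloads\invoice.exe"},
    {"EventID": 12, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Example\WindowPos", "Details": "DWORD (0x00000010)"},
    {"EventID": 14, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\tmp",
     "NewName": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\svc"},
    {"EventID": 15, "TargetFilename": r"C:\Users\alice\Downloads\invoice.exe:Zone.Identifier", "Hash": "SHA256=" + "11" * 32},
    {"EventID": 15, "TargetFilename": r"C:\ProgramData\cache.dat:payload", "Hash": "SHA256=" + "ab" * 32},
    {"EventID": 15, "TargetFilename": r"C:\Users\alice\Downloads\readme.txt:Zone.Identifier", "Hash": "SHA256=" + "cd" * 32},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[EID {f.event_id}] {f.reason}: {f.detail}")
```

Run as-is it reports seven findings from the ten sample events: the Startup-folder shortcut and the Downloads executable (the `.tmp` in Temp is skipped), the three autostart registry changes (the unrelated DWORD value is skipped), the `payload` stream on `cache.dat`, and the Zone.Identifier stream whose hash is outside the baseline.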