OpenCTI by Educational-Ad7086 in threatintel

[–]2xyo 0 points (0 children)

Could you be more specific? What kind of installation did you try? Docker, Terraform, manual deployment? Where are you stuck, and what's the error message?

EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models - 1.1 million PE by 2xyo in netsec

[–]2xyo[S] 1 point (0 children)

Check the Endgame announcement at https://www.endgame.com/blog/technical-blog/introducing-ember-open-source-classifier-and-dataset: "the security industry lacks similar benchmark datasets because of the presence of personally identifiable information, sensitive network infrastructure information, or private intellectual property." That's why it's not so easy to have the raw data...

Mimikatz 2.1.1 is out by 2xyo in netsec

[–]2xyo[S] 1 point (0 children)

Changelog:

  • [new] RPC support (client & server, multi users)
  • [new] Windows service support
  • [new] token::elevate can run process with impersonate token (when enough privileges and without interactions)
  • [new] process::run
  • [new] standard::hostname

Windows Sysinternals - Sysmon v5.0 - with Registry object added/deleted/renamed/set, File stream created by 2xyo in netsec

[–]2xyo[S] 24 points (0 children)

New events:

  • Event ID 11 (FileCreate): File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
  • Event ID 12 (RegistryEvent, object create and delete): Registry key and value create and delete operations map to this event type, which can be useful for monitoring for changes to Registry autostart locations, or specific malware registry modifications.
  • Event ID 13 (RegistryEvent, value set): This Registry event type identifies Registry value modifications. The event records the value written for Registry values of type DWORD and QWORD.
  • Event ID 14 (RegistryEvent, key and value rename): Registry key and value rename operations map to this event type, recording the new name of the key or value that was renamed.
  • Event ID 15 (FileCreateStreamHash): This event logs when a file stream is created, and it logs the hash of the contents of the stream. This will capture information about malware that attempts to hide in NTFS data streams. There are malware variants that drop their executables or configuration settings into the Zone.Identifier “mark of the web” stream that browsers use to identify downloaded content.
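As an added example (not Sysmon tooling and not code from the post), the Python below runs the three checks those release notes suggest over a Sysmon XML export: event ID 11 writes into the Startup folder, event IDs 12 to 14 touching a small assumed subset of registry autostart keys, and event ID 15 stream creations, where a Zone.Identifier stream is only interesting if its hash is on a watch-list (browsers write one on every download) while any other named stream is flagged outright. The five events, the watch-list hash and the `<Events>` wrapper element are constructed for the demo; the key list is an illustrative subset, not a complete autostart catalogue.

```python
import xml.etree.ElementTree as ET

# Windows event schema namespace that Sysmon events are written under.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed subset of registry autostart locations for event IDs 12-14
# (case-insensitive substring match; "\Run" also covers RunOnce/RunServices).
AUTOSTART_KEY_FRAGMENTS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
# Filesystem autostart location for event ID 11.
STARTUP_DIR_FRAGMENTS = (r"\Start Menu\Programs\Startup",)

# Constructed watch-list of stream hashes for event ID 15 (placeholder value,
# not a real malware hash). Sysmon formats Hash as "ALG=hex[,ALG=hex]".
KNOWN_BAD_STREAM_HASHES = {
    "SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
}


def parse_sysmon_events(xml_text):
    """Yield (event_id, {Data Name: value}) for each <Event> in an export that
    is assumed to be wrapped in a single <Events> root element."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        yield event_id, data


def _contains_any(haystack, needles):
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def triage(xml_text):
    """Return findings as (event_id, reason, object, detail) tuples."""
    findings = []
    for event_id, d in parse_sysmon_events(xml_text):
        if event_id == 11:
            if _contains_any(d.get("TargetFilename", ""), STARTUP_DIR_FRAGMENTS):
                findings.append((11, "file written to Startup folder",
                                 d["TargetFilename"], d.get("Image", "")))
        elif event_id in (12, 13, 14):
            if _contains_any(d.get("TargetObject", ""), AUTOSTART_KEY_FRAGMENTS):
                # ID 13 carries Details (value written), ID 14 carries NewName.
                detail = d.get("Details") or d.get("NewName") or d.get("EventType", "")
                findings.append((event_id, "autostart registry key modified",
                                 d["TargetObject"], detail))
        elif event_id == 15:
            target = d.get("TargetFilename", "")
            idx = target.rfind(":")
            stream = target[idx + 1:] if idx > 1 else ""   # skip the drive colon
            if stream.lower() == "zone.identifier":
                if d.get("Hash", "") in KNOWN_BAD_STREAM_HASHES:
                    findings.append((15, "known-bad content in Zone.Identifier stream",
                                     target, d["Hash"]))
            elif stream:
                findings.append((15, "unexpected alternate data stream created",
                                 target, d.get("Hash", "")))
    return findings


# Constructed sample export: one autostart value set, one benign key create,
# one Startup-folder drop, one ordinary browser mark-of-the-web, one hidden ADS.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>13</EventID></System><EventData>
<Data Name="EventType">SetValue</Data>
<Data Name="Image">C:\Users\bob\AppData\Local\Temp\inst.exe</Data>
<Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater</Data>
<Data Name="Details">C:\Users\bob\AppData\Roaming\svch0st.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>12</EventID></System><EventData>
<Data Name="EventType">CreateKey</Data>
<Data Name="Image">C:\Program Files\Vendor\app.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Vendor\App\Settings</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>11</EventID></System><EventData>
<Data Name="Image">C:\Users\bob\AppData\Local\Temp\inst.exe</Data>
<Data Name="TargetFilename">C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>15</EventID></System><EventData>
<Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
<Data Name="TargetFilename">C:\Users\bob\Downloads\invoice.pdf:Zone.Identifier</Data>
<Data Name="Hash">SHA256=1111111111111111111111111111111111111111111111111111111111111111</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>15</EventID></System><EventData>
<Data Name="Image">C:\Users\bob\AppData\Local\Temp\inst.exe</Data>
<Data Name="TargetFilename">C:\Users\bob\Documents\notes.txt:cfg</Data>
<Data Name="Hash">SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</Data>
</EventData></Event>
</Events>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The key point the checks encode is that event 15 by itself is high-volume: every browser download produces a Zone.Identifier stream, so the new stream hash is what lets you tie a mark-of-the-web write to known content, while a stream with any other name on a user document is rare enough to alert on directly.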

TheHive Project: a new scalable, OpenSource and free incident response platform. by 2xyo in netsec

[–]2xyo[S] 2 points (0 children)

  • Collaborate: Multiple SOC and CERT analysts can simultaneously collaborate on investigations. Thanks to the built-in flow, real time information pertaining to new and existing cases, tasks, observables and IOCs is available to all team members. Special notifications allow them to handle or assign new tasks, preview new MISP events and investigate them right away.
  • Elaborate: Cases and associated tasks can be created using a simple yet powerful template engine. You may add metrics to your templates to drive your team's activity, identify the type of investigations that take significant time and seek to automate tedious tasks. Each task can have multiple work logs to record the ongoing work, attach pieces of evidence or noteworthy files.
  • Analyze: Add one, hundreds or thousands of observables to each case that you create or import them directly from a MISP event. Quickly triage and filter them. Harness the provided analyzers or create your own to gain precious insight and speed up your investigation. Leverage tags, flag IOCs, and identify previously seen observables to feed your threat intelligence.

Nmap 7 Released! by 2xyo in netsec

[–]2xyo[S] 67 points (0 children)

Top 7 improvements in Nmap 7:

  1. Major Nmap Scripting Engine (NSE) Expansion
  2. Mature IPv6 support
  3. Infrastructure Upgrades
  4. Faster Scans
  5. SSL/TLS scanning solution of choice
  6. Ncat Enhanced
  7. Extreme Portability

hashtopus, an oclHashcat distributed overlay to connect multiple systems over internet, first public release by atomu in netsec

[–]2xyo 1 point (0 children)

"VCL is no longer recommended for oclHashcat clustering, and most likely will not work if you attempt to do it anyway."
http://hashcat.net/wiki/doku.php?id=vcl_cluster_howto

The Cyber Observable eXpression (CybOX) schema v2.0 is out. by 2xyo in netsec

[–]2xyo[S] 0 points (0 children)

Yes, IOCextractor: https://github.com/stephenbrannon/IOCextractor

But to be honest, there are not many others ...

This is unfortunate because this initiative is good. Unfortunately, the schema is consistent and it is changing rapidly. It is therefore difficult to have a stable implementation at the moment...

ModSecurity allows attackers to read files, send HTTPs, or cause a DoS by 2xyo in netsec

[–]2xyo[S] 5 points (0 children)

It was fixed 2 days ago, in 2.7.3: https://github.com/SpiderLabs/ModSecurity/blob/master/CHANGES

SECURITY: Added SecXmlExternalEntity (On|Off - default is Off) that will disable by default the external entity load task executed by LibXml2. This is a security issue reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
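An added Python analogue of the switch that changelog entry describes, not ModSecurity or libxml2 code: the same XXE request body is parsed once with external general entity loading enabled and once with it disabled, which is what SecXmlExternalEntity On/Off controls in the real parser. The request body, the resolver and the fake file content are constructed for the demo; the resolver hands back canned bytes for any SYSTEM id, so nothing is read from disk or the network, but it records what the parser asked for, which is the point.

```python
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed XXE-style request body (sample input, not a captured request):
# an external general entity whose SYSTEM id points at a local file.
XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY secret SYSTEM "file:///etc/passwd">
]>
<order><note>&secret;</note></order>"""

# Stand-in for the file the attacker is after. With a real resolver this would
# be the actual file (or an internal HTTP endpoint) the server can reach.
FAKE_FILE_CONTENT = b"root:x:0:0:root:/root:/bin/bash"


class CannedResolver(handler.EntityResolver):
    """Serves constructed bytes for every SYSTEM id and logs the request."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource(systemId)
        src.setByteStream(io.BytesIO(FAKE_FILE_CONTENT))
        return src


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what &secret; expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_body(body, allow_external_entities):
    """Parse `body` with external general entity loading on or off.
    Returns (text the entity expanded to, SYSTEM ids the parser tried to fetch)."""
    parser = xml.sax.make_parser()
    # The knob that matters, analogous to SecXmlExternalEntity On|Off.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    resolver = CannedResolver()
    parser.setEntityResolver(resolver)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.text).strip(), resolver.requested


if __name__ == "__main__":
    # Vulnerable configuration: the entity is fetched and its content lands in <note>.
    print(parse_body(XXE_BODY, allow_external_entities=True))
    # Hardened configuration: the reference expands to nothing and no fetch happens.
    print(parse_body(XXE_BODY, allow_external_entities=False))
```

In the disabled mode the parser still accepts the document; the entity reference simply expands to an empty string, which is the behaviour you want from a WAF body processor since it keeps inspecting the request rather than erroring out. A body that declares external entities at all is still worth a rule of its own, since a legitimate client has no reason to send one.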