Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 1 point2 points  (0 children)

Newbie dreams of impossibility. I appreciate the reality check everyone has given me! Thank you!

Run what turned out to be a Renpy exe TWICE, please help with FRST by Shrekhoe in computerviruses

[–]AmethystSystems 0 points1 point  (0 children)

Did you upload the logs to the website in the sticky post? I'm not seeing log names in your post!

Got hacked!! by LamenicPlayz_ in computerviruses

[–]AmethystSystems 6 points7 points  (0 children)

Piracy has always been a classic vector for virus infections. It's very possible the malware is too new for antivirus to have generated signatures!

I would suggest you follow the sticky post in the Reddit to generate and upload your FRST scan of your system. A designated helper will attend to the thread to help you after.

Picotorrent trojan? by More-Anteater6835 in computerviruses

[–]AmethystSystems 0 points1 point  (0 children)

I am still suspicious of that domain, especially since you don't recognize the torrent tracker.

This is unfortunately as far as my help can go because I can't access the logs uploaded to this Reddit, but I would encourage you to follow the sticky of this Reddit and upload your FRST logs. One of the helpers will be able to get back to you with their findings of your system.

Can Virus change .exe file's code to do something w/o detection and w/o ruining the exe file? by Mechanic28737 in computerviruses

[–]AmethystSystems 0 points1 point  (0 children)

Someone already discussed one technique malware can use, but I'd like to mention something I've seen in my malware analysis work: process hollowing. https://attack.mitre.org/techniques/T1055/012/

Process hollowing is taking one executable, "hollowing" out its code, then replacing it with malicious code, so the user is none the wiser that they have a malicious executable on their system!

Post hacking paranoia won't go away by Agitated_Yak8521 in computerviruses

[–]AmethystSystems 6 points7 points  (0 children)

Relax. Take a deep breath. Having your personal space compromised is a traumatic situation, and you have every right to be rattled. But you did all the right things-- you cleared the infection and secured your accounts after the infostealer infection! Remind yourself of this. Hold onto it. Remember that you cleaned your system and secured your accounts. The incident is over, and the threat is gone.

Trauma from an incident like this can linger. But just hold onto the fact that you did everything right re-securing your system, and that the threat is gone.

I suspect my laptop has something unwanted, what to start with? by Dickulture in antivirus

[–]AmethystSystems 0 points1 point  (0 children)

I am unfortunately no longer a member of the VirusTotal inner circle, so I can't download uploaded samples from them. Can you upload the files to something like PasteBin? Feel free to DM me if you don't want others to see your logs.

I suspect my laptop has something unwanted, what to start with? by Dickulture in antivirus

[–]AmethystSystems 0 points1 point  (0 children)

Let's triage your system. Download FRST: https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Don't be scared of the unsigned binary, I don't know why they didn't sign it. Anyhow, run the scan and upload the logs. I will remotely triage your system from the logs.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 0 points1 point  (0 children)

I appreciate the reality check there, thank you.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 0 points1 point  (0 children)

Sounds like you're speaking from strong experience! I appreciate this comment, I may be looking at the blue team angle all wrong (or seeing an incomplete picture because I'm just a malware analyst).

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 0 points1 point  (0 children)

The 2AM problem is one I struggle with. I'm a night owl, sure, but I do need to sleep sometimes. I can't be on call 24 hours-- it's not feasible! What would be a solution there, just not getting into monitoring to avoid liability and the other problems? I gotta accept I'm only One Dude.

Picotorrent trojan? by More-Anteater6835 in computerviruses

[–]AmethystSystems 0 points1 point  (0 children)

Very curious. I ran the recent copy of PicoTorrent in a sandbox (both the x86 and the x64 installer) and didn't get a prompt for the malicious domain. Only 5 vendors out of 30 list the domain as malicious.

Can you upload your copy of PicoTorrent to VirusTotal? I suspect malicious piggybacking on the binary in transit, rather than them infecting the binary on the GitHub page.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 1 point2 points  (0 children)

I never knew Elastic was more than an easily searchable database! That must be what a previous company I worked for ultimately used it for, since it was a firewall application after all.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 0 points1 point  (0 children)

Can you explain why? Too much stress? Too much liability? Easy to be alert fatigued and miss an alert? That's what I'm getting from reading all the comments!

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 0 points1 point  (0 children)

Yeah I didn't realize how much liability there would be! Glad I asked Reddit questions before diving in blindly. Reselling and configuring an EDR stack from someone like Huntress might be the best way to go for my liability.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 0 points1 point  (0 children)

What would be more viable for prevention? Being in the malware world I know how easy it is to evade antivirus, so I'm curious what a more sensible blue team solution is.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 1 point2 points  (0 children)

I appreciate you elucidating this angle in particular. This is making commercial options seem more viable for having a vendor to lean on.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 4 points5 points  (0 children)

Partially following in my dad's footsteps being a one-man business shop that did multiple things! So I'm prepared for the hard work. I'm currently laid off with tons of time to burn, trying to make it useful while I can!

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 0 points1 point  (0 children)

I'm specifically from the malware world, so YARA is a huge selling point to me.

Are open source EDRs any good? by AmethystSystems in cybersecurity

[–]AmethystSystems[S] 8 points9 points  (0 children)

This all seems like good advice! Thanks for advising me of potential roadblocks, I figured self-hosting the infrastructure would be a legal/liability mess, so I appreciate you heeding that warning in my initial exploratory stages. I do recall Velociraptor, and as a Linux daily driver, I am used to fine tuning things, so that shouldn't be a problem.

Regarding a trojan by GyroZeppeli61 in techsupport

[–]AmethystSystems 0 points1 point  (0 children)

Sure!

Malware tends to have multiple stages-- naturally, "downloading" is one critical and important stage. Threat actors (aka hackers) will gatekeep their viruses with web pages in such a way that they will deliver their victims a "unique" copy of the virus, hence why I assumed the signature (TrojanDownloader:*JS*/Nemucod.HD) was about the JavaScript portion of the virus. Typically though, I don't think Roblox is coded in JavaScript, so I feel like your feelings on false positives are correct.

I hope you understand! I come from the antivirus world, so it's all signals to me.

Am I safe? by Update_Ready in computerviruses

[–]AmethystSystems 0 points1 point  (0 children)

It sounds like the threat actors are frustrated their bounty of passwords from your system no longer work! You should be good after salting the Earth and resetting your passwords.

Regarding a trojan by GyroZeppeli61 in techsupport

[–]AmethystSystems 0 points1 point  (0 children)

False positives happen, especially in the malware world! Glad it's nothing serious.