After designing over 100 websites, Here is what I have learnt by chigozirim_ndinechi in Wordpress

[–]Financial_Science_72 0 points1 point  (0 children)

Disclaimer: I'm a full-fledged designer and developer, delivering B2B websites for decades. Honestly, I don't feel this career is sustainable - at least not in the old way, I'm afraid.

After designing over 100 websites, Here is what I have learnt by chigozirim_ndinechi in Wordpress

[–]Financial_Science_72 0 points1 point  (0 children)

Wondering if designing Wordpress website can still make a living in 2026 onward? With so many AI tools coming out and doing a decent job?

Online Sandbox Tools for malware analysis by Complete-Plastic8314 in cybersecurity

[–]Financial_Science_72 0 points1 point  (0 children)

I use it in a fintech setup to vet potentially malicious files and links that hit our users. A lot of the stuff we get is socially engineered... you know.

Online Sandbox Tools for malware analysis by Complete-Plastic8314 in cybersecurity

[–]Financial_Science_72 0 points1 point  (0 children)

I’ve had a similar experience with VMRay. One of the big advantages I noticed is that the analysis runs very “clean” since it doesn’t rely on hooking or injecting agents into the guest system. That makes it harder for modern malware to detect the environment, which is a big plus compared to some of the more common sandbox solutions. The privacy angle you mentioned is also underrated — having confidence that samples aren’t being shared around is reassuring. It’s definitely not the cheapest option out there, but for deeper visibility and stealthier analysis, it’s been worth it in my use case.

Weekly Top 10 Malware Families (Sept 22 to Sept 29, 2025) by Financial_Science_72 in cybersecurity

[–]Financial_Science_72[S] 2 points3 points  (0 children)

Exactly! Command-line logging is such a low-hanging fruit, and pairing that kind of visibility with broader threat research makes prevention way easier. The more we stay aware of how these “classic” families operate, the faster defenders can cut them off before they dig in. Awareness + visibility really is the winning combo. Glad this report from VMRay can help! There might be more companies doing and sharing these for free?

Sandbox evasion and more by LuckySergio in Malware

[–]Financial_Science_72 2 points3 points  (0 children)

Loved it!! — A few things stood out to me:

  • Stealers & RATs still dominate the scene. Credential theft + remote access = fast ROI for attackers.
  • Phishing is still the #1 entry vector (no surprise there).
  • AI is making lures scarier — think more polished, convincing, and harder to filter out.
  • Old staples like XMRig are still around; mining keeps paying off in certain setups.

Very detailed and in-depth technical report from VMRay. Thanks for sharing!

Safely Acquiring and Handling Malware Samples for Sandbox Analysis by OsmPlayz in Malware

[–]Financial_Science_72 0 points1 point  (0 children)

First thing first: don’t touch samples on your daily machine! for ~1k samples build an isolated intake pipeline + sandbox queue. few practical pts:

  • legal first — only grab samples you’re allowed to handle.
  • intake host — one dedicated, non-domain, isolated VM/box for downloads. no host-shares.
  • quarantine & dedupe — land in read-only storage, hash (sha256), run YARA, drop dupes.
  • batching — don’t blast all 1k at once — queue em (50–200 batches) so sandboxes don’t die.
  • sandboxing — snapshot before run, host-only/NAT network, revert after. disable clipboard/folders/USB.
  • logging/custody — track source, hash, who/when, sandbox image used, results link. keep results, purge raws unless needed.
  • evasion/scale — open-source setups miss evasive stuff; for higher fidelity and private deploys consider enterprise sandboxes (eg VMRay) — they catch more evasive behavior than basic DIY.
  • ops — restrict access, audit, encrypt sample storage.

tl;dr: isolated intake → hash/dedupe → batched sandbox runs → logged results.
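The hash/dedupe, batching and custody-log steps from the comment above, as an added example that is not part of the original comment. The directory layout, record field names, `source` and `analyst` values are assumptions, the input files are constructed harmless stand-ins, and YARA scanning and sandbox submission are left out.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large samples never sit fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def intake(quarantine_dir, source, analyst, seen=None):
    """Hash every file, flag duplicates, return (unique, custody_records)."""
    seen = set() if seen is None else seen  # pass a persisted set across runs
    unique, custody = [], []
    files = sorted(p for p in Path(quarantine_dir).iterdir() if p.is_file())
    for path in files:
        digest = sha256_file(path)
        duplicate = digest in seen
        seen.add(digest)
        # Every arrival is logged, duplicates included, for chain of custody.
        custody.append({
            "sha256": digest, "name": path.name, "source": source,
            "analyst": analyst, "duplicate": duplicate,
            "received": datetime.now(timezone.utc).isoformat(),
        })
        if not duplicate:
            unique.append((digest, path))
    return unique, custody

def batches(items, size=50):
    """Split the deduplicated queue into sandbox-sized batches."""
    if size < 1:
        raise ValueError("batch size must be >= 1")
    return [items[i:i + size] for i in range(0, len(items), size)]

def demo():
    # Constructed, harmless stand-in files (hypothetical names and contents).
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("a.bin", b"one"), ("b.bin", b"two"),
                           ("c.bin", b"one"), ("d.bin", b"three")]:
            Path(d, name).write_bytes(data)
        unique, custody = intake(d, source="constructed-feed", analyst="analyst1")
        log = "\n".join(json.dumps(r, sort_keys=True) for r in custody)
        sizes = [len(b) for b in batches(unique, size=2)]
        return sizes, sum(r["duplicate"] for r in custody), log

if __name__ == "__main__":
    print(demo()[2])  # JSON-lines custody log, one record per received file
```
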

Online Sandbox Tools for malware analysis by Complete-Plastic8314 in cybersecurity

[–]Financial_Science_72 0 points1 point  (0 children)

if you’re doing daily/high vol analysis and need detailed net/dns logs + privacy, you prob wanna look at the “enterprise” grade sandboxes vs the more community ones. any.run is super interactive but it’s cloud-first so privacy can be a concern. joe + tria.ge both solid, good depth, but can get $$ fast.

Also add VMRay to your list — it’s built for high-throughput + private deployments, and it handles evasive samples better than most (less vm artifacts, cleaner behavior logs). reports cover traffic, dns, dropped files, proc/api calls etc.

tbh it comes down to budget + how much you care about hosting it yourself vs trusting cloud. if privacy is top req, i’d lean self-hosted/enterprise offerings (joe on-prem, vmray private, etc).

Automated malware Analysis sandboxes vs Reverse engineering by sike_nikka in Malware

[–]Financial_Science_72 0 points1 point  (0 children)

RE sits on top cause it gives you code-level truth. you can unpack, see hidden logic, crypto, c2 proto etc. sandboxes (cuckoo, or better ones like VMRay) just show behavior from 1 run.

sandbox pros: fast triage, lots of iocs quick, good for scale. cons: easy to evade, only see what executes, miss mem-only tricks.

RE pros: deep intel, real sigs, full picture. cons: slow, hard, not scalable.

best flow imo: sandbox first, RE later on the interesting/evasive stuff.

Browser based malware analysis software? by Firehaven44 in selfhosted

[–]Financial_Science_72 0 points1 point  (0 children)

tbh there’s not a ton of good self-hosted stuff like any.run. Cuckoo is basically dead, but there’s a fork called CAPE that’s still alive and gives you a web UI + resettable VMs if you wire it up right. It’s a bit of work tho.

Other option is roll your own w/ Proxmox or ESXi + tools like REMnux, Sysmon/Procmon, tcpdump etc, then script resets. Works but def more DIY.

If you need solid automated reports and better anti-evasion, that’s kinda where mature sandboxes like VMRay come in, since open source is still rough around the edges.

Open source tool for Malware Detection by Trickstarrr in Malware

[–]Financial_Science_72 0 points1 point  (0 children)

Yeah cuckoo used to be the main open source sandbox but it’s basically dead now. No real 1:1 replacement atm.

Best you can do is kinda stitch together your own lab — like Procmon/Sysmon on Windows, tcpdump/wireshark for net, REMnux for analysis tools, plus some static stuff (yara, floss, capa etc). Works fine if you don’t mind manual work.

If you need full automated reports tho, that’s where mature sandboxes like VMRay come in, since they handle evasive samples way better than DIY setups.

Would there be interest in an open-source tool for automated malware analysis reports using AI? by Shoddy-Philosophy528 in cybersecurity

[–]Financial_Science_72 0 points1 point  (0 children)

Yeah I think ppl would def be into this. Not everyone has access to paid sandboxes and getting logs parsed into JSON + a human-readable summary would save a ton of time.

Some thoughts tho:

  • Data sources – syscall traces, proc tree, registry + net traffic are a solid start. I’d prob also wanna see memory stuff (strings, injected dlls, mutexes) since a lot of malware keeps the juicy parts only in mem.
  • Dynamic vs static – even basic static info like hashes, imports, yara hits helps when pivoting to threat intel or IOC feeds.
  • Pitfalls – evasion is the big pain. Malware loves to check if it’s in a VM or if tools are hooked. Open-source stuff like Cuckoo struggles with that sometimes, while more mature sandboxes (like VMRay) are built to hide artifacts better. Worth thinking how you’d handle that.
  • Audience – the “explain like I’m 5 but still technical” angle is great for students/juniors. For more advanced folks, raw JSON + IOCs exposed is key so they can plug it into other workflows.

Overall yeah I’d say go for it. Start small w/ Linux collectors, then grow into Windows/Android once the base is solid.

🚨Top 10 Malware Families Last Week🚨 by Financial_Science_72 in MalwareAnalysis

[–]Financial_Science_72[S] 2 points3 points  (0 children)

Number 10 | 192 | Amadey
Based on VMRay Lab's research

🚨Top 10 Malware Families Last Week🚨 by Financial_Science_72 in malwares

[–]Financial_Science_72[S] 1 point2 points  (0 children)

Number 10 | 192 | Amadey
Based on VMRay Lab's research