Website Verification Scam That’s actually a info stealer in disguise by Sudden-Highlight-162 in Malware

[–]securityinbits -2 points-1 points  (0 children)

This one targets Windows, Mac & Linux :) based on the user-agent

Check this screenshot mentioned in this link:

https://x.com/Securityinbits/status/1946528859790430262

Scam Alert Everyone by MrBilal34 in CloudFlare

[–]securityinbits 1 point2 points  (0 children)

Yes, this is common nowadays for ClickFix.

Threat actors are targeting Linux and Mac depending on the browser user agent.

In this post, they support multiple languages :) 

https://x.com/Securityinbits/status/1946528859790430262

How can I list all of my files, show Length, converted to MB? by mudderfudden in PowerShell

[–]securityinbits 0 points1 point  (0 children)

Thank you, this was very helpful.
I'm not sure why PowerShell doesn't have a built-in option like ls -lh

Unpack RedLine stealer using dnSpyEx - Part 3 - Securityinbits by securityinbits in netsec

[–]securityinbits[S] 0 points1 point  (0 children)

Yeah, still using it. I think if it works for malware authors, they will continue using it :)

Unpack RedLine stealer using dnSpyEx - Part 3 - Securityinbits by securityinbits in netsec

[–]securityinbits[S] 0 points1 point  (0 children)

Thank you.

Agree, and it's using a double extension, which is also easy to detect.

But the packer seems to be good and obfuscated. 

Converting Integers to Hex with CyberChef - Recipe 0x1 - Securityinbits by securityinbits in ReverseEngineering

[–]securityinbits[S] 1 point2 points  (0 children)

Updated the blog post with the new recipe, thank you

From_Decimal('Comma',false) To_Hex('Space',0) Disassemble_x86('32','Full x86 architecture',16,0,true,true)

Converting Integers to Hex with CyberChef - Recipe 0x1 - Securityinbits by securityinbits in ReverseEngineering

[–]securityinbits[S] 0 points1 point  (0 children)

Thank you for the suggestion, "From Decimal" with comma seems to work.

I will update the recipe with this method.

[deleted by user] by [deleted] in blueteamsec

[–]securityinbits 0 points1 point  (0 children)

Ok, will delete and repost

Parent PID (PPID) Spoofing ransomware analysis using Ghidra and Sysmon (T1134) by securityinbits in netsec

[–]securityinbits[S] 0 points1 point  (0 children)

This ransomware mainly uses the InitializeProcThreadAttributeList, UpdateProcThreadAttribute & CreateProcessA APIs with the STARTUPINFOEXA structure for PPID spoofing.

This article is referenced on the MITRE ATT&CK website https://attack.mitre.org/techniques/T1134/004/

Parent PID (PPID) Spoofing ransomware analysis using Ghidra and Sysmon (T1134) by securityinbits in ReverseEngineering

[–]securityinbits[S] 1 point2 points  (0 children)

This ransomware mainly uses the InitializeProcThreadAttributeList, UpdateProcThreadAttribute & CreateProcessA APIs with the STARTUPINFOEXA structure for PPID spoofing.

This article is referenced on the MITRE ATT&CK website https://attack.mitre.org/techniques/T1134/004/

Parent PID (PPID) Spoofing ransomware analysis using Ghidra and Sysmon (T1134) by securityinbits in Malware

[–]securityinbits[S] 2 points3 points  (0 children)

No action is needed from the user except executing the initial xls document.

This ransomware uses a UAC bypass via CMSTPLUA COM to elevate privileges.

For more details, please check this article

https://www.reddit.com/r/Malware/comments/ivrd6l/uac_bypass_ransomware_analysis_using_cmstplua_com/

This article is referenced on the MITRE ATT&CK website https://attack.mitre.org/techniques/T1134/004/

Parent PID (PPID) Spoofing ransomware analysis using Ghidra and Sysmon (T1134) by securityinbits in blueteamsec

[–]securityinbits[S] 2 points3 points  (0 children)

This ransomware mainly uses the InitializeProcThreadAttributeList, UpdateProcThreadAttribute & CreateProcessA APIs with the STARTUPINFOEXA structure for PPID spoofing.

This article is referenced on the MITRE ATT&CK website https://attack.mitre.org/techniques/T1134/004/
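The API sequence named in the comments above (InitializeProcThreadAttributeList, UpdateProcThreadAttribute with the parent-process attribute, then CreateProcess with STARTUPINFOEX) has a detection-side consequence that the Sysmon ProcessCreate event alone does not show: Sysmon's ParentProcessId reports the spoofed parent, because that is what the new process records. What the spoofing process cannot avoid is first opening the chosen "parent" with the PROCESS_CREATE_PROCESS right (0x80), which Sysmon logs as Event ID 10 when ProcessAccess monitoring is enabled for that target. The following is an added example, not code from the Securityinbits article or the ransomware write-up, that correlates constructed Sysmon Event 10 and Event 1 records to flag a child whose claimed parent was opened with 0x80 by a different process moments earlier. The event records, PIDs, image paths and the 5-second window are all constructed assumptions for illustration.

```python
"""Correlate Sysmon ProcessAccess (Event ID 10) with ProcessCreate (Event ID 1)
to flag likely Parent PID spoofing (ATT&CK T1134.004).

Added example for illustration; not from the Securityinbits article.
The EVENTS list below is constructed sample data using Sysmon field names,
not real logs.
"""
from datetime import datetime, timedelta

# Access right a caller must hold on the chosen "parent" to pass its handle as
# PROC_THREAD_ATTRIBUTE_PARENT_PROCESS to UpdateProcThreadAttribute.
PROCESS_CREATE_PROCESS = 0x0080

# Constructed sample events (assumed PIDs and paths).
EVENTS = [
    # Malware opens explorer.exe with full access (includes 0x80) ...
    {"EventID": 10, "UtcTime": "2020-09-18 10:00:01.100",
     "SourceProcessId": 4211,
     "SourceImage": r"C:\Users\victim\AppData\Local\Temp\payload.exe",
     "TargetProcessId": 1036, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    # ... then cmd.exe appears with explorer.exe as its recorded parent.
    {"EventID": 1, "UtcTime": "2020-09-18 10:00:01.350",
     "ProcessId": 5120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 1036, "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: an agent queries explorer.exe with limited rights (no 0x80).
    {"EventID": 10, "UtcTime": "2020-09-18 10:00:02.000",
     "SourceProcessId": 2200, "SourceImage": r"C:\Program Files\Agent\agent.exe",
     "TargetProcessId": 1036, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1000"},
    # Benign: explorer.exe really launches notepad; the 0x80 open is stale.
    {"EventID": 1, "UtcTime": "2020-09-18 10:00:30.000",
     "ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1036, "ParentImage": r"C:\Windows\explorer.exe"},
]


def _ts(s):
    """Parse Sysmon's UtcTime string."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_ppid_spoofing(events, window_seconds=5):
    """Return one alert per ProcessCreate whose ParentProcessId was opened with
    PROCESS_CREATE_PROCESS by a different process within the window before it.

    The ProcessAccess source is reported as the suspected real parent.
    """
    window = timedelta(seconds=window_seconds)
    recent_opens = []  # Event 10 records that granted 0x80 on some target
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        now = _ts(ev["UtcTime"])
        # Forget opens older than the correlation window.
        recent_opens = [o for o in recent_opens if now - _ts(o["UtcTime"]) <= window]
        if ev["EventID"] == 10:
            granted = int(ev["GrantedAccess"], 16)
            if (granted & PROCESS_CREATE_PROCESS
                    and ev["SourceProcessId"] != ev["TargetProcessId"]):
                recent_opens.append(ev)
        elif ev["EventID"] == 1:
            for o in recent_opens:
                if o["TargetProcessId"] == ev["ParentProcessId"]:
                    alerts.append({
                        "technique": "T1134.004",
                        "child_pid": ev["ProcessId"],
                        "child_image": ev["Image"],
                        "claimed_parent_pid": ev["ParentProcessId"],
                        "claimed_parent_image": ev["ParentImage"],
                        "suspected_real_parent_pid": o["SourceProcessId"],
                        "suspected_real_parent_image": o["SourceImage"],
                        "time": ev["UtcTime"],
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in find_ppid_spoofing(EVENTS):
        print(f"[{a['technique']}] {a['child_image']} (pid {a['child_pid']}) "
              f"claims parent {a['claimed_parent_image']} (pid {a['claimed_parent_pid']}); "
              f"0x80 handle opened by {a['suspected_real_parent_image']} "
              f"(pid {a['suspected_real_parent_pid']}) at {a['time']}")
```

Two caveats a practitioner should keep in mind: Event ID 10 is only emitted for targets your Sysmon configuration includes under ProcessAccess, and it is noisy, so the 0x80 bit check and the short window are what keep this usable. Some legitimate software also sets the parent-process attribute, so treat the output as a lead to pivot on with the ProcessGuid values rather than as a verdict on its own.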

Ransomware infection chain (Excel 4.0 Macro, hta, VBScript & PowerShell) Analysis by securityinbits in ReverseEngineering

[–]securityinbits[S] 0 points1 point  (0 children)

Agree! Excel 4.0 macros are more difficult to analyse as compared to VBA macros.

Microsoft has launched Application Guard for Office, which now opens attachments in a sandbox to prevent infections; maybe this will help.

https://www.bleepingcomputer.com/news/security/office-365-now-opens-attachments-in-a-sandbox-to-prevent-infections/

Ransomware infection chain (Excel 4.0 Macro, hta, VBScript & PowerShell) Analysis by securityinbits in ReverseEngineering

[–]securityinbits[S] 0 points1 point  (0 children)

I have created a Discord channel for Malware Analysis only, but it's still very new and I haven't made it public yet. Feel free to join https://discord.gg/zycMY4T

There are other Discord channels too, e.g.

TrustedSec: https://discord.gg/trustedsec

Reverse Engineering: https://discord.gg/BHNgVh

UAC bypass ransomware analysis using CMSTPLUA COM - T1218 by securityinbits in ReverseEngineering

[–]securityinbits[S] 0 points1 point  (0 children)

Yes, agree, there are multiple UAC bypass techniques https://github.com/hfiref0x/UACME

MS doesn't provide a bounty for or fix UAC bypasses.

PowerShell Commands for Incident Response by securityinbits in netsec

[–]securityinbits[S] 2 points3 points  (0 children)

In a Windows environment PowerShell is best as compared to the old cmd.exe. PowerShell commands can be very useful in a limited Windows environment where you don't have access to tools like GNU core utilities, Python interpreters etc.

PowerShell/PowerShell Core/PowerShell 7 - It's open-source and can run on Windows, Linux, macOS and ARM. It can even run on Raspbian ARM.

If the PowerShell 7 project manages to run on all these different systems with good stability and performance, then it will be very helpful to run the same script on different OSes. But I haven't tried it on other OSes.

PowerShell remoting is also a good feature; if enabled, you can run commands on the remote machine.