GhostPack: C# Offensive Framework

This is a game changer for red teaming and offensive security. The guys from SpecterOps have just published GhostPack. This represents the transition from Offensive PowerShell frameworks to C# frameworks. This was much expected as blue teams are catching up on PowerShell detection/prevention controls. Moreover, red teams need “offense in depth” having different variations of their toolset based on the engagement needs.

GhostPack is a collection various C# implementations of previous PowerShell functionality, and includes six separate toolsets being released:

Continue reading “GhostPack: C# Offensive Framework”

Advertisements

On reported APT trends

During the past years, there has been a lot of public reporting on APT activity of group with Russia and China nexus. However, it has been observed that more and more countries have developed such advanced capabilities and their activity is captured and reported by the vendors and mainstream media.

FireEye’s list of sophisticated actors and naming conventions looks like this:

Continue reading “On reported APT trends”

A Study on Threat Intelligence Platforms (TIPs)

ENISA has released the first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of TIP users, developers, vendors and the security research community.

The study channels its efforts into identifying some of the key opportunities and limitations of existing platforms and solutions, since information exchange formats and tools remain central items on the agenda of the cybersecurity community in general, and particularly of incident responders.

Continue reading “A Study on Threat Intelligence Platforms (TIPs)”

CrySyS Lab Analysis on NSA’s Territorial Dispute

CrySyS Lab has provided a great document on its analysis on NSA’s perspective on the APT landscape. The analysis is based on Shadow Brokers leak (“Lost in Translation” leak) and most specifically on the module called “Territorial Dispute“. The purpose of this module is to detect presence of competing state intelligence services. NSA wanted to secure its operations, avoid any conflict between “Five Eyes” group as well as get intelligence on the targets of the competing state intelligence services.

See below some interesting points related to the analysis done by CrySyS Lab:

Continue reading “CrySyS Lab Analysis on NSA’s Territorial Dispute”

WMI Persistence Goes Mainstream

This blog post from CrowdStrike provides some good information related to the persistence mechanisms used by WannaMine cryptomining worm. According to the post, WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It is really interesting that crypto mining malware adapt so quickly their TTPs and use techniques that are mostly used by APT groups.

Continue reading “WMI Persistence Goes Mainstream”