These items can be used to visualize the activities of the trojan, which are mapped to a MITRE ATT&CK chart, get specific IOCs, and create custom YARA rules for additional threat hunting. Trellix IVX is natively
Threat hunting can be used as a powerful tool not only to detect malicious behavior missed by other security measures but also to drive a deeper understanding of how malicious software, actor tools, and behaviors work and how to proactively detect or prevent them. ...
Detecting this type of malicious activity can be done relatively easily using endpoint telemetry logs from Windows hosts. The most reliable (and free!) method would be the use of Sysinternals Sysmon, which provides a few event IDs that we can use to monitor this type of behavior. Method...
Then, we started our quest of malware hunting in memory. We did this by benchmarking both memory captures against each other and by applying the intelligence gained during the dynamic analysis. In the second part we went deeper into the fascinating world of memory forensics. We managed to find...
Using Sysinternals Strings, I extracted various strings from the binary and found the following indicators: “Connecting to {0}:{1}..” “/create /f /tn “{0}” /xml “{1}”” “schtasks.exe” “CreateScheduledTask” “/run /tn “{0}”” ...
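The two excerpts above fit together: the strings show a trojan registering a scheduled task from an XML file (`schtasks.exe /create /f /tn ... /xml ...`) and then starting it (`/run /tn ...`), and Sysmon's Event ID 1 (Process Create) records exactly those schtasks.exe invocations, with `Image`, `CommandLine` and `ParentImage` fields. The following is an added example, not code from any of the excerpted articles: it runs detection logic over a handful of constructed Sysmon-style Event ID 1 records, scores each schtasks.exe call, and correlates a create-then-run pair from the same parent process. The field names follow Sysmon's schema; the event values, task name and paths are made up for the example.

```python
"""Hunt for schtasks.exe-based persistence in Sysmon Event ID 1 (Process Create) records.

Added example, not from the articles excerpted on this page. Field names
(EventID, UtcTime, Image, CommandLine, ParentImage) follow Sysmon's schema;
every value below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): one create-from-XML, one run,
# one benign query, and one Event ID 3 (network) record that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-05 10:00:01",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "SystemUpdater" /xml "C:\Users\Public\upd.xml"',
     "ParentImage": r"C:\Users\alice\AppData\Roaming\client.exe"},
    {"EventID": 1, "UtcTime": "2024-01-05 10:00:02",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /run /tn "SystemUpdater"',
     "ParentImage": r"C:\Users\alice\AppData\Roaming\client.exe"},
    {"EventID": 1, "UtcTime": "2024-01-05 10:05:00",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "UtcTime": "2024-01-05 10:00:03",
     "Image": r"C:\Users\alice\AppData\Roaming\client.exe",
     "CommandLine": "", "ParentImage": ""},
]

# Directories an unprivileged user can write to; a parent living here is a
# weak but useful signal when combined with task creation.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [q if q else w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyze(evt):
    """Return a finding dict for a schtasks.exe Process Create event, else None."""
    if evt.get("EventID") != 1:
        return None
    if not evt.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    toks = tokenize(evt["CommandLine"])
    low = [t.lower() for t in toks]
    action = next((t for t in low if t in ("/create", "/run", "/change", "/delete")), None)
    if action is None:  # /query, /end and friends are noise for this hunt
        return None
    # Collect the switches that take a value: task name, XML definition, task action.
    opts = {}
    for i, t in enumerate(low):
        if t in ("/tn", "/xml", "/tr") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
    parent = evt.get("ParentImage", "").lower()
    reasons = []
    if action == "/create" and "xml" in opts:
        reasons.append("task registered from an XML file")
    if action == "/create" and "/f" in low:
        reasons.append("/f silently overwrites an existing task of the same name")
    if any(d in parent for d in USER_WRITABLE):
        reasons.append("parent process runs from a user-writable directory")
    return {"time": evt["UtcTime"], "action": action[1:], "task": opts.get("tn"),
            "xml": opts.get("xml"), "parent": evt.get("ParentImage"), "reasons": reasons}


def hunt(events):
    """Score each schtasks.exe call and correlate create+run pairs per (parent, task)."""
    findings = [f for f in (analyze(e) for e in events) if f]
    seen = defaultdict(set)
    for f in findings:
        seen[(f["parent"].lower(), f["task"])].add(f["action"])
    for f in findings:
        if {"create", "run"} <= seen[(f["parent"].lower(), f["task"])]:
            f["reasons"].append("same parent both created and started the task")
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["time"], f["action"], f["task"], "<-", f["parent"])
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed input the `/query` call and the network event drop out, the `/create` call scores on all four signals, and the `/run` call is kept only because of its parent location and the create/run correlation. In a real hunt the same logic would read Sysmon's XML (or the EVTX export) rather than dicts, and the ATT&CK mapping for the finding is T1053.005 (Scheduled Task).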
In this post I won’t bother you with the details about the ActionScript code. Nonetheless, one thing to mention about the code is that if you follow the site malware.dontneedcoffee.com and the amazing work done by Kaffeine on hunting down, analyzing and documenting Exploit Kits you might have...