Introduction to Malwares by Abdessabour Arous - tunCERT
Presented at:
- INIT 2014
- ESPRIT Cryptoparty event 2013
- University of Jendouba 2013
Malware samples and source codes for the demos: https://github.com/AbMaster/IntroductionToMalwareTalk
Hunting Lateral Movement in Windows Infrastructure - Sergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
LCP is a password cracking tool that can extract administrator passwords remotely. In this lab, LCP was used to crack the administrator password of a Windows Server 2012 system with IP address WIN-039MR5HL9E4. It retrieved the usernames and passwords of various accounts, including the administrator account. NTFS streams allow files to be hidden by associating them with the main file or directory as an alternate data stream. This lab demonstrates how to hide the calc.exe file in the C:\magic folder using NTFS streams so it is not visible normally.
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.
You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut-off to everyone else. Except for when they aren’t. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
FinFisher is cyber espionage software sold by Gamma Group to law enforcement and intelligence agencies. It can infect Windows, iOS, Android, Blackberry, Symbian, and other mobile devices to monitor users. The malware disguises itself using various techniques and communicates with command and control servers located around the world. It has extensive surveillance capabilities including recording calls, intercepting messages, and tracking locations.
Vulnerability scanning evaluates an organization's systems and network to identify vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. The document discusses using the Advanced IP Scanner tool to perform a network scan on a target Windows Server 2008 system from a Windows 8 attacker system to check for live systems, open ports, and gather information about computers on the local network. It provides instructions on launching Advanced IP Scanner, entering an IP address range to scan, and viewing the scan results.
The document discusses techniques used by malware to detect virtual machines and strategies to prevent such detection. It outlines several techniques malware uses to detect virtual machines, including hardware fingerprinting, registry checks, process/file checks, memory checks, timing analysis, and communication channel checks. It then discusses approaches used by popular virtual machines like VMware, VirtualBox, and VirtualPC. The document proposes developing a tool called VMDetectGuard that would monitor for the calls and instructions used in detection and mask the virtual machine's identity by returning false information to trick the malware.
Indicators of compromise: From malware analysis to eradication - Michael Boman
This document discusses detecting and analyzing indicators of compromise from a malware infection. It describes collecting data from firewalls, IDS/IPS, proxies, DNS logs, and system logs to detect suspicious activity. Once a potential malware sample is acquired, static and dynamic analysis techniques are used to analyze its behavior and identify indicators that can be used to detect infected machines, like created files, registry keys, and network traffic. These indicators are expressed using tools like Yara rules and Snort signatures to enable detection of the compromise across an environment.
"Building HMI with Visual Basic Technologies - 1998". Although these slides are old, they are still worth a look, especially for those who are new to HMI and SCADA technologies.
Malware analysis - What to learn from your invaders - Tazdrumm3r
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
The document discusses various methods attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes techniques like copying files over SMB, using WMI, WinRM, PowerShell remoting, scheduled tasks, and others. For each technique, it outlines the required network access and system privileges, and provides the most relevant event log entries that could be used for detection. The goal is to help analysts understand lateral movement techniques and know what to look for when hunting for suspicious remote executions in Windows logs and environments.
Living off the land tactics involve attackers using only pre-installed software and tools on a system to carry out an attack without installing additional binaries. This allows attacks to be harder to detect and trace since it does not involve new files being placed on a system. Attackers make use of techniques like memory-only attacks, scripts hidden in locations like the registry rather than files, and abusing legitimate dual-use tools to blend in and carry out lateral movement, credential theft, and other objectives. Defending against these tactics requires advanced detection methods that can analyze behaviors rather than just files to identify potentially malicious activity and abuse of system tools.
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
This document provides an overview of basic static malware analysis techniques. It discusses using antivirus scanners, hashing files, and analyzing strings to identify malware without executing it. It also covers examining the Portable Executable (PE) file format used in Windows executables, including analyzing the PE header, imported and exported functions, linked libraries, and important sections like .text and .rsrc. Detecting packed files and analyzing the PE dynamically at runtime is also mentioned. The goal is to gain an initial understanding of unknown files through static inspection before dynamic analysis.
Ir alert-med-17-093-01 c-intrusions-affecting_multiple_victims_across_multipl... - Hamad Al Katheri
HOME LAND alert for a probable attack
"A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
A walk through Windows firewall and Netsh commands - Rhydham Joshi
The presentation slides explore the various options of the Windows firewall and the Netsh command-line utility.
They explain how to enable logging of allowed and blocked connections, the different options for inbound and outbound connections, and how to interpret the logs to detect anomalies on Windows systems.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak... - CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment.
- Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by malware runtime behavior. These include Process Monitor, Wireshark, Process Explorer, and network sniffers.
- To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh
Attacks on the Java Card platform using malicious applets - Positive Hack Days
The speaker will describe attacks on Java-based secure smart-card containers that allow an attacker to steal the cryptographic keys and PIN codes of other applets installed on the card.
Language of the talk: Russian
Teymur Kheirkhabarov (Теймур Хеирхабаров) has worked in both "paper" and hands-on information security for more than 6 years. He is a SOC analyst at Kaspersky Lab and was formerly head of the information security department at an industrial enterprise. He completed specialist and master's degrees at the Reshetnev Siberian State Aerospace University (SibSAU), where he later taught information security courses. He has taken part in a number of CTFs and has spoken at ZeroNights.
Risk management: how to stop believing in illusions - Fast Track
The document provides information about an advanced malware analysis training program. It begins with disclaimers about the content being provided as-is without warranty. It then acknowledges those who supported and contributed to the training. It states that the presentation is part of an advanced malware analysis training program currently only delivered locally for free. It introduces the speaker, Swapnil Pathak, and provides an outline of the topics to be covered, including anti-reversing techniques, anti-debugging, anti-VM, and anti-anti-reversing, followed by a question and answer section.
This document summarizes the top 10 latest viruses as of November 2013, including Exploit.CVE-2011-3402.Gen, Trojan.Ransom.IcePol, Trojan.Flame.A, Trojan.OlympicGames, Trojan.Startpage.AABI, Trojan.FakeAV, Rootkit.MBR.TDSS, Rootkit.Sirefef.Gen, PDF:Exploit.CVE-2013-5065.A, and Exploit.CVE-2013-5065.A. Each virus is briefly described, and its spreading ability and potential damage are rated.
This document discusses techniques that malware authors use to frustrate malware analysts, including inserting breakpoints, manipulating timing functions, exploiting Windows internals like debug flags and objects, anti-dumping methods, VM detection, and debugger-specific tricks. The author also announces a public malware repository and API called VXCage for sharing samples.
ENISA is the EU's cybersecurity agency that works with EU members, private sector, and citizens to develop cybersecurity best practices. It assists EU members in implementing legislation and improving critical infrastructure resilience. ENISA seeks to enhance member state expertise by supporting cross-border cybersecurity communities throughout Europe.
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet) - INSIGHT FORENSIC
Stuxnet is analyzed in detail, including its architecture, functionality, and propagation methods. It is described as a highly advanced persistent threat that targeted Iran's nuclear facilities. The document outlines how Stuxnet used zero-day exploits and a digital certificate to inject code into industrial control systems and spread via removable drives and network shares. Stuxnet's command and control infrastructure and ability to infect project files for industrial software are also summarized.
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet) - INSIGHT FORENSIC
The document summarizes a seminar on the Stuxnet cyber attack. It discusses Stuxnet as a sophisticated cyber weapon targeting Iranian nuclear facilities. It provides an overview of Stuxnet's architecture and propagation methods, describing how it exploited Windows vulnerabilities to infect industrial control systems and spread via removable drives. The document analyzes Stuxnet's command-and-control infrastructure and rootkit functionality used to hide its files and remain undetected on systems.
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
Today, criminals are using novel techniques to bypass AV detection. Manual debugging must be used to unpack malware (hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand the criminals' modus operandi, and manual analysis is always required to reveal FUD malware.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ... - MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
Solve the colocation conundrum: Performance and density at scale with Kubernetes - Niklas Quarfot Nielsen
As we move from monolithic applications to microservices, the ability to colocate workloads offers a tremendous opportunity to realize greater development velocity, robustness, and resource utilization. But workload colocation can also introduce performance variability and affect service levels. Google describes the problem as the “tail at scale”—the amplification of negative results observed at the tail of the latency curve when many systems are involved.
With its latest tooling capabilities, Intel has an experiments framework to calculate the trade-offs between low latency and higher density. Niklas Nielsen discusses the challenges and complexities of workload colocation, why solving these challenges matters to your business no matter the size, and how Intel intends to help smarter resource allocations with its latest tooling capabilities and Kubernetes.
The document provides steps for crafting payloads to hack traffic light systems for physical attacks with catastrophic consequences. It introduces the authors and their backgrounds in embedded security and cyber-physical exploitation. It then outlines the stages of control, access, discovery, control and damage when attacking a traffic light system, and provides demonstrations of exploiting the CybatiWorks traffic light kit to force light states, conduct stale data attacks, modify timers to speed up lights, and modify control logic. It stresses the need for cleanup to blind operators of the real system state using man-in-the-middle techniques.
This document provides an overview of assessing cybersecurity in Estonia's modern digital era. It discusses CERT-EE's role in responding to cyber incidents, inventorying systems and objects under their purview. It also covers philosophies around balancing technical monitoring with freedom of information and partnerships between CERT, law enforcement, and other organizations. Key considerations discussed include distinguishing between technical and content controls as well as protecting private data like IP addresses.
The document summarizes hacking techniques used by hackers:
1) Hackers perform reconnaissance like scanning public information, networks, and systems to find vulnerabilities.
2) This allows them to gain initial access, often by exploiting configuration or software errors.
3) They then use this initial access to get further system privileges or access additional machines.
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020) - mike parks
Work-in-Progress!
IoT Cyber+Physical+Social Security
An encyclopedic compendium of tools, techniques, and practices to defend systems that sit at the intersection of the cyber and physical domains; chiefly building automation systems and the Internet of Things.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh... - CODE BLUE
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc) - sequi_inc
Presentation for Industrial Control Systems Joint Working Group (ICSJWG).
This presentation will lend insight to IEEE 1711-2010, a standard for securing substation serial-based SCADA assets, and its applicability across industry sectors: electric, oil, gas, water, and chemical. Also addressed are the benefits of its implementation on legacy retrofits, SCADA link management, and integrating legacy systems and Ethernet IP SCADA networks.
This document provides an overview of Unix rootkits, including their functionality, types, usage trends, and case studies of captured rootkits. Rootkits aim to maintain access, attack other systems, and conceal evidence. They are implemented through binary, kernel, and library techniques. Case studies examine the SA binary kit, the W00tkit kernel kit, and the RK library kit to illustrate rootkit techniques and evolution over time. The document concludes that rootkits combine tools to establish hidden, persistent access and attack other machines while avoiding detection.
The document summarizes distributed denial of service (DDoS) attacks and defenses against them. It provides an overview of DDoS attacks, describes several common DDoS tools (Trinoo, TFN, TFN2K, Stacheldraht), and discusses challenges in defending against them. It also presents a case study of a DDoS attack against the website GRC.com and the difficulties they faced in getting help stopping the attacks. The document advocates for coordinated technical solutions and consistent incentive structures to defend against DDoS attacks.
A client-side vulnerability under the microscope! - Nelson Brito
Understanding reverse engineering using MS08-078. This presentation is an updated version of a previous series of presentations, which shows a practical methodology to perform reverse engineering... The approach can be applied more broadly to any/most of the vulnerabilities targeting client-side applications.
For further details and information, please refer to:
- http://www.vimeo.com/nbrito
- https://www.slideshare.net/nbrito01/inception-support-slides
Infrastructure Attacks - The Next generation, ESET LLC - Infosec Europe
The document discusses the Stuxnet malware attack and its implications. It analyzes how Stuxnet used multiple zero-day vulnerabilities to target Siemens industrial control systems. While initially semi-targeted, its promiscuous spreading demonstrated how infrastructure attacks could be conceived on a massive scale. The attack highlighted vulnerabilities in critical systems and their connections to other networks. It established a template for sophisticated cyberattacks against infrastructure that governments and security professionals must address.
Contiki introduction II - from what to how - Dingxin Xu
The document discusses the Contiki operating system framework, including how it uses processes and events for scheduling work, inter-process communication using event posting, and how modules like Rime and the TDMA MAC layer separate protocol logic from header construction and buffer management for flexible networking implementations. Key data structures include a process list and event queue that the kernel uses to schedule work across asynchronous processes.
This presentation is based on research I published in 2015 that dealt with Mach-O malware and the growing visibility of macOS as a new target. In this new research, the idea is to show some tips about internals, the kernel and the main threats macOS has been facing.
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis - Pietro De Nicolao
Presentation of paper "LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis" for the course of Advanced Topics in Computer Security of prof. Stefano Zanero.
Source and further information: https://github.com/pietrodn/lo-phi
AppSec PNW: Android and iOS Application Security with MobSF - Ajin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
- Using MobSF for static analysis of mobile applications.
- Interactive dynamic security assessment of Android and iOS applications.
- Solving Mobile app CTF challenges.
- Reverse engineering and runtime analysis of Mobile malware.
- How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk - Fwdays
In this talk we will discuss DDoS protection tools and best practices, network architectures, and what AWS has to offer. We will also look into one of the largest DDoS attacks on Ukrainian infrastructure, which happened in February 2022. We'll see what techniques helped keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on the Ukraine experience.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application... - Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
HCL Notes and Domino License Cost Reduction in the World of DLAU - panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered:
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Driving Business Innovation: Latest Generative AI Advancements & Success Story - Safe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Introduction of Cybersecurity with OSS at Code Europe 2024 - Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers - akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an... - Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Main news related to the CCS TSI 2023 (2023/1695) - Jakub Marek
An English 🇬🇧 translation of the presentation for the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092
The video recording (in Czech) of the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Fueling AI with Great Data with Airbyte Webinar - Zilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
8. [Diagram: Prime minister website: http://www.pm.gov.tn; Central Bank: http://www.bct.gov.tn; Justice minister: http://www.e-justice.tn; address blocks 193.X.X.X and 196.X.X.X; Domain Name System: DNS; Mailing: SMTP and POP/IMAP]
20. [Diagram: Original PE vs. PE after infection. In the PE Header, _IMAGE_NT_HEADERS -> _IMAGE_OPTIONAL_HEADER -> AddressOfEntryPoint. Original PE: EntryPoint 0x0040A0FE (_main). PE after infection: EntryPoint 0x004FF3FE (injected code), while _main remains at 0x0040A0FE.]
21. [Diagram: PE File on disk vs. In memory. Both views show DOS Header, NT Header, Section Table, .text section, .data section, .reloc section and other sections, laid out toward Higher Offsets; the on-disk file additionally contains Unmapped Data that is not loaded into memory.]
57. [Diagram: system call flow. Call ReadFile(…, …, …) -> Call NtReadFile(…, …, …) -> int 2E or SYSENTER or SYSCALL -> Dismiss interrupt -> Call NtReadFile(…, …, …) -> Execute the operation -> Return to the caller -> Return to the caller.]
65. Estonia / Russia *
66. Georgia / Russia *
67. United States of America / Iran *
* From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Scott J. Shackelford
73. S7otbxdx.dll
[Diagram: Original Instructions vs. Injected STEP 7 Code placed by the New DLL. STL fragments shown: M117: L LW0 / L 164 / <= / SPBN M101, and M117: L LW0 / L 164.]