Top Tweets for #AdversaryMethods
🔥This team is doing great work impacting not just @Mandiant Intelligence, but also @Google products. If you live that YARA life and want to throw down on a dedicated detection engineering role, we want to hear from you!🔥 #adversarymethods #100daysofyara #yara #cybersecurityjobs
I'm excited to announce that I'm hiring two Detection Engineers for the Mandiant Detection Engineering Team! Come build detections at a global scale for cutting edge threats on an amazing team.
Apply here https://t.co/ZPcLU982kP
#DetectionEngineering #Mandiant #Detection
I love to see the fantastic contributions from the @Mandiant Intelligence #AdversaryMethods Research & Discovery team! Identifying and classifying attacker methodologies at scale! 🔥🔥
capa v6 released with 26 new rules, including: shellcode techniques, mailslot interaction, service manipulation, exchange plug-ins, and AMSI & ETW patching.
https://t.co/FtEmEdU6tW
🔥New research technique!🔥 Pivot and cluster on malicious Chrome extensions and Android apps based on their requested permissions. Jared did great work here - give the blog a read and start using Permhash on @virustotal❗️ @mandiant #adversarymethods
🔥Permhash is a repeatable and scalable method to cluster, hunt for, and pivot between browser extensions, APKs, and other files that declare a set of permissions.
📝 https://t.co/m14GdJeOLx
🌐 https://t.co/xq10PRtqDB
🐍 https://t.co/VmZx8Hdwyi
6/8 This is all tied to @reesespcres findings, who found some of our first live PEs related to this cluster https://t.co/2BFns7wWb4
I've also been coming across it for the last six months because this GODLUA stuff employs so many fun #adversarymethods: https://t.co/7YMxuf8Nbo
Fun find of the day that uses several #adversarymethods: da83ba146c77d3d947fc564d8aecf499
1) DoH to https://t.co/kuQrqRw438
2) Downloads shellcode (?) from fullmeshnet\.eu
3) Masquerading as MingW-W64
4) User agent Mozilla/5.0 (i686-iamsatan-mingw32)
Real pe arch is i666 :D :D

THREAD: new GODLUA compiled Oct/Nov 2019. Appears to be evolution of mal fam with new capas and #adversarymethods.
🆕 DNS over HTTPS (DoH) to *seven* different DoH services
🆕Support for KCP ("A Fast and Reliable ARQ Protocol")
🆕NEW! Root CA shenanigans?
1/8
One thing that passive backdoors sometimes do that active backdoors do not is respond to scans or requests to their open ports. You'll sometimes see PEs with hard-coded strings to mimic web server 404 responses to requests that dont include the magic/secret key. #AdversaryMethods
In surveying #adversarymethods I often run across funny samples, such as this totally over the top #BLUEBOT (?)
C2 at attack\.s2lol\.com
PDB path of L:\Source\Botnet\obj\Release\svchosts.pdb
How often is a PE with an array of 30 User-Agents not a piece of malware or a scanner?

Fun find of the day that uses several #adversarymethods: da83ba146c77d3d947fc564d8aecf499
1) DoH to https://t.co/kuQrqRw438
2) Downloads shellcode (?) from fullmeshnet\.eu
3) Masquerading as MingW-W64
4) User agent Mozilla/5.0 (i686-iamsatan-mingw32)
Real pe arch is i666 :D :D

@stvemillertime I'm finding PDB paths with the UNC path
\\vmware-host\Shared Folders\
also have a high threat density!
#AdversaryMethods
\users\user (nocase) is one of those great #adversarymethods that transcends malware families and threat groups because very few "legit" programs are compiled on such an account or contain such a directory path in their PDB.
@andrewshead Great Q. Because it is only 4 characters, nocase will add a lot of noise. I often find fucks of various casings that appear randomly in base64 such as fUCk and FuCK. The best signal-to-noise ratio is actually around the main three fucks: "fuck" "FUCK" and "Fuck" #adversarymethods
This isn't the best example but here we see some Go path of the developed project and associated libraries. Save these paths as indexed toolmarks linked to a file object and let the clustering and tracking begin. #threathunting #adversarymethods

And now our #AdversaryMethods team is full of them: @FuzzySec @BakedSec @danielhbohannon etc. https://t.co/35Ga6sMGlG
You'd possibly mistake us for a red team... until you saw someone like me fumbling around in Kali 😁
@FuzzySec @FireEye To stay ahead of targeted attackers, we have to anticipate their next move. We are busy watching them all day, but what post-exploitation adversary methods are we missing?
Who better than @FuzzySec to help us set traps to discover & pursue the groups and techniques that matter?
Where does all this fall into @MITREattack? Is it Standard Cryptographic Protocol/T1032? Is it Remote Desktop Protocol/T1076? Is it Commonly Used Port/T1043? Is it Connection Proxy/T1090? Some #adversarymethods are multi-layered combos bringing granular TTPs together.
@shotgunner101 @avman1995 @Ledtech3 @voodoodahl1 @virustotal @360TIC @dvk01uk @James_inthe_box @JAMESWT_MHT @VK_Intel @securitydoggo @malware_traffic @cyb3rops @JayTHL @malwrhunterteam @WifiRumHam @xme @HybridAnalysis #AdversaryMethods has you covered: https://t.co/iu8AocvhsY
We love plaintext C2 beacons because:
1️⃣ They are easy to write signatures for (e.g., host/OS info)
2️⃣ Easy to immediately know infected host from a single alert/packet
👇
🆓 10+ @stvemillertime network signatures to get you started: https://t.co/RKXz03NP3y #trashtics #dailypcap
Now you can better secure your email from evasive #AdversaryMethods we've seen in-the-wild:
1⃣ Malicious archive passwords within images 🔥
2⃣ Guardrailing / environmental keying
Serious detection engineering + data science: https://t.co/vyeitv3Cy4
BRING ON THE TELEMETRY!

@cyb3rops @BarryV Loving the 3rd rule type and have found similar value.
We don't always #yara, but when we do, these #AdversaryMethods are what we work on!
Great stuff as always.

While this report is about Linux, its worth noting that OpenSSH-based backdoors are both more common and more difficult to detect than you might think in the Windows world. #adversarymethods
Really cool write-up from @ESET on OpenSSH backdoors. I particularly like how they found new malware samples based on signatures the malware operators used to detect other OpenSSH backdoors. https://t.co/5eNdExz8Zk
You may think to yourself "that is so, so dumb, I'd never do that." I think the same thing...but I also think "that is so, so dumb, and some moron is almost certainly going to do that in some horrid backdoor." And thus, methodology detections are born. #adversarymethods
Last Seen Hashtags on Sotwe
Trends for you
Most Popular Users

Elon Musk 
@elonmusk
240.7M followers

Barack Obama 
@barackobama
119.2M followers

Donald J. Trump 
@realdonaldtrump
111.7M followers

Cristiano Ronaldo 
@cristiano
111M followers

Narendra Modi 
@narendramodi
107M followers

Rihanna 
@rihanna
97.7M followers

NASA 
@nasa
92.2M followers

Justin Bieber 
@justinbieber
91M followers

KATY PERRY 
@katyperry
87.9M followers

Taylor Swift 
@taylorswift13
81.7M followers

Lady Gaga 
@ladygaga
73.2M followers

Virat Kohli 
@imvkohli
70.2M followers

Kim Kardashian 
@kimkardashian
69.9M followers

YouTube 
@youtube
68.7M followers

Bill Gates 
@billgates
64M followers

Neymar Jr 
@neymarjr
63M followers

The Ellen Show
@theellenshow
62.4M followers

CNN 
@cnn
61.9M followers

Selena Gomez 
@selenagomez
60.9M followers

X 
@x
60.8M followers







