Top Tweets for #SwearEngine
Reference to Kaspersky blog that I gave an example rule based on: https://t.co/6xsIZwuZB8
Link to Steve's thoughts on #SwearEngine: https://t.co/TKFWfBsxq5
(the swear engine does make me laugh, while simultaneously being a great idea for finding new samples!)
The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting

@stvemillertime Looks like #mustangpanda is trying to evade #SwearEngine lol https://t.co/WErywjSzN2 (third debug string)
You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.
Lastly, it should go without saying all my greatest expertise and insights from all my cyber experience manifested in the most genius detection of all time, #SwearEngine, a YARA rule designed to detect files with at least one single "fuck".
https://t.co/XTCi9XBV3A
Question for threat intel folks: what are your favorite YARA rules?
Can be one you wrote which led to a cool discovery, or one someone else wrote which helped uncover a significant or important APT campaign.
Turns out, this rule was good at finding Meterpreter and Meterpreter stagers. But what about those 3 uncategorized samples? Looks like more Meterpreter to me! I did the first two for you, see if you can spot the C2 in the third screenshot. 🤣 #SwearEngine

You might also want to exclude "sonyguysfuckpipe", which shows up in this Google Brotli dictionary https://t.co/xptMIXUYsw https://t.co/B1xkaK0YTv cc my thanks to @mikko @Hexacorn #SwearEngine(TM)
@sepinwall McShane as Swearengen recounting his horrific upbringing while being “serviced” by one of his employees (Season 1, end of Ep 11, I believe) is arguably as great a piece of acting as any of us will ever see. #Deadwood #SwearEngine (intentional play on words by David Milch?)
Gettin’ political 🤣 #SwearEngine

#AsyncRAT SHA256: 3794538f0e3b4c499c8f5edf04fa2ee3bbf61cf51c9185ee60184d1473db6c58 C2: mrtx[.]duckdns[.]org:6606,
Here is your new #SwearEngine #dailyyara rule, very basic. Malware developers use the word shellcode in their development, to help them organize their malicious code. You can look for it in PEs and Non-PEs.
https://t.co/fO31COV7ZE

Add in some #SwearEngine for a mashup
$pcre = /\x00\x00\x00[a-zA-Z]:\\[\x00-\xFF]{0,500}(backdoor|fuck)[\x00-\xFF]{0,500}\.hpp\x00/ ascii nocase wide
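As an added illustration (not rule text from any of the tweets on this page, and not a rule published by @stvemillertime or anyone quoted here), the two ideas in this thread written out as complete YARA rules: the PE-only "at least one single 'fuck'" weak-signal rule, with the Brotli-dictionary token from the earlier tweet subtracted out, and the "shellcode" plus developer-path mashup that runs on PEs and non-PEs. The rule names, the metadata, and the count-based exclusion trick are this example's own choices.

```yara
// Added example, not the original #SwearEngine rule. Rule names,
// metadata and the exclusion handling are assumptions of this example.

rule SwearEngine_PE_weak_signal
{
    meta:
        description = "PE containing at least one 'fuck' that is not the Brotli dictionary token (weak signal, triage only)"
        reference   = "#SwearEngine"

    strings:
        $swear     = "fuck" ascii wide nocase
        // Known benign hit: a token in Google's Brotli static dictionary,
        // which is embedded in many legitimate binaries.
        $fp_brotli = "sonyguysfuckpipe" ascii wide nocase

    condition:
        // MZ header and a PE signature at e_lfanew
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        // Every dictionary token contains exactly one "fuck", so requiring
        // more $swear hits than $fp_brotli hits leaves only the genuine ones.
        #swear > #fp_brotli
}

rule SwearEngine_shellcode_devpath_mashup
{
    meta:
        description = "Developer leftovers: the word 'shellcode' or a source path naming a backdoor/fuck .hpp; not limited to PEs"
        reference   = "#SwearEngine #dailyyara"

    strings:
        $shellcode = "shellcode" ascii wide nocase
        // Drive-letter path, up to 500 bytes each side of the keyword,
        // ending in .hpp and NUL-terminated, preceded by three NUL bytes.
        $devpath   = /\x00\x00\x00[a-zA-Z]:\\[\x00-\xFF]{0,500}(backdoor|fuck)[\x00-\xFF]{0,500}\.hpp\x00/ ascii nocase wide

    condition:
        $shellcode or $devpath
}
```

Run with `yara -r swearengine.yar samples/` (assumed file name). Treat hits as a triage queue rather than a verdict: the thread itself notes that the plain rule surfaces Meterpreter stagers and ordinary developer profanity alongside APT tooling, so the count-based exclusion only removes one known dictionary source, not every benign hit.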

Perhaps akin to #SwearEngine, but from a totally different angle. These Bad Words are a fun place to start looking for critical areas of code functionality. Sweet blog, thank you @willbtlr.
I wrote a post about finding vulnerabilities in code using concentrations of "bad words":
https://t.co/9ViEi8LH7D
Which words should we add to this list?

Someone's been busy improving their implant this summer!? search for the nice pdb if you want some more.
https://t.co/6TFYOGnpwB
...
Malware author can be caught via @stvemillertime's #SwearEngine 🤬 in the beacon loader string ops:
- "fuckingpieceofshitfuck"
- "bobisanassholebbfuck"
C2 Involved:
http://116.85.25[.]159:12358
http://39.101.207[.]158:12358
(2/2)
Whenever I see an actor manually select variable names in obfuscated loaders instead of using automated/randomized names, I'm inevitably reminded of @stvemillertime and #SwearEngine. 🤣

@HackingLZ @securitydoggo @vysecurity @domchell @a_tweeter_user @awscloud @tucows @sec_consult @bry_campbell That’s just 20 vendors that should license @stvemillertime’s #SwearEngine
