Kyle Eaton
@0xkyle
Followers: 1K · Following: 5K · Media: 248 · Statuses: 621
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. We use this tool internally to help track multiple threat actors with
0
45
164
On this DISCARDED episode, we uncover real-world detection wins, explore persistent threats like #TA505 and #Emotet, and dive into the importance of instincts in cybersecurity—because, as our guest puts it, sometimes good detection is all about the vibes. https://t.co/stWpG8ubo7
0
5
12
https://t.co/Tl8mp0dd9A Also expecting to see indiandefenceforces[.]link soon
0
0
3
Haven’t seen PDFs yet but new domain popped up: defenceindia[.]link
0
0
1
Write-up on an interesting detection problem (and solutions!) with zip files. #yara included
Threat actors have been using zip file concatenation to attempt evading detection by security tools ( https://t.co/QdSYO5Tmb0). These concatenated or nested zip files can pose a unique detection challenge.
0
1
7
So, if we want to detect these concatenated zips, we should focus on the last EOCD, and make sure that the bytes at the PKCD offset are not the PKCD header. Yara: https://t.co/jwkmYRujaU.
github.com
Proofpoint - Emerging Threats - Threat Research tools + publicly shared intel and documentation - EmergingThreats/threatresearch
0
5
7
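A worked version of the check described in the tweet above, added here as an example; it is not part of the original post and not the YARA rule linked from it. It finds the last EOCD record, reads the central directory offset that record claims, and tests whether a central directory file header (the "PKCD" header, signature PK\x01\x02) actually sits there. It also goes one step beyond the tweet: in a plain archive the central directory ends exactly where the EOCD begins, so comparing the claimed offset with that real start gives the number of prepended bytes, which catches two concatenated archives even when their layouts are identical and the tweet's byte check alone would pass. The sample archives (DECOY, HIDDEN, the member names and contents) are constructed inline with Python's zipfile module and are placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDFH_SIG = b"PK\x01\x02"  # central directory file header ("PKCD" in the tweet)
EOCD_LEN = 22             # fixed part of the EOCD; a comment of up to 0xFFFF bytes may follow


def find_last_eocd(data: bytes) -> int:
    """Offset of the last EOCD record, or -1. It must sit in the final 22 + 65535 bytes."""
    return data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - 0xFFFF))


def parse_eocd(data: bytes, idx: int) -> dict:
    """Decode the fixed little-endian fields of the EOCD record at idx."""
    _sig, _disk, _cd_disk, _on_disk, total, cd_size, cd_offset, comment_len = struct.unpack(
        "<4sHHHHIIH", data[idx:idx + EOCD_LEN])
    return {"total_entries": total, "cd_size": cd_size,
            "cd_offset": cd_offset, "comment_len": comment_len}


def analyze_zip(data: bytes) -> dict:
    """Flag archives whose last EOCD points at a central directory that is not where it claims."""
    idx = find_last_eocd(data)
    if idx < 0 or len(data) < idx + EOCD_LEN:
        return {"verdict": "no-eocd"}
    eocd = parse_eocd(data, idx)
    claimed = eocd["cd_offset"]
    # The tweet's check: are the bytes at the claimed offset a central directory file header?
    sig_ok = data[claimed:claimed + 4] == CDFH_SIG
    # Stronger check: in a plain (non-ZIP64) archive the central directory ends exactly where
    # the EOCD starts, so its real start is idx - cd_size. Any difference is bytes that were
    # prepended to this archive, e.g. a whole other zip.
    shift = (idx - eocd["cd_size"]) - claimed
    return {
        "verdict": "clean" if sig_ok and shift == 0 else "concatenated-or-prefixed",
        "last_eocd": idx,
        "claimed_cd_offset": claimed,
        "signature_at_claimed_offset": sig_ok,
        "prefix_bytes": shift,
        "eocd_records": data.count(EOCD_SIG),  # more than one is a strong hint on its own
    }


def trailing_archive_names(data: bytes) -> list:
    """What Python's zipfile sees: it compensates for the shift and reads the last archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample archive with a single stored member (not from the page)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a harmless archive with a second archive appended to it.
DECOY = build_zip("readme.txt", b"nothing to see here\n")
HIDDEN = build_zip("invoice.js", b"// constructed placeholder, not real malware\n")
CONCATENATED = DECOY + HIDDEN

if __name__ == "__main__":
    for label, blob in (("decoy", DECOY), ("concatenated", CONCATENATED)):
        print(label, analyze_zip(blob))
    print("zipfile lists:", trailing_archive_names(CONCATENATED))
```

Run stand-alone it reports DECOY as clean and the concatenation as shifted by exactly len(DECOY) bytes, with the claimed offset landing in the middle of the first archive's central directory rather than on a PK\x01\x02 header. Python's own zipfile module quietly compensates for that shift and lists only invoice.js, which is the practical point: which archive a tool "sees" depends on which EOCD it trusts and whether it corrects the offset, so a scanner should examine both halves rather than whichever one its library happens to open.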
My new blog dropped!!
proofpoint.com
Key takeaways Proofpoint has observed an increase in cryptocurrency fraud that impersonates various organizations to target users with fake job lures. Researchers assess
⚠️ Cybercriminals are impersonating well-known companies using job-themed lures. ⚠️ Proofpoint assesses w/ high confidence that these scams are linked to threat actors conducting "Pig Butchering," a type of #cryptocurrency investment #fraud. Learn more: https://t.co/h7nBpz09DM
0
5
12
The iconic and legendary @pmelson on the Microsoft threat intel podcast 👀 https://t.co/Z8fTlyJBX3
podcasts.apple.com
Podcast Episode · Microsoft Threat Intelligence Podcast · 04/24/2024 · 43m
1
0
8
#100DaysOfYara Still on PDFs, here we have a quick rule to ID the PDF version, not pretty because it's the hex value, but you can eyeball it (0x30 -> 0, etc.). And chain this with some grep/sort and you get nice output over the breakdown of PDFs.
1
3
6
I think the new version should work better, most PDFs I've seen without comments jump right into object 1 (they don't have to though...) Quickly checking for overlaps in PDF comment values with this one:
1
1
3
#100DaysOfYara Okay, way behind, but what I'm thinking is each rule will just be something I'm thinking about. Today that's PDF files and their comment fields. I previously thought that checking byte 8 for a 0x0d would suffice, but that's not working. Testing a new version:
1
3
8
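As an added example covering the three #100DaysOfYara posts above (it is not from the tweets and not their YARA rules), here is a small Python profiler that does in code what those rules do in YARA: read the %PDF-M.m version from the header, record which line ending follows it, and capture the comment line after the header if there is one, instead of assuming a fixed byte such as byte 8 holds a 0x0d. It also tolerates a header that does not sit at offset 0 (Acrobat accepts one anywhere in the first 1024 bytes) and builds the per-version and per-comment breakdown the tweet gets from grep and sort. Every sample is a constructed header fragment, not a real file; the four-byte binary comments are illustrative of the high-bit comment the PDF spec recommends after the header.

```python
import re
from collections import Counter

HEADER_RE = re.compile(rb"%PDF-(\d\.\d)")
EOL_RE = re.compile(rb"\r\n|\r|\n")
EOL_NAMES = {b"\r\n": "CRLF", b"\r": "CR", b"\n": "LF"}


def profile_pdf(data: bytes) -> dict:
    """Header version, the EOL that follows it, and the first comment line after the header."""
    # Acrobat tolerates the header anywhere in the first 1024 bytes, so search; do not assume 0.
    m = HEADER_RE.search(data, 0, 1024 + 8)
    if m is None:
        return {"version": None, "header_offset": None, "eol": None, "comment_hex": None}
    eol_m = EOL_RE.search(data, m.end())
    if eol_m is None:  # header with nothing after it
        return {"version": m.group(1).decode(), "header_offset": m.start(),
                "eol": None, "comment_hex": None}
    next_eol = EOL_RE.search(data, eol_m.end())
    line = data[eol_m.end():next_eol.start() if next_eol else len(data)]
    # Only a line that starts with '%' is a comment; many files go straight to "1 0 obj".
    comment = line[1:] if line.startswith(b"%") else None
    return {
        "version": m.group(1).decode(),
        "header_offset": m.start(),
        "eol": EOL_NAMES[eol_m.group(0)],
        "comment_hex": comment.hex() if comment is not None else None,
    }


def summarize(samples: dict) -> dict:
    """The grep | sort | uniq -c view: how many files per version and per comment value."""
    versions, comments = Counter(), Counter()
    for data in samples.values():
        p = profile_pdf(data)
        versions[p["version"]] += 1
        comments[p["comment_hex"]] += 1
    return {"versions": dict(versions), "comments": dict(comments)}


# Constructed header fragments (not real files); the binary comment bytes are illustrative.
SAMPLES = {
    "crlf_binary_comment": b"%PDF-1.7\r\n%\xe2\xe3\xcf\xd3\r\n1 0 obj\r\n<< /Type /Catalog >>\r\nendobj\r\n",
    "lf_binary_comment": b"%PDF-1.4\n%\xc7\xec\x8f\xa2\n5 0 obj\n<< /Length 0 >>\nendobj\n",
    "cr_no_comment": b"%PDF-1.5\r1 0 obj\r<< /Type /Catalog >>\rendobj\r",
    "junk_before_header": b"\x00\x00\x00\x00GARBAGE\n%PDF-1.3\n%\xd0\xd4\xc5\xd8\n2 0 obj\n",
    "ascii_comment": b"%PDF-1.6\n%Created by a constructed sample\n1 0 obj\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:22} {profile_pdf(blob)}")
    print(summarize(SAMPLES))
```

The cr_no_comment sample is the case the second tweet describes: nothing but a lone 0x0d after the version, then "1 0 obj" with no comment at all, so a rule keyed to a fixed byte position either misses it or misreads the object line as the comment. The junk_before_header sample shows why the version should be located by searching rather than by offset; a header that starts at byte 12 still opens in Acrobat, and a rule anchored at byte 0 would never fire on it.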