Sources & Methods Newsletter #13 - October 2023

📁 Sources

Living off the Foreign Land Cmdlets and Binaries - In the style of LOLBins, a collection of trusted Microsoft code that can be used against remote systems through compromised hosts, not on them—away from EDR visibility. The first in a series of articles explaining their use is under Information this month.

📰 Information

Amitai Cohen - Thrunting Grounds: When are IOCs not IOCs? Join me on a pedantic adventure #indicators #observables #hunting

SentinelOne - macOS Malware 2023 | A Deep Dive into Emerging Trends and Evolving Techniques #macOS #malware #trends

BITSADMIN - Living Off the Foreign Land - Part 1/3: Setup Linux VM for SOCKS routing #Windows #tradecraft

Mandiant - Assessed Cyber Structure and Alignments of North Korea in 2023 #strategic #analysis #DPRK

Chris Bronk, Nathan Jones - Cyber Cases: The PICCA Framework for Documenting Geopolitically Relevant Cyber Action #analysis #frameworks #papers

Akamai - How Account Opening Abuse Affects 6 Industries #abuse #impact

UK NCSC - Ransomware, extortion and the cyber crime ecosystem #strategic #analysis #extortion #ecosystems

Randolph H. Pherson - The Five Habits of the Master Thinker #analysis #tradecraft #papers

tl;dr sec - An Overview of Software Supply Chain Security #supplychain #explainer

🛠 Tools
TEx ("Telegram Explorer") is a background agent-based system for collecting data, media, and metadata from Telegram.

SaaS Attack Matrix


MITRE ATT&CK-esque matrix of software-as-a-service (SaaS) attack patterns that, unlike ATT&CK, includes techniques that may not have been observed in the wild or cited in reports.
CLI- and web-based tool that'll guess a CPE name from keywords, which you can then use to search for CVEs.
Open source RSS feed aggregator and reader, also compatible with native desktop and mobile applications.

Name Variant Search Tool


Open source web-based tool for generating plausible variations on a person's name along with quick links to search by those variations. For example, from "John Michael Smith," the tool generates alternate names like "Jon M Smith" and "Johnny Smith."
Vertex Synapse Power-Up that integrates with IOCParser to extract atomic IOCs from text like so:

ex.iocparser.text "example.com"

...or even content located at a URL:

[inet:url=https://pylos.co/2022/11/23/detailing-daily-domain-hunting/] | ex.iocparser.url --yield

📆 Events

ATT&CKcon 4.0

📍 McLean, VA, US & Virtual
📊 Conference Oct 24-25
🏢 MITRE campus
🔗 https://www.mitre.org/events/attckcon-40
📍 Arlington, VA, US
📊 Conference Nov 9
🏢 Hyatt Regency Crystal City
🔗 https://www.cyberwarcon.com/