
Sources & Methods Newsletter #16 - January 2024

Happy New Year! I hope your holidays were restful and you're ready to get back to it. At the risk of sounding cheesy, we know the adversaries are, so beat them to the punch.

Good luck,

Matthew Conway (@mattreduce)

πŸ“ Sources

Unprotect Project - Actively maintained knowledge base for evasion and obfuscation techniques used in malware. It includes code examples in multiple languages, something both red and blue teams can appreciate.

📰 Information

John Doyle - Helping CTI Analysts Approach and Report on Emerging Technology Threats and Trends (Part 2) #writing #trending

Jamf - Jamf Threat Labs discovers new malware embedded in pirated applications #macOS #malware

Troy Hunt - Inside the Massive Naz.API Credential Stuffing List #identity #credentials #stealers

Maltego - Improving your Intelligence Analysis with Structured Analytic Techniques #tradecraft #SAT

Adam Shostack - Threat Modeling Capabilities Released #threatmodeling #maturity

Red Canary - MSIX installer malware delivery on the rise across multiple campaigns #operational #TTPs #Windows

MITRE - Enriching Threat Intelligence with Mappings #defenses #actionability

Insikt Group - Leaks and Revelations: A Web of IRGC Networks and Cyber Companies [PDF] #strategic #Iran #IRGC #longreads

Filigran - OpenCTI for disinformation #tooling #disinformation

Freddy Murstad - Foresight Analysis: The Magic Eight Ball of Intelligence Analysis #strategic #foresight

🛠 Tools



A very interesting use of generative AI applied to CTI. Query MITRE ATT&CK's Groups dataset like a chatbot with Retrieval Augmented Generation (RAG). Note that it requires an OpenAI API key.



Here's a brand new tool from Project Discovery called cvemap. It helps you navigate and map CVE data to proof of concept exploits, CISA Known Exploited Vulnerability data, bug bounty reports and more.



Rapid PowerUp for Vertex Synapse for checking file hashes against multiple databases of known files, including the NSRL RDS.



Use holehe to discover online accounts based on an email address.



Working with Sublime Security's Message Query Language (MQL)? Here's a Visual Studio Code extension you can use with MQL to define phishing rules for alerting and hunting.



JSON and grep: depending on your role, both are indispensable but they mix like oil and water. Unless you use gron, which makes it easy to grep for parts of JSON data line-wise and see the path to that data. It makes your task easier whether you're quickly exploring an API or a dataset.

💡 Tip

Don't forget to spend time building your technical knowledge, or maintaining it if you've been doing this a long time. That'll help you make sound connections and impactful recommendations, and isn't that the whole point?

📆 Events


πŸ“ Berlin, DE
🏒 Mercure Hotel MOA
πŸ“Š April 15-17
πŸ”— https://www.first.org/conference/firstcti24/


CFP for workshops, villages, and BoFs will close on February 5, 2024

📍 San Francisco, CA, US
📊 Conference May 4-5
🔗 CFP https://bsidessf.org/cfp


πŸ“ Arlington, VA, US
πŸ“Š Conference May 24
πŸ”— https://www.sleuthcon.com/