I want to briefly explain the cycle the Hunter module uses to ingest offensive tradecraft.
Step 1: Signatures are distilled by extracting features from already ingested tradecraft that the engine deems relevant. Features include text-processing features, API calls and system binaries.
Step 2: These features are refined and handed to the Hunter module, which searches a vast number of social platforms for matching signatures.
Step 3: When similar tradecraft is found, it is distilled in the same fashion and the cycle repeats.
The example tradecraft linked below reinforces our last post regarding the ongoing, widespread adoption of direct syscall use.
gitjdm/dumper2020: Yet another LSASS dumper (github.com)
Syscalls & Cobalt Strike:
Implementing Syscalls In The Cobaltstrike Artifact Kit – bs – no bs (br-sn.github.io)
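As an added illustration of the three-step cycle above (this is not code from the engine or the Hunter module; the sample texts are constructed, and the feature classes, weights and threshold are assumptions), a minimal distill / refine / hunt loop over three short posts:

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample texts standing in for ingested tradecraft and for posts the
# hunter would see on social platforms; none is taken from a real post.
INGESTED = ("Yet another LSASS dumper: opens lsass.exe via NtOpenProcess and "
            "reads it with NtReadVirtualMemory using direct syscall stubs.")
CANDIDATE = ("Loader rewrite: NtOpenProcess on lsass.exe, NtReadVirtualMemory "
             "through hand-rolled syscall stubs, no Win32 imports.")
UNRELATED = ("Weekend project: a rundll32.exe wrapper that launches notepad.exe "
             "with the arguments you pass on the command line.")

NATIVE_API = re.compile(r"\b(?:Nt|Zw)[A-Z][A-Za-z0-9]+")       # native API names (direct syscall targets)
SYS_BINARY = re.compile(r"\b[\w-]+\.(?:exe|dll|sys)\b", re.I)  # system binaries / modules
WORD = re.compile(r"[a-z]{4,}")                                # plain text tokens
WEIGHTS = {"api": 0.5, "binary": 0.3, "text": 0.2}             # assumed class weights

Signature = Dict[str, Set[str]]

def distill(text: str) -> Signature:
    """Step 1: extract the three feature classes the post names."""
    return {
        "api": set(NATIVE_API.findall(text)),
        "binary": {m.lower() for m in SYS_BINARY.findall(text)},
        "text": set(WORD.findall(text.lower())),
    }

def refine(sig: Signature, baseline: Signature) -> Signature:
    """Step 2 (refine): drop free-text tokens that also occur in unrelated
    material, so only distinctive wording survives in the signature."""
    return {k: (v - baseline["text"] if k == "text" else set(v)) for k, v in sig.items()}

def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

def match_score(sig: Signature, candidate: Signature) -> float:
    """Step 2 (hunt): weighted overlap of a candidate's features with the signature."""
    return sum(WEIGHTS[k] * jaccard(sig[k], candidate[k]) for k in WEIGHTS)

def hunt(sig: Signature, posts: List[str], threshold: float = 0.3) -> List[Tuple[float, str]]:
    """Return posts whose score clears the threshold. Each hit is distilled in
    turn (step 3), which is what closes the cycle."""
    hits = []
    for post in posts:
        score = match_score(sig, distill(post))
        if score >= threshold:
            hits.append((round(score, 2), post))
    return hits

if __name__ == "__main__":
    signature = refine(distill(INGESTED), distill(UNRELATED))
    for score, post in hunt(signature, [CANDIDATE, UNRELATED]):
        print(f"{score:.2f}  {post[:60]}...")   # prints 0.86 for CANDIDATE only
```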
#cyberthreatintelligence #infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam