Closed w0rk3r closed 10 months ago
Has progress been started on this @w0rk3r? Any status updates?
Closing this one as completed, the only task scoped which I'm postponing to a second phase is the malware score one. Once we promote the new BBR rules and have enough telemetry I'll work on it.
Summary
Explore opportunities to detect masquerading and suspicious processes on commonly used business apps such as communication apps, browsers, and Windows native applications and processes.
Goals
Resources:
https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-page-impersonating-slack-website-customer-798
https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign
Task Details
Select a pool of Communication Apps to get started
Select a pool of Browsers to get started
Analyze Windows Signatures on specific paths, such as system32
Used Sigcheck to extract information about executables on System32 that come in clean installs of Win10, Win11, Windows Server 2016, Windows Server 2019, and Windows Server 2022, then did some Python stuff to convert this output to JSON; those can be found here in their original format, and here in JSON.
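As an added illustration of the baseline-and-compare idea behind this task (example code, not from the issue or the detection-rules project): it parses constructed rows in the shape of `sigcheck -c` output (column subset assumed), emits the JSON baseline, and flags a process event whose file name matches a System32 binary but whose path, signature status or publisher does not. The event field names (`image`, `verified`, `publisher`) are hypothetical.

```python
import csv
import io
import json
from pathlib import PureWindowsPath

# Constructed rows in the shape of `sigcheck -c` output (assumed column subset);
# the real baseline would come from the clean-install System32 dumps described above.
SIGCHECK_CSV = """Path,Verified,Publisher,Description
C:\\Windows\\System32\\svchost.exe,Signed,Microsoft Windows,Host Process for Windows Services
C:\\Windows\\System32\\cmd.exe,Signed,Microsoft Windows,Windows Command Processor
C:\\Windows\\System32\\lsass.exe,Signed,Microsoft Windows,Local Security Authority Process
"""


def build_baseline(csv_text):
    """Map lowercase file name -> expected path/signature/publisher from sigcheck CSV."""
    baseline = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = PureWindowsPath(row["Path"]).name.lower()
        baseline[name] = {
            "path": row["Path"].lower(),
            "verified": row["Verified"],
            "publisher": row["Publisher"],
        }
    return baseline


def baseline_to_json(baseline):
    """Serialise the baseline the way the task describes (sigcheck output -> JSON)."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def check_process(event, baseline):
    """Return masquerading indicators for one process event (hypothetical field names)."""
    name = PureWindowsPath(event["image"]).name.lower()
    expected = baseline.get(name)
    if expected is None:
        return []  # name not in the baseline: nothing to compare against
    findings = []
    if event["image"].lower() != expected["path"]:
        findings.append("path_mismatch")        # known name, unexpected directory
    if event.get("verified") != expected["verified"]:
        findings.append("signature_mismatch")   # e.g. unsigned copy of a signed binary
    if event.get("publisher") != expected["publisher"]:
        findings.append("publisher_mismatch")   # signed, but not by the expected publisher
    return findings
```

A real rule would also key on the original file name from the version resource, since a renamed copy keeps the expected name only on disk.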
PRs