Thomas Strömberg

82 issues by Thomas Strömberg

https://github.com/kubo/injector mentioned in https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/

https://github.com/ldpreload/Medusa mentioned here: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/

seen with teleport 16.0.3 - https://github.com/wolfi-dev/os/pull/22915

```
usr/local/bin/teleport [🚨 CRITICAL]
-----------------------------------------------------------------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                                EVIDENCE
-----------------------------------------------------------------------------------------------------------------------------------------------
HIGH  combo/dropper/shell   fetches content and pipes it to a shell    curl -s -L %s|...
```

```
HIGH  combo/backdoor/net_term          pseudoterminal and tunnel support
HIGH  combo/degrader/selinux_firewall  selinux firewall
HIGH  combo/exploit/breakout           probable container escape
HIGH  evasion/xor/commands             commands obfuscated using xor
HIGH  procfs/pid/fd                    accesses file descriptors of other processes
...
```

Seen at https://github.com/wolfi-dev/os/pull/22990

```
$ bincapz --min-risk=4 app
app/superset/static/assets/de4c3f61ea16e0647411.chunk.js [🚨 CRITICAL]
----------------------------------------------------------------------------
RISK  KEY                        DESCRIPTION                                                                      EVIDENCE
----------------------------------------------------------------------------
CRIT  3P/elceef/html/smuggling   Generic detection for HTML "click" smuggling (T1027.006), by [email protected]   "download" "msSave...
```

```
cies/org/apache/derby/derbyclient/10.15.2.1/derbyclient-10.15.2.1.jar ∴ org/apache/derby/client/am/ClientPreparedStatement.class [🚨 CRITICAL]
------------------------------------------------------------------------------------------------
RISK  KEY                                 DESCRIPTION                                                                                  EVIDENCE
------------------------------------------------------------------------------------------------
CRIT  3P/elastic/creddump/keychainaccess  Detects Macos Creddump Keychainaccess (Macos.Creddump.KeychainAccess), by Elastic Security   chainBreaker
------------------------------------------------------------------------------------------------
/home/t/packages/x86_64/logstash-integration-jdbc-5.4/usr/share/jruby/lib/ruby/gems/shared/gems/logstash-integration-jdbc-5.4.10/vendor/jar-dependencies/org/apache/derby/derbyclient/10.15.2.1/derbyclient-10.15.2.1.jar ∴ org/apache/derby/client/am/ClientStatement.class [🚨...
```

```
/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-fentry.o [🚨 CRITICAL]
-----------------------------------------------------------------------------------
RISK  KEY                        DESCRIPTION                            EVIDENCE
-----------------------------------------------------------------------------------
CRIT  evasion/fake/process/name  Pretends to be a kworker kernel thread  kworker
-----------------------------------------------------------------------------------
/home/t/packages/x86_64/datadog-agent-oci-compat-7.54/opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-syscall-wrapper.o [🚨 CRITICAL]
-----------------------------------------------------------------------------------
RISK  KEY                        DESCRIPTION                            EVIDENCE...
```

These 3 samples should be sufficient:

* https://github.com/jm33-m0/emp3r0r
* https://github.com/onhexgroup/Malware-Sample/blob/main/aclocal.m4_caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c.zip
* https://github.com/MalwareSamples/Linux-Malware-Samples/blob/main/1794cf09f4ea698759b294e27412aa09eda0860475cd67ce7b23665ea6c5d58b

GitHub /files/ links include comment attachments, meaning that anyone can upload a file that looks like it's official to a particular repository. Due to the opaqueness of who uploaded what,...

**Description**

I'm sure I'm holding this tool incorrectly, but I tried to guess how to use `wolfictl advisory create` in lieu of more elaborate documentation. Here's what I ran: `wolfictl...

Labels: bug, needs-triage