Head of R&D @nextronsystems #DFIR #YARA #Sigma | Detection Engineer | Creator of @thor_scanner, Aurora, Sigma, LOKI, yarGen, Raccine

Frankfurt, Germany
Joined June 2013
I’m back from my one-week vacation in Mallorca, tweeps. (had my last vacation during the Follina clusterduck a year ago) Next vacation: 1 week in Switzerland 🇨🇭 in July #OffTopic tweeter.jakobs.systems/i/web/status/166…
Replying to @cyb3rops
Am I missing something obvious, or was that video actually recorded on a 10+ year old OS? If that tool really does what it claims, shouldn't it be tested against the latest OS version and hardened Defender?
We constantly get requests for our THOR legacy version that runs on Windows XP and Windows 2003, and requests for:
- Windows 2000 Server
- RHEL 4
- SuSE Linux 10.4
- Solaris 10
Florian Roth retweeted
That’s how it works
The Mr. Robot effect
TA sells tool to kill AV/EDRs for $1500.
OffSec's take: it would be better if they gave it away for free, because when you publish it and give it away for free, it won't be a problem anymore.
Benjamin Delpy:
So, a TA offers a tool that kills all EDRs/AVs, and all we got is a short video clip. All we know is it uses the HxD icon & is named "terminator". Let's write a YARA rule to detect it (& other malware using the HxD icon).
Report: linkedin.com/feed/update/urn…
YARA: github.com/Neo23x0/signature…
tweeter.jakobs.systems/i/web/status/166…
dope
SectorC: a C Compiler written in x86-16 assembly that fits within the 512 byte boot sector of an x86 machine. In a base64 encoding, it looks like this: xorvoid.com/sectorc.html
This "infection" and "backdoor" is as inventive as adding a command to .bashrc
THC RELEASE: 🔐SSH public keys can be infected 💉and backdoored.🚪 blog.thc.org/infecting-ssh-p… #lulz #ssh #hacking
Florian Roth retweeted
🚨 1/ Ongoing campaign primarily targeting security researchers here on Twitter. Possibly they are trying to exploit some vulnerability in Internet Explorer and database tools like Navicat. I haven't been able to get the malicious payload yet, but something fishy is going on 🤔
Florian Roth retweeted
Somebody lamented to me that the addition of RAR and 7-Zip support to Windows will open up more attacks. I think those formats are covered pretty well by security products. VHD(X), OTOH, is a much bigger blind spot that I blogged about 4 years ago. Nothing is parsing these still.
Florian Roth retweeted
I can't believe I've just fine-tuned a 33B-parameter LLM on Google Colab in a few hours.😱 Insane announcement for any of you using open-source LLMs on normal GPUs! 🤯 A new paper has been released, QLoRA, which is nothing short of game-changing for the ability to train and… tweeter.jakobs.systems/i/web/status/166…
Florian Roth retweeted
A TOX 1.17.6 (current version) RCE 0day is for sale. It would give nerds the ability to pwn literally every ransomware group, and major Threat Actor, on the planet. All it requests is sending a friend request, and the other person accepting it. It is being sold for $500,000