Thursday, September 30, 2021

IDA Pro Keyboard Shortcuts

 Ascii strings

"highlight the string", press 'a'


Unicode strings

highlight the ascii string, press 'Alt-a', choose unicode


Rename variable

highlight variable, press 'n'


Cross References

highlight the variable, press 'x'


Step

into f7

over f8

run until return ctrl-f7

continue f9


Breakpoint

f2


jump to address

press 'g', enter address


Strings

Shift-f12


comment a line

press ';', enter the comment

Posted by at 9 comments:
Labels: ,

Friday, September 10, 2021

Threat Hunt - Proxy Phishing from HTML attachment

 proxy #threathunt idea:

where urlpath = '/next.php' and method = 'POST' and referrer is null cred #phishing 9/10/21 Sharepoint Theme sbj: notification 1 new FAX from: mout.kundenserver[.de 212.227.126.134 HTML attachment posts stolen creds to gms4372.nelrg[.com/gfkn/next.php
Posted by at 7 comments:
Labels: ,

Threat Hunt - Proxy C2 IP with PHP

potential proxy #threathunt idea

post or put to urls that contain ip address and php

where
domain matches '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$'
and
method in ('POST', 'PUT')
and
urlpath endswith '.php'

https://app.any.run/tasks/7f60bc17-b518-4a4a-8455-14b893b53104/
Posted by at 6 comments:
Labels: ,

Siem Rule - IP Lookup Service

 Malware IP lookup service #siem detection rule idea


dns request in:

 - canireachthe.net

 - ipv4.icanhazip.com

 - ip.anysrc.net

 - edns.ip-api.com

 - wtfismyip.com

 - checkip.dyndns.org

 - api.2ip.ua

 - icanhazip.com

 - api.ipify.org

 - ip-api.com

 - checkip.amazonaws.com

 - ipecho.net

 - ipinfo.io

 - ipv4bot.whatismyipaddress.com

 - freegeoip.app

 

imagename not in 

 - brave.exe

 - iexplore.exe

 - opera.exe

 - firefox.exe

 - msedge.exe

 - chrome.exe

 - vivaldi.exe


Posted by at 4 comments:
Labels: ,
Subscribe to: Posts (Atom)