qutluch.bsky.social
@qutluch.bsky.social
When these frail shadows we inhabit now have quit the stage, we'll meet and raise a glass again together in Valhalla.
This entire thread is head shot nerd sniping, Greg. I'll brb. Need more time to reply. Keep UNCs. Keep APTs or named actors. There's valid uses but I have strong feelings for how they're used & how people merge groups and/or attribute into a group to say it's them rather than admit it's similar.
May 22, 2025 at 4:23 AM
We're guilty of it too. It happens. Keeping up to date with the code families & automating the plugin extraction is a full time job. The automation is important but lowering the bar & time required to do the RE to identify plugins & capability is great. Nino's work helped crush that analysis time.
January 29, 2025 at 2:28 PM
It's always bothered me when I read a report saying "It was <pluggable code family PLUGDOOR>" but not always listing the minimum set of plugins (features) a sample was shipped with. Even if it supports loading further modules, clients should be informed of the minimum a threat actor had to hand.
January 29, 2025 at 1:55 PM
Thanks. I've spent a lot of time working on pluggable code families like this & SOGU (PlugX). Ultimately the obfuscation defeated me. Nino did such an amazing job. I spent last year working a lot on making sure we can easily identify or at least extract and analyse plugins shipped with pplug.
January 29, 2025 at 1:49 PM
@github.com With regard to actions, could you please review this issue regarding #FreeBSD support. Maybe now that @netflix.com is reporting an impact to them you'll take it seriously. github.com/actions/runn...
FreeBSD support · Issue #385 · actions/runner
Describe the enhancement Support building the runner on FreeBSD Additional information I think FreeBSD has all the libraries that the runner needs. And while the dotnet-sdk isn't available from Micr...
github.com
January 23, 2025 at 1:35 PM
January 14, 2025 at 2:03 PM
I'm on the same page though. That's why I have tried a few options and always come back to an rcs. I've even worked on deduplication methods but it's not worth it. I have what works for me but experimenting is worthwhile and fun.
January 1, 2025 at 6:59 PM
Game of Trees
the main Game of Trees page
www.gameoftrees.org
January 1, 2025 at 6:56 PM
Here she is during Christmas after a hard night drinking imperial stout & reviewing YARA rules.
January 1, 2025 at 6:46 PM