Steve YARA Synapse Miller
@stvemillertime.bsky.social
threat intelligence @google

writing & sharing on adversary tradecraft, malware, threat detection, ics/ot + cyber physical intel, and of course all things #yara
If you need me I'll be in the Andromeda Galaxy
October 18, 2025 at 3:39 PM
Imo the security product market is almost always a decade behind needs, but over time ends up being pulled to meet the adversary where they are operating. In the 2010s the market came late to the endpoint, in the 2020s late to the cloud, in the 2030s it'll be back to the network.
July 3, 2025 at 9:54 PM
Summer of George
June 19, 2025 at 8:57 PM
My top 5 movies about ~hacking probably say more about my age than anything else, but still:

#1 - Hackers (1995)
#2 - War Games (1983)
#3 - Johnny Mnemonic (1995)
#4 - Ghost in the Shell (1995)
#5 - Office Space (1999) <- surprisingly full of hacks
May 28, 2025 at 2:35 PM
The Wire, but a cybercrime version of it
May 9, 2025 at 9:50 PM
imo, great defenders think like attackers
and great attackers think like defenders
and great security folks think like both
and great intelligence folks think like neither
beep boop
computers
May 8, 2025 at 3:53 PM
I used to secretly judge folks that don't *love* music. But I learned that not everyone has the same ability to _detect_ musical features (pitch, rhythm, harmony etc). This happens not in the ear but in the brain. W/ diff neuro wiring & genes, folks don't always hear what I hear.
April 27, 2025 at 5:30 PM
"The game is out there, and it's either play or get played." - Omar
April 12, 2025 at 7:25 PM
Which of the Warhammer 40K races and factions should I get into? Sisters of Battle? Space Wolves? Henry Cavill?
April 11, 2025 at 9:37 PM
Really neat exposé on RDP tradecraft to include signed .rdp configs, resource redirection, RemoteApps and probably PyRDP.

cloud.google.com/blog/topics/...
Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog
A novel phishing campaign by Russia-nexus espionage actors targeting European government and military organizations.
cloud.google.com
April 7, 2025 at 4:02 PM
Reposted by Steve YARA Synapse Miller
Excellent breakdown of the “Rogue RDP” TTP we’ve seen susp Russian APT UNC5837 using in their campaigns written by my colleague Rohit (@IzySec over on X)
April 7, 2025 at 3:06 PM
Reposted by Steve YARA Synapse Miller
Windows Remote Desktop Protocol: Remote to Rogue
cloud.google.com/blog/topics/...
April 7, 2025 at 3:18 PM
Reposted by Steve YARA Synapse Miller
Seeing these scripts run brings me joy. #DFIR #MalwareAnalysis #Python #YARA
March 2, 2025 at 1:01 AM
Reposted by Steve YARA Synapse Miller
Creating custom hash sets with YARA and Python

I don't like to brag, he said, but you should see the size of my malware library. For a recent project, I wanted to produce a hash set for all the malware files in my repository. Included in the library are malware samples for Windows and other platforms. Within the library there are also a lot of pdf's with write ups corresponding to different samples.
bakerstreetforensics.com
March 1, 2025 at 6:13 PM
Do not despair, my friends, the only way out is through;
And the climate will probably kill us all pretty soon anyway
March 1, 2025 at 3:17 PM
One rule's FP is another rule's FN.
February 25, 2025 at 2:52 PM
SSH is the cyber blood magick of both the world's most stalwart orgs and the world's toughest adversaries.
February 21, 2025 at 2:42 PM
Reposted by Steve YARA Synapse Miller
You’re an MSS or SVR cyber targeter who’s spent years trying to find an access vector into SPS/PAM; then suddenly a pack of high-profile, right-wing, edgelord zoomers — who will definitely click on any link they think will get them laid — just get admin access. Prepositioning acquisition speedrun.
February 5, 2025 at 12:18 AM
Years of mediocre gen AI commodities will birth a generation of neo-luddites who refuse to delegate the joys of art, music, writing & human connection to machines. They'll sketch, read human-gen pBooks, buy vinyls at concerts, share hand-written original pre-trend non-memes.
January 10, 2025 at 8:19 PM
Reposted by Steve YARA Synapse Miller
If you want to test out my YARA rule linting work use this PR: github.com/VirusTotal/y...

If you want to get the basic gist of it, this config file change has documentation on it: github.com/VirusTotal/y...

Just set it in your config file and use "yr check" for now.

Happy #100DaysOfYARA. ;)
January 9, 2025 at 2:58 PM
Which subscription news services do you pay for? I want premium, non content farm, mostly human-written science, tech, security news. I'm considering things like The Information, 404 media, MIT Tech Review, etc, but looking for recommendations. (I get NYT, AP, Reuters already)
December 31, 2024 at 4:43 AM
A unique finding, a novel artifact, a hidden curio, a piece of something yet unknown to the world. With each discovery comes a bewitching temptation to believe you alone know a secret, and own it.
December 15, 2024 at 3:55 PM
In your opinion, what are the differences between cyber security journalism and cyber threat intelligence?
December 13, 2024 at 9:23 PM
Reposted by Steve YARA Synapse Miller
come to think of it, it's actually pretty easy; probably can be simplified but I wanted 4 chars as anchors at the front
December 8, 2024 at 3:19 PM