CrimsonEDR is an open-source project engineered to identify specific malware patterns, offering a tool for honing skills in circumventing Endpoint Detection and Response (EDR). By leveraging diverse detection methods, it empowers users to deepen their understanding of security evasion tactics.
Detection | Description |
---|---|
Direct Syscall | Detects the usage of direct system calls, often employed by malware to bypass traditional API hooks. |
NTDLL Unhooking | Identifies attempts to unhook functions within the NTDLL library, a common evasion technique. |
AMSI Patch | Detects modifications to the Anti-Malware Scan Interface (AMSI) through byte-level analysis. |
ETW Patch | Detects byte-level alterations to Event Tracing for Windows (ETW), commonly manipulated by malware to evade detection. |
PE Stomping | Identifies instances of PE (Portable Executable) stomping. |
Reflective PE Loading | Detects the reflective loading of PE files, a technique employed by malware to avoid static analysis. |
Unbacked Thread Origin | Identifies threads originating from unbacked memory regions, often indicative of malicious activity. |
Unbacked Thread Start Address | Detects threads with start addresses pointing to unbacked memory, a potential sign of code injection. |
API hooking | Places a hook on the NtWriteVirtualMemory function to monitor memory modifications. |
Custom Pattern Search | Allows users to search for specific patterns provided in a JSON file, facilitating the identification of known malware signatures. |
To get started with CrimsonEDR, follow these steps:
bash sudo apt-get install gcc-mingw-w64-x86-64
bash git clone https://github.com/Helixo32/CrimsonEDR
bash cd CrimsonEDR; chmod +x compile.sh; ./compile.sh
Windows Defender and other antivirus programs may flag the DLL as malicious due to its content containing bytes used to verify if the AMSI has been patched. Please ensure to whitelist the DLL or disable your antivirus temporarily when using CrimsonEDR to avoid any interruptions.
To use CrimsonEDR, follow these steps:
ioc.json
file is placed in the current directory from which the executable being monitored is launched. For example, if you launch your executable to monitor from C:\Users\admin\
, the DLL will look for ioc.json
in C:\Users\admin\ioc.json
. Currently, ioc.json
contains patterns related to msfvenom
. You can easily add your own in the following format:{
"IOC": [
["0x03", "0x4c", "0x24", "0x08", "0x45", "0x39", "0xd1", "0x75"],
["0xf1", "0x4c", "0x03", "0x4c", "0x24", "0x08", "0x45", "0x39"],
["0x58", "0x44", "0x8b", "0x40", "0x24", "0x49", "0x01", "0xd0"],
["0x66", "0x41", "0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40"],
["0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40", "0x1c", "0x49"],
["0x01", "0xc1", "0x38", "0xe0", "0x75", "0xf1", "0x4c", "0x03"],
["0x24", "0x49", "0x01", "0xd0", "0x66", "0x41", "0x8b", "0x0c"],
["0xe8", "0xcc", "0x00", "0x00", "0x00", "0x41", "0x51", "0x41"]
]
}
Execute CrimsonEDRPanel.exe
with the following arguments:
-d <path_to_dll>
: Specifies the path to the CrimsonEDR.dll
file.
-p <process_id>
: Specifies the Process ID (PID) of the target process where you want to inject the DLL.
For example:
.\CrimsonEDRPanel.exe -d C:\Temp\CrimsonEDR.dll -p 1234
Here are some useful resources that helped in the development of this project:
For questions, feedback, or support, please reach out to me via:
Banks. They screw us on interest rates, they screw us on fees and they screw us on passwords. Remember the old "bank grade security" adage? I took this saying to task almost a decade ago now but it seems that at least as far as password advice goes, they really haven't learned. This week, Commbank is telling people to use a password manager but just not for their bank password, and ANZ bank is forcing people to rotate their passwords once a year because, uh, hackers? Ah well, as I always end up lamenting, it's a great time to be in this industry! 🤣
bash git clone https://github.com/your_username/status-checker.git cd status-checker
bash pip install -r requirements.txt
python status_checker.py [-h] [-d DOMAIN] [-l LIST] [-o OUTPUT] [-v] [-update]
-d
, --domain
: Single domain/URL to check.-l
, --list
: File containing a list of domains/URLs to check.-o
, --output
: File to save the output.-v
, --version
: Display version information.-update
: Update the tool.Example:
python status_checker.py -l urls.txt -o results.txt
This project is licensed under the MIT License - see the LICENSE file for details.
Millions of Kaiser Permanente patients' data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant.…
Private equity investor Thoma Bravo has successfully completed a second acquisition attempt of UK-based cybersecurity company Darktrace in a $5.3 billion deal.…
The Cyber Security Awareness Framework (CSAF) is a structured approach aimed at enhancing Cybersecurity" title="Cybersecurity">cybersecurity awareness and understanding among individuals, organizations, and communities. It provides guidance for the development of effective Cybersecurity" title="Cybersecurity">cybersecurity awareness programs, covering key areas such as assessing awareness needs, creating educational m aterials, conducting training and simulations, implementing communication campaigns, and measuring awareness levels. By adopting this framework, organizations can foster a robust security culture, enhance their ability to detect and respond to cyber threats, and mitigate the risks associated with attacks and security breaches.
Clone the repository
git clone https://github.com/csalab-id/csaf.git
Navigate to the project directory
cd csaf
Pull the Docker images
docker-compose --profile=all pull
Generate wazuh ssl certificate
docker-compose -f generate-indexer-certs.yml run --rm generator
For security reason you should set env like this first
export ATTACK_PASS=ChangeMePlease
export DEFENSE_PASS=ChangeMePlease
export MONITOR_PASS=ChangeMePlease
export SPLUNK_PASS=ChangeMePlease
export GOPHISH_PASS=ChangeMePlease
export MAIL_PASS=ChangeMePlease
export PURPLEOPS_PASS=ChangeMePlease
Start all the containers
docker-compose --profile=all up -d
You can run specific profiles for running specific labs with the following profiles - all - attackdefenselab - phisinglab - breachlab - soclab
For example
docker-compose --profile=attackdefenselab up -d
An exposed port can be accessed using a proxy socks5 client, SSH client, or HTTP client. Choose one for the best experience.
This Docker Compose application is released under the MIT License. See the LICENSE file for details.
The UK's contentious Investigatory Powers (Amendment) Bill (IPB) 2024 has officially received the King's nod of approval and will become law.…
Sponsored Post Ever get nostalgic for the good old days of cybersecurity protection? When attacks were for the most part amateurish and infrequent, and perhaps more in the nature of an occasional nuisance rather than a daily existential threat?…
Many Chinese keyboard apps, some from major handset manufacturers, can leak keystrokes to determined snoopers, leaving perhaps three quarters of a billion people at risk according to research from the University of Toronto’s Citizen Lab.…
Baltimore police have arrested Dazhon Leslie Darien, the former athletic director of Pikesville High School (PHS), for allegedly impersonating the school's principal using AI software to make it seem as if he made racist and antisemitic remarks.…
The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.…
It’s the romance scam story that plays out like a segment on a true crime show. It starts with a budding relationship formed on an online dating site. It ends with an ominous note and an abandoned car on a riverside boat ramp hundreds of miles away from the victim’s home.
The story that follows offers a look at how far romance scams can go. With that, we warn you that this story comes to a grim ending. We share it to show just how high the stakes can get in these scams and how cunning the scammers who run them can be.
Most importantly, it gives us an opportunity to show how you can spot and avoid romance scams in all their forms.
As recently reported across several news outlets, comes the story of Laura, a 57-year-old retired woman from Chicago who joined an online dating service in search of a relationship. She went with a known site, thinking it would be safer than some of the other options online.
Sure enough, she met “Frank Borg,” who posed as a ruggedly good-looking Swedish businessman. A relationship flourished, and within days the pair professed their love for each other.
Over time, however, the messages became increasingly transactional. Transcripts show that “Frank” started asking for money, which Laura wired to a bogus company. All to the eventual tune of $1.5 million and a mortgaged home.
Yet the scam cut yet deeper than that. “Frank” then had her open several phony dating profiles on different online dating sites, set up new bank accounts, and further spin up fake companies. In all, “Frank” appears to not only have scammed Laura, he also weaponized her — turning her into an accomplice as “Frank” sought to scam others.
As the account goes, Laura grew suspicious about a year into the scam. A gap appears in her correspondence with “Frank,” and it appears that some conversations went offline. Today, Laura’s daughter speculates that her mother knew that what she was doing was illegal and was threatened to keep at it.
The story ends two years after the romance started, with Laura going missing, only to be found drowned in the Mississippi River. Left behind, a note, found by her daughter while searching Laura’s house. It wrote of living a double life that left her broke because of “Frank.” The note also left instructions for accessing her email, which chronicled the online part of the affair in detail.
Investigations found no clear evidence of foul play, yet several questions remain. What is known is that “Frank’s” profile picture was a doctor from Chile and that the emails originated in Ghana.
While Laura’s story falls into a heartbreaking extreme, romance scams of all sorts happen often enough. According to the Federal Bureau of Investigation’s (FBI) 2023 Internet Crime Report, losses to reported cases of romance scams topped more than $650 million.i
The U.S. Federal Trade Commission (FTC) cites even higher figures for 2023, at $1.4 billion, for a median loss of $2,000 per reported case.ii That makes romance scams the highest in reported losses for any form of imposter scam according to the FTC.
Sadly, many romance scams go unreported. The reasons vary. Understandably, some victims feel ashamed. This is particularly the case when it comes to older victims. Many fear their friends and families might take it as a sign that they aren’t able to fully care for themselves anymore. Other victims might feel that the romance was real — that they weren’t scammed at all. They believe that their love interest will come back.
Practically anyone can fall victim to a romance scam. People of all ages and backgrounds have found themselves entangled in romance scams. With that, there should be no shame. These scammers have shown time and time again how sophisticated their playbooks are. They excel at slow and insidious manipulation over time.
When the scammer starts asking for money, the victim is locked in. They believe that they’re in love with someone who loves them just the same. They fork over the money without question. And that’s what makes these scams so exceptionally damaging.
Sophisticated as these scammers are, you can spot them.
Even with the arrival of AI chat tools and deepfake technology, romance scammers still rely on a set of age-old tricks. Ultimately, romance scammers play long and patient mind games to get what they want. In many cases, scammers use scripted playbooks put together by other scammers. They follow a common roadmap, one that we can trace and share so you can avoid falling victim.
Top signs include …
It seems too good to be true.
If the person seems like a perfect match right from the start, be cautious. Scammers often stake out their victims and create profiles designed to appeal to their desires and preferences. In some cases, we’ve seen instances where a scammer uses pictures and profiles similar to the deceased partners of widowers.
Love comes quickly. Too quickly.
As the case was with “Frank,” two weeks hadn’t passed before the word “love” appeared in the messages. Take that as a red flag, particularly online when you’ve had no in-person contact with them. A rush into declarations of love might indicate ulterior motives.
The story doesn’t check out.
Victims might think they’re talking to a romantic partner, yet they’re talking with a scammer. Sometimes several different scammers. As we’ve shown in our blogs before, large online crime organizations run some romance scams. With several people running the scam, inconsistencies can crop up. Look out for that.
What’s more, even individual scammers forget details they’ve previously shared or provide conflicting info about their background, job, or family. It’s possible that one romance scammer has several scams going on at once, which can lead to confusion on their part.
You feel pressured.
Romance scammers pump their victims for info. With things like addresses, phone numbers, and financial details, scammers use that info to commit further identity theft or scams. If someone online presses you for this info, keep it to yourself. It might be a scam.
Another mark of a scam — if the person asks all sorts of prying questions and doesn’t give up any such info about themselves. A romance scam is very one way in this regard.
You’re asked for money in some form or fashion.
This is the heart of the scam. With the “relationship” established, the scammer starts asking for money. They might ask for bank transfers, cryptocurrency, money orders, or gift cards. In all, they ask for funds that victims have a tough time getting refunded, if at all. Consider requests for money in any form as the reddest of red flags.
Watch out for AI.
Scammers now use AI. And that actually gives us one less tell-tale sign of a romance scam. It used to be that romance scammers refused to hop on video calls as they would reveal their true identities. The same for voice chats. (Suddenly, that Swedish businessman doesn’t sound so Swedish.) That’s not the case anymore. With AI audio and video deepfake technology so widely available, scammers can now sound and look the part they’re playing — in real time. AI mirrors every expression they make as they chat on a video call.
As things stand now, these technologies have limits. The AI can only track faces, not body movements. Scammers who use this technology must sit rather rigidly. Further, many AI tools have a hard time capturing the way light reflects or catches the eye. If something looks off, the person on the other end of the call might be using deepfake technology.
The important point is this: today’s romance scammers can make themselves appear like practically anyone. Just because you’re chatting with a “real” person on a call or video meeting, that’s no guarantee they are who they say.
Romance scammers track down their victims in several ways. Some scammers blast out direct messages and texts en masse with the hope they’ll get a few bites. Others profile their potential victims before they contact them. Likewise, they’ll research anyone who indeed gives them a bite with a response to a blast.
In all cases, locking down your privacy can make it tougher for a scammer to target you. And tougher for them to scam you if they do. Your info is their goldmine, and they use that info against you as they build a “relationship” with you.
With that in mind, you can take several steps …
Make your social media more private. Our new McAfee Social Privacy Manager personalizes your privacy based on your preferences. It does the heavy lifting by adjusting more than 100 privacy settings across your social media accounts in only a few clicks. This makes sure that your personal info is only visible to the people you want to share it with. It also keeps it out of search engines where the public can see it. Including scammers.
Watch what you post on public forums. As with social media, scammers harvest info from online forums dedicated to sports, hobbies, interests, and the like. If possible, use a screen name on these sites so that your profile doesn’t immediately identify you. Likewise, keep your personal details to yourself. When posted on a public forum, it becomes a matter of public record. Anyone, including scammers, can look it up.
Remove your info from data brokers that sell it. McAfee Personal Data Cleanup helps you remove your personal info from many of the riskiest data broker sites out there. That includes your contact info. Running it regularly can keep your name and info off these sites, even as data brokers collect and post new info. Depending on your plan, it can send requests to remove your data automatically.
Delete your old accounts. Yet another source of personal info comes from data breaches. Scammers use this info as well to complete a sharper picture of their potential victims. With that, many internet users can have over 350 online accounts, many of which they might not know are still active. McAfee Online Account Cleanup can help you delete them. It runs monthly scans to find your online accounts and shows you their risk level. From there, you can decide which to delete, protecting your personal info from data breaches and your overall privacy as a result.
We’ve always had to keep our guard up to some extent when it comes to online romance. Things today call for even more skepticism. Romance scams have become tremendously more sophisticated, largely thanks to AI tools.
Even with technology reshaping the tricks scammers can pull, recognizing that their tactics remain the same as ever can protect you from harm.
Romance scammers flatter, manipulate, and pressure their way into the lives of their victims. They play off emotions and threaten to “leave” if they don’t get what they ask for. Emotionally, none of it feels right. Any kind of emotional extortion like that is a sign to end an online relationship, hard as that might be.
The trick is that the victim might be in deep at that point. They might not act even if things feel wrong. That’s where family and friends come in. If something doesn’t feel right, share what’s happening with someone you’ve known and trusted for years. That can help clear up any clouded judgment. Sometimes it takes an extra set of eyes to spot a scammer.
If you or someone you know falls victim to a romance scam, remember that no one is alone in this. Thousands and thousands of others are victims too. It might come as some comfort, particularly as many, many victims are otherwise savvy and centered people. Anyone, anyone, can find themselves a victim.
Lastly, romance scams are crimes. If one happens to you, report it. In the U.S., you can report it to the FBI’s Internet Crime Complaint Center (IC3) and you can file a complaint with the FTC. Also, report any theft or threats to your local authorities.
In all, the word on romance online is this — take things slowly. “Love” in two weeks or less hoists a big red flag. Very much so online. Know those signs of a scam when you see them. And if they rear their head, act on them.
The post How to Avoid Romance Scams appeared first on McAfee Blog.
Two men alleged to be co-founders of cryptocurrency biz Samourai Wallet face serious charges and potentially decades in US prison over claims they owned a product that facilitated the laundering of over $100 million in criminal cash.…
You consider yourself a responsible person when it comes to taking care of your physical possessions. You’ve never left your wallet in a taxi or lost an expensive ring down the drain. You never let your smartphone out of your sight, yet one day you notice it’s acting oddly.
Did you know that your device can fall into cybercriminals’ hands without ever leaving yours? SIM swapping is a method that allows criminals to take control of your smartphone and break into your online accounts.
Don’t worry: there are a few easy steps you can take to safeguard your smartphone from prying eyes and get back to using your devices confidently.
First off, what exactly is a SIM card? SIM stands for subscriber identity module, and it is a memory chip that makes your phone truly yours. It stores your phone plan and phone number, as well as all your photos, texts, contacts, and apps. In most cases, you can pop your SIM card out of an old phone and into a new one to transfer your photos, apps, etc.
Unlike what the name suggests, SIM swapping doesn’t require a cybercriminal to get access to your physical phone and steal your SIM card. SIM swapping can happen remotely. A hacker, with a few important details about your life in hand, can answer security questions correctly, impersonate you, and convince your mobile carrier to reassign your phone number to a new SIM card. At that point, the criminal can get access to your phone’s data and start changing your account passwords to lock you out of your online banking profile, email, and more.
SIM swapping was especially relevant right after the AT&T data leak. Cybercriminals stole millions of phone numbers and the users’ associated personal details. They could later use these details to SIM swap, allowing them to receive users’ text or email two-factor authentication codes and gain access to their personal accounts.
The most glaring sign that your phone number was reassigned to a new SIM card is that your current phone no longer connects to the cell network. That means you won’t be able to make calls, send texts, or surf the internet when you’re not connected to Wi-Fi. Since most people use their smartphones every day, you’ll likely find out quickly that your phone isn’t functioning as it should.
Additionally, when a SIM card is no longer active, the carrier will often send a notification text. If you receive one of these texts but didn’t deactivate your SIM card, use someone else’s phone or landline to contact your wireless provider.
Check out these tips to keep your device and personal information safe from SIM swapping.
With just a few simple steps, you can feel better about the security of your smartphone, cellphone number, and online accounts. If you’d like extra peace of mind, consider signing up for an identity theft protection service like McAfee+. McAfee, on average, detects suspicious activity ten months earlier than similar monitoring services. Time is of the essence in cases of SIM swapping and other identity theft schemes. An identity protection partner can restore your confidence in your online activities.
The post How to Protect Your Smartphone from SIM Swapping appeared first on McAfee Blog.