Introduction This article demonstrates reducing the Entropy score with a goal of evading the static detection by encoding characters using only dashes and dots. Inspired by the Morse Code! Primary Keywords: Binary Entropy analysis | Evading Static Analysis | Morse Code Encoder What is Morse Code? Morse Code is a communications “language” that was initially… Continue reading
Author Archives → Moath Maharmeh
Encrypted SMS Messaging using BlindCell
The problem with regular SMS The problem with regular SMS is that it does not provide any means of privacy. In the GSM, only the airway traffic between the Mobile Station (MS) and the Base Transceiver Station (BTS) is optionally encrypted with a weak and broken stream cipher (A5/1 or A5/2). There are many vulnerabilities… Continue reading
Deception & Inspection: Gathering intelligence & increasing the red team infrastructure resiliency
Introduction This article primarily targets the red teams. It demonstrates several ways of gathering intelligence about the public security scanners & analyzers and the security platforms and tools used by the target organization. Keywords: C2 Infrastructure resiliency | Cyber Intelligence | Dynamic URL & executable Analyzers | Security Defense Tooling Behavior Benchmark Objectives Whether you’re… Continue reading
File WatchTower: Leveling-up SOC Capabilities
These are abstract ideas. More research and tests will be needed to determine the effectiveness of this project. The problem? File WatchTower — The Early radar A tool continuously monitors newly created/modified and downloaded files on the OS and reports detailed logs to other security systems/tools such as SIEM. The intelligence produced by the File… Continue reading
Ransomware: Detect & Respond
Hunting for Suspicious DNS Communications
Introduction Adversaries are continuously developing techniques to reduce the detection rate of their malicious activities on an enterprise network; for example, they utilize stenography for data exfiltration, malicious software delivery, and covert C2 communications. This article provides an overview on detecting and hunting suspicious DNS connections in an enterprise network. Requirements In order to be… Continue reading
Establishing an encrypted communication channel over HTTP
Introduction In my previous article “Establishing a secure communication channel over HTTP” , I introduced a demo on how to exchange encrypted information over the HTTP protocol using RSA & AES algorithms. This article provides an introduction to how to make encrypted communications between two endpoints over HTTP. The goal is to transmit data securely… Continue reading
Establishing a secure communication channel over HTTP
Introduction This article provides an introduction to how to make encrypted communications between two endpoints over HTTP. The goal is to transmit data securely from one endpoint to another without the need for SSL/HTTPS . To establish an encrypted communication channel, we will take advantage of the RSA and AES algorithms. RSA & AES are… Continue reading
Hunting ngrok Activity
Introduction Ngrok is a genuine software and mainly used by developers to expose local web servers or any other TCP service to the internet. However, ngrok is now widely abused by threat actors and abused in multiple ways including persistence & data exfiltration purposes. ngrok exposes local services to the internet by wrapping TCP connections… Continue reading
ESS Notifier – Improving SOC Capabilities and Response
Introduction ESS Notifier is a notable security event scanner & notifier for Splunk Enterprise Security. The purpose of this tool is to send/push notifications via Email/Slack/REST API whenever a new security notable event is triggered on Splunk ESS. This tool is ideally best used by Managed Security Service Providers (MSSP) who provide SOC as a… Continue reading