Diaphora – The Most Advanced Free And Open Source Program Diffing Tool

Diaphora (διαφορά, Greek for ‘difference’) is a program diffing plugin for IDA, similar to Zynamics Bindiff or other FOSS counterparts like YaDiff, DarunGrim, TurboDiff, etc… It was released during SyScan 2015.It works with IDA 6.9 to 7.3. Support for Ghidra is in development. Support for Binary Ninja is also planned but will come after Ghidra’s port. If you are looking for Radare2 support you can check this very old fork.For more details, please check the tutorial in the “doc" directory.NOTE: If you’re looking for a tool for diffing or matching functions between binaries and source codes, you might want to take a look to Pigaios.Getting help and asking for featuresYou can join the mailing list https://groups.google.com/forum/?hl=es#!forum/diaphora to ask for help, new features, report issues, etc… For reporting bugs, however, I recommend using the issues tracker: https://github.com/joxeankoret/diaphora/issuesPlease note that only the last 3 versions of IDA are officially supported. As of today, it means that only IDA 7.1, 7.2 and 7.3 are supported. Versions 6.8, 6.9, 6.95 and 7.0 do work (with all the last patches that were supplied to customers), but no official support is offered for them. However, if you run into any problem with these versions, ping me and I will do my best.DocumentationYou can check the tutorial https://github.com/joxeankoret/diaphora/blob/master/doc/diaphora_help.pdfScreenshotsThis is a screenshot of Diaphora diffing the PEGASUS iOS kernel Vulnerability fixed in iOS 9.3.5:And this is an old screenshot of Diaphora diffing the Microsoft bulletin MS15-034:These are some screenshots of Diaphora diffing the Microsoft bulletin MS15-050, extracted from the blog post Analyzing MS15-050 With Diaphora from Alex Ionescu.Here is a screenshot of Diaphora diffing iBoot from iOS 10.3.3 against iOS 11.0:Download Diaphora

Link: http://www.kitploit.com/2019/08/diaphora-most-advanced-free-and-open.html

ThreatHunting – A Splunk App Mapped To MITRE ATT&CK To Guide Your Threat Hunts

This is a Splunk application containing several dashboards and over 120 reports that will facilitate initial hunting indicators to investigate.You obviously need to be ingesting Sysmon data into Splunk, a good configuration can be found hereNote: This application is not a magic bullet, it will require tuning and real investigative work to be truly effective in your environment. Try to become best friends with your system administrators. They will be able to explain a lot of the initially discovered indicators.Big credit goes out to MITRE for creating the ATT&CK framework!Pull requests / issue tickets and new additions will be greatly appreciated!Mitre ATT&CKI strive to map all searches to the ATT&CK framework. A current ATT&CK navigator export of all linked configurations is found here and can be viewed here App PrerequisitesInstall the following apps to your SearchHead:Add-on for Microsoft SysmonPunchcard VisualizationForce Directed VisualizationSankey Diagram VisualizationLookup File EditorRequired actions after deploymentMake sure the threathunting index is present on your indexersEdit the macro’s to suit your environment > https://YOURSPLUNK/en-US/manager/ThreatHunting/admin/macros (make sure the sourcetype is correct)The app is shipped without whitelist lookup files, you’ll need to create them yourself. This is so you won’t accidentally overwrite them on an upgrade of the app.Install the lookup csv’s or create them yourself, empty csv’s are hereA step by step guide kindly written by Kirtar Oza can be found hereUsageA more detailed explanation of all functions can be found here or in this blog postDownload ThreatHunting

Link: http://feedproxy.google.com/~r/PentestTools/~3/HUEVPwgh5aA/threathunting-splunk-app-mapped-to.html

AbsoluteZero – Python APT Backdoor

This project is a Python APT backdoor, optimized for Red Team Post Exploitation Tool, it can generate binary payload or pure python source. The final stub uses polymorphic encryption to give a first obfuscation layer to itself.DeploymentAbsoluteZero is a complete software written in Python 2.7 and works both on Windows and Linux platforms, in order to make it working you need to have Python 2.7 installed and then using ‘pip’ install the requirements.txt file. Remember that to compile binaries for Windows you have to run the entire software a Microsoft platform seen that pyinstaller doesn’t allow cross-platform compiling without using vine.Make sure that Python installation folder is set on ‘C:/Python27’ to avoid binary compiling troubles.Download AbsoluteZero

Link: http://feedproxy.google.com/~r/PentestTools/~3/4A8E633X560/absolutezero-python-apt-backdoor.html