20 Common Tools & Techniques Used by macOS Threat Actors & Malware
Threat hunting on macOS? These are the tools malware most often leverages, with ITW examples, MITRE behavioral indicators and links to further research.
Read More
CVE-2021-24092: 12 Years in Hiding – A Privilege Escalation Vulnerability in Windows Defender
Windows Defender has contained an elevation of privilege vulnerability since at least 2009. Learn more about SentinelOne’s discovery, CVE-2021-24092, here.
Read More
FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts
We show how to statically reverse run-only AppleScripts for the first time, and in the process reveal new IoCs of a long-running macOS Cryptominer campaign.
Read More
Building a Custom Malware Analysis Lab Environment
Building the right malware analysis environment is the first step for every researcher. We show how it’s done and offer some free custom tools for your use.
Read More
Introducing SentinelOne’s Ghidra Plugin for VirusTotal
Ghidra users can now enjoy the same (and more!) benefits available in IDA Pro from VirusTotal’s VTGrep plugin with this open source plugin from SentinelLabs.
Read More
Resourceful macOS Malware Hides in Named Fork
Threat actors targeting macOS are deploying a new trick to hide payloads and avoid detection thanks to an old technology: the named resource fork.
Read More
Moving From Dynamic Emulation of UEFI Modules To Coverage-Guided Fuzzing of UEFI Firmware
In Part 3 of our series on emulating, debugging and fuzzing UEFI modules, we provide a step-by-step guide to making a coverage-guided fuzzer for UEFI code.
Read More
Misusing msvsmon and the Windows Remote Debugger
The ability to remotely debug an application is a useful feature, but msvsmon.exe has security implications that organizations need to be aware of.
Read More
The Total Economic Impact™ Of SentinelOne Cybersecurity Platform
Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique
Abusing LD_PRELOAD to intercept library calls on Linux is a known threat actor technique, but it’s possible to load libaries even before that. Meet LD_AUDIT
Read More
