Malvidin

@jfslowik This Python script decodes each line, and provides a summary by GUID. The output is more verbose and more complete than the @netresec decoder. github.com/malvidin/SunBu…

Reminder that I posted a CSV of all my pDNS data for avsvmcloud here if anyone wants to play: pastebin.com/T0SRGkWq

Continuing analysis and observations from the #SolarWindsHack #SUNBURST incident: domaintools.com/resources/blog…

@fabio_viggiani You can get additional and more complete "Decoded Internal Names" using this decoder, forked from @RedDrip7 github.com/malvidin/SunBu…

Who were the real targets of the Solarwinds attack? We give some perspective and names here: twitter.com/Truesec/status…

@RedDrip7 @intel @Cisco Updated to decode encoded data across multiple DNS queries. Thanks to @netresec for the CreateSecureString info. Also decodes CCB19334A6D32DAA and CDCC93B50477F52F (@netresec decoder does not yet)

@RedDrip7 @intel @Cisco Refactored for readability and Python2/3 compatibility: github.com/malvidin/SunBu…

By decoding the #DGA domain names, we discovered nearly a hundred domains suspected to be attacked by #UNC2452 #SolarWinds, including universities, governments and high tech companies such as @Intel and @Cisco. Visit our github project to get the script. github.com/RedDrip7/SunBu…

@stvemillertime @wxs @cyb3rops If you are running YARA 3.12.0/4.0.0, you can use more spices

@wxs @cyb3rops Now we're cookin'

Short thread on analyst life: I kept seeing this same partial string in a bunch of Tonto Team malware "wkko%00" I'm looking at tons of bins a day, rather than diving into it, I kinda *guessed* it was a common start to a key or password of some sort. Wrote a Yara rule, moved on.

New blog post: Proofpoint is forcing their customers to pay for Email Fraud Defense to get aggregate DMARC data from their own gateways buff.ly/2WCX7KY

Verifying myself: I am malvidin on Keybase.io. w9VoLC6j6XdpM1DeM7Cjzhx5Hqt6h8tZKwIk / keybase.io/malvidin/sigs/…