Kyle Eaton

621 posts

@0xkyle

phishing, maldocs, threat intel

Joined March 2015
344 Following · 1K Followers

Kyle Eaton @0xkyle:
Look, backtrack is still cooler than kali

Kyle Eaton @0xkyle:
@KyleTDavis1 You’ve always been a joy to work with, and have given me good advice related to work/cyber and anything else I’ve needed help with. I know you’ll thrive wherever you land next

A Beacon Of Wisdom In These Ignorant Times:
I wasn't going to say anything about this on this site because I'm fine with it, but I got laid off today, and so many people have reached out with such kinds words, saying how I helped them or inspired them, offering to help, etc, I honestly just feel truly grateful.

Kyle Eaton @0xkyle:
@j2k3k Interviewers when I, literally Neo in the matrix, runs ssh on a nonstandard port

Jake Knowlton @j2k3k:
“what port does X use” who cares, google it, come up with better interview questions

Kyle Eaton retweeted
Threat Insight @threatinsight:
Proofpoint threat researchers have designed an open-source tool—named PDF Object Hashing—to track and detect the unique characteristics of PDFs used by threat actors... similar to a digital fingerprint. 🫆 We use this tool internally to help track multiple threat actors with high confidence, improving attribution in many cases. The tool has been released in the @Proofpoint Emerging Threats public #GitHub for other defenders to leverage. Learn more about it here: brnw.ch/21wWSH0 @ET_Labs #PDF #threatdetection #cyberthreat

Kyle Eaton @0xkyle:
Another great year at @GrrCON! Big props to the staff for all the hard work they do 🫶

Kyle Eaton @0xkyle:
I’ll be presenting at @GrrCON this year about some weird pdf detection ideas I’ve been messing with. Swing by and tell me your file format

Kyle Eaton @0xkyle:
@ex_raritas It’s been really nice working with you, and good luck in your next role! 🐜

Andrew Northern 𓅓 @ex_raritas:
Tomorrow (Friday) will be my last day at Proofpoint after four years on the Threat Research team. Over that time, I’ve been fortunate to advance research into evolving malware, track infrastructure, uncover adversary techniques, and help shape how threats are understood and countered. I’m grateful for the opportunity, but more so the privilege of working alongside such talented and dedicated peers. I’ll share more soon about what comes next. 😊💻🧑‍💻

Malware Utkonos @MalwareUtkonos:
@0xkyle @greglesnewich Yes, that's the goal. I was getting end locators that belonged to subfiles. Another benefit that I didn't expect, but which is logical, is that Zip rules can find those executables that use a Zip archive as the overlay if you're using the end locator rather than PK magic at offset 0.

Greg Lesnewich @greglesnewich:
The biggest skill jump I took with yara was to think how the bytes within a file relate to one another. Malware isn't a monolith; it's a composite of bytes, and those bytes have to work together to do their job. We can exploit those unique relations to track 'em.

Kyle Eaton @0xkyle:
@MalwareUtkonos @greglesnewich I do really like that you’re using the filesize in part of the location check like that, I don’t know if I have any rules that use the filesize in that way.

Kyle Eaton @0xkyle:
@MalwareUtkonos @greglesnewich Am I right in assuming that’s meant to make sure you’re only reading the eocd of the actual zip file and not any of the sub files? I have some rules where I’ve done something similar, I think it went something like: uint32be(@eocd[#eocd] + whatever) == 0xdeadbeef

Kyle Eaton @0xkyle:
@greglesnewich @MalwareUtkonos Definitely have to echo how impactful learning file formats was for improving my yara rules. How highly structured the Zip format is makes rules very fun. The only sample rule I have rn is this old compression ratio one
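The end-locator-plus-filesize idea from this thread (read the EOCD of the outer archive, not one belonging to a stored subfile, and still catch zips that sit as an overlay behind an executable), together with the compression-ratio check mentioned above, written out as an added Python example. This is not code from any of the posters and not a YARA rule; it mirrors the rule logic in a small parser. The function names and the sample archives are constructed for this example.

```python
import struct
import zipfile
from io import BytesIO

EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_LEN, MAX_COMMENT = 22, 0xFFFF   # fixed EOCD size; comment length is a 16-bit field

def find_eocd(data: bytes):
    """Locate the OUTER archive's EOCD by scanning backward from filesize.
    Only a record whose comment runs exactly to end-of-file qualifies, so the
    EOCD of a zip stored as a member (a subfile) is never returned."""
    lo = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, lo)
    while pos != -1:
        comment_len = struct.unpack_from("<H", data, pos + 20)[0]
        if pos + EOCD_LEN + comment_len == len(data):
            return pos
        pos = data.rfind(EOCD_SIG, lo, pos)
    return None

def walk_central_directory(data: bytes, eocd: int):
    """Return (archive_base, compressed_total, uncompressed_total).
    archive_base > 0 means the zip is an overlay behind some other file
    (e.g. an executable), which a 'PK' check at offset 0 would miss.
    Assumes the EOCD directly follows the central directory (no zip64)."""
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    base = eocd - cd_size - cd_off          # where the archive really starts
    pos, end, comp, uncomp = base + cd_off, base + cd_off + cd_size, 0, 0
    while pos < end and data[pos:pos + 4] == CDH_SIG:
        c, u, n_len, x_len, k_len = struct.unpack_from("<IIHHH", data, pos + 20)
        comp, uncomp = comp + c, uncomp + u
        pos += 46 + n_len + x_len + k_len    # fixed header plus variable fields
    return base, comp, uncomp

def build_samples():
    """Constructed inputs: an archive that stores a second zip inside it, and
    the same archive appended to a fake 66-byte 'executable' as an overlay."""
    inner = BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 1000)
    outer = BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue(), zipfile.ZIP_STORED)
        zf.writestr("b.txt", b"B" * 500, zipfile.ZIP_DEFLATED)
    overlay = b"MZ" + b"\x00" * 64 + outer.getvalue()
    return outer.getvalue(), overlay

if __name__ == "__main__":
    for name, blob in zip(("nested", "overlay"), build_samples()):
        eocd = find_eocd(blob)
        print(name, "first EOCD magic at", blob.find(EOCD_SIG),
              "real EOCD at", eocd, walk_central_directory(blob, eocd))
```

On the nested sample the first EOCD signature in the file belongs to the stored inner.zip, which is exactly the false positive a backward-from-filesize check avoids; on the overlay sample the archive base comes out as the length of the prepended stub.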

Kyle Eaton @0xkyle:
The PDF spec is where the phrase “bless this mess” originated.

Kyle Eaton retweeted
Proofpoint @proofpoint:
On this DISCARDED episode, we uncover real-world detection wins, explore persistent threats like #TA505 and #Emotet, and dive into the importance of instincts in cybersecurity—because, as our guest puts it, sometimes good detection is all about the vibes. brnw.ch/21wQWWl

Kyle Eaton @0xkyle:
Haven’t seen PDFs yet but new domain popped up: defenceindia[.]link

Kyle Eaton @0xkyle:
departmentofdefence[.]link 🧐 Probably see PDFs using this soon

A Beacon Of Wisdom In These Ignorant Times:
One time when I was in a government building. Me: Can I use this phone quick? Somebody: Yes, but do NOT push the buttons that say China or Russia. Me: What would happen? Somebody: Um, it would call China or Russia. Me: You mean like Zhongnanhai or the Kremlin? Somebody: Yes. Me:

Kyle Eaton @0xkyle:
ministryofdefenceindia[.]link does not pass the sniff test.