InQuest Labs has been mapping our signature base against the MITRE ATT&CK™ Framework to categorize adversary behavior during cyberattacks and adversary emulation.

ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies.

The ability to pivot on signatures mapped to the ATT&CK™ Framework, combined with threat and data-loss monitoring, has given us a robust threat hunting platform.

Latest InQuest™ Blog Posts

Field Notes: Multistage Maldoc Delivers Executable Masked as JPG

Posted on 2019-11-13 by Josiah Smith

Our "Field Notes" blog series provides interested readers with a quick analysis of notable samples that the InQuest Labs team encounters in the wild or harvests via the InQuest Labs Platform. Readers are encouraged to use this open data portal to discover unique samples that are available for search and download.


Holiday Blog: Tis the Season

Posted on 2019-11-27 by William MacArthur

The holidays are here! The heavy rotation of holiday music fills our cars with songs like Feliz Navidad and Frosty the Snowman. YES, it is time for some stoplight karaoke with friends and family (pets). Since this time of year is both fun and a bit stressful, we wanted to briefly go over some commonly observed threats that folks will encounter this holiday season and beyond.

InQuest™ Labs Research Spotlight

Cyberduck

Cyberduck is a libre FTP, SFTP, WebDAV, Amazon S3, Backblaze B2, Azure, OneDrive, and OpenStack Swift file transfer client for Mac and Windows.


QBAnalyzer

An open-source threat intelligence framework that automates the extraction of artifacts and IOCs from Windows, Linux, Android, BlackBerry, and macOS binaries, among other formats.


Malcom

Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic and to cross-reference that traffic with known malware sources.

Global Security Events

We Don’t Want White Font: Office Macros, Evasion, and Malicious Self-Reference

Rapid7 identified the increased use of a type of malicious document that leverages malformed document headers, white fonts to hide obfuscated JScript code, and embedded VBA macros that execute the document’s contents using WScript.


Wireshark Tutorial: Examining Trickbot Infections

This tutorial offers tips on how to identify Trickbot, an information stealer and banking malware that has been infecting victims since 2016. Trickbot is distributed through malicious spam (malspam) and is also dropped by other malware such as Emotet, IcedID, or Ursnif.


Hunting for LoLBins

Attackers' trends tend to come and go. But one popular technique we see at this time is the use of living-off-the-land binaries — or "LoLBins." LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve the chances of staying undetected within an organization, usually during post-exploitation attack phases.

InQuest™ Insider - Your monthly resource for the latest in cyber security news, trends, tips and tools. Subscribe here.
Copyright © InQuest™ 2019