{"id":7060,"date":"2020-04-04T00:16:34","date_gmt":"2020-04-04T00:16:34","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=7060"},"modified":"2020-04-04T00:16:35","modified_gmt":"2020-04-04T00:16:35","slug":"blue-ink-red-ink-purple-heart","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2020\/04\/04\/blue-ink-red-ink-purple-heart\/","title":{"rendered":"Blue ink, Red ink&#8230; Purple Heart"},"content":{"rendered":"\n<p>In the past I was primarily focusing on <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/06\/30\/random-stats-from-300k-malicious-samples\/\">the<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/10\/14\/random-stats-from-1-2m-samples-pe-section-names\/\">bad<\/a> <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/11\/26\/3m-samples-random-stats\/\">stuff<\/a>. All the malware stats I ever posted were based on a substantial corpus of malware samples that I processed both &#8216;statically&#8217; and &#8216;dynamically&#8217;&#8230; These numbers were pretty high for an individual contributor &#8230; 12M+ samples I did static analysis on &amp; 1.5M+ dynamic analysis reports (shared with the community via the most awesome <a href=\"https:\/\/twitter.com\/VXShare\">@VXShare<\/a>)&#8230; <\/p>\n\n\n\n<p>Around 3-4 years ago things changed.<\/p>\n\n\n\n<p>My primary focus moved from collecting malware samples to building a repo of clean samples (not necessarily signed tho!). There are many reasons for this &#8216;change of a paradigm&#8217;, but any respectable sample hoarder can easily recognize these patterns&#8230;<\/p>\n\n\n\n<ul><li>you can&#8217;t hoard all the malware samples anymore<\/li><li>it is growing too fast ($$$ for storage, time for post processing &amp; backups), it&#8217;s also hard to classify while the ROI of collection is no longer that high&#8230;<\/li><li>there are more and more boring samples (same old, same old + new fads e.g. 
ransomware).<\/li><li>migration in malicious techniques from purely binary code (exe, dll, cpl) to PowerShell, C#, as well as the return of Office Macros &amp; WScript\/CScript coding goodness&#8230;<\/li><\/ul>\n\n\n\n<p>The malware of today is often &#8230; an obfuscated script. Plus, many analysts don&#8217;t even bother to fully understand the internals of malware anymore as long as we can build a quick detection for it &amp; block it&#8230;<\/p>\n\n\n\n<p>Coming back to the &#8216;good samples repo&#8217; thing &#8211; there is more &#8230;<\/p>\n\n\n\n<p>I got interested in <a href=\"https:\/\/www.hexacorn.com\/blog\/category\/living-off-the-land\/\">Living off the land<\/a> and novelty <a href=\"https:\/\/www.hexacorn.com\/blog\/category\/code-injection\/\">code injection<\/a> techniques, so having access to the CLEAN sampleset made a huge difference &#8211; it suddenly opened many new research opportunities that traditional malware corpora don&#8217;t usually offer anymore&#8230; <\/p>\n\n\n\n<p>How?<\/p>\n\n\n\n<p>Legacy code, silly ideas, copypasta from CodeProject, CodeGuru, StackOverflow&#8230; the internetz of copypasta overall&#8230; drivers, COM DLLs, funny installer executables, custom installers, broken, broken, and even more broken&#8230; then debug functions, test functions, internal environment variables that made it to production, phantom DLLs, hardcoded credentials, and many, many more&#8230;<\/p>\n\n\n\n<p>What does it mean though?<\/p>\n\n\n\n<p>I think it&#8217;s a symptom of me getting more and more interested in the offensive side of things. And I will probably be the last one to admit that&#8230; but I kinda like it. I was never a pentester and never really had an itch to scratch to &#8216;pwn things&#8217;, but I really do love novelty tricks and I hope &#8230; it shows&#8230;<\/p>\n\n\n\n<p>So&#8230; a blue teamer with the red team itch &#8230; this itch needs to be scratched.
<\/p>\n\n\n\n<p>When I realized that&#8230; I also realized that there are a lot of benefits to this &#8216;change of direction&#8217;. My defensive persona loves to know all the &#8216;new&#8217;, so I always feel that when I can contribute a new trick or discovery I become (and make others who read that&#8230;) a&#8230; better defender.<\/p>\n\n\n\n<p>So&#8230; <\/p>\n\n\n\n<p>This is&#8230; at least in my eyes&#8230; the ultimate destiny of anyone on the blue side of things&#8230; You will eventually become as red as the red team, and more. Cuz they just primarily focus on the &#8216;pwn&#8217; bit (and they are right) and we, blue teamers, need to be crimson-yearning&#8230; strong foundation of blue, lots of red desires, and defo more and more purple&#8230; Is lavender the new black?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the past I was primarily focusing on the bad stuff. All the malware stats I ever posted were based on a substantial corpus of malware samples that I processed both &#8216;statically&#8217; and &#8216;dynamically&#8217;&#8230; These numbers were pretty high for &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/04\/04\/blue-ink-red-ink-purple-heart\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7060"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7060"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7060\/revisions"}],"predecessor-version":[{"id":7061,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7060\/revisions\/7061"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7060"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7060"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7060"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}