
Thomas Roccia 🤘
@fr0gger_ • 34,796 subscribers
AI Security x Threat Intel · Threat Researcher · Creator of #Unprotect & #NOVA · Malware Warlock · Python 🧡 · Prev @Microsoft @McAfee_Labs

🤓 I recently came across a nice post published on Feedly by Ondra Rojčík, who talks about the process of profiling threat actors using 5W1H and the Diamond Model. I loved it. I wanted to incorporate it into my pipeline. So I created an Agent Skill but not to generate another lengthy report that I will never read. It actually creates a nice visual in no time using Claude custom visuals. Check out what you can do with it. 👇
Thomas Roccia 🤘 · 12,023 views • 2 months ago

I’ve built the Perplexity of the DarkWeb! Let me explain 👇 First, if you've been living in a cave, Perplexity is a search engine powered by LLMs. So what if we could do the same for the darkweb? Compared to the clear web, browsing the darkweb requires a few things:
- A Tor connection (easy) ✅
- A search engine you can query (for the demo, I’m using Ahmia) ✅
- A list of curated onion websites (especially useful for threat intel or sites not indexed by Ahmia) ✅
Now here are the limitations:
- Many underground forums and websites require login access, or captcha.
- Ahmia works, but it's limited, you can combine it with other search engines.
- Be careful when scraping, sometimes you get more than what you search for.
This is one of the cool projects you will learn in my training at the upcoming Blackhat USA and /ˈziːf-kɒn/ 👇 ➡️ ➡️
Thomas Roccia 🤘 · 42,420 views • 1 year ago
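The three ingredients the post lists (a Tor connection, a queryable search engine, a curated onion list) wired together, as an added example that is not the author's project code. It assumes Tor's SOCKS port on 127.0.0.1:9050, a `requests` install with SOCKS support, and that Ahmia's result page links carry the target .onion address in the `href` (the sample HTML below is constructed for the offline parser check, and the curated list is a placeholder, not a real feed). The one detail worth getting right is the `socks5h://` scheme: with plain `socks5://`, hostname resolution happens on your machine, which fails for .onion names and leaks the name to your DNS resolver.

```python
"""Tor-routed Ahmia search + curated onion list (added example, not fr0gger's code)."""
from html.parser import HTMLParser
import re

TOR_PROXIES = {
    # socks5h:// hands name resolution to Tor; socks5:// would resolve locally
    # (fails for .onion and leaks the looked-up name to your resolver).
    "http": "socks5h://127.0.0.1:9050",
    "https": "socks5h://127.0.0.1:9050",
}
# v3 onion services only: 56 base32 chars. v2 (16 chars) is dead, so skip it.
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")


class OnionLinkParser(HTMLParser):
    """Collect the .onion host of every <a href> on a result page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        m = ONION_RE.search(href)  # also catches Ahmia-style redirect URLs
        if m:
            self.links.append(m.group(0))


def extract_onions(html: str) -> list:
    """Unique v3 onion hosts from a result page, in page order."""
    p = OnionLinkParser()
    p.feed(html)
    seen, out = set(), []
    for h in p.links:
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def search_ahmia(query: str, timeout: int = 60) -> list:
    """Live query through Tor. Needs `pip install requests[socks]` and a running Tor."""
    import requests  # imported lazily so the parser stays usable offline
    r = requests.get("https://ahmia.fi/search/", params={"q": query},
                     proxies=TOR_PROXIES, timeout=timeout)
    r.raise_for_status()
    return extract_onions(r.text)


def merge_with_curated(hits: list, curated: list) -> list:
    """Curated sources first (the ones Ahmia tends not to index), then new hits."""
    ordered = list(curated)
    for h in hits:
        if h not in ordered:
            ordered.append(h)
    return ordered


# --- constructed sample data for an offline run -----------------------------
ONION_A = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"
CURATED = ["c" * 56 + ".onion", "d" * 56 + ".onion"]  # placeholder list
SAMPLE_HTML = f"""
<ol class="searchResults">
 <li><a href="/search/redirect?search_term=x&redirect_url=http://{ONION_A}/forum">Forum</a></li>
 <li><a href="http://{ONION_A}/forum/page2">Forum, page 2 (duplicate host)</a></li>
 <li><a href="http://aaaaaaaaaaaaaaaa.onion/">v2 address, ignored</a></li>
 <li><a href="https://ahmia.fi/about/">clearnet link, ignored</a></li>
</ol>
"""


def demo() -> list:
    """Offline pipeline run on the constructed page: curated list + parsed hits."""
    return merge_with_curated(extract_onions(SAMPLE_HTML), CURATED)


if __name__ == "__main__":
    print(demo())
```

Replace `demo()` with `merge_with_curated(search_ahmia("your query"), CURATED)` for a live run, and treat every fetched page as hostile input: parse with the stdlib parser as above, never render it, and keep the scraper on a box you are happy to wipe.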

🤓 I've built the ultimate threat actor attribution tool!! Okay, okay… not quite ultimate, but still pretty useful. 😅 Let me explain. 👇 When you investigate an attack, sometimes you know what you are looking at—maybe you are an experienced analyst or have tracked a threat actor long enough to recognize their patterns. But sometimes, you don’t! Or maybe your biases are too strong. 🫠 So, I wanted a system where I could describe an attack, add IOCs, TTPs, or a target sector, and get an automatic threat actor suggestion with confidence level and justification, based on my data and public knowledge. I used the following metric: direct evidence (IOCs matching, tools/malware ID, TTP correlation), confidence scoring (0-100%), attribution factors (target, geography, infrastructure, timeline, tools, code patterns), and validation through public sources like ORKL. I threw everything into an AI model with some similarity calculation, prevalidation and evaluation, and tada!
Thomas Roccia 🤘 · 21,542 views • 1 year ago
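The scoring the post sketches (direct evidence from IOC and tool matches, TTP correlation, attribution factors such as target sector and geography, a 0-100 confidence with a justification) as an added example; this is not the author's tool and the weights, actor profiles and incident data are constructed assumptions. Direct evidence gets most of the weight on purpose: TTPs and victimology are shared across many groups and are exactly the factors that feed the analyst bias the post mentions. Validation against public reporting (ORKL in the post) is left to the analyst: the justification list is what you would take there.

```python
"""Weighted threat-actor attribution scoring (added example, not fr0gger's tool)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ActorProfile:
    """Constructed knowledge-base entry for one tracked actor (not real intel)."""
    name: str
    iocs: set      # hashes, domains, IPs previously tied to the actor
    tools: set     # malware and tool families
    ttps: set      # ATT&CK technique IDs
    sectors: set
    regions: set


@dataclass
class Observation:
    """What the analyst saw in the current intrusion."""
    iocs: set = field(default_factory=set)
    tools: set = field(default_factory=set)
    ttps: set = field(default_factory=set)
    sector: Optional[str] = None
    region: Optional[str] = None


# Assumed split: direct evidence dominates, shared-by-everyone factors trail.
WEIGHTS = {"ioc": 40, "tool": 25, "ttp": 20, "sector": 10, "region": 5}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def score_actor(obs: Observation, actor: ActorProfile):
    """Return (confidence 0-100, justification lines) for one candidate."""
    parts, why = {}, []
    shared_iocs = obs.iocs & actor.iocs
    parts["ioc"] = len(shared_iocs) / len(obs.iocs) if obs.iocs else 0.0
    if shared_iocs:
        why.append(f"IOC overlap: {sorted(shared_iocs)}")
    shared_tools = obs.tools & actor.tools
    parts["tool"] = len(shared_tools) / len(obs.tools) if obs.tools else 0.0
    if shared_tools:
        why.append(f"tooling: {sorted(shared_tools)}")
    parts["ttp"] = jaccard(obs.ttps, actor.ttps)
    if parts["ttp"]:
        why.append(f"TTP similarity (Jaccard): {parts['ttp']:.2f}")
    parts["sector"] = 1.0 if obs.sector in actor.sectors else 0.0
    parts["region"] = 1.0 if obs.region in actor.regions else 0.0
    if parts["sector"]:
        why.append(f"sector {obs.sector} in actor's victimology")
    if parts["region"]:
        why.append(f"region {obs.region} in actor's victimology")
    confidence = round(sum(WEIGHTS[k] * v for k, v in parts.items()))
    return confidence, why


def attribute(obs: Observation, actors: list, min_confidence: int = 50):
    """Rank all candidates; return (best candidate or None, full ranking)."""
    ranked = []
    for a in actors:
        conf, why = score_actor(obs, a)
        ranked.append({"actor": a.name, "confidence": conf, "justification": why})
    ranked.sort(key=lambda r: r["confidence"], reverse=True)
    best = ranked[0] if ranked and ranked[0]["confidence"] >= min_confidence else None
    return best, ranked


# --- constructed sample data (hypothetical actors, RFC 5737 addresses) -------
ACTORS = [
    ActorProfile("HYPOTHETICAL-ACTOR-1", {"evil.example.com", "203.0.113.5"},
                 {"Cobalt Strike", "Mimikatz"},
                 {"T1566.001", "T1059.001", "T1003.001", "T1486"},
                 {"healthcare", "finance"}, {"EU", "US"}),
    ActorProfile("HYPOTHETICAL-ACTOR-2", {"other.example.net"}, {"Mimikatz"},
                 {"T1566.001", "T1059.001", "T1003.001"}, {"energy"}, {"APAC"}),
]
INCIDENT = Observation(iocs={"evil.example.com", "198.51.100.9"},
                       tools={"Cobalt Strike"},
                       ttps={"T1566.001", "T1059.001", "T1486"},
                       sector="healthcare", region="EU")


def demo():
    return attribute(INCIDENT, ACTORS)


if __name__ == "__main__":
    best, ranking = demo()
    print("best:", best)
    for r in ranking:
        print(r["confidence"], r["actor"], r["justification"])
```

Note what the second actor shows: it shares two of three observed techniques with the incident yet scores 10, because phishing plus PowerShell is commodity tradecraft. If a TTP-only overlap were allowed to push a candidate over the threshold, the tool would simply automate the bias it is meant to counter.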

🤓 I just published my notebook on the BlackBasta chat log leak! It’s a dynamic marimo notebook you can run in your browser—no setup needed. Be patient, though—it takes a few seconds to load as the notebook is heavy. Here is what I did 👇
➡️ Generated diagrams to visualise the data and extracted some stats.
➡️ I added a dynamic table with all extracted IOCs (not curated) so you can browse and filter them directly from your browser.
➡️ Then I built a hybrid RAG using FAISS (semantic search) + BM25 (keyword search) + ensemble retriever.
➡️ The retrieved data is shown with the LLM’s response for verification.
➡️ I also included context relevancy checks to reduce hallucinations.
Everything is documented in the notebook! No API key needed—I provided mine (it will be disabled once the limit is reached). ✨ I used GPT-4o Mini as it is less expensive, but I got much better results with o1, so you may want to use the code locally with your own API key. 👉 Note: This is a personal work and it is not affiliated with my employer. If you like it, share it & let me know what you think! 😊 👉 Notebook:
Thomas Roccia 🤘 · 15,791 views • 1 year ago
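The "extracted IOCs (not curated)" table in the post is the output of a regex pass over chat lines; here is that pass as an added example, not code from the notebook. The chat lines are constructed (RFC 5737 addresses, `example.com` hosts, the well-known hashes of the empty string), the TLD list is an assumption to extend, and the defanging styles reversed (`hxxp`, `[.]`, `[:]`) are the ones commonly seen in analyst chatter. It also shows why "not curated" matters: a version string shaped like an IP is rejected by the octet check, but a hash-looking token or a benign domain mentioned in passing would still land in the table.

```python
"""IOC extraction over chat-log lines with refanging (added example, not the notebook's code)."""
import re
from urllib.parse import urlsplit

# Defanging styles reversed before matching (assumed common forms).
REFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")]

PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s<>\"')]+"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # TLD list is an assumption; extend it for your data set.
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|xyz|top|onion)\b", re.I),
}


def refang(text: str) -> str:
    for bad, good in REFANG:
        text = text.replace(bad, good)
    return text


def valid_ipv4(s: str) -> bool:
    """Regex alone accepts 10.0.300.5; reject octets outside 0-255."""
    return all(0 <= int(o) <= 255 for o in s.split("."))


def extract_iocs(lines) -> dict:
    """Map IOC type -> unique values in first-seen order. Nothing is curated."""
    found = {k: [] for k in PATTERNS}

    def add(kind, value):
        if value not in found[kind]:
            found[kind].append(value)

    for line in lines:
        text = refang(line)
        # URLs first: record them, pull the host out, then cut them from the
        # text so the domain pass does not re-match parts of the same URL.
        for url in PATTERNS["url"].findall(text):
            add("url", url)
            host = urlsplit(url).hostname
            if host:
                is_ip = PATTERNS["ipv4"].fullmatch(host) and valid_ipv4(host)
                add("ipv4" if is_ip else "domain", host)
        text = PATTERNS["url"].sub(" ", text)
        for h in PATTERNS["sha256"].findall(text):
            add("sha256", h.lower())
        for h in PATTERNS["md5"].findall(text):  # \b keeps it off sha256 substrings
            add("md5", h.lower())
        for ip in PATTERNS["ipv4"].findall(text):
            if valid_ipv4(ip):
                add("ipv4", ip)
        for d in PATTERNS["domain"].findall(text):
            add("domain", d.lower())
    return found


# --- constructed chat lines (not from the leak) ------------------------------
SAMPLE_LINES = [
    "2024-01-10 09:12 | ops: panel moved to hxxp://update[.]evil.example[.]com/gate.php",
    "2024-01-10 09:15 | ops: new build md5 d41d8cd98f00b204e9800998ecf8427e, "
    "sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-01-10 09:20 | ops: bounce through 203[.]0[.]113[.]45 then 198.51.100.7, "
    "build 10.0.300.5 is fine",
    "2024-01-11 11:02 | team: mirror at "
    "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion",
]

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LINES).items():
        print(f"{kind:7s} {values}")
```

The ordering in `extract_iocs` is the part to keep when adapting it: record and strip URLs before the bare-domain and IP passes, or every URL shows up twice, once whole and once as its host.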

🤓 I have built an MCP for YARA rule creation and it works pretty great! With DocYara MCP, you can:
– Generate YARA rules
– Validate and optimize them
– Deploy your rule directly to VirusTotal Livehunt
I did a full walkthrough on YouTube in the second tweet 👇
Thomas Roccia 🤘 · 12,075 views • 1 year ago