Orig3n (@0rig3n) · Followers 87 · Following 400 · Media 13 · Statuses 150
It's that time of year. We are pleased to bring you HackNWA Conference 2025: Sock Puppet Tycoon - Disposable Machine, Network, Server, Client and Identity; Make frens and influence ppl. Great speakers, activities, panelists, and afterparty concert in Bentonville. Get your tickets!
0
7
12
👏 Congratulations. I know being on the Blue side can be stressful! Had a fun time thinking Red team thoughts :)
Congratulations to the following teams for qualifying for the 2024 SWCCDC regional event: @Baylor, @LATech, @PhilanderSmith, @SamHoustonState, @SAC_PR, @TAMU, @UTAustin, @utulsa. We look forward to seeing everyone in March!
0
0
0
Gonna be in Bentonville on April 15th attending #Sp4rkCon and then performing at a separate party later. About to take over this whole midwest con party scene 😤
Looking for a day packed with infosec events on Apr 15th you should check out #Sp4rkCon and @HackNWA in Bentonville. All events are free and open to the public! https://t.co/N9u55dkk4z
2
5
12
I'm teaching my PowerShell For InfoSec course live online for the first time on 3/2/23 and 3/3/23. It is a 2 day class for $575 from @Antisy_Training. Have you already taken the On-Demand (pre-recorded) version? What did you think? Check it out here:
antisyphontraining.com
This course covers PowerShell fundamentals, execution logging options, and security features for both offensive and defensive applications in IT environments.
0
14
30
The next run of PowerShell for InfoSec: What You Need to Know! w/ @OrOneEqualsOne will be during our summit, and we're honored to be supporting @cybher_dsu w/ 10% of our revenue from this class! Class registration: https://t.co/dkMO4Dt8ku Support this project:
cybher.org
CybHER® : Empowering, Motivating and Educating Girls in CyberSecurity - To date, we have reached over 9000 girls with our collective efforts.
0
4
5
Just learned about this cool lots-project by @mrd0x. Here is an MDE KQL #threathunting query that looks for lolbins talking to lots-project domains.
gist.github.com
Threat hunting search, lolbins talking to lots domains. - lolbin-lots.txt
0
0
0
Thinking of different ways of #threathunting lolbins, especially ones that don’t normally communicate over the network. This is a good base query to get started in Microsoft Defender for Endpoint. #kql
gist.github.com
Search Microsoft Defender console for lolbins making network connections. - Lolbins.md
0
0
0
Microsoft has been tracking Iranian actor PHOSPHORUS’ ransomware sub-group known as DEV-0270, aka Nemesis Kitten. The group is responsible for multiple attacks typically using high-severity vulnerabilities to gain access. TTPs and more in our latest blog: https://t.co/DEi64NWRJE
2
125
212
Microsoft MDE kql queries based on IP/Hashes from [redacted]'s report on Bian Lian https://t.co/57bOpHqzko
#ThreatIntel
gist.github.com
Bian Lian KQL search. GitHub Gist: instantly share code, notes, and snippets.
0
2
1
When I switched from offensive security (Red Team) to defensive security (Blue Team) I promised to share my thoughts about my experience and here they are - finally. 😀
medium.com
I was a web application developer in 2010 when I learned about pentesting. I fell in love with the idea that I could get paid to break…
5
66
337
~Free STUFF~ We still have 10 unclaimed copies of "Hacking API" book. So if you want to win one of those, simply Like & RT. This month we give away 50 books, 5 Burp & 5 Pentester Academy licenses. Follow @traceableai and @InonShkedy for more giveaways 🥳🥳
42
501
674
Really highlights the importance of enabling Diagnostic logs for KeyVaults.
1\ 👿How to detect and compromise Azure Key Vaults🔐 Attackers target Azure vaults to pillage JUICY 🥵 data for data collection & lateral movement as they contain: - API keys - passwords - certificates 👇Check out my blog for the attack & detection👇 https://t.co/Vv1c7xTWQg
0
0
0
1\ How to detect file timestomping 👀 APT28, APT29, APT32, APT38 have all used this defence evasion technique to modify malicious file creation times. 😈 Did you also know it's possible to timestomp $FN time? 👇👇 BLOG & TL;DR BELOW 👇👇 https://t.co/B2oUtA5owF
12
268
729
@briankrebs Stop. Putting. Critical. Comms. On. Your. Network. You know it's bad when even Microsoft is telling you to not use Microsoft.
0
3
25
Azure #threathunting query. Find who in your environment is performing password resets on VMs. This catches SSH key, SSH password and Windows password resets.
gist.github.com
Azure VM password reset query. GitHub Gist: instantly share code, notes, and snippets.
0
1
0
When cloud threat hunting I like to keep an eye on who is trying to deploy new resources where the action is denied. Nested groups are the enemy of a well-implemented RBAC solution. Azure query here ->
gist.github.com
GitHub Gist: instantly share code, notes, and snippets.
0
0
0
Azure hunt query, looking for new resources being deployed where the deployment was denied. Not as common as you might think. Got any cloud hunting queries to share?
0
0
0
AzureActivity
| where TimeGenerated > ago(1d)
| where ActivitySubstatusValue == 'BadRequest'
| where OperationNameValue == 'MICROSOFT.RESOURCES/DEPLOYMENTS/VALIDATE/ACTION'
| extend resource_ = tostring(parse_json(Properties).resource)
#ThreatHunting
1
0
0
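The same hunt as the denied-deployment KQL above, applied offline to exported AzureActivity rows. This is an added example, not code from the account's gist or from Microsoft: it mirrors the query's three filters (one-day window, 'BadRequest' substatus, the deployment-validate operation) and the `parse_json(Properties).resource` extraction, then adds a per-caller tally so repeat denials stand out. The rows below are constructed sample data; the column names (TimeGenerated, Caller, OperationNameValue, ActivitySubstatusValue, Properties) are real AzureActivity columns, while the reference time and the callers are assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "now" so the one-day window is deterministic (a live run would use datetime.now(timezone.utc)).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# The operation and substatus the KQL query matches. KQL '==' is case-sensitive, so we compare exactly too.
VALIDATE_OP = "MICROSOFT.RESOURCES/DEPLOYMENTS/VALIDATE/ACTION"
DENIED_SUBSTATUS = "BadRequest"

# Constructed sample rows shaped like AzureActivity records; Properties is a JSON string as in the real table.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-01-10T11:30:00Z", "Caller": "alice@example.com",
     "OperationNameValue": VALIDATE_OP, "ActivitySubstatusValue": "BadRequest",
     "Properties": json.dumps({"resource": "vm-lab-01", "statusCode": "BadRequest"})},
    {"TimeGenerated": "2024-01-10T10:05:00Z", "Caller": "alice@example.com",
     "OperationNameValue": VALIDATE_OP, "ActivitySubstatusValue": "BadRequest",
     "Properties": json.dumps({"statusCode": "BadRequest"})},          # no resource key
    {"TimeGenerated": "2024-01-10T09:00:00Z", "Caller": "bob@example.com",
     "OperationNameValue": VALIDATE_OP, "ActivitySubstatusValue": "BadRequest",
     "Properties": json.dumps({"resource": "kv-prod"})},
    {"TimeGenerated": "2024-01-08T09:00:00Z", "Caller": "bob@example.com",
     "OperationNameValue": VALIDATE_OP, "ActivitySubstatusValue": "BadRequest",
     "Properties": json.dumps({"resource": "kv-old"})},                 # outside ago(1d)
    {"TimeGenerated": "2024-01-10T11:00:00Z", "Caller": "carol@example.com",
     "OperationNameValue": VALIDATE_OP, "ActivitySubstatusValue": "Created",
     "Properties": json.dumps({"resource": "vm-ok"})},                  # validation succeeded
    {"TimeGenerated": "2024-01-10T11:45:00Z", "Caller": "dave@example.com",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "ActivitySubstatusValue": "BadRequest",
     "Properties": json.dumps({"resource": "vm-write"})},               # different operation
]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def denied_deployments(rows, now=NOW, lookback=timedelta(days=1)):
    """Return rows matching the KQL hunt: recent, BadRequest, deployment-validate, with resource_ extracted."""
    hits = []
    cutoff = now - lookback                      # TimeGenerated > ago(1d)
    for row in rows:
        if parse_time(row["TimeGenerated"]) <= cutoff:
            continue
        if row.get("ActivitySubstatusValue") != DENIED_SUBSTATUS:
            continue
        if row.get("OperationNameValue") != VALIDATE_OP:
            continue
        # parse_json(Properties).resource, tolerating malformed or missing JSON like KQL does
        try:
            props = json.loads(row.get("Properties") or "{}")
        except json.JSONDecodeError:
            props = {}
        if not isinstance(props, dict):
            props = {}
        hits.append({
            "TimeGenerated": row["TimeGenerated"],
            "Caller": row.get("Caller", ""),
            "resource_": str(props.get("resource", "")),   # tostring() of a missing value is ""
        })
    return hits


def denied_by_caller(hits):
    """Count denied validations per caller; repeat offenders are the ones worth a closer look."""
    return Counter(h["Caller"] for h in hits)


if __name__ == "__main__":
    found = denied_deployments(SAMPLE_ROWS)
    for h in found:
        print(f'{h["TimeGenerated"]}  {h["Caller"]:<20}  resource_={h["resource_"] or "<none>"}')
    for caller, n in denied_by_caller(found).most_common():
        print(f"{caller}: {n} denied deployment validation(s) in the last day")
```

Running it lists three denied validations (two for alice, one for bob); the stale row, the successful validation and the non-deployment write are filtered out exactly as the KQL would filter them.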