Kostas Profile
Kostas

@Kostastsale

Followers
15,915
Following
364
Media
813
Statuses
4,623

@TheDFIRReport member | Tweeting and following mostly #ThreatIntel , #malware , #IR & #Threat_Hunting . Opinions are mine only! 🇬🇷🇨🇦

Joined February 2017
Pinned Tweet
@Kostastsale
Kostas
1 year
Today, @ateixei and I are releasing the EDR Telemetry project. This project aims to compare and evaluate the telemetry of various EDR products. ✅Introductory blog post: ✅GitHub Repo: ✅Comparison Table:
42
336
815
@Kostastsale
Kostas
2 years
I usually make short-form satirical videos for fun, but never share them with the world. This time tho, I thought I'd make one for the infosec community. Some might even find it educational 😅 If you're in #infosec and you feel a little down this week, this video is for you💙
169
1K
3K
@Kostastsale
Kostas
3 months
Tweet media one
@vxunderground
vx-underground
3 months
. @CrowdStrike placed an ad in the Super Bowl. We're not up to date with the current Threat Actor lore with them, but it appears as if one of the individuals in the commercial is the infamous Scattered Spider (the tall one with the curly blonde hair)
Tweet media one
35
45
505
4
261
1K
@Kostastsale
Kostas
7 months
This is a pretty nice graphic explaining how Kerberos Auth takes place. Useful to have as a reference when you have to explain and visualize attacks such as Pass The Ticket, Kerberoasting and AS-REP Roasting. Credit: @0xNarek 🙏🙏
8
409
2K
@Kostastsale
Kostas
5 months
I updated the EDR telemetry project with corrected telemetry and new additions! See below the changes and upcoming EDRs: ✅ Corrected Trend Micro Telemetry ✅ Corrected ESET Telemetry 🌟 Added Qualys EDR 🎯New Additions Coming Up: 🔜 Sophos EDR 🔜 Cortex EDR Vendors are
Tweet media one
38
421
1K
@Kostastsale
Kostas
4 months
Internal security teams watching the SysAdmins implementing all of their security hardening recommendations…
26
151
897
@Kostastsale
Kostas
2 years
I created a #CyberChef recipe to ease the extraction of URLs from the word document (.doc & .docm) which download #Emotet . It is not completely foolproof, but it worked 99% of the time for me.
Tweet media one
14
275
803
@Kostastsale
Kostas
1 month
Regarding the xz backdoored binary, see the one-liner below to check the version you have installed. **I wouldn’t suggest folks run the malicious binary with the -v option🫠🫣 for xz_p in $(type -a xz | awk '{print $NF}' | uniq); do strings "$xz_p" | grep "xz (XZ Utils)" ||
@sans_isc
SANS.edu Internet Storm Center
1 month
A quick note about xz-utils backdoor: 1 - luckily, this was caught early. 2 - most run xz-utils 5.2/5.4. 5.6 is bad. 3 - quick check: `xz -V` 4 - Thanks to people who paid attention
23
203
546
12
198
796
@Kostastsale
Kostas
1 year
Happy Friday 😆
Tweet media one
4
73
731
@Kostastsale
Kostas
2 years
Last week, @TheDFIRReport received a MS-themed phishing email with an HTML attachment. The email made a significant effort to appear legitimate. When we open the file, the code renders into what appears to be an HTML page mirroring the official MS account login page. 1/🧵
Tweet media one
Tweet media two
18
182
682
@Kostastsale
Kostas
2 years
When I tell people I work in #infosec , and they want me to explain what this means
33
67
550
@Kostastsale
Kostas
7 months
🚨Threat Actors are currently using PSMapexec. You should get familiar with it! The screenshot below is from a VERY recent intrusion that started from a WS_FTP server exploitation. They used PSMapexec A LOT during this intrusion. Full details on a future report...
Tweet media one
@hack_git
HackGit
7 months
PsMapExec: A #PowerShell tool that takes strong inspiration from CrackMapExec. Supported Methods • PsExec • RDP • SMB Signing • WinRM • WMI #cybersecurity #infosec #pentesting #redteam
Tweet media one
1
162
545
1
157
554
@Kostastsale
Kostas
2 years
A SOC analyst and an incident response analyst dealing with a malware outbreak on a typical workday...
26
78
502
@Kostastsale
Kostas
8 months
A Day in the Life of a CISO
13
135
503
@Kostastsale
Kostas
2 years
This is likely my last #CyberChef recipe of the year. I created it to de-obfuscate the VBS that is dropped by the new #dridex xls initial payloads with the option to extract the URLs straight away. 🎉Happy holidays 🎉
Tweet media one
Tweet media two
11
103
488
@Kostastsale
Kostas
1 month
🚀Major Update: EDR Telemetry Project🚀 I updated the EDR Telemetry Project to make the table accessible for color vision deficiencies, map all sub-categories to Mitre ATT&CK and more. (Read below👇) Many thanks to all who contributed to this major update! Here are some…
Tweet media one
11
169
483
@Kostastsale
Kostas
2 years
New post in the threat hunting series, this time focusing on threat emulation for #threat_hunting . ✅ Setting goals ✅ Steps of the threat emulation ✅ Finding unique indicators ✅ Building queries for threat hunting ✅ Eliminate False Positives & more...
8
176
473
@Kostastsale
Kostas
2 years
I started a #Threat_hunting series. In this first post, I cover the basics, including: ✅ What is threat hunting ✅ Demystifying common misconceptions ✅ What are some of the goals & metrics ✅ What are some basic attributes that make up a threat hunter
14
119
456
@Kostastsale
Kostas
3 months
Fortinet did it again. Do they hire 2 year olds to code their software? I don’t get it… The gift that keeps on giving. CVE-2024-21762 Workaround : disable SSL VPN 🤦‍♂️
Tweet media one
20
129
438
@Kostastsale
Kostas
2 years
As a defender, I read reports to stay up to date with recent threats reported by others in the industry. It also helps me generate ideas for future research, threat hunting, detection, or a deeper dive into TA's infra. This is what I am looking for when I read them🧵 1/11
10
105
438
@Kostastsale
Kostas
1 year
New post in the threat hunting series, this time comparing #threat_hunting to #detection_engineering . ‣ Detection Engineering VS Threat Hunting ✅Differences and similarities ✅Contributions to the security program ✅Multiple examples & more...
4
166
431
@Kostastsale
Kostas
2 years
#BruteRatel is difficult to detect without having access to WinAPI, NTAPI, and Syscalls as everything is done in memory. This hurts our efforts to hunt across behaviors upon executing the BRC4 payload. Although all hope is not lost, there are some good indicators in the wires🧵👇
6
129
414
@Kostastsale
Kostas
4 months
🎉Happy New Year, everyone!🎉 Hope you have less moments like the fellas in this video when responding to threats this year 😂👇
24
104
385
@Kostastsale
Kostas
6 months
Tweet media one
5
54
380
@Kostastsale
Kostas
1 year
I observed an interesting technique from the operators behind an #IcedID infection the other day. They opened a file explorer window using the cmd: ➡️explorer.exe shell:mycomputerfolder They then captured a screenshot of the infected host. It looked like this👇 1/
7
103
373
@Kostastsale
Kostas
10 months
🚨I'm starting a new initiative where I share DFIR-related artifacts along with a short blog for context. My goal is to help ppl, especially newcomers, learn from real attacks. More info in the resources below: Repo: First blog:
12
109
375
@Kostastsale
Kostas
9 months
If you’ve tried imaging even a fraction of that, then you know how hilarious this is 🤣
11
54
368
@Kostastsale
Kostas
1 year
Want to hunt for #QakBot C2 and you only have network telemetry and not a tool to detect malicious traffic? No worries, look for: Connections to high ports with urls that end in “/t5”. This indicator has been stable for a long time. ➡️Regex - (http|https).*\:[0-9]{2,5}\/t5
4
90
364
@Kostastsale
Kostas
1 year
When you spend hours tracking a suspicious activity that turns out to be an active pentest...
Tweet media one
15
40
355
@Kostastsale
Kostas
2 years
The never-dying #Emotet is back, and aside from our report on it, I feel like there needs to be a further explanation on the undergoing efforts of stopping it. Enjoy the video and our new report 🙃
@TheDFIRReport
The DFIR Report
2 years
Dead or Alive? An Emotet Story ➡️Initial Access: Emotet XLS ➡️Persistence: RegRunKeys, Atera ➡️Discovery: LOLbins, AdFind, ShareFinder ➡️Credentials: LSASS access, Kerberoast ➡️Lateral: SMB, Remote Services ➡️C2: Emotet, CobaltStrike ➡️Exfil: Rclone/Mega
5
124
301
7
99
358
@Kostastsale
Kostas
2 years
The third post in the threat hunting series is out! ‣ The Threat Hunting Process ✅ The two threat hunting models ✅ Six step threat hunting process ✅ Examples that explain the process ✅ Diagrams & images for illustration Feedback is welcome 🙂
8
131
355
@Kostastsale
Kostas
6 months
🎯Detecting/Hunting PsMapExec Default Values (Two of the most commonly seen methods) 1️⃣SMB Method: Service Creation - EIDs 7045(System) and 4697(Security) - Service name regex: 'Service_[a-z]{16}' - Service File name: PowerShell command execution The PowerShell script that will…
Tweet media one
Tweet media two
@Kostastsale
Kostas
7 months
🚨Threat Actors are currently using PSMapexec. You should get familiar with it! The screenshot below is from a VERY recent intrusion that started from a WS_FTP server exploitation. They used PSMapexec A LOT during this intrusion. Full details on a future report...
Tweet media one
1
157
554
2
96
348
@Kostastsale
Kostas
1 year
Malicious Onenote files have been doing the rounds for more than a couple of weeks now, and it just occurred to me that I never shared my hunting rule. Here is a sigma rule I created that could turn into a detection rule with very few or no FPs.
Tweet media one
10
76
331
@Kostastsale
Kostas
5 months
🔍Behind the Scenes: The Daily Grind of Threat Hunter I turned a Twitter thread into a blog post on the topic of threat hunting. This is a real-world example of how I approach threat hunting step-by-step 🕵️‍♂️ #ThreatHunting 👉 Blogpost here:
3
91
317
@Kostastsale
Kostas
6 months
I created a @TheDFIRReport Assistant GPT that answers questions related to our reports. It will also tailor the responses based on the user’s expertise level! Let me know if any issues or if you want to see anything specific and I’ll train it further 🙂
7
89
313
@Kostastsale
Kostas
1 year
The recent EDR debates are silly. EDRs have to satisfy thousands of customers with their rulesets and sometimes they might miss things from being too conservative with an event that comes close to normal sys admin activity. EDRs are no end game. Make sure you find one that:
17
55
310
@Kostastsale
Kostas
7 months
In case anyone’s wondering why most TAs are still using Cobalt Strike: 🚨 The new version of Cobalt Strike (v4.9) is now cracked and doing the rounds.
Tweet media one
20
59
295
@Kostastsale
Kostas
5 months
See the query below if you want to hunt/detect MFA Fatigue attempts: AADSignInEventsBeta | where Timestamp > ago(1h) //Error Code : 50088 : Limit on telecom MFA calls reached //Error Code : 50074 : Strong Authentication is required. //Error Code : 50058 : User is authenticated but…
1
47
291
@Kostastsale
Kostas
1 year
🌟Incredible first week for the EDR-Telemetry project()! Blown away by the contributions & support!🙌 ➡️Multiple EDR vendors in the pipeline (Cybereason,Trellix &more) ➡️Introducing Telemetry-Generation Tool( @nasbench 🙏)- 🧵⤵️
7
81
289
@Kostastsale
Kostas
2 years
Fresh changes! What is happening at #Microsoft , did the beast wake up and bump security up the priority list for this month? 😅 ASR rule will be in "configured" state by default to block credential stealing from LSASS! 😲🥳
Tweet media one
6
91
286
@Kostastsale
Kostas
1 year
Before we further gather the data sources and telemetry for each EDR product, would people find something like this useful? (poll on thread below 👇) **This is an example table with some of the most useful data sources. It's for demo purposes. They can be expanded later on.
Tweet media one
@Kostastsale
Kostas
1 year
I think it's time to get to the bottom of each EDR's telemetry. This is one way to push them to improve their products based on what security teams need! Watch this space; this is happening...👇🔜
7
10
75
25
65
281
@Kostastsale
Kostas
2 years
One of the takeaways from the #ContiLeaks is that TAs monitor everything #infosec related. They then adapt and improve their ops accordingly. We always thought this was the case, but now we have proof. Their chats are full of related mentions… They watch us too...👀
13
56
279
@Kostastsale
Kostas
2 months
I’m aiming to work on EDR Telemetry project this weekend. Sorry to folks that’ve been waiting for updates on PRs etc. it’s been a busy year already. What’s coming 🔜: ➡️ Cortex EDR ➡️ Symantec SES ➡️ Sophos EDR ➡️HarfangLab EDR
5
66
275
@Kostastsale
Kostas
8 months
New blog: Understanding Red to Be Better at Blue: Navigating New CrackMapExec Updates ✅Keeping up with the red team ✅Breaking down CME’s new key features ✅From code to behavioural hunting & detections ✅Illustrations with examples
5
111
271
@Kostastsale
Kostas
2 years
The countless hours spent researching, digging through logs, analyzing malware and writing reports are all worth it when you see comments like this (screenshots👇). Thank you all! We’re all keeping humble and planning for 2022 with more APTs and actionable reports 😊
Tweet media one
Tweet media two
Tweet media three
Tweet media four
8
25
264
@Kostastsale
Kostas
6 months
CVE-2023-4966 Citrix Bleed exploit: headers = {"Host": "a"*24576} I had more difficult web apps to exploit on OSCP 😂 😂
@EricaZelic
IAMERICA
6 months
CitrixBleed. Yep, that's it, the whole exploit.
Tweet media one
18
261
1K
3
62
256
@Kostastsale
Kostas
11 months
We keep developing the EDR Telemetry project to make it more accurate and add more features with the help of the community. Project Page: EDR Telemetry Table: Some notable updates: 1⃣Introduced a new value (🎚️Via…
3
76
251
@Kostastsale
Kostas
4 months
I created #TeleTracker , a repo to help researchers track Telegram-based C2 comms used by malware authors🚨 🔗 Check it out: ✨Features: - Send messages to the channel 😈 - Delete all messages from the channel 🤭 - Collect info from bot channels and the…
Tweet media one
9
77
248
@Kostastsale
Kostas
2 years
I don’t even know where to start… Fireeye endpoint terminated using Process Explorer, Bing search looking for Mimikatz, the two month response time? Oh boy, so many things to unravel here 😂 Very nice thread and juicy info 👇
@BillDemirkapi
Bill Demirkapi
2 years
New documents for the Okta breach: I have obtained copies of the Mandiant report detailing the embarrassing Sitel/SYKES breach timeline and the methodology of the LAPSUS$ group. 1/N
Tweet media one
Tweet media two
76
947
3K
11
46
247
@Kostastsale
Kostas
2 years
Second post in the threat hunting series. ‣ What Makes a Good Threat Hunter ✅ What does a threat hunter do ✅ Core competencies of a threat hunter ✅ Can threat hunting be automated ✅ Plenty of resources to get you started Hope this helps people 😊
7
81
244
@Kostastsale
Kostas
8 months
And this is the actual image from your 24/7 SOC Analyst doing a solo shift with high alerts firing in the middle of the night…
Tweet media one
@mattjay
Matt Johansen
8 months
Your 24/7 SOC Analyst when the spicy alerts are firing.
Tweet media one
5
42
247
2
44
244
@Kostastsale
Kostas
1 year
This article is a great overview of what #ThreatHunting is and what it is NOT. It goes through a good example of a successful threat hunt and has lots of tips on what you'll need to be successful. It's a must-read if you're interested in threat hunting👇
4
72
238
@Kostastsale
Kostas
1 year
I love Sigma; it's amazing for sharing detection rules. Although, I thought that it could also be used to share #ThreatHunting query logic. I've created a section in my GitHub repo to start sharing TH-focused sigma rules. They may have a wider scope as opposed to DE rules...👇
11
43
242
@Kostastsale
Kostas
1 year
Want to find the use of SharpHound/BloodHound in your environment? Look for file creation & deletion (via cmdline) that follows the below naming schema: yyyyMMddhhmmss_<name>.zip ➡️ FileName regex - 202[0-9]{11}\_.*\.zip ➡️ File deletion regex - .*del\s+202[0-9]{11}\_.*\.zip.*
4
48
238
@Kostastsale
Kostas
8 months
So funny how #BumbleBee is back and is using some fancy execution for the first stage, but then it's like, screw it, let's name the next stage payload 0.exe and have it beacon out every minute to the below sus .life domains(see at the bottom👇)... TTPs observed: 1️⃣ Initial
5
69
238
@Kostastsale
Kostas
8 months
Malware sometimes copies Windows binaries out of System32(See recent #DarkGate copying curl.exe & renaming) 🎯You can hunt or detect this by using the below regex ➡️(copy|copy-item|cp)\s+c:\\windows\\system32\\[a-zA-Z0-9_\-]{1,50}\.exe\s+(c:\\.*\\)?[a-zA-Z0-9_\-]{1,50}\.exe
11
54
234
@Kostastsale
Kostas
9 months
This is such a nice illustration explaining what threat hunting is from the @HuntressLabs team! I've written blogs about threat hunting trying to describe what that is, and how to do it, but it all comes down to these simple explanations. Well done! 👏
3
75
232
@Kostastsale
Kostas
6 months
This is a very interesting technique! I created two sigma rules to hunt/detect this activity. The registry rule might be more future-proof. - Process Creation Sigma 🔗 - Registry Set Rule Sigma🔗 - MS documentation here 🔗…
@0gtweet
Grzegorz Tworek
6 months
By-design AV bypass with "dev drive" 😅 I really like this feature! Update your detection rules if you want to spot this...
Tweet media one
16
256
948
2
75
230
@Kostastsale
Kostas
24 days
🚨Our DFIR labs are here! Investigate real intrusions by sifting through an abundance of logs. Follow through our public reports or challenge yourself with our private intrusion cases! You can use these labs to improve your skills in: ✅Detection Engineering ✅Threat Hunting
@TheDFIRReport
The DFIR Report
24 days
🎉 Announcing DFIR Labs! 🎉 Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help. 1/2
1
133
501
8
44
228
@Kostastsale
Kostas
2 years
Well, the clip was unexpectedly well received. So happy that this made people's day. I think the message is clear: people want more of this, and people should get more of this 😄 Thanks to everyone for the nice words! Y'all have a great sense of humour! Until the next one...
@Kostastsale
Kostas
2 years
I usually make short-form satirical videos for fun, but never share them with the world. This time tho, I thought I'd make one for the infosec community. Some might even find it educational 😅 If you're in #infosec and you feel a little down this week, this video is for you💙
169
1K
3K
7
30
227
@Kostastsale
Kostas
5 months
DFIR analysts out there grinding like...
2
44
224
@Kostastsale
Kostas
1 year
IcedID using OneNote payloads are on🔥this week. Here is a peek at what comes after the initial access based on these campaigns… ➡️Beacon loaded using PSH 💡Screenshot 1 ➡️RDP via Cobalt Strike reverse proxy 💡Found & exfiled files ➡Attempted Invoke-Nightmare 💡Screenshot 2
Tweet media one
Tweet media two
4
91
215
@Kostastsale
Kostas
1 year
Many security teams scrutinize inbound connections, but they tend to overlook traffic leaving the network. Here are a couple of things I consider when #Threat_hunting for ExMatter or similar tools: 🧵👇 1⃣Create your baseline: It is difficult to find anomalous activity if...
@1ZRR4H
Germán Fernández
1 year
🔺 New sample of #ExMatter (.NET/Confuser/64-bit) exfiltration tool commonly associated with #BlackCat , the binary connects to IP 64.227.80.81 AS14061 DIGITALOCEAN-ASN (as usual :D) port 22. PDB: "Z:\vm1\sync\sync\sync\bin\Debug\Confused\sync_enc.pdb" + They added the
Tweet media one
Tweet media two
Tweet media three
Tweet media four
2
46
152
2
45
204
@Kostastsale
Kostas
8 months
🎯Some additional info on #DarkGate initial infection: 1️⃣ LNK Execution - Initial entry point via LNK file 2️⃣ Download Phase - Uses a renamed Curl to fetch AutoIT.exe & .au3 script and then executes the .au3 script. 🌐 From: 5.188.87.58:2351 🤖 User-agent: curl
Tweet media one
Tweet media two
@1ZRR4H
Germán Fernández
8 months
#DarkGate now also delivered via Microsoft Teams REF: by @IcsNick 🙌 Two additional runs most likely related to this campaign: + Sharepoint URL…
Tweet media one
Tweet media two
0
65
173
0
63
199
@Kostastsale
Kostas
1 year
I am not one to chase after certs, especially at this point of my career, especially when there are so many cheap or free resources to learn from nowadays. Having said that, these are the TOP 3 certs I found most valuable: 🥇OSCP 🥈CCNA 🥉Comptia Sec+ What's yours?
37
18
190
@Kostastsale
Kostas
3 months
Ever wondered how threat actors build and test their malware⁉️ What are some of their struggles with modern AV while testing⁉️ 📸Here are some screenshots that peek behind the curtain and answer some of these burning questions 😂 Context - Threat actor infected themselves with…
Tweet media one
Tweet media two
Tweet media three
Tweet media four
5
38
196
@Kostastsale
Kostas
5 months
I don't care what the haters say; I managed to create some good detections and hunts for the activity reported by @BlackBerrySpark . See the Sigma detection rule below. This is just one of many:
Tweet media one
@DrunkBinary
Drunk Binary
5 months
lmao, someone got a little redaction happy at @BlackBerrySpark
Tweet media one
Tweet media two
Tweet media three
Tweet media four
12
8
69
14
29
198
@Kostastsale
Kostas
1 year
- "Security is easy" they said, "just disable that legacy thing" they said. What could possibly go wrong? A day in the life of a security engineer...😂
3
65
194
@Kostastsale
Kostas
10 months
New blog post based on a recent intrusion I observed with #Ursnif as the initial infection! Topics include: ✅ Detection opportunities ✅ TAs clipboard data ✅ Post-exploitation and more! The artifacts for this case: The blog:
5
77
195
@Kostastsale
Kostas
2 years
To all researchers out there, this is how NOT to disclose a vulnerability 🧵 I’m talking about #CVE_2022_29072 . The author wanted it all: fame and money (selling for a fee as per discussion with the dev).
15
47
191
@Kostastsale
Kostas
3 months
SOAPHound is already advertised on some notorious TG channels. 🔔This technique is currently not detected by most EDR vendors!🚨 Huge thanks to @falconforceteam for uncovering this method and for providing us with detailed ways of detecting the technique. I created two SIGMA
Tweet media one
Tweet media two
Tweet media three
@olafhartong
Olaf Hartong
3 months
SOAPHound is out for walkies! SOAPHound is a #BloodHound collector to enumerate AD over SOAP instead of LDAP directly. Proud of Nikos for all his hard work! Blog: Tool repo: Detections:
Tweet media one
15
235
550
1
56
192
@Kostastsale
Kostas
1 year
1/x For the past couple of weeks, #IcedID has been hitting hard, with post-exploitation activities beginning within ~1 hour from the initial infection. Here are some TTPs and IOCs from these post-exploitation activities that will keep defenders ready. 🧵👇
2
66
194
@Kostastsale
Kostas
1 year
Related to the 3CX supply chain compromise, here is some preliminary information: ➡️Downloading the MSI installer from the official website serves you with the malicious, weaponized version of the application 💡If you have the application installed,
2
64
191
@Kostastsale
Kostas
2 years
I can't stress enough how important LDAP signing is, and hopefully, this tool will push many orgs to implement it. 🛡 Detection 🛡 : I've put together a Sigma rule to detect suspicious activity attributed to the use of this tool.
Tweet media one
1
45
185
@Kostastsale
Kostas
11 months
With every report, we aim to provide many details to help defenders detect & hunt for the techniques that TAs use. We try to highlight the TTPs and not just the tool. Let's take a look at our latest report and break down some of these opportunities:🧵👇
4
51
182
@Kostastsale
Kostas
9 months
A major reason threat hunters feel pressure to perform is due to poor metrics imposed by management. From my experience, this often leads to a loss of motivation and drains one's creativity. Focusing on the right metrics can set proper expectations. I'm working on a write-up
Tweet media one
@onfvp
queen basic ⊛
9 months
Threat hunting & detection engineering are wonderful & can be really rewarding. Don’t lose motivation if you’re not always finding bad! Identifying visibility gaps, creating or tuning detection logic, & working to close these gaps are great TH goals (& can be just as fun!)
5
18
118
11
37
181
@Kostastsale
Kostas
2 years
Second report on #CobaltStrike is out after months of research, emulation and detailed writing. Focusing on network traffic, the aim was to help ppl understand these attacks and give them some FREE tools to battle against some of the most evasive techniques. Hope you like it!
@TheDFIRReport
The DFIR Report
2 years
Cobalt Strike, a Defender's Guide - Part 2 ➡️In this report we talk about domain fronting, SOCKS proxy, C2 traffic, Sigma rules, JARM, JA3/S, RITA & more. Big shout-out to @Kostastsale for helping put this together!
Tweet media one
Tweet media two
Tweet media three
Tweet media four
6
357
775
4
55
176
@Kostastsale
Kostas
6 months
Very interesting responses from folks. The common sentiment was that this is at least sus and needs further investigation. A lot of folks also went straight to describing it as malicious. 🎯Here is some more info and the steps I took to investigate this: 1️⃣Retrieving
Tweet media one
Tweet media two
Tweet media three
@Kostastsale
Kostas
6 months
Calling all whoami experts, do you think the below command is part of a malicious execution? Non-whoami experts are welcome to vote too btw 😅 "cmd.exe" /d /c "C:\Users\<user>\AppData\Roaming\cmk.exe /d /c whoami" ➡️Context: - cmk.exe is a renamed cmd.exe binary
28
15
84
13
43
172
@Kostastsale
Kostas
2 years
A ton of #IcedID recently. I wanted to share a few "easy" wins and investigation tips for it. 🧵 ➡️Execution/Discovery I shared this in the past, but it's worth sharing again. Looking for commands like net, nltest, systeminfo, ipconfig within seconds of each other should be a🚩
Tweet media one
@pr0xylife
proxylife
2 years
#IcedID - url > .zip > .iso > .lnk > .bat > .dll rundll32 pup\tempting.dll, #1 .dll via https://moxisoma.]com/r021/ c2 http://lionafuyesas.]com/ IOC's
Tweet media one
3
32
75
3
57
172
@Kostastsale
Kostas
4 years
@Ledtech3 @DanielGallagher 1) Threats go undetected when you don’t know where to look 2) Threats can blend into the environment and you won’t see them if you haven’t established a baseline of what’s normal 3) You gotta turn on the lights first to stand a chance at finding the threats (logs)... So many...😀
1
18
168
@Kostastsale
Kostas
8 months
You gotta love threat actors helping us identify their malware... 🙏
Tweet media one
6
10
167
@Kostastsale
Kostas
9 months
Here are some initial TTPs from a #GuLoader infection I observed: 1⃣Downloads .bin encrypted payload(2nd stage) from google drive 👀 🚨hxxps[://]drive[.]google[.]com/uc?export=download&id=165dR-jkeWwH1QAK3MesE3SkyuL9notjN 2⃣Attempts to move the malware under C:\Program Files…
Tweet media one
3
61
168
@Kostastsale
Kostas
1 year
I added a new sigma rule for detecting LAPS credential dumping. The detection is based on EIDs 4662 and 4624. Thanks to @mega_spl0it who wrote a great article on that topic.
Tweet media one
2
48
171
@Kostastsale
Kostas
2 years
Here we go again... Another vulnerability that will keep us busy for quite some time. I put together a #sigma rule that yields great results in detecting the execution via msdt that is spawned by office apps. ➡️ Office app ➡️➡️ msdt.exe - cmdline...
Tweet media one
2
55
168
@Kostastsale
Kostas
3 years
This report on Cobalt Strike should serve as a guide to help defenders protect their networks. We have gathered all techniques & relevant detections in one writeup with some additional information to help our community. This is only a start with many more to come. #CobaltStrike
@TheDFIRReport
The DFIR Report
3 years
Tweet media one
Tweet media two
Tweet media three
Tweet media four
3
374
737
3
52
165
@Kostastsale
Kostas
2 years
This is just so useful! When I see this cheat sheet, I wonder how many of these attacks I can: 🦄 Emulate to test current defences 🎯 Create threat hunts from the generated telemetry 🔍 Create detections 🔂 Repeat
4
39
164
@Kostastsale
Kostas
1 year
Threat actors have started leveraging a new RMM platform called Action1. This RMM has useful features. Let's take a look at what these are and how they use them🧵: 👀Console visibility: ➡️Missing Updates view ➡️Apps installed ➡️Detail info about the OS & Hardware of the host
Tweet media one
Tweet media two
Tweet media three
6
59
162
@Kostastsale
Kostas
1 year
3CX CEO be like:
Tweet media one
@malwrhunterteam
MalwareHunterTeam
1 year
@cyb3rops @BleepinComputer "Unfortunately this happened because of an upstream library we use became infected." 👀
Tweet media one
4
9
52
6
25
162
@Kostastsale
Kostas
9 months
Cmd obfuscation is not easy to combat. Although, we can look at the parent-child process relationship. In this case, the process tree should raise some flags… 🚨Explorer.exe -> PowerShell.exe -> Mshta.exe 🎯If you don’t have detection for that, you can create a hunt for it.
@Securityinbits
Ayush Anand
9 months
1/ Zip file contains the LNK. LNK uses PowerShell to execute mshta.exe. It executes the hta from the URL present inside the LNK file 💡Using this \W*\\\2\\\msh*e instead of mentioning mshta.exe, to evade detection
Tweet media one
2
10
44
2
43
153
@Kostastsale
Kostas
1 year
The responses from this poll show how much people want a telemetry comparison like this one. @ateixei and I got to work and are close to releasing version 1 of this project. The project will be available on GitHub. Below is what people should expect at this early stage of the…
Tweet media one
@Kostastsale
Kostas
1 year
Before we further gather the data sources and telemetry for each EDR product, would people find something like this useful? (poll on thread below 👇) **This is an example table with some of the most useful data sources. It's for demo purposes. They can be expanded later on.
Tweet media one
25
65
281
13
35
154
@Kostastsale
Kostas
1 year
Looking for suspicious execution of binaries or scripts via "Alternate Data Streams"? I use the below regex against the command line to search for this activity in process execution events: ▪️REGEX ➡️\.[a-z]{2,5}:[a-z0-9\-_]{1,8}\.[a-z]{1,5}(\s+|$) #Threat_Hunting
2
40
148
@Kostastsale
Kostas
2 years
Conti discussing buying a 0day be like… #ContiLeaks
Tweet media one
0
34
143
@Kostastsale
Kostas
6 months
Many people think detection engineering is easy before they are introduced to millions of hosts and thousands of different environments 🙂
Tweet media one
4
16
147
@Kostastsale
Kostas
1 year
I have created the first #Sigma #ThreatHunting focused rule. It has a different approach to DE rules with an added hypothesis field. I explain the approach to the hunt in detail so everyone can use or modify it. Execution of scripts inside archives:
Tweet media one
@Kostastsale
Kostas
1 year
I love Sigma; it's amazing for sharing detection rules. Although, I thought that it could also be used to share #ThreatHunting query logic. I've created a section in my GitHub repo to start sharing TH-focused sigma rules. They may have a wider scope as opposed to DE rules...👇
11
43
242
7
33
145
@Kostastsale
Kostas
9 months
🎯 New blog post out - "Threat Hunting Metrics: The Good, The Bad and The Ugly" Metrics that... ✅ You should be using (& examples) ✅ You should avoid ❌ Can kill your team's spirit Special thanks to @onfvp for assisting with the review of this post!🙏
2
51
143
@Kostastsale
Kostas
4 months
🔔Yearly reminder‼️ Gartner receives part of their funding from participating vendors. Apart from that corrupted approach, Gartner is not transparent about their research methodology, they would never show their data to back up any of their claims, and they have perceived biases
Tweet media one
10
26
145
@Kostastsale
Kostas
8 months
This is likely the first Sigma rule for this new Python in Excel feature 😅 Sigma Rule: Reference:
Tweet media one
@EricaZelic
IAMERICA
8 months
Quick, everyone do this for python in Excel to be prepared: reg add HKCU\software\policies\microsoft\office\16.0\excel\security /v PythonFunctionWarnings /t REG_DWORD /d 0 /f  😈
4
12
118
1
48
143
@Kostastsale
Kostas
3 years
Detecting CVE-2021-40444:(invocation via control.exe) ➡️Parent Process: “*\control.exe” ⏩Parent command line: “*.inf *” ➡️➡️New Process name: “*\rundll32.exe” ⏩⏩Command line: “*.inf *”
1
48
143
@Kostastsale
Kostas
2 months
As a blue teamer, I just love reading red team blogs like this one. Getting detection ideas and picking up new methods. This particular one has proposed detections at the end 💙 🙏 This is one of the reasons I like reading and listening to @7MinSec 🔥
1
37
143