Jamie 🔜 RSAsí 🌉
@jamieantisocial
Followers
5,637
Following
5,394
Media
2,172
Statuses
9,559
🤘 @mitreattack for Enterprise Lead, former ATT&CK Evals water distribution engineer (the artists known as #UNC1799 ), @DistrictHeather ♥️🍷, he/him.
District of Columbia, USA
Joined July 2019
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Rio Grande do Sul
• 147269 Tweets
Boeing
• 126570 Tweets
Madonna
• 126523 Tweets
Nathan
• 115745 Tweets
Irak
• 66029 Tweets
Bhuvi
• 32793 Tweets
Marselino
• 24548 Tweets
Bruno Mars
• 23199 Tweets
#CHETOT
• 22128 Tweets
#الاهلي_ضمك
• 19339 Tweets
Guinea
• 18448 Tweets
زياد
• 18049 Tweets
Ange
• 16392 Tweets
Ernando
• 15728 Tweets
Canna
• 15469 Tweets
ALGS
• 13427 Tweets
Guillaume Meurice
• 12856 Tweets
Brasília
• 12345 Tweets
Sundowns
• 11032 Tweets
🆕micro emulations just dropped
- User Execution of OneNote File
-Remote Application Exploitation
-Reflective Code Loading
-Clear Windows Event Logs
-Data Exfiltration
-DLL Side-loading
Special shoutout to the dev team ♥️🤘
11
96
290
'Organizations should scan their logs for evidence related to this activity in a time window spanning the period between April 2021 and June 2023' 🔮🕰️
🔐🌩️ Storm-0558 update — Microsoft's recent findings raise new questions!
📊 New discoveries, along with actionable takeaways for proactive cloud security, are right here:
2
47
116
19
78
279
"In the context of computer security, what is trust?" 🤕
Microsoft has uncovered a supply chain attack by North Korean threat actor Diamond Sleet (ZINC) involving the modification of an installer file from software maker CyberLink. The payload calls back to attacker infrastructure for instructions. Learn more:
7
231
449
13
26
216
👀🤘
🛡️ Understanding adversary behavior is often the first step in protecting networks & data. Check out
@CISAgov
’s latest additions to the Best Practices for
@MITREattack
Mapping guide at to more proactively strengthen the security of your network!
2
83
233
5
60
194
I really appreciate the way this report clearly translates offensive tradecraft into defensive ideas
Beware of LUCR-3! 🚨 Threat actor that overlaps with Scattered Spider, Oktapus, UNC3944, & STORM-0875, they exploit IDPs for initial access & aim to steal IP for extortion. They use victims' tools and evade detection with expertise.
@permisosecurity
3
75
167
4
38
186
my Monday brain is stuck on this timeline 😵
'The threat actor acted upon the access 1️⃣1️⃣ days later..."
📅 Initial Access (Oct 2, 2023):
The Threat actors exploited WS_FTP CVE-2023-40044. They established a foothold using Sliver beacons, specifically with executable files cl.exe and sl.exe. Command and control traced back to 45[.]93[.]138[.]44:3131.
1
11
40
18
17
188
oof 🎣
Microsoft has identified highly targeted social engineering attacks by the threat actor Midnight Blizzard (previously NOBELIUM) using credential theft phishing lures sent as Microsoft Teams chats. Get detailed analysis, IOCs, and recommendations:
12
247
504
3
29
174
TIL 👀
🚨With our partners
@NSACyber
,
@FBI
,
@CyberGovAu
,
@Cybercentre_ca
,
@NCSC
, & NCSC New Zealand, we urge all organizations—especially critical infrastructure owners & operators—to read this Joint Advisory & mitigate your risk to PRC malicious cyber activity:
6
66
190
5
35
171
"it'd be like if the CIA were running our vulnerability program" 🐼🪖
6
24
166
"Chinese actors don't mind being caught, but they don't want to be named." 🐼🔨
4
15
153
holy OST 🐻
Organizations with JetBrains TeamCity software are urged to read the new advisory we published with US and Polish partners. Russian SVR cyber actors are using CVE-2023-42793 to exploit servers using this software.
11
77
169
3
33
149
2️⃣5️⃣ days of techniques🎄
1️⃣- T1480 is restricting payload exec based on matching expected traits of the victim, maybe less relevant to defend vice being insightful for CTI & annoying for RE
Seeing this more in red team tools too 🦺
4
43
149
that part.
Additional TTPs from Midnight Blizzard campaign
“Due to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as infrastructure IP addresses, is not sufficient to detect this type of…activity”
👆👆
5
49
165
8
36
137
excellent example of impactful purple team notes 💪💜☁️
Have a new blog out today looking at Purple Teaming the Azure/Entra cloud ☁️ - includes some neat queries and detection opportunities, check it out!
4
94
255
1
35
132
neat
The 2023 Microsoft Digital Defense Report highlighted over 200% increase in human-operated ransomware attacks and 12% increase in tracked ransomware as a service (RaaS) affiliates.
3
109
260
5
30
127
⚠️unsolicited⚠️ but hopefully helpful (career) advice:
take genuine (if even temporary) interest in what the people around you do, especially towards understanding how they see things 🧘
6
15
126
oh my ☁️
h/t
@wiz_io
💙🫡
💥 BOOM! Introducing "Cloud Threat Landscape": our extensive (internal) cloud security incident database is now public!
Explore 107 incidents, 96 threat actors, and 100+ attack techniques:
3
111
279
3
36
126
running micro adversary emulation plans (this one is mounting a malicious iso) using ezEmu (which also tracks child processes)
not super 🤯, but neat to play around with
4
18
118
🤘
@DennisF
love this. i wrote a thing that applies the consequence of this truism to transparency in security models (esp software transparency)
0
3
15
3
13
115
REALLY excited for this batch of 🆕 Enterprise techniques 👻🎃
thanks again to all our contributors ❤️🫡
Boo, it's an ATT&CK v14! 👻
Come grab full-sized treats from our blog post , release notes , or our detailed change log .
1
65
155
2
26
113
neat format for a red team report
Our latest cybersecurity advisory provides findings from a 2022 Red Team assessment at a large organization. Review the advisory for recommended actions and mitigations that can protect your network and systems from similar adversarial activity:
2
15
53
5
11
109
REALLY excited & honored to give this
@sansforensics
CTI Summit talk 🫡
but also 👀🤯 looking at the rest of the this agenda 🧠➕➕
10
8
110
😑
⚠️ Cloudflare disclosed a breach via creds stolen during the Okta incident, which exposed their self-hosted Atlassian server. Intrusion blamed on suspected “nation state attacker”
1
49
109
7
29
108
0
0
2
8
16
104
malware free 2023 ™️👀
Welcome to the first Huntress Threat Report 🚨🦸♀️
An in-depth review of real world intrusions @ small & mid-sized businesses. Follow
@HuntressLabs
for more.
11
84
280
5
16
101
2️⃣5️⃣ days of techniques is back ❤️🎄
1️⃣ - T1654 reminds us that there is a constant battle for ℹ️ between adversaries and defenders
Verify & harden your sources 🪵🔒
2
22
101
Today's the day!
Really excited about this topic, 1050am at the
@AdversaryVillag
Sandbox Stage (207 Moscone South)🤘
Learn from MITRE ATT&CK subject matter expert Jamie Williams as he explores various examples of using adversary emulation to identify and deliver impactful business outcomes on Thursday, April 27, 10:15-11:40 PT at
@RSAConference
.
0
0
8
6
10
98
Clustering != Attribution
"But luckily, people are typically creatures of habit"
~"Look for narrowly focused details that would be hard for anyone besides the adversary to replicate" 🔍
@MorganDemboski
#CTISummit
6
14
96
Just a little bit more detail on the MS cloud breach in this official blog post.
But a key sentence:
"They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key."
😲
5
37
118
7
31
95
@mattjay
what do you want to work on, and more importantly what from your resume/experience do you not want to do anymore?
2
1
94
♨️🙃♨️
A threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream, which reportedly sells a suite of exploits, malware, and infra. Read our analysis in collaboration with
@citizenlab
:
2
202
342
3
30
90
'if a detection hasn't been tested, does it work?'
'focus on high benefit/low regret response automation'
'no one (even the most senior) is above SOPs'
-Carson Zimmerman
#shmoocon
💙🐝💪
4
18
90
Amazing artwork from
@MindsEyeCCF
capturing our
@SANSInstitute
#CloudSecNextSummit
presentation
@stromcoffee
2
36
88
FWIW we track this as Stage Capabilities: SEO Poisoning () to enable Drive-by Compromise ()
If anyone has additional ideas for relevant defenses, we'd love to share that with the community 🔊💙
tl;dr Threat Actors don't need malicious documents, they just need Google ads and a stolen credit card
2
36
72
6
23
88
disabling logging/auditing, brute forcing dormant accounts then enrolling into MFA, proxying last-mile C2 from trusted IPs, certificate manipulation 🧸
Continued innovation in opsec makes APT29 one of the hardest groups to track. They seem to know more about Microsoft 365 than most and can blend their activities with standard admin actions in your org.
1
6
30
2
18
87
oof 🐙
The financially motivated threat actor tracked by Microsoft as Octo Tempest, whose evolving campaigns leverage tradecraft not seen in typical threat models, represents a growing concern for organizations. Get TTPs and protection info:
4
170
324
7
25
86
very interesting + thorough attribution breakdowns in these profiles 👀
📢New
#APT
profile: APT28
APT28 is allegedly tied to Russian military intelligence (GRU). Landmark incidents include the 2015 German Federal Parliament
#hack
and the hack of French President Macron’s 2017 electoral campaign
➡️
#cyber
#CyberSec
#CyberAttack
0
26
65
3
7
80
🚨apropos of nothing🚨
how do folks know when it's time to change jobs?
There's obviously leaving toxic people/environments, but i feel like I've always struggled with even helping friends keep up opportunities & their potential
40
3
79
my mom (born, raised, and now back in Louisiana), just shared this with me.
100% (subject to interpretation) with only a 10 minute timer, I would definitely fail.
11
13
79
What an amazing honor and reminder of how lucky I am to be a part of the
@MITREattack
family. This is 1000% a recognition of MANY passionate + dedicated individuals (no list sorry, but you know who you are😉), so on behalf of everyone thank you!
8
6
76
❤️
Congratulations to
@jamieantisocial
, named a Modern Day Technology Leader at
#BEYA2022
. (4/8)
1
1
7
18
1
78
this has come up A LOT recently:
sometimes mapping to ATT&CK techniques is especially hard because we don't have enough context provided by inputs ℹ️
3
25
74
Really excited to release this one 💜
Focus was on easy to develop + execute + learn from adversary emulation plans that target specific defensive challenges 🎯
Micro Emulation Plans accelerate improvement in defensive posture. They offer a focused, intel-driven approach to validating defense based on critical threats.
0
8
35
3
22
72
🚨 ATT&CKcon 4.0 CFP closes 27 June 🚨
There's good guidance highlighting examples of what we are looking for on the site (), but also check out talks from previous years ()
Looking forward to seeing y'all, & thanks in advance!!! 🎃
2
30
71
super neat read, gotta love real threat data 🥰
the key idea that stands out to me is that they're seeing the same TTPs, but {informed/enhanced/aided/supported/assisted/...} by AI 🤖
Microsoft, in collaboration with OpenAI, is publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors Forest Blizzard, Emerald Sleet, Crimson Sandstorm, and others. Learn more:
4
130
332
3
13
71
helping folks map to ATT&CK never gets old 🥰
mostly because instead of ATT&CK itself, we end up focusing on data analysis leading to storytelling 🔍📜
learn ATT&CK as you go, don't try to 💯% memorize everything 😅
3
11
67
my self control disappears when it comes to:
no ragrets 🫡
13
1
67
DO ITTTT 🫡❤️
ATT&CK is looking for our next CTI lead! You'd be in charge of our Groups/Campaigns/Software, ATT&CK's CTI strategy, which reports we add, the team who adds/updates CTI in ATT&CK, and final review of procedures. You can check out the posting and apply at:
5
43
110
2
16
67
🚨 Exciting news, my first blog under
@redcanary
is out! 📢 Suspected exploitation of the latest Confluence CVE-2023-22518 exploit leading to Cerber ransomware.
Pleasure working with
@ForensicITGuy
and others at Red Canary on this. Give it a read!
2
30
73
3
10
66
"you can really find tranquility in the oddest places."
-me reviewing mappings and stuffz, Thursday 🧘♀️
4
1
64
MFW the report actually has novel TTPs
2
2
65
n̶o̶t̶ b̶e̶i̶n̶g̶ a̶b̶l̶e̶ t̶o̶ s̶l̶e̶e̶p̶ l̶a̶t̶e̶ getting up before everyone else 🥰☕
5
0
64
that's a 🆕 one for me.
6
16
63
😅
Why don’t attackers just delete all the security employees? Are they stupid?
14
13
366
4
5
61
we need more graphics like this
2
5
60
friends don't let friends just sling around TIDs 🚷
"Focus Threat Intel Capabilities at Detection Engineering (Part 4)" <- our series on detection engineering (DE) continue with Part 4 that looks at the intel flows from CTI/TI to DE.
0
32
97
4
19
60
stupid idea: conference CFP that is ONLY an image upload for a single meme.
21
3
59
haven't done a security cert in awhile, forgot how exciting these are 🍾
3
0
60
adversaries apparently want 100% technique coverage too 💉
#ElasticSecurityLabs
is tracking a threat targeting Vietnamese Agriculture and Financial industries. We’ll share their TTPs with emphasis on newly-discovered
#Malware
, and tell you who we think is behind it. Check out the latest here:
0
41
87
1
4
60
🐚😮💨
2
5
56
👀💙
Just released by the Center for Thread-Informed Defense - Sensor Mappings to ATT&CK is a methodology and mapping to connect conceptual data sources represented in MITRE ATT&CK to concrete sensors and events that collect security-relevant information.
1
13
28
3
11
57
We can't expect to detect everything, but it's SOOOOO important to understand:
-what you detect ✔️
-what you don't detect 🚫
and (for each) why? 💙🧘
Yesterday, I presented
@jsecurity101
and my Malware Morphology workshop at
@NorthSec_io
. Thanks to the organizers and everyone who attended.
If you missed it, you’re in luck the recording is available!
📼 Video:
🗒️ GitHub:
4
105
278
2
15
55
👀🌻
0
13
55
sooooo much wisdom 🧘💙
This is something I have wanted to do for a very long time.
Happy to share this new resource:
The Zen of Security Rules
🎉🎉
Thanks to
@rw_access
for the review and invaluable suggestions!
#DetectionEngineering
#SIEM
#EDR
#SecurityRules
1
62
250
3
7
55
🆕 tactic just dropped
That dwell time
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
0
7
30
1
10
54
neat 🔥🔍
The very awesome people from Microsoft DART have put together a collection of one-page Windows forensics guides to help you understand various artefacts you can use during your investigations. Check them out -
5
192
558
1
6
53
neat read, especially thinking about how technology can combat known social engineering patterns 🛡️
Microsoft has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, & Storm-1674, misusing the ms-appinstaller URI scheme (App Installer) to distribute malware. Get TTPs and protection info:
11
176
386
1
10
52
🎃🥳
Evolving content, improved coverage, and a date for ATT&CKcon 4.0 🎉
We've just released our 2023 Roadmap where
@supremrobertson
highlights 2022 changes as well as our plans for the current year!
Check it out at !
1
50
112
2
10
52
search, save, then export your ATT&CK mappings 👀👀👀
Deciding which technique to map got you down? Today
@CISAgov
released an open-source tool to guide you through mapping to ATT&CK. We were happy to provide help and advice in coordination with
@MITREcorp
's
#HSSEDI
.
📰
🔧
4
120
269
1
7
50
telemetry transparency 💙🤘
Great work
@Kostastsale
&
@ateixei
🥂
Today, me and
@ateixei
are releasing the EDR Telemetry project. This project aims to compare and evaluate the telemetry of various EDR products.
✅Introductory blog post:
✅GitHub Repo:
✅Comparison Table:
42
336
815
3
10
50
so much great work in these reports -- thanks
@TheDFIRReport
!!!
but the operator errors are definitely my favorite section 🍿🔡
Malicious ISO File Leads to Domain Wide Ransomware
➡️Initial Access: IcedID ISO
➡️Credentials: DCsync
➡️PrivEsc: ZeroLogon
➡️Lateral: RDP, SMB/Remote Service, WMI
➡️C2: IcedID, Cobalt Strike, Anydesk
➡️Exfil: Rclone to Mega
➡️Impact: Quantum Ransomware
10
180
381
4
11
50
SUPER neat opportunity to really touch the reporting we 💙
Thanks
@TheDFIRReport
🫡🥂
🚀 Exciting News Coming Soon! 🌟
🔍 We're launching an innovative platform to help boost your DFIR skills!
🙏 Thanks to our beta testers - your feedback was invaluable!
✨ Curious for a sneak peek? Head to our site to see what's coming!
2
22
144
2
7
49
admittedly late, but I think I'm finally tracking today's vibe
6
1
48