@therealwlambert @anton_chuvakin 💯 enhance, enable, help, uplift, expedite, alleviate, move forward, etc. any other words that are absolutes are a red flag. only a snake oil vendor deals in absolutes

RT @yarden_shafir: Quick blog post on a new ETW event to monitor "valid" KASLR bypasses through system calls: https….

RT @WLaForest: Check out the #opensource #Kafka #sigma interpreter @mpeacock1964 and I built: Load sigma rules in a….

RT @cyb3rops: .@_humpalum from my team created a @sigma_hq extension for VS Code . It's in an early stage but already pretty useful and we'….

RT @BlackMatter23: Considering current situation when my country is running down I see no longer future in Russia for me and my family. I o….

RT @nas_bench: In the last couple of weeks, we've been working @3CORESec on a little project we're calling MAL-CL. It aims to collect and d….

RT @Cyb3rWard0g: 🚨 Sharing how to deploy a lab environment w/ #AzureSentinel , a few Linux 🐧 VMs and Microsoft Audit Collection Tool (AUOMS….

RT @cyb3rops: Sigma rule by @Cyb3rWard0g to detect possible #OMIGOD exploitation attempts in auditd logs. https://t….

RT @snfernandez: While this has been used forever to create exploits. It's a very creative way of makng a JIT for architectures that don' a….

RT @Cyb3rWard0g: 🚨 A few detection opportunities while interacting with local AD hybrid health agent registry keys & Azure AD connect healt….

Should cover the rest of PrintNightmare RPCalls for remote print driver install.

in short, some of the RPC methods of #PrintNightmare were within @sigma_hq since early 2020.

The main reason I added Zeek to @sigma_hq & thus w/ it logic of things like @MITREattack BZAR (slides above) was the historical/retro hunting you could do. Data is already being collected & sitting in a DB. zeek scripts for the future, sigma for the past & those without scripts.

so 2 years before #PrintNightmare I am pretty sure @MITREattack w/ @Zeekurity was on to something ;) .

RT @Cyb3rSn0rlax: Pull request created. Here is the Jupyter notebook under the forked repo : Examples:.- Top tactic….

60TBs of zeek logs, only 11 hits - pretty rare and pretty damn easy to weed out. Zeek still remains one of my favorite sources for East/West (lateral) movement detections. .

Detection for #PetitPotam RPC calls in @sigma_hq via Zeek dce_rpc.log (@Zeekurity). This includes many of the other EFS RPC methods, as there were discussions about detections lack of coverage of only 1 RPC call. thanks to @Antonlovesdnb for the assist.

research from 2007 that mentions RPC calls used within PetitPotam as potential attack surface "Vista Network Attack Surface Analysis". if there is one there is more.

RT @jberggren: Sigma integration in Timesketch. Today we merged a feature to show Sigma rules in the UI. You also have the ability to searc….

RT @cyb3rops: From MISP to ElastAlert via Sigma. MISP > Sigmai > Sigma Rule > Sigmac > ElastAlert. a simple Bash Script by @therealwlambert….