🚀 Exciting News and a Giveaway! 🚀
Announcing my new course: Advanced Hands-On KQL for Threat Hunting and Detection Engineering! 🎓✨
This course is designed to take you from zero to master, equipping you with cutting-edge skills to stay ahead in the cybersecurity game. Here’s
I'm happy to introduce AC&CD!
You are detecting the wrong C2 beaconing traffic (and I was, too, long ago), so I've fixed it and put it in a Jupyter Notebook! Wanna detect Cobalt Strike, Sliver, Mythic, and all known C2 frameworks' beaconing?
#ThreatHunting
As an infosec person, one of my biggest fears is malicious versions of Python packages used for data science or SOC related tasks. Is there an easy way to analyze Python packages for backdoors, etc.?
Want to detect Cobalt Strike or ALL beacons? I've added data size scoring and improved the score calculations to reduce false negatives. Still, there are some false negative possibilities. I'll work on them next. Stay tuned!
#ThreatHunting
#DFIR
New files are being signed with the stolen #NVIDIA certificate. #Lapsus
You can search for the files signed with the stolen cert using the below query in #MDE:
DeviceFileCertificateInfo
| where CertificateSerialNumber == "43BB437D609866286DD839E1D00309F5"
#ThreatHunting
#dfir
Not many people know there are ways to detect DLL Side-Loading and other hijacking attacks. This is just one way; there are other alternatives 😎
#ThreatHunting
SOC analysts,
How do you make sure an alert is a false positive? How confident are you when making the false positive decision? What makes you more confident or provides confidence?
#DFIR
How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
This can be quite useful for Live Response in Defender for Endpoint. Since MDE doesn't support YARA, running it manually during live response sounds interesting.
#ThreatHunting
#DFIR
#YARA
If you are trying to detect C2 beaconing using #Sysmon logs, you should be careful. Apparently, TCP socket timeout on Windows has a big impact. By default, the timeout is 120s, meaning that a C2 beacon may reuse the same TCP socket. 1/2
#ThreatHunting
#DFIR
Hey DFIR peeps,
How often do you need event logs (EDR/Sysmon) during IR engagements?
Also, why do you deploy EDR/Velociraptor during an IR engagement? Is it to collect and analyze event logs or let them detect stuff? (I'm talking only about the "logs", not AmCache, etc.)
#dfir
EDRs do not log every process creation, every network connection, every registry modification, and so on. Sometimes they don't need to, sometimes they don't, sometimes they can't. I can assure you at least for MDE. Be wary of what you read on the Internet.
🚨C2 beaconing detection for everyone!🚨
On Friday, I'll be releasing and giving a demo of the Jupyter notebook I just started to develop for C2 beaconing detection. Just your firewall/proxy logs and a piece of code, that's all.
Registration 👇
Collecting and parsing almost everything, running #Sigma, #YARA, and #Osquery, and displaying results in an interactive UI with MITRE ATT&CK mapping is finally possible!🔥
(More to come)
#DFIR
#ThreatHunting
I just emulated the latest #NOBELIUM phishing attack. HTML file -> ISO -> LNK -> C2 beacon.
I'll start writing a blog about not only emulating the attack, but also extracting the TTPs from @MsftSecIntel's report and developing detections. Hopefully, it'll be like a training.
📢 I'm looking for a red teamer who is interested in understanding how threat hunters/detection engineers work, or who wants to switch to that area.
Details:
I want to see if my training course helps red teamers.
- I'll give you a free seat on my course.
One of the most common detection engineering mistakes/biases I've observed so far is about brute force. Most of the time, the logic is "if there are X amount of login failures from the same IP/host for the same user, alert". The problem with this logic:🧵
#DetectionEngineering
📢 I'll start writing blogs about Windows forensics artifact analysis and finding anomalies/evil using Jupyter Notebook. If you want me to cover something specific, reply to this tweet. Follow @binalyze to get notified when blogs are out!
#DFIR
#threathunting
Seems like the same stuff with the new MS-DFSNM attack. You have to use the DC computer account from a machine that's not the DC itself. Detection is easy regardless of the attack as long as the DC computer account is stolen and used. Details👇
I am giving away 1 seat for the "Hands-On Kusto Query Language (KQL) for Security Analysts" course.
✅ Lots of hands-on examples in the lessons
✅ A total of 23 exercises
✅ 2 Investigation scenarios
Please Reply, Like AND Repost to participate. The winners will be announced
#DFIR folks and #SOC analysts,
What are your daily go to tools either for triaging alerts or responding to a true positive alert/incident? Which ones make you faster and more efficient?
Even if the task is hidden, the malicious file must be run by the task scheduler service, which is "svchost.exe -k netsvcs -p -s Schedule". I think this is the most resilient place to perform hunting, especially for network conn. I wrote this last year👇
While investigating the forensic artifacts related to threat actor HAFNIUM’s recent activities, Microsoft Detection and Response Team (DART) researchers have uncovered malware that creates “hidden” scheduled tasks as a defense evasion technique. Details:
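One way to turn the tweet above into a hunt, as an added example that is not the author's notebook or Microsoft's code: collect Sysmon Event ID 1 records whose parent is the Schedule service host, then join Event ID 3 network connections to those children by ProcessGuid. The event records are constructed to look like Sysmon fields; the GUIDs, paths and IPs are invented for the example.

```python
"""Hunt for processes launched by the Task Scheduler service host and any
network connections they make.  Sample events are constructed, modelled on
Sysmon Event ID 1 (process create) and Event ID 3 (network connection)."""
import re

# The Schedule service host as quoted in the tweet:
# "svchost.exe -k netsvcs -p -s Schedule".  Matched loosely so that extra
# arguments or a full path in front of svchost.exe do not silence the hunt.
SCHEDULE_SVCHOST = re.compile(
    r"svchost\.exe.*-k\s+netsvcs.*-s\s+Schedule", re.IGNORECASE)

# Constructed events (not real telemetry); field names follow Sysmon.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentProcessGuid": "{S0}",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\system32\services.exe"},
    # benign: a built-in maintenance task started by the scheduler
    {"EventID": 1, "ProcessGuid": "{B1}",
     "Image": r"C:\Windows\System32\defrag.exe",
     "CommandLine": "defrag.exe -c -h -o -$",
     "ParentProcessGuid": "{A1}",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    # suspicious: a binary in a user-writable path started by the scheduler
    {"EventID": 1, "ProcessGuid": "{C1}",
     "Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"C:\Users\Public\update.exe",
     "ParentProcessGuid": "{A1}",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    # unrelated: a browser started by explorer
    {"EventID": 1, "ProcessGuid": "{D1}",
     "Image": r"C:\Program Files\Browser\browser.exe",
     "CommandLine": "browser.exe",
     "ParentProcessGuid": "{E0}",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{C1}",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{D1}",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def scheduler_children(events):
    """Event ID 1 records whose parent is the Schedule svchost instance."""
    return [e for e in events
            if e["EventID"] == 1
            and e["ParentImage"].lower().endswith("svchost.exe")
            and SCHEDULE_SVCHOST.search(e["ParentCommandLine"])]


def scheduler_child_connections(events):
    """Join Event ID 3 records to scheduler-spawned processes by ProcessGuid.
    Returns (Image, CommandLine, DestinationIp, DestinationPort) tuples."""
    by_guid = {e["ProcessGuid"]: e for e in scheduler_children(events)}
    hits = []
    for e in events:
        if e["EventID"] == 3 and e["ProcessGuid"] in by_guid:
            p = by_guid[e["ProcessGuid"]]
            hits.append((p["Image"], p["CommandLine"],
                         e["DestinationIp"], e["DestinationPort"]))
    return hits


if __name__ == "__main__":
    for child in scheduler_children(EVENTS):
        print("started by task scheduler:", child["Image"])
    for hit in scheduler_child_connections(EVENTS):
        print("network connection from task child:", hit)
```

The first function gives the full list of what the scheduler launched (defrag.exe included), which is the baseline to compare against; the second narrows it to children that actually reached the network, which is where the tweet suggests hunting. In a real environment the Image path and signer of each child would be the next triage fields.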
Many folks use the binning method when developing rules. It's prone to false negatives if not used carefully. Sliding window method is a way better approach.
#ThreatHunting
#DFIR
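A worked comparison of the two counting methods, as an added example that is not the author's code. It applies the threshold-style rule from the brute-force tweet above ("X login failures from the same source") and shows the false negative the binning tweet warns about: a burst that straddles a bin boundary never reaches the threshold in either bin, while a sliding window catches it. The timestamps, source addresses and threshold are constructed for the example.

```python
"""Fixed-bin counting vs a sliding window for threshold rules such as
"alert on N login failures from one source within T seconds".
The failure timestamps below are constructed (seconds), not real log data."""
from collections import defaultdict, deque

THRESHOLD = 5   # failures needed to alert
WINDOW = 60     # seconds

# Constructed case 1: six failures from one source inside 18 s, but they
# straddle the 60 s bin boundary (50..57 fall in bin 0, 61..68 in bin 1).
STRADDLING = [("10.0.0.7", t) for t in (50, 54, 57, 61, 64, 68)]
# Constructed case 2: five failures that all land inside one bin.
CONTAINED = [("10.0.0.9", t) for t in (5, 6, 7, 8, 9)]


def binned_alerts(events, threshold=THRESHOLD, bin_size=WINDOW):
    """Count per (source, bin index) and alert on any bin reaching threshold.
    A burst split across two bins never reaches the threshold in either."""
    counts = defaultdict(int)
    for src, t in events:
        counts[(src, t // bin_size)] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


def sliding_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Keep, per source, the timestamps seen in the last `window` seconds and
    alert as soon as that set reaches threshold, regardless of bin edges."""
    recent = defaultdict(deque)
    alerted = set()
    for src, t in sorted(events, key=lambda e: e[1]):
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(src)
    return sorted(alerted)


if __name__ == "__main__":
    for name, data in (("straddling", STRADDLING), ("contained", CONTAINED)):
        print(name, "binned:", binned_alerts(data),
              "sliding:", sliding_alerts(data))
```

Widening the bin (say to 300 s) makes the straddling case fire, but only moves the boundary; any burst that happens to cross the new edge is still missed, which is why the per-source deque is the safer shape for a threshold rule.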
Sigma is quite useless to be used as detection rules in practice. The best it can do is to kill your SIEM performance and generate lots of FPs. It also makes you blind about your SIEM capabilities. There might be other use cases where it can shine, though.
This blog was quite unnoticed. Don't you want to detect Cobalt Strike? 🤔How about beacons of all C2 frameworks?
Pro tip: you can implement this in Python using Pandas and NumPy.
#threathunting
#DFIR
#AzureSentinel
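A minimal version of the scoring the tweets above describe (interval regularity plus the data-size scoring mentioned earlier in the feed), as an added example that is not the author's notebook. The tweet suggests Pandas and NumPy; this version uses only the standard library so it runs without dependencies. It also models the TCP socket-reuse point from the Sysmon tweet: the 120 s idle timeout is taken from that tweet as an assumption, the equal weighting of the two halves of the score is an arbitrary choice, and every record is constructed.

```python
"""Beaconing score per (src, dst) from per-request proxy/firewall records,
plus a small model of why socket reuse hides check-ins from a log that only
records new connections.  All records below are constructed, not real logs."""
import statistics
from collections import defaultdict

# Constructed proxy-style records: (epoch seconds, src, dst, bytes_sent)
RECORDS = []
# beacon: ~60 s sleep with a little jitter, near-constant tiny check-in size
for i in range(20):
    RECORDS.append((1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.20", 232 + (i % 2)))
# human browsing: irregular timing, highly variable sizes
for t, b in [(1003, 812), (1010, 14020), (1011, 3011), (1090, 55),
             (1400, 9988), (1405, 120), (2100, 7000)]:
    RECORDS.append((t, "10.0.0.5", "198.51.100.9", b))


def pair_features(records, min_samples=4):
    """Per (src, dst): request count, timing CV and size CV.
    CV = population stdev / mean; values near 0 mean regular (beacon-like)."""
    groups = defaultdict(list)
    for t, src, dst, size in records:
        groups[(src, dst)].append((t, size))
    feats = {}
    for key, items in groups.items():
        if len(items) < min_samples:
            continue  # too few samples for a meaningful spread
        items.sort()
        deltas = [b[0] - a[0] for a, b in zip(items, items[1:])]
        sizes = [s for _, s in items]
        feats[key] = {
            "count": len(items),
            "interval_cv": statistics.pstdev(deltas) / statistics.mean(deltas),
            "size_cv": statistics.pstdev(sizes) / statistics.mean(sizes),
        }
    return feats


def beacon_score(f):
    """0..1, where 1 = perfectly regular timing and constant size.
    Equal weighting of the two halves is an arbitrary choice for this example."""
    timing = max(0.0, 1.0 - f["interval_cv"])
    size = max(0.0, 1.0 - f["size_cv"])
    return round(0.5 * timing + 0.5 * size, 3)


def rank_pairs(records, min_count=6):
    """Highest-scoring (src, dst) pairs first; pairs with few requests dropped."""
    return sorted(((beacon_score(f), key)
                   for key, f in pair_features(records).items()
                   if f["count"] >= min_count), reverse=True)


def socket_open_times(request_times, idle_timeout=120):
    """Model of the Sysmon tweet: if the beacon reuses a socket that stays open
    for `idle_timeout` s between requests (assumed 120 s default, per the tweet),
    a log that records only new connections sees one event per socket, not one
    per check-in.  Returns the times at which a new socket would be opened."""
    opens = []
    last = None
    for t in sorted(request_times):
        if last is None or t - last > idle_timeout:
            opens.append(t)
        last = t
    return opens


if __name__ == "__main__":
    for score, (src, dst) in rank_pairs(RECORDS):
        print(f"{src} -> {dst}: score {score}")
    beacon_times = [t for t, _, dst, _ in RECORDS if dst == "203.0.113.20"]
    print("check-ins:", len(beacon_times),
          "new sockets seen by a connection-only log:", len(socket_open_times(beacon_times)))
```

The last line of output is the point of the Sysmon tweet: twenty check-ins at a 60 s sleep produce a single new-connection event under a 120 s idle timeout, so interval statistics computed from connection events alone would see no beacon at all. Per-request sources (proxy, firewall, web logs) keep every check-in.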
Book recommendation for everyone, especially for SOC analysts, #ThreatHunting, and #DFIR people:
"Mastermind: How to think like Sherlock Holmes"
The book has repetitive examples as you might see from the reviews, but it will definitely provide you with new ways of thinking.
Serious question:
If you have a good #EDR solution, do you think you should perform threat hunting on endpoints? EDRs definitely have gaps about specific techniques, but do they have any gap about detecting an entire attack, like not triggering anything at all?
#ThreatHunting
Still one of the best presentations I've watched so far. It's just 20 minutes, highly recommended. If I have a product, I don't like/want to create basic detections that should already be done by the vendor that I'm paying.
@jaredcatkinson
#ThreatHunting
Why do many #DFIR reports lack network forensics? I don't think finding the C2 address is enough. Why don't you create a timeline using the network data? Like 👇
"C2 comm started with 5min sleep, then was changed to 10sec and data transfer was observed during this period...
Saturday night fever:
If a company has a dedicated team, there is probably an EDR in place. If so, there is no need to develop custom detections for well-known methods/tools. If the company's risk is high, it should focus on methods/tools that the EDR can't detect. These
I keep saying #Cybersecurity is a data problem. If you have the right data which is consistent across all different products AND you have the right tools to analyse and transform the data (searching is NOT enough!), there is hope.
by @anton_chuvakin
"Defenders think in lists, attackers think in graphs. As long as this is true, attackers win". Now, open MITRE ATT&CK framework. What do you see? List of tactics and techniques, right?
Can you see a graph? If not, can you draw graphs / think in graphs?
#ThreatHunting
#DFIR
If you are popping calc.exe to simulate TTPs, you are doing it wrong. You're basically discarding your AV/EDR's heuristics, behavioral, and ML features and making a wrong statement that the TTP is not covered by your AV/EDR. The same applies to logging as well.
Attackers think in graphs they said
Think like an attacker they said
I've become one of them, because why not?
Highly recommended (especially if you're on the defensive side)! Thanks @_RastaMouse and @zeropointsecltd!
Now I can share #redteamtips 🤣
🎁 GIVEAWAY TIME! 🎁 - I'm giving away 2 seats for my brand new "Hands-On Kusto Query Language (KQL) for Security Analysts" course!
Please follow @BluRavenSec, Comment, and Repost to participate.
👉
Two random winners will be announced on 5 December
Seems like you can disable auto mounting of image files. This can have a huge impact on #Ransomware attacks combined with disabled macros. No GPO is available but maybe @Microsoft adds it in the future? Also, gist from @wdormann