Roberto Rodriguez 🇵🇪

@Cyb3rWard0g

Followers
25,246
Following
585
Media
625
Statuses
4,948
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Releasing Mordor 😈📜! A repo of pre-recorded security events generated by emulated adversarial techniques in the form of JSON files for easy consumption! @Cyb3rPandaH & I wanted to facilitate the development & testing of data analytics 🍻 #ThreatHunting
18
348
764
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Starting 2020 strong 🔥! I'd like to share that I will be joining the amazing MSTIC R&D team @Microsoft 💥. Looking forward to new challenges and community based research opportunities 💜 ! Salud 😉🍻!
84
25
524
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
I started to document Win RPC interfaces & their respective methods 📋& ended up using @GHIDRA_RE for the 1st time, integrating code from @_xpn_ & @Sektor7Net research 😅 and using @ProjectJupyter notebooks & #GraphFrames 🔗 to analyze the results 🍻
5
247
525
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 Learning how to install #Sysmon for Linux 🐧 & send security events to #AzureSentinel in a research lab environment!! 🧪 #MSTIC #Microsoft 📡 Sysmon (SysinternalsEBPF) -> Syslog -> SIEM 🚀 ✅ Scripts ✅ ARM templates ✅ Sysmon configs and more..
5
181
505
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Excited to release the first parts of my #ThreatHunting w/ @ProjectJupyter notebooks series 😊💜 You will go from creating your first notebook to leveraging @ApacheSpark SQL to JOIN relevant data sources to detect lateral movement 🍻  @THE_HELK @SpecterOps
10
224
499
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Looking for anything to do this weekend 🏡? Check out Sentinel To-Go!🛒(Part 1) 1) Deploy an #AzureSentinel lab w/ prerecorded data 2) Practice your KQL-fu! 3) Ingest other datasets you'd like to explore! All via Azure Resource Manager (ARM) Templates 🚀
11
171
454
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Happy to release the Threat Hunting with ETW events and  @THE_HELK series! Part I: 🏄‍♀️🏄‍♂️ Installing SilkETW to consume events via the event log locally is out! Next, Shipping events to @THE_HELK 😱 Thank you @FuzzySec ⚔️ #ThreatHunting
7
180
382
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
How do you integrate @ProjectJupyter #notebooks with the #sigma project? How do you convert 300+ rules to @elastic ES query strings & pack them as part of notebooks to query ES? All from code 😱. I wrote about it here! Weekend readings! 🍻 #threathunting
9
174
369
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
8 months
🚨 Stepping into the world of Generative AI has been an eye-opening experience for me as a security researcher! ⚔️ If you have been curious about these topics, then this blog post is for you! I go all the way from the basics to running experiments with @ProjectJupyter notebooks
12
145
361
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
A sneak peek of #Sysmon for Linux 💥 Thank you @kevsecurity for your hard work and for sharing your research @eBPFsummit ! #ebpf #eBPFSummit 🚨 Release scheduled for early October 2021 🚨 Looking forward to it 🍻 #MSTIC R&D team 😎
@kevsecurity
Kevin Sheldrake
3 years
0
21
53
5
161
347
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
8 months
🧙‍♂️"ATT&CK Mate" GPT is alive 🌩️🤖 It combines "Web Browsing" and "Code Interpreter" which is backed by the latest @MITREattack GitHub release containing the knowledge base in STIX format (JSON)🤯🚀 ✅ GPT: #gpt @OTR_Community
13
105
336
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
I updated to include Also, I updated the public shared file that includes all @MITREattack Enterprise in one file in a tabular format 😊🍻💜💜 Useful when preparing for #ThreatHunting engagements!! 😉
0
170
323
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 Sharing how to deploy a lab environment w/ #AzureSentinel , a few Linux 🐧 VMs and Microsoft Audit Collection Tool (AUOMS) set up 📡to identify & map sources of data to the execution context of OMI! #MSTIC #OMIGOD 😎 This has been very helpful 💥
4
117
323
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
Initial integration of @MITREattack w/ @THE_HELK ! 😊🍻💜 @Cyb3rPandaH & I worked on this together to share an easier way to explore and interact with up to date ATT&CK content available in STIX via public TAXII server @elastic #ThreatHunting #DFIR Link:
7
166
308
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Looking for a way to replay pre-recorded security events from simulated adversarial techniques? Enter Mordor! Datasets categorized following @MITREattack structure! Learn how it all started & how to replay data leveraging Kafkacat @edenhillm #ThreatHunting
6
160
304
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Looking for anything to do this weekend? 😊 @MITREattack open sourced its website code & I created a Docker image to automate the installation and help others in the community to start playing with it! 🍻💜 Docker Image: Docs:
5
144
301
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
Following on the latest release of @THE_HELK , I wanted to share a little bit of my experience while integrating the Sigma project via Elastalert. I hope this post helps to provide some more details about it! KSQL post is next 😉🦌🎄🎄 #ThreatHunting 🍻
12
165
300
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Capturing Network Packets from Windows endpoints leveraging built-in ETW mechanisms via Netsh ⚔️and Azure cloud native services via Azure Network Watcher extensions 🌩️ Documenting and extending the concepts behind @Mordor_Project PCAP files 😈
3
128
299
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
Don't unplug your Domain Controllers yet!😉 An initial detection approach to @harmj0ys A defenders approach to learn a little bit more about the data generated & a few ideas for potential hunts in your network 😊💜🍻 #ThreatHunting
1
159
297
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
A quick post documenting my first attempt at using the latest version of Sysmon v9.0. In this post I share links to the new event log manifest, configuration schema (DTD), and a basic example of a rule 😊🍻🏹 #ThreatHunting #DFIR
10
140
294
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 #Sysmon v13.30 is out! New "User" fields on several events and a new option to set the size of a field 😱 #MSTIC 1⃣ Event manifest/schema: 2⃣ Schema version: 4.81 3⃣ Enrich those detection/hunting rules with "user" context 😉🏹
4
140
288
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Getting ready for the week? @Cyb3rPandaH and I just released 25 new small Mordor datasets 👿 that you could use as inspiration to prepare for your next #threathunting engagement 😊🍻 💜 #dfir
3
100
268
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Either you are an attacker or defender, detecting privilege relationships in AD connected data is easy to do w/ BloodHound! What about #jupyter notebooks to complement the data analysis and viz 📊 of graph data? cc: @_wald0 @CptJesus @harmj0y @tifkin_ 🍻
3
104
267
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
💙 THANK YOU @BlueTeamVillage for the opportunity to share the virtual stage w/ my brother @Cyb3rPandaH & share our research. Also, THANK YOU to everyone who attended & stayed w/ us until the end 🙏🍻💜 📔Notebooks: 🗒️Slides:
8
72
267
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Huge revamp of the @HunterPlaybook project w/ @ProjectJupyter Notebooks, Mordor 👿datasets for analytics validation, interactive queries & output made available to the whole 🌎 through @mybinderteam #ThreatHunting @ApacheSpark @Cyb3rPandaH @MITREattack
2
108
258
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Happy to release the API-To-Event project 😊🍻A repo focused primarily on documenting the relationships between API functions and security events. Mapped to @MITREattack #ThreatHunting #PurpleTeam ⚔️ API-To-Event List: GitHub:
4
121
257
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Starting your week 🏡 & looking for ways to automate the deployment of #AzureSentinel w/ a basic Windows environment in your lab? 1) Go to GitHub (OTRF/Azure-Sentinel2Go) 2) Click on Win10 scenario 🏗️ -> ☁️ 3) Wait a few mins ⏲️ 4) Play 🚀 5) Repeat ♻️
2
82
256
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
OSSEM!! 😊🍻💜 Don't just collect event logs. Understand & document every single one, standardize your pipeline to allow the correlation of multiple data sets and identify the needed data and relationships to develop analytics. The Basis of #ThreatHunting
7
109
254
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
7 years
Initial #Sysmon dashboard w/ #ELKStack . Great to tune your Sysmon configs & obtain a consolidated view for #ThreatHunting . Blog post soon!
9
125
247
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 Log4j 2.17.1 🚨 #Log4Shell ✅ CVE-2021-44832: RCE via JDBC Appender when attacker controls config ✅ LOG4J2-3293 🗒️ Log4j 1.x not impacted 🗒️ Log4j 2.x: Upgrade to #Log4j 2.3.2 (Java 6), 2.12.4 (Java 7) or 2.17.1 (Java 8+)
5
128
234
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🏡 Saturday project (WIP..)! 😅 a) Doc #Bloodhound cypher queries from the community in YAML b) Auto parse queries & create #jupyter notebook to query a @neo4j DB via py2neo c) Docker #jupyter server & #neo4j w/ #Bloodhound ExampleDB d) Jupyter Book
6
73
227
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🚨 Organizing an Infosec Jupyterthon on 5/8 🚀 An open virtual community event for security researchers to share their favorite @ProjectJupyter #notebooks w/ the Infosec 🌎 Share & meet other Infosec Jovyans! Site: Call for 📔:
6
98
217
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Interested in learning about what you can do with STIX/TAXII 2.0 APIs and some Python 🐍 code? I created a new function for the attackcti Python library to automate the creation of @MITREattack Navigator group layer files 😊🍻🌎💜 and shared the process
6
110
215
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
7 years
Hunting for In-Memory #Mimikatz with #Sysmon and #ELKStack - Part I (Event ID 7). #ThreatHunting #dfir
3
127
207
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
I’m about to start my @BlackHatEvents #Arsenal talk about Cloud Katana! Unlocking serverless compute to assess security controls! Station 1
8
24
202
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Are you wondering what free available data sources you could use to detect the @MITREattack Round 1- APT3 (Second Scenario) playbook? @Cyb3rPandaH & I just released the APT3 Mordor dataset 👿 here 😊🍻💜 @x33fcon #ThreatHunting Demo:
3
78
198
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 Can't wait to test #RpcFirewall in a lab? I just released a new template to deploy a research lab with everything set up & events flowing to #MicrosoftSentinel 😎 Thank you @SagieSec and @ZeroNetworks team 🙏 #MSTIC @OTR_Community #AnotherOne
5
74
195
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 months
📢 Following my talk w/ @fr0gger_ @sansforensics #CTISummit , I can now release IntelRAGU 🔥! 🚀An LLM-Based Agent to share Retrieval Augmented Generation (RAG) techniques, aimed at enhancing search capabilities in threat intelligence! @OTR_Community
5
68
190
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
7 years
Step-by-step. Building a #Sysmon Dashboard with an #ELKStack for #ThreatHunting and tuning Sysmon configs. @elastic
2
112
181
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
Releasing a project to access the latest @MITREattack content available in STIX™ 2.0 via public TAXII™ 2.0 server w/ the help of a Python Client. @ProjectJupyter notebooks are available to help you familiarize w/ the library 😉🍻💜 #ThreatHunting #DFIR
2
81
180
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
After almost 2 awesome years, last week concluded my time @SpecterOps 💜Shout out to all of my teammates that have helped facilitate one of the most rewarding journeys I have had during my career 🍻💜 Thank you for everything! I'll miss you all! Ready to start a new adventure ⚔️
33
7
180
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Happy to release Part II: Shipping ETW events to  @THE_HELK from the Threat Hunting with ETW events and HELK series! Also, releasing the Mordor Erebor 🐲environment to collect ETW events for new datasets! 👿📜 #ThreatHunting @HuntersForge @Mordor_Project
3
80
178
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🔥 How to Community Evaluate FREE Telemetry 🌎 following the @MITREattack evals methodology 📋 Sharing detections, @sigma_hq rules, data & a @ProjectJupyter notebook created during an ongoing hackathon to empower others & create research opportunities 🙏
5
82
176
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Can we all contribute to an initial mapping of @MITREattack data sources to security events? 😉 @Cyb3rPandaH & I translated our initial spreadsheet from 2018 to YAML to facilitate collaboration. Looking forward to your feedback! Feel free to open a PR 🏡🍻
@christophetd
Christophe Tafani-Dereeper
4 years
Does anyone know whether mappings "ATT&CK Techniques ⟺ Windows Event IDs" and "Windows Event IDs ⟺ Windows Audit Policies to enable" exist? cc @SBousseaden @Cyb3rWard0g
10
21
90
2
80
172
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
@_devonkerr_ and I sharing a few steps about a data-driven approach to quantify your hunt. Expanding on the amazing work from the @MITREattack team!! Know your data first & no more scoring based on feelings! 😉🍻 @SpecterOps @EndgameInc #ThreatHunting @BSidesCharm #ThreatHunting
2
72
168
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Updated OSSEM data dictionaries after #Sysmon v10.0 release. New OriginalFileName field for events 1 & 7. Updated Schema version: 4.21. Take a look at the new events manifest/schema in OSSEM 💜 #ThreatHunting #DFIR
5
58
164
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 Experimenting with a @MITREattack based approach to manage our #Sysmon configs 🚀 Sharing our #SysmonForLinux configs first! Still a WIP, but would 💖 to get your feedback! 😎 All research and community driven! #MSTIC @russmcsec @jessen_kurien
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 Learning how to install #Sysmon for Linux 🐧 & send security events to #AzureSentinel in a research lab environment!! 🧪 #MSTIC #Microsoft 📡 Sysmon (SysinternalsEBPF) -> Syslog -> SIEM 🚀 ✅ Scripts ✅ ARM templates ✅ Sysmon configs and more..
5
181
505
3
70
151
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🚨 #Python for security investigations, research & threat hunting? 🪵 Collect 👔 Enrich 🔍Analyze & 📊Viz data! 💸 oh.. & for free! open source! The amazing @ianhellen @MSSPete @ashwinpatil 'll show how to w/ MSTICpy 🔥 @BlackHatEvents #BHUSA Arsenal:
2
44
148
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🚨 APT29 Evals Detection Hackathon! 🏡 Join me on May 2nd to learn about adversarial techniques through free telemetry (e.g Sysmon) and help develop detection rules (e.g #sigma ) A @Mordor_Project Event! 😈🍻 Info: Registration:
@MITREattack
ATT&CK
4 years
The ATT&CK Evaluations Team just released the APT29 Evaluation results, DIY Eval profile, and a Joystick update on . Check out to learn more about the evaluation process.
3
169
270
9
59
146
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
💥😱 @tiraniddo added "named pipe RPC client transport" to NtObjectManager 🔥 Thank you very much James for all your work 👏! I'll create PS scripts to cover a few scenarios 🍻 (Img 4) If anyone would like to help me, let me know 😉 @OTR_Community
2
51
143
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
1 year
Had fun playing the 🧙‍♂️ game and learning the basics of prompt injection attacks and how to defend against them ✨ A game created by @LakeraAI to try beating prompt injection defenses! 🛡️ Trick the #LLM to reveal a secret password in each of the 7 levels!
6
29
139
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
7 years
Hunting in memory w/ #ThreatHuntingSummit #ThreatHunting #dfir TY @jaredcatkinson & @dez_ can't wait to test this!
0
67
134
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 #MicrosoftSentinel Windows Forwarded Events data connector reached Public Preview on Nov. 1st 🚀 Win WS (Windows Event Forwarding) ➡️ Windows Event Collector (WEC) ➡️ #MicrosoftSentinel New #MicrosoftSentinel To-Go🛒 Template #MSTIC @OTR_Community
4
48
134
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Thank you for sharing @_xpn_ 💜 I took some time in the 🌞 to read a little bit about it. I'm sure there are + resources out there, but I put together these initial notes from a detection perspective. Maybe a SACL & @sigma_hq rules for the reg approach? 😈
@_xpn_
Adam Chester 🏴‍☠️
4 years
Want to stop ETW from giving up your loaded .NET assemblies to that pesky EDR, but can't be bothered patching memory? Just pass COMPlus_ETWEnabled=0 as an environment variable during your CreateProcess call 😂
35
375
897
7
41
137
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Thank you @svch0st ! 🙏 I created a @Mordor_Project dataset, a @ProjectJupyter notebook, @sigma_hq rules & shared everything w/ the community 🌎 via @HunterPlaybook 1) Dataset : 2) Playbook : 3) Sigma :
@svch0st
Zach
4 years
Updated to include testing with a meterpreter reverse shell remotely recording audio. @duzvik @Cyb3rWard0g
1
1
14
2
48
135
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
One year later and she still thinks she is a little puppy 🥰♥️ #dogdad
8
1
136
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
Looking for anything to do this weekend? 😉 🔥 A way to create and start services remotely using the amazing NtObjectManager from @tiraniddo leveraging the latest support for named pipes RPC clients 🔥 Help us to create more PS scripts @OTR_Community
0
41
128
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Looking for anything to do while you wait for 2020 🎉? I just created a Jupyter Book for the @Mordor_Project ! You can now explore mordor datasets w/ @ProjectJupyter #notebooks via BinderHub 🌎 Pre #ThreatHunting activities for 2020 🍻🤣! New Site:
3
42
124
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
💜 So much potential @Mordor_Project ! a) 🌎 A community driven effort! b) Host & Network datasets! c) ☁️ this summer 🍻 d) 🏗️ Multiple 😈 techniques in one dataset following @MITREattack emulation plans! (context for technique correlations all-in-one!) e) Documentation 😉!
@SecDatasets
Security Datasets
4 years
WE HAVE PCAPs 😈 a) @Suricata_IDS ➕ ET Rules! b) git clone && cd mordor/datasets/large c) find apt29/day*/pcaps -name '*.zip' -execdir unzip -P infected {} \; d) find apt29/day*/pcaps -name '*cap' -execdir suricata -r {} -k none \; TY @jason_trost 🙏
2
66
183
1
35
122
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 New version of the Windows Security Events connector from #AzureSentinel reached public preview Looking for a way to test & filter the collection of event logs via XPath queries? I got you! 💜🍻 @MSThreatProtect #MSTIC @OTR_Community @OSSEM_Project
5
38
122
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
Thank you ❤️ @sansforensics for giving me the opportunity to be one of the keynote speakers at the #ThreatHuntingSummit 2021 🙏 Let’s go far & fast together! Being different is amazing! Remember you are the best! Do not freeze! Contribute back and empower others in the process 🍻
@sansforensics
SANS DFIR
3 years
NEW VIDEO ON YOUTUBE! In his #ThreatHuntingSummit keynote, @Cyb3rWard0g shares how you can identify opportunities to contribute and give back to the community.
0
16
50
2
14
115
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
Few people, big impact 😊🍻 based on research & contributions documented by @MITREattack A great way to explore the framework and find relationships among tactics, techniques, data sources, groups, software and more. A few ideas to defend & attack @SpecterOps style 💜💜 @THE_HELK
0
47
106
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
I had so much fun and learned a lot while putting together the first scenario for SimuLand 🏝! Today we release a dataset generated after running the first lab 🍻 You can explore some of the security events without deploying the full environment 😎💥 #MSTIC
@MsftSecIntel
Microsoft Threat Intelligence
3 years
In May we announced SimuLand, an open-source initiative for deploying lab environments that reproduce well-known techniques used in real attack scenarios, and test the effectiveness of Microsoft solutions. Today we shared the first SimuLand dataset:
2
142
255
1
26
105
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Playing with @FuzzySec SilkETW, @harmj0y PowerView & @THE_HELK tonight w/ my brother @Cyb3rPandaH 💜 Working on parsing and documenting the data produced & adding a few slides to my @1ns0mn1h4ck talk 😊 this Friday! Thank you @FuzzySec 🍻 #threathunting
4
37
102
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🚨💥 Registration for the first community Infosec Jupyterthon is open! Also, check the current talks & speakers that would love to share their knowledge with you 💜 🍻 🗓️ Current Agenda: 📒 Registration Form: See you on Friday 5/8
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🚨 Organizing an Infosec Jupyterthon on 5/8 🚀 An open virtual community event for security researchers to share their favorite @ProjectJupyter #notebooks w/ the Infosec 🌎 Share & meet other Infosec Jovyans! Site: Call for 📔:
6
98
217
6
61
102
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Very happy to share that I started a meetup in the DC metro area. Looking forward to meeting everyone and collaborating with the community 💜 Stay tuned! First meetup coming soon 😊🍻 #ThreatHunting #DFIR
9
26
101
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Has anyone (boss, client, student, etc) ever asked you in what Windows event log can you find a process, IP address, InterfaceUuid, etc? Very helpful to identify providers that you might need to start collecting data from. @OSSEM_Project is using online interactive #notebooks
@OSSEM_Project
OSSEM
4 years
2. The use of @ProjectJupyter #notebooks to explore events in JSON format and search field names across all events in every Windows 10 ETW provider. Online Interactive Notebook:
1
5
30
1
21
100
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
Updated documents in the examples section of with the updated @MITREattack DB in ONE file and TTPs mapped to Groups for Adversarial hunting engagements. #ThreatHunting #PowerShell 💜💜
1
57
95
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
I started to play w/ @awscloud CloudFormation last week, and it was easy to model and provision all the resources needed for my applications. Happy to release the BlackSmith Project⚔️! The Mordor 👿 Shire network is officially in AWS 😊🏹🍻 #ThreatHunting
4
36
96
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
Teaching @MITREattack ? The Python library "attackcti" is a must in your toolbox🧰! Share your use cases and empower others around the 🌎 @OTR_Community
@OTR_Community
Open Threat Research
3 years
Updating our Python library "attackcti" docs after @MITREattack update! 🔗 New Site: 📦 Library: 📔 Updated @ProjectJupyter notebooks ☁️ Online experience via @mybinderteam BinderHub ❤️ Want to share a notebook? let us know! 😉
0
48
120
0
33
96
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
1 year
Today @DrAzureAD , @_dirkjan , @ManuelBerrueta and @chiragsavla94 explored Microsoft Graph Activity Logs (Private Preview) ❤️ We checked a few #AADInternals capabilities in the logs, and we can't wait to share more when this goes public! @OTR_Community
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Just learned that Microsoft decided to add a new log source last month while I was suffering flu: 🔥 #MicrosoftGraphActivityLogs 🔥 This is easily the most important security feature for years!! Hoping to get this in Preview/Production soon so we can catch those baddies faster
15
101
349
3
25
94
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
💥Thank you @JohnLaTwC 🍻! If you want to learn how I share detections via #notebooks from @HunterPlaybook and datasets from @Mordor_Project leveraging @mybinderteam project to empower the community and accelerate infosec learning, I wrote about it here:
@JohnLaTwC
John Lambert
5 years
We hear about attacks at the same time, but learn to defend alone. How can we change this so every defender can be as good as the best defender? In this post, I talk about an open, vendor neutral, community based approach to accelerate infosec learning.
16
323
717
0
28
92
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
6 years
Thank you @irongeek_adc !! 😊🍻 My talk with @_devonkerr_ about "Quantifying your Hunt" A data-driven approach to measure the effectiveness of your #ThreatHunting program. Make sure you know your data first 😉 @SpecterOps @EndgameInc @BSidesCharm
3
48
92
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
💥New Sysmon V11.10 ! updating configs, rules and parsers? 🌎🍻🏡 1) Event log manifest/schema: 2) Schema version: 4.32 3) New Field for event 15 (File stream created): "Contents"
@markrussinovich
Mark Russinovich
4 years
New Sysmon update, v11.1, that captures alternate data streams (like Mark of the Web) and fixes a few v11 bugs. Check out my June update video describing the releases:
2
152
365
1
37
90
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🙏 See you all at #BHUSA Arsenal! Stop by for some stickers! 🍻 #MSTIC I will be talking about Cloud Katana ⚔️ A tool I developed to validate/develop detection rules and learn more about the underlying behavior of cloud attacks via @AzureFunctions 🌩️
6
18
89
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
😱 wow! 😅 One of my 1st posts using @MITREattack to measure more than just incidents uncovered or detections created (i.e data coverage) 🙏 The beginnings of an awesome journey! Seeing @MITREattack Navigator being released was a great feeling and brought me back to those times!
@jorgeorchilles
Jorge Orchilles
4 years
Hey @Cyb3rWard0g remember 3 years ago when we used to manage our ATT&CK mapping in Excel? Tomorrow is 3 year anniversary of this post :)
2
2
35
2
11
87
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
1 year
💡I was curious about #LLMs & #Cybersecurity 🎯Goal: Better communicate & collaborate ♻️Method: Take notes, run experiments & share #X33fcon @x33fcon @LangChainAI #BloodHound #ROADtools @Cyb3rPandaH @MITREattack ✅ Repo ✅ Slides
2
23
87
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
HOW to contribute a @Mordor_Project dataset in 2 mins ⏳w/ the help of @redcanary ART & then contribute to @sigma_hq after exploring the data! @OTR_Community ♻️ Clear, Exec & Collect: 😈 Data: 🏹 Rule:
1
38
85
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
💥 New Sysmon V.12 . Get ready to update configs, rules and parsers! 🌎🍻 1) Event log manifest/schema: 2) Schema Version: 4.40 3) CLI switch: "z" (ClipboardInstance) & Config Option: CaptureClipboard 4) Event: 24 (rule: ClipboardChange) 5) Sample ⬇️
@markrussinovich
Mark Russinovich
4 years
Just posted a major Sysinternals update: Sysmon clipboard monitoring, Procmon enhanced filter edit dialog, Procdump CoreCLR and terminate dump support, and lots of ARM64 ports.
16
442
1K
2
48
86
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
7 years
Invoke-ATTACKAPI -All=Tons of info straight from @MITREattack at once. Always updated! 💙 #PowerShell #ThreatHunting
0
36
85
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
if u "Restrict clients allowed to make remote calls to SAM" (), set "Event Throttling" to 0 secs to not group "access-denied" events into one, missing context about the client. Standardize the "Client SID" field to join it w/ other events 🍻 #ThreatHunting
0
35
84
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Today, while writing @ProjectJupyter notebooks for @THE_HELK using Graphframes, a graph processing library for Spark, I came across this amazing book by @amyhodler & @markhneedham w/ hands-on examples of how to use graph algorithms in @ApacheSpark & @neo4j
3
19
82
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
🚨 A few detection opportunities while interacting with local AD hybrid health agent registry keys & Azure AD connect health AD FS services ☁️ 📡SACLs & 🛰️Activity Logs (Directory Activity) FTW 🛡️ #AzureSentinel : 🌎 @sigma_hq :
@DrAzureAD
Dr. Nestori Syynimaa
3 years
Did you know that local admin can export AD FS Hybrid Health Agent secret and create fake Azure AD sign-in events? 😈 Read my blog "Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent" to learn more & how to do it with #AADInternals 🔥
3
53
160
1
38
81
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
OMI was updated to V1.6.8-1, but the OMS-Agent-For-Linux latest bundle script points to V1.6.8.0 🤔 In progress: 🚨Upgrade OMI 1⃣ Configure repos: 2⃣ sudo yum upgrade omi OR sudo apt-get upgrade omi OR sudo zypper update omi
@nirohfeld
Nir Ohfeld
3 years
Microsoft just patched 4 vulnerabilities we ( @wiz_io ) recently reported, including a CVSS 9.8 RCE. These vulnerabilities affect countless machines as the OMI agent is silently installed when enabling many Azure services. #PatchTuesday
5
130
277
1
41
81
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
3 years
@_dirkjan Currently working on a basic use case w/ it for a project 🤣 & I hope this is helpful from a defense perspective 🍻 signs of: ✅ Listener: Microsoft.HybridConnectionManager.Listener.exe ✅ Execution through wsmprovhost.exe ✅Service: Azure Hybrid Connection Manager Service
3
12
80
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
Taking a break is fun 😉🔥 @THE_HELK , Threathunter-playbook, OSSEM, Mordor, etc will still be there tomorrow 😂 Learning the basics of #Blacksmithing for now 🍻
6
4
80
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
🚨 Releasing datasets (Free telemetry 🍻) for @MITREattack APT29 Evals (Day1) & Emulation plan💥 1) Download: 2) Get familiarized w/ the data (Host and Network 🔥) 3) Cross-check with emulation plan: 4) Get Ready for May 2nd 🚀
3
34
79
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
4 years
Thank you @sansforensics @SANSJen for the opportunity to share the stage w/ my brother @Cyb3rPandaH & talk about @ProjectJupyter , @Mordor_Project & @HunterPlaybook . First times using @mybinderteam BinderHub in a talk to let the InfoSec community 🌎 run our notebooks live 🔥🚀
@sansforensics
SANS DFIR
4 years
From the 2019 Threat Hunting and Incident Response Summit, @Cyb3rWard0g and @Cyb3rPandaH's #Jupyter Notebooks and Pre-recorded Datasets for Threat Hunting presentation View now:
0
17
54
0
21
80
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
5 years
😱 Caldera Plugin: to supply CALDERA with the TTPs used within the @MITREattack Evals Round 1 (APT3) - 1st Scenario 🍻. @Cyb3rPandaH & I ran the 2nd Scenario and shared the dataset 📜: . Integrating plugin with @Mordor_Project 💜
2
22
79
@Cyb3rWard0g
Roberto Rodriguez 🇵🇪
7 years
Hunting for In-Memory #Mimikatz with #Sysmon & #ELKStack - Part II (Event ID 10). #ThreatHunting #dfir
0
47
80