Hi, Y'all! I tweet about the intersection of cyber security investigation doctrine, cognitive psychology, and education. Also BBQ. 👨🏻‍🏫 Online Courses I Teach: 📚 Books I've Written: 🌎 Blog & More Links:

RT @chrissanders88: It's a bit tangential to what I do here, but I've been making some short-form video content focused on Meteorite educat…

I’ve always thought these SSH tunneling techniques were confusing to follow at times, but Dan does a tremendous job simplifying the idea. Lots of practical demos. A must understand for attackers and defenders, both.

It's a bit tangential to what I do here, but I've been making some short-form video content focused on Meteorite education. If you're into that sorta thing, you can watch here: Youtube: Instagram: TikTok:

Investigation Scenario 🔎 You discovered a suspicious PDF on a user’s workstation and found this sandbox report referencing it: What do you look for to investigate whether the system was infected and its extent? #InvestigationPath #DFIR #SOC

Investigation Scenario 🔎 You receive an alert that a Linux system is experiencing consistently high CPU usage. Running crontab -l for the related user, you see the pictured entry... However, when you check again, the crontab entry is gone. The file listed in the cron job is not currently available at that URL. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

One of my favorite maxims for anomaly detection in investigations comes from archaeology... One stone is a stone; two stones are a feature; three stones are a wall.

These malware analysis lessons are a great way to learn how the folks doing this work every day think through their analysis process and understand how malware behaves.

@MWollenweber Bless your heart

@MWollenweber Who said they were unprivileged or that they didn't make any changes?

RT @RuralTechFund: Check out the awesome video put together for our project in Los Lunas, NM! "Thank you so much to the Rural Technology F…

This scenario was inspired by AgentTesla, for those trying for bonus points. That said, it's pretty hard to get there from a file name alone, and other malware strains use that filename, too.

Investigation Scenario 🔎 While threat hunting, you’ve discovered a host receiving HTTPS traffic on port TCP/53. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC

@mtk01330 Thank you 💙

Nobody in Georgia knows what to do when it snows, so of course somebody is shooting off fireworks at 8:30 in the morning.

Not many better ways to ring in the New Year! One of these days I'm gonna talk them into letting me run the grill for a couple of hours. #WaffleHome

@mtk01330 That's a big question! Any specific facet of cyber security, specifically?