Tim MalcomVetter™️

@malcomvetter

Followers: 11,760 | Following: 470 | Media: 604 | Statuses: 13,347

C-Founder at _stealth_; Prev: @NetSPI @CYDERES @FishtechGroup @Walmart Red Team @Sp4rkCon @Optiv @fishnetsecurity . PhD Dropout. BJJ 🟪⬛️⬛️🟪🟪 ⳩

Joined May 2015
Pinned Tweet
@malcomvetter
Tim MalcomVetter™️
5 years
[INTERACTIVE BLOG] Did you like Choose Your Own Adventure books as a kid? Are you fascinated by Red Team adversary tradecraft? Would you like stories inspired from the best defenders? Then come Choose Your Own Red Team Adventure!
@malcomvetter
Tim MalcomVetter™️
4 years
OH: A: "Just use Terrible to deploy it." B: "What?" A: "Terraform and Ansible." B: "Oh. Yeah. Terrible."
@malcomvetter
Tim MalcomVetter™️
3 years
NOW HIRING: Entry level Cyber Security Analysts who have a minimum of 25 years experience, 3 degrees, and 14 certifications.
@stvemillertime
Steve YARA Synapse Miller
3 years
INFOSEC caption contest
@malcomvetter
Tim MalcomVetter™️
5 years
A recently mobilized toddler is like a free home penetration test.
@malcomvetter
Tim MalcomVetter™️
3 years
Intelligence Test. Complete the pattern. Win95💩 Win98👍 Win ME💩 Win XP👍 Win Vista💩 Win 7👍 Win 8💩 Win 10👍 Win 11 ...
@malcomvetter
Tim MalcomVetter™️
6 years
I just published Red Team Use of MITRE ATT&CK
@malcomvetter
Tim MalcomVetter™️
4 years
Unpopular opinion: exploit development should not be part of penetration testing (and definitely not "red team") training courses. It should be its own standalone course, since it's a separate discipline.
@malcomvetter
Tim MalcomVetter™️
5 years
For the newcomers out there... I’ve been doing InfoSec stuff for ~20 years now, & every 3-5 years I discover a better understanding of the subject. Just when I think I’ve got it figured out, I get a little closer still. This is for your edification to stick with it 1/
@malcomvetter
Tim MalcomVetter™️
7 years
I just published “Multi-Platform Macro Phishing Payloads”
@malcomvetter
Tim MalcomVetter™️
6 years
Log into my Christmas tree with your Facebook account!
@malcomvetter
Tim MalcomVetter™️
5 years
Red Team != pentest++ Not all penetration testers will be happy doing red teaming. If you like solving puzzles, you may not like planning an "op." Red Teaming isn't necessarily "better." It's "different." It's not necessarily more technical, either.
@malcomvetter
Tim MalcomVetter™️
7 years
A #redteam wanting to keep vulns/tricks to themselves (i.e. not disclosing to #blueteam) for repeated future success is like a 12 year old kid wanting to replay the same video game on novice level instead of moving up to master/expert level. Enjoy the challenge, share the tricks.
@malcomvetter
Tim MalcomVetter™️
6 years
If you are looking at getting into #RedTeam by 2020, you better know how to code— not just piecing together scripts, but actually structuring code like a real developer avoiding code smells. Commodity attacks are drying up.
@malcomvetter
Tim MalcomVetter™️
5 years
PSA: if you have “1337” in your handle, you’re going to come across as an amateur. Same goes for newish handles (last few years) with “0x{string}”. Be original. Wouldn’t hurt you to grow up a bit, too.
@malcomvetter
Tim MalcomVetter™️
5 years
#RedTeam Pro Tip: make sure all of your tools, terminals, output, and screenshots include full timestamps with month, day, and year. You never know how much later you may need to dig that up and know exactly _when_ something happened.
@malcomvetter
Tim MalcomVetter™️
6 years
This week's offensive C# templates:
- A Windows service that cannot be stopped in the service manager:
- Code execution across named pipes
Both are easier than you might think.
@malcomvetter
Tim MalcomVetter™️
4 years
I’ve given @DuckDuckGo an entire month across all of my and my family’s devices. It’s come a long way since I first heard of them ~10 years ago & I don’t miss Google. Looks like this change will be permanent.
@malcomvetter
Tim MalcomVetter™️
4 years
Pentest your prevention controls
Unit test your detection controls
Red Team your response processes
☝️ Mixing the above comes with diminished results.
@malcomvetter
Tim MalcomVetter™️
5 years
I will not touch I will not touch I will not touch I will not ...
@malcomvetter
Tim MalcomVetter™️
6 years
Happy Saturday Morning! Turn off the cartoons, here's an open source C# implementation of `psexec`! Enjoy!
@malcomvetter
Tim MalcomVetter™️
5 years
Imagine how much better Blue Teams would be if Red Teams realized they weren’t Conor McGregor, they’re his sparring/training partner that virtually nobody knows. If RED thinks they’re the ones showing up at the fight, they have got the date, venue, and match WRONG.
@malcomvetter
Tim MalcomVetter™️
3 years
After 5 years of building the Red Team program @WalmartTech, I am moving on. Learned a ton & worked with some of the best there are. We latched onto Mr. Sam's 10 rules for business, specifically #10: Swim Upstream. Seemed fitting for us! $ dig txt
@malcomvetter
Tim MalcomVetter™️
4 years
[New Blog] How to start an internal/corp #RedTeam program in 7 Steps. I get this question a lot, so here's a nicely compiled answer for you that could save you time and keep you busy for a few years. Let me know if this helps you out!
@malcomvetter
Tim MalcomVetter™️
6 years
One of my fav parts of my red team is that we rotate campaign leaders every time. Everybody will run a campaign at some point. Everybody gets to feel the pressure of coordinating all the moving pieces. You're not expected to know everything, but you are expected to lead.
@malcomvetter
Tim MalcomVetter™️
4 years
Don't underestimate the hacker who parses that weird data dump using Excel.
@malcomvetter
Tim MalcomVetter™️
4 years
~Half year later ... Not only do I NOT hate the word "cyber" I think there is a big distinction between "cyber" and "information" security, and I distinctly prefer the former over the latter. Maturity? Nuanced understanding? Your thoughts?
@malcomvetter
Tim MalcomVetter™️
5 years
I no longer hate the word “cyber” and I no longer hate C++. What is happening?
@malcomvetter
Tim MalcomVetter™️
5 years
If you're new or been in InfoSec for awhile and you've not read these 2 classic papers, take 15 minutes today and do it. Thank me later.
@malcomvetter
Tim MalcomVetter™️
6 years
On this Happy Friday, remind yourself that nobody is going to look out for your career better than YOU. Invest in yourself. Take risks. Try new things. Don't wait for opportunities to fall in your lap, make them happen. "The harder I work, the luckier I get."
@malcomvetter
Tim MalcomVetter™️
5 years
My 9 year old twins just found an @Apple iOS parental controls escape, pivoting through the @DarkSkyApp. Yep, hacking runs in the family. Here is their first (public) attack chain: Step 1. Tap the warning text in the app.
@malcomvetter
Tim MalcomVetter™️
6 years
"Adversary Onboarding" I'm coining that term. It's the point in which an adversary uses an org's internal documentation for internal recon, much like a new employee's orientation and onboarding. I'm coining it royalty-free. Yes, you may (and shall!) use it.
@malcomvetter
Tim MalcomVetter™️
6 years
Moar C#
Programmatically call UAC and escalate to admin:
Monitor Process Creation/Termination events with some WMI help:
Monitor Security Event Log
* PoC/pattern/example code to be pulled into your tools.
@malcomvetter
Tim MalcomVetter™️
5 years
Being a good leader means you let your people do the fun cool stuff and you don’t hog it for yourself.
@malcomvetter
Tim MalcomVetter™️
4 years
I wonder if real threat actors have performance reviews and annual goals?
@malcomvetter
Tim MalcomVetter™️
6 years
If you're an aspiring #redteamer learn as much code as you can. Operating System internals have never been more transparently open to code than they are today. Don't get overwhelmed. Just practice, learn, and realize it will take a little while, but it's worth the effort.
@malcomvetter
Tim MalcomVetter™️
5 years
Choose your own #RedTeam adventure. Your phish lands on a host. What is the first thing you do? (If 4 answers aren't enough, reply below)
Poll results:
- MIMIKATZ! (Leroy Jenkins): 241
- Figure out where I am: 686
- Figure out what's running: 450
- Prompt user for passwords: 130
@malcomvetter
Tim MalcomVetter™️
5 years
If you’re into writing or detecting maldocs and you haven’t looked at ViperMonkey, look now: I’m told it’s now used by Project Zero and DoD. One of the primary authors is a @WalmartTech associate and a good person to follow: @bigmacjpg
@malcomvetter
Tim MalcomVetter™️
6 years
@vysecurity Well, e.g. in Windows there's ipconfig /displaydns but it's best to stay off the command line & use the native APIs where possible, like this:
What can we learn?
- Browsing habits
- AD Domain
- Cloud Services
- EDR Callbacks
- etc.
@malcomvetter
Tim MalcomVetter™️
6 years
Did you know MITRE ATT&CK is hosting its first ever conference and you can livestream it for FREE?!
@malcomvetter
Tim MalcomVetter™️
4 years
LOL ... No.
@malcomvetter
Tim MalcomVetter™️
4 years
Did you know that @WalmartTech has become one of the largest contributors to the Atomic Red Team project recently? And we're just getting started ... Contributors: @OrOneEqualsOne @Cherokeejb_ @apbeers et al
@malcomvetter
Tim MalcomVetter™️
6 years
I can’t believe pentesters/red teamers still focus on getting Domain Admin. DA is in most cases a waste of access. It’s inefficient. If you’re modeling “sophisticated” (whatever that means) adversaries, abuse the path of least privilege, usually the path of least noise.
@malcomvetter
Tim MalcomVetter™️
2 years
I'm over here eating crow. Laugh at this with me, then realize your crow will come, too. For all the times, as a red teamer/pentester when I wrote something dismissive like "just implement a detection for that" ... 1/
@malcomvetter
Tim MalcomVetter™️
4 years
AppSec is only a (small) piece of a security program. If you focus 90% on AppSec and have no detection/response, you basically don’t have a security program.
@malcomvetter
Tim MalcomVetter™️
4 years
Look what I found in a box, almost perfectly preserved. I bet many of you don’t immediately recognize what this is, and others of you probably have no idea at all.
@malcomvetter
Tim MalcomVetter™️
5 years
This just happened. “Hey Siri, lower the temperature to [stutter] 73 degrees.” Siri: “Got it. Cooling the house to negative two thousand seventy three degrees.” “What? No!” Thermostat is now set to 50 degrees. Apparently that’s as low as it goes.
@malcomvetter
Tim MalcomVetter™️
4 years
Expert: Your company’s VPN credentials and nothing else.
@cyb3rops
Florian Roth
4 years
Give me a list of well known tools used by adversaries
Novice: nmap, Cain, hydra, tcpdump, arpspoof
Intermediate: Htran, Mimikatz, smbexec, Lazagne, PwDump
Expert: PowerShell, VBA macros, JavaScript, WMI, certutil, legitimate signed executables
@malcomvetter
Tim MalcomVetter™️
7 years
Here’s a better look at my holiday gift to my team of hackers. It was soooo hard to keep it a secret. Note the PowerShell Empire “ornaments” among the other “layers” ... Corollary: life is too short not to work with people you love working with.
@malcomvetter
Tim MalcomVetter™️
3 years
Hmmm... @Crowdstrike built a C2. 😈
@malcomvetter
Tim MalcomVetter™️
7 years
If you think #redteam stuff is all fun all the time: Try planning a major campaign involving 5+ different component entities that all have to appear physically/logically distinct and unrelated as a resilient, multi-prong attack. A single connected OPSEC line ruins them all.
@malcomvetter
Tim MalcomVetter™️
6 years
Ways to turn me off:
- claim you are an expert, thought leader, or value add
- keep a tally of your CVEs
- claim you can hack anything
- list your certs in your name field on social media
Vs:
- build something useful
- teach people skills
- lifelong learner
- be humble
@malcomvetter
Tim MalcomVetter™️
3 years
[NOW HIRING- Pls RT] Rare opportunity: top tier opening for Red Team Operator/Engineer/Dev. US based candidates only; completely remote team w/ great mission across 5 continents. Pay no attention to the preferred certs, because I won't. (auto-generated)
@malcomvetter
Tim MalcomVetter™️
4 years
My youngest recently had a birthday. Kind of a big deal, since he spent his first 5 months of life in the NICU and would have died on Day 1 if it wasn’t for amazing in utero ID of a birth defect & great surgeons ready to fight with him. We expect great things from him.
@malcomvetter
Tim MalcomVetter™️
6 years
1998: What is InfoSec?
2008: InfoSec == Prevent all the bad things
2018: InfoSec == Prevention is a losing battle, Containment/Response is where it’s at—make breaches meaningless.
@malcomvetter
Tim MalcomVetter™️
5 years
My kids found another parental controls escape (WebKit in an app to full YouTube)! So, naturally, I solved this problem the way any Dad would. I instituted a family Bug Bounty program. We pay out in MineCoins. 💰💰💰
@malcomvetter
Tim MalcomVetter™️
10 months
It’s been another 5 years and this article holds true. There are really only 5 ways to breach an organization, yet so many over-complicate this concept. Know the 5. Think simpler.
@malcomvetter
Tim MalcomVetter™️
6 years
I just published “How we breached your network”
@malcomvetter
Tim MalcomVetter™️
6 years
@privesque @vysecurity I prefer this one.
@malcomvetter
Tim MalcomVetter™️
5 years
=== BEGIN INTERNET MATURITY TEST === Answer the following fill in the blank: “I like to ___.” === END TEST === . . . . . . . . If you answered “move it, move it” you’re officially 6 years old. You know who you are.
@malcomvetter
Tim MalcomVetter™️
7 years
You may not be able to PREVENT all attacks, but you absolutely must be able to DETECT and RESPOND to them.
@malcomvetter
Tim MalcomVetter™️
5 years
Dumping Chrome Passwords from C++
Hint: there's a better way to do it without copying the SQLite db file. Exercise for the reader.
@malcomvetter
Tim MalcomVetter™️
4 years
"Red Team" means a lot of different things to different people, especially if those people are from the Marketing Department. #DailyDose
@malcomvetter
Tim MalcomVetter™️
5 years
I talked to a 16 year old yesterday who grilled me with questions about a career as a hacker, everything from how to get started, to financial viability, to emotional satisfaction. When I was 16, I just wanted to drive friends to the movies. That 16 year old WILL BE successful.
@malcomvetter
Tim MalcomVetter™️
6 years
Cannot hit retweet or like as many times as I'd like. +1000
@KyleHanslovan
Kyle Hanslovan
9 years
Advice for the aspiring Pentester: Put down the #Metasploit books and pick up Windows Internals. There's opportunity on every page.
@malcomvetter
Tim MalcomVetter™️
5 years
I think I’m going to start giving out hunt advice to make red teams better. BLUE: log all process create events centrally and hunt on common LOLbins like “net”. Practice to get your timing window close to zero and crush RED.
@CyberWarship
Florian Hansemann
5 years
Bypassing AD account lockout for a compromised account #infosec #pentest #redteam
@malcomvetter
Tim MalcomVetter™️
6 years
I just published “Safe Red Team Infrastructure”
@malcomvetter
Tim MalcomVetter™️
5 years
If you’re doing red team work and you don’t have a lab with EDR and SIEM products, you’re doing it wrong ... also I’d bet you’re either in consulting or a new internal red team. If former, up your game now or your clients will find someone else.
@dyn___
Aaron Grattafiori
5 years
@HackingLZ @pmelson @arekfurt I would say if you're doing offensive security work (mostly speaking about red teams), and you don't know anything about your tools' potential detections, what EDR in general is and how it works, what stage of the kill chain you're most vulnerable to, etc... you're being lazy AF.
@malcomvetter
Tim MalcomVetter™️
6 years
[BLOG SERIES] Having a slow Turkey Day? How about 12 adversary tradecraft related blog posts with reference C# code? Want to pull apart the Windows API in C#? Start here and follow the links: Source code (and more) here:
@malcomvetter
Tim MalcomVetter™️
5 years
Opinion: Red Teams use domain fronting more than FIN/APT groups. Why? Because red teams have to follow more rules when acquiring callback domains. We can’t reuse third party victims. Also, because categorization and aging are hard, requiring discipline & planning.
@malcomvetter
Tim MalcomVetter™️
4 years
REMINDER: the primary purpose of a red team exercise when the org doesn’t have Detect/Respond capability (SOC) is to wake them up to realize they need a SOC. It’s always better if the org builds a SOC capability first, but sometimes you don’t know what you don’t know. 1/
@malcomvetter
Tim MalcomVetter™️
5 years
Red: remember you’re not the main event. You’re the strength coach, the nutritionist, the personal trainer, and occasional kicking post for the superstar: Blue. That’s your job.
@malcomvetter
Tim MalcomVetter™️
5 years
[BLOG] The Future of Adversaries is Software Development. A weather report depicting why APEX predator adversary groups must build custom-coded toolkits and why you should start learning to develop code today if you want your red team to model them.
@malcomvetter
Tim MalcomVetter™️
2 years
This is why I (still) think the security pros who've bounced from blue to red (or vice versa) and spent time in the trenches of admin work make the best talent overall; they're well rounded. Be well rounded, friends! 6/6
@malcomvetter
Tim MalcomVetter™️
5 years
DNS Registrar: "Your account is locked due to hosting malicious content." Us: "Can you at least cancel the domain renewal?" DNS Registrar: "Nope, we're going to lock you out and bill you recurring forever." Us: "Who is the criminal?"
@malcomvetter
Tim MalcomVetter™️
6 years
Psst. Hey you. Yeah, you over there. It’s Sunday night. A new week is starting. Don’t compare yourself to others, but make plans THIS WEEK to become a better version of YOU. Hint: that probably involves learning from people right in front of you, NOT on twitter. (Yeah, I know.)
@malcomvetter
Tim MalcomVetter™️
4 years
Y’all are gonna solve that Coronavirus thing by hacker summer camp, right?
@malcomvetter
Tim MalcomVetter™️
4 years
76 years ago today. Could you have gotten off the boat? Would you have what it takes to not stop? I keep this on my office wall to remind me that no work problem is probably as bad as I think it is. #DDay
@malcomvetter
Tim MalcomVetter™️
6 years
Today’s definition of #redteam: “To prepare the business for the realities of unfair adversary tactics in a friendlier way.”
@malcomvetter
Tim MalcomVetter™️
6 years
Offensive tool developers: glad to see you working in C#/C/C++. Please do us a favor & structure your code so that it’s reusable as a library, not a standalone console app. Remove console output. Still want console output in your PoC? Do it in main by iterating on rich data.
@malcomvetter
Tim MalcomVetter™️
2 years
I'm now on the receiving end from my fellow pentesters who dismissively say "detect that" or "fix your SIEM" or "work with your MSSP." Gentle reminder, my red team friends: Some things are NOT EASILY DETECTED. Things like false positive rates and alert volumes are a thing. 2/
@malcomvetter
Tim MalcomVetter™️
4 years
FACT (not opinion): #RedTeamFit is the MOST POSITIVE place in all of InfoSec Twitter.🔥‼️ I ❤️ seeing the new faces, the transformation stories, the support for those starting out. It’s started with “let’s make this a thing.” Now “let’s KEEP this a thing.” Consistency.
@malcomvetter
Tim MalcomVetter™️
6 years
Telemetry is telemetry. Good guys, bad guys ... everybody wants it. I've never met anyone who said "I've got all the telemetry I need, thanks." Good guys have C2, too (it's just called other names like SCCM, Intune, JAMF, Tanium, etc.).
@malcomvetter
Tim MalcomVetter™️
5 years
Security People frequently jump to technical controls when a process would be more effective. Processes require people, buy-in, and more work, while a technical control may be ineffective. “When your only solution is a hammer, every problem looks like a nail.” 🔨
@malcomvetter
Tim MalcomVetter™️
6 years
Hey Colorado InfoSec people ... Why isn't there a "SlopeCon" or "PowderCon" or similar? Say, January-February-ish, west of Denver, talks/events during the evenings (4PM - 10PM) with the open mornings (hit the slopes or lobby con). Hosted in a ski resort hotel, of course.
@malcomvetter
Tim MalcomVetter™️
6 years
I've been a @Microsoft customer for ~33 years (Tandy 1000, MS-DOS, 1985ish), but this is my first time to Redmond, WA, and I get to speak tomorrow at #BlueHatv18! I'm excited to make the visit, talk #RedTeam, and represent @WalmartTech @WalmartLabs! See you tomorrow and say hi!
@malcomvetter
Tim MalcomVetter™️
4 years
He did it.
@malcomvetter
Tim MalcomVetter™️
5 years
I just survived my first week as an ex/recovering/revoked/disavowed/expired CISSP after 13 years. The world kept turning. I still remember halon fire extinguishers and Bell LaPadula.
@malcomvetter
Tim MalcomVetter™️
6 years
What have I done?? I just patched my Christmas tree!
@malcomvetter
Tim MalcomVetter™️
4 years
Most “gains” are made with 2.5 lb plates, not 45s. Remember that when thinking about your career: a steady set of small increases will take you farther than a rare large increase. Focus small.
@malcomvetter
Tim MalcomVetter™️
4 years
What is something non-infosec that you do that helps your infosec thinking and career? How does it help? Some examples: chess, jiu jitsu, maybe tennis?
@malcomvetter
Tim MalcomVetter™️
4 years
I’ve been saying this for a while now. I’ll say it again. One day, we are going to have a company breached and the access vector will be compromised pentest/red team tooling. “Not on my watch.”
@0xcoastal
coastal
4 years
writeup on RCE in Covenant C2
@malcomvetter
Tim MalcomVetter™️
5 years
Recipe for a popular tweet: insult/shame companies + their employees for a breach
Recipe for an unpopular tweet: recognize infosec people are human, imperfect, and most likely well-intentioned, despite a breach
@malcomvetter
Tim MalcomVetter™️
4 years
Red Teams are really good at finding systems and processes that don’t have an owner. The subsequent exercise of assigning an owner ... well, that’s often very hard. After all, if there was an owner, odds are higher that the red team wouldn’t have as much to say about it.