Thomas Patzke

Thank you all so much for coming to my #Shmoocon talk on threat modeling! You can check out my slides (complete with references) here: https://www.slideshare.net/KatieNickels/resistance-isnt-futile-a-practical-approach-to-threat-modeling …. Thanks to @heidishmoo, @gdead, and the amazing @Shmoocon volunteer crew for having me and making this event possible!pic.twitter.com/GUw6R8tQ14

ICYMI @SOC_Prime developed an online tool to convert Sigma rules into the query language of your choice https://uncoder.io/  FAQs What if my field values differ from the standard? https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac … What if I get too many false positives? https://github.com/Neo23x0/sigma/blob/master/README.md#translate-only-rules-of-level-high-or-critical …pic.twitter.com/elhs1s2CFz

#ESETresearch uncovered a new campaign of the #Winnti Group targeting #HongKong universities with ShadowPad and Winnti. @mathieutartare https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ … 1/3pic.twitter.com/d57V1rhBR1

Sigma rule to detect #Winnti malware process starts as described in ESET's recent blog post on a campaign against HK universities (derived from sandbox reports - won't share them yet) Sigma Rule https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml … Report https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ …pic.twitter.com/NOF1Flx5i0

I'm releasing ghidra scripts that I made for pwn and reversing tasks, starting with this set of scripts to replace linux/libc magic numbers with readable names for aarch64, amd64/i386, arm/thumb, hppa, m68k, mips, ppc, ppc64, sh, sh4, sparc and sparc64. https://github.com/0xb0bb/pwndra pic.twitter.com/o1JPjyjgga

I've spent a whole day on Sigma Focus: Facilitate contributions - New Rule Creation Guide https://github.com/Neo23x0/sigma/wiki/Rule-Creation-Guide … - New colorised test output - New test cases - Rule cleanup (title, date, ids) https://github.com/Neo23x0/sigma/pull/604 … Next step: How-to guide for pull requestspic.twitter.com/5Iy4NSmiEo

I've transformed the expressions from my "Top Base64 Encodings" learning aid into a YARA and Sigma rule and published them in the respective repos Learning Aid https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 … YARA https://github.com/Neo23x0/signature-base/blob/master/yara/gen_powershell_susp.yar#L204 … Sigma https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_powershell_frombase64string.yml …pic.twitter.com/5C5MRGGFaL

Log Sources - ordered by priority - with ratings in different categories - personal and highly subjective assessment - from my most recent slide deck on low hanging fruits in security monitoring #SIEM #SecurityMonitoring #ThreatHuntingpic.twitter.com/wuWImWLB77

Threat Bus: a real-time pub/sub broker to get intelligence/indicators from @MISPProject and feed your @Zeekurity in real-time & get sightings from your NIDS to MISP. A clever way to connect efficiently open source security tools. Thanks to @tenzir_company https://github.com/tenzir/threatbus …pic.twitter.com/vn25bMPix8

Eventually time has come to do the final 3.0 release of #testssl.sh. Get it, use it, enjoy! https://github.com/drwetter/testssl.sh/releases/tag/3.0 …pic.twitter.com/cr9AiK2Uue

When your decision to adopt microservices is missing the big picture.pic.twitter.com/dvRHK4MCyQ