DANΞ

@cryps1s

DFIR @ Palantir | Windows Security Fanboy | | All views are my own, not my employer

The Internet
Joined February 2011

Tweets


  1. Retweeted
    Dec 20

    I wrote about my experiences responding to security breaches and intrusions this year.

  2. Dec 19

    We've open sourced our framework for developing alerting and detection strategies for incident response. We have also included several internal strategies as examples to spur greater sharing and collaboration with defenders.

  3. Retweeted
    Dec 19

    [blog/tool] InsecurePowerShell - PowerShell Without .Automation.dll I promise that one day I will blog about something other than PowerShell... but today is not that day 🙂

  4. Dec 15

    Fun facts about mavinject:
    - Present in system32\mavinject.exe
    - Present in UEV (program files\microsoft user experience virtualization\agent\x86\mavinject32.exe)
    - Present in clicktorun (program files\common files\microsoft shared\clicktorun\mavinject32.exe)

  5. Dec 15

    Reaching out to see if anyone has a success story they can share with . Looks like they've had a bad run of luck and could use some help.

  6. Retweeted
    Dec 11

    Today I'm releasing Detection Lab, a personal project that uses Packer & Vagrant to quickly stand up a fully customizable Windows Active Directory loaded with security tooling and some logging best practices. Blog: Github:

  7. Retweeted
    Dec 11

    Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI:

  8. Dec 6

    Mad props to not only for a great product (app firewall), but for going out of their way to sign binaries to support device guard application whitelisting. Filed a ticket for support and they had a new build out two days later. Vendors take notice.

  9. Retweeted
    Dec 6

    If you are looking for a Windows security related role at a company where management is willing to get things fixed, please DM me. I have a friend who is looking for someone with ~5yrs Windows experience and security passion (and wants to fix things).

  10. Retweeted
    Nov 28

    Any Windows 10 device that includes Hyper-V hypervisor can now turn on HVCI, a powerful mitigation against kernel exploits. This method uses a WDAC/config CI audit policy to enable HVCI.

  11. Nov 30

    That one special moment when you realize you're the one originally responsible for bringing the security product you hate into your environment.

  12. Retweeted
    Nov 28

    ADSecurity Blog Post: "Securing Microsoft Active Directory Federation Server (ADFS)" Includes ADFS & Federation overview and key security recommendations.

  13. Retweeted
    Nov 27

    As a follow-up to this experiment, I documented my process/experience/methodology developing the most secure Device Guard policy I could: "Adventures in Extremely Strict Device Guard Policy Configuration Part 1 — Device Drivers"

  14. Nov 22

    Not only is it bad infosec practice to drop unsigned DLLs on-disk, it's pretty difficult to identify that this was originally installed due to your application since it's loaded from outside the typical application path.

  15. Nov 22

    Hey - I love using 1PWv4 for Windows, but man -- y'all need to sign your stuff. Just discovered you drop an unsigned DLL to System32 called chilkat.dll and it's ruining my application whitelisting juju. Can we get this signed in future releases?

  16. Nov 16

    Sincerest thank you and kudos to the for their Adversary Powershell course. Easily one of the most difficult, rewarding, and inspiring courses I've taken in my career. Defenders would be remiss not to take any training offered by them.

  17. Retweeted
    Nov 16

    "Companies like these are a reminder that your success or failure in business as in life is directly tied to what you produce — not what you promise or represent." I had always assumed root9B was actually doing well. I guess not :(

  18. Retweeted
    Nov 16

    [Blog] Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript

  19. Retweeted
    Nov 15

    In my career I've had to work with jerks. Some of the best advice I've seen for coping during adversity was in this HBR article, which focuses on how to manage your own happiness. "An Antidote to Incivility" [sorry for the paywall]

  20. Nov 13

    We've recently open-sourced our osquery configuration on GitHub (). Audit registry keys, monitor your security tooling, and provide better data for hunting and incident response. CC
