Tweets
Pinned tweet
Since launching our 24x7x365 SOC as a service almost two years ago we’ve achieved:
+90 net promoter score
95% analyst retention rate
How?
Habits. Seven, in fact — that we believe help us “SOC” the right way at @expel_io. #7dailyhabits https://expel.io/blog/7-habits-highly-effective-socs/
Teach #SOC analysts how to think. Don't just hand them a runbook. What does that look like? Meet OSCAR. Not just a grouch, but also a pretty good investigative methodology: (O)rient (S)trategize (C)ollect (A)nalyze (R)ecord findings OSCAR. pic.twitter.com/D6UzHnnLeB

#EDR? Yeah, me too! But if you're chasing a bad guy across a > 100K-node environment you're probably pivoting to your #SIEM.
@amrandazz shares some of the (many) ways we use @exabeam as our "cheat code" when responding @expel_io.
https://expel.io/blog/exabeam-incident-investigators-cheat-code/
Jon Hencinski retweeted
1 Deactivate LLMNR/MDNS/NetBios, Remote Assistance, Remote Desktop
2 Admin silo (dedicated hosts for Admins, Prompt for Consent for non-Windows Binaries, Remote Desktop limited to hosts serving hosts/desktop via Hypervisor/VMs, no Local Admin, etc)
3 Zone & Conduit topography https://twitter.com/jhencinski/status/1221819451617705984 pic.twitter.com/leNT99WrtT
Jon Hencinski retweeted
Really easy analytic for this: anything with a parent process of wsreset.exe. There's only one FP I know of and you'll find it quickly. https://twitter.com/ReaQta/status/1222548288731217921
Jon Hencinski retweeted
Compromising/abusing trust relationships and lateral movement is all about multiple systems networked in an environment. Have come across internal firewall using desktop firewalls, makes it hard. Somehow this is so under-rated by clients in favour of third party products.
Jon Hencinski retweeted
No client-to-client comm.
This is why I love the Windows Firewall. Super easy to implement this and thus making lateral movement a lot harder. And again I recommend this pearl by @jepayneMSFT https://channel9.msdn.com/Events/Ignite/New-Zealand-2016/M377 #BlueTeam #DFIR #IrritateTheHellOutOfThem
GOAL: Spend time pursuing quality leads, efficiently. Make tech do the heavy lifting. Optimize analysts for what they're really good at: making decisions, providing recommendations, and building relationships.
Broken down a bit more:
- Queue wait times: how long did alerts sit?
- Tuning cycle time: time to deploy to prod?
- Incident cycle time: time from "alert" to "fix"
- Investigation cycle time: time spent chasing bad leads
- Alert trend: timeseries decomp w/ Loess
Hot take: A #SOC *can* be a great place to work. Fight alert fatigue with tech + effective mgmt. Use data to make decisions, empower & optimize. Daily metrics review:
- Queue wait times
- Tuning cycle time
- Incident cycle time
- Investigation cycle time
- Trends
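The daily metrics review from the two tweets above, computed over a handful of constructed alert and tuning records (an added example, not Expel's tooling; the record layout, the use of medians, and the choice to count only true positives for incident cycle time are assumptions; the Loess trend decomposition is left out):

```python
from datetime import datetime
from statistics import median

# Constructed SOC records for illustration only (not real data).
ALERTS = [
    {"id": "A1", "created": "2020-01-20T09:00:00", "picked_up": "2020-01-20T09:04:00",
     "closed": "2020-01-20T09:40:00", "true_positive": True, "fixed": "2020-01-20T11:00:00"},
    {"id": "A2", "created": "2020-01-20T09:10:00", "picked_up": "2020-01-20T09:30:00",
     "closed": "2020-01-20T09:45:00", "true_positive": False, "fixed": None},
    {"id": "A3", "created": "2020-01-20T10:00:00", "picked_up": "2020-01-20T10:02:00",
     "closed": "2020-01-20T10:12:00", "true_positive": False, "fixed": None},
]
# Detection-tuning tickets: when a rule change was requested and when it reached prod.
TUNING = [
    {"rule": "wsreset-parent", "opened": "2020-01-18T08:00:00", "deployed": "2020-01-19T08:00:00"},
]

def _minutes(start, end):
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def queue_wait_minutes(alerts=ALERTS):
    """Queue wait time: how long alerts sat before an analyst picked them up (median)."""
    return median(_minutes(a["created"], a["picked_up"]) for a in alerts)

def tuning_cycle_minutes(tickets=TUNING):
    """Tuning cycle time: request to production deployment (median)."""
    return median(_minutes(t["opened"], t["deployed"]) for t in tickets)

def incident_cycle_minutes(alerts=ALERTS):
    """Incident cycle time: "alert" to "fix", true positives only (median)."""
    real = [a for a in alerts if a["true_positive"] and a["fixed"]]
    return median(_minutes(a["created"], a["fixed"]) for a in real)

def investigation_waste_minutes(alerts=ALERTS):
    """Investigation cycle time spent on bad leads: analyst minutes on false positives (sum)."""
    return sum(_minutes(a["picked_up"], a["closed"]) for a in alerts if not a["true_positive"])

def daily_review(alerts=ALERTS, tickets=TUNING):
    """One row of the daily metrics review."""
    return {
        "queue_wait_min": queue_wait_minutes(alerts),
        "tuning_cycle_min": tuning_cycle_minutes(tickets),
        "incident_cycle_min": incident_cycle_minutes(alerts),
        "investigation_waste_min": investigation_waste_minutes(alerts),
    }
```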
Jon Hencinski retweeted
1. Windows Defender
2. EDR
3. Automated defanging of documents
4. Disabling macros, OLE, DDE, etc.
5. Disabling Windows Script Hosting
6. Private VLANs
7. Application whitelisting
8. Users not being local admins
9. 2FA on everything
10. Up-to-date patching
https://twitter.com/jhencinski/status/1221819451617705984
#Redteam operators: Which defensive settings have you encountered that made it *super* painful for you to operate in a Windows AD environment?
As an #MDR we see *a lot* of #pentest and #redteam activity. In a recent pentest, team used Python Responder to get DA in < 4 hours. Bottom line: The mitigations for LLMNR/NBT-NS Poisoning and Relay are worth a look if you're unfamiliar.
https://attack.mitre.org/techniques/T1171/
In order: Look, learn, listen
1. *Look* for compromise. Hire 3p to perform CA.
2. *Learn* the business, its goals and how security can enable
3. *Listen*. Talk to people, learn the culture, how folks think about security
NOTE: You might have to change culture before a config https://twitter.com/j_opdenakker/status/1220994652649803776
Jon Hencinski retweeted
Here is the link to the SpecterOps Adversary Tactics: PowerShell course material: https://github.com/specterops/at-ps Enjoy! For information about our current training offerings, information can be found here: https://specterops.io/how-we-help/training-offerings (4/4)
Sweet persistence: UserInitMprLogonScript Try it: reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "cmd.exe /K" Shouldn't be on a system by default. Monitor for UserInitMprLogonScript value creation AND/OR mod. Hopefully your testing triggered an alert.
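The two detections the timeline above calls for, the parent-process analytic for wsreset.exe and the value-creation/modification monitor for UserInitMprLogonScript, run over constructed Sysmon-style events (an added example, not the authors' code; field names follow Sysmon Event ID 1 and Event ID 13, the event values and the `allowlist` hook for the one known false positive are assumptions):

```python
# Constructed Sysmon-style events (not real telemetry). EventID 1 = process create,
# EventID 13 = registry value set; field names mirror the Sysmon schema.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WSReset.exe", "User": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111\Environment\UserInitMprLogonScript",
     "Details": "cmd.exe /K", "Image": r"C:\Windows\regedit.exe", "User": "CORP\\bob"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111\Environment\Path",
     "Details": "C:\\Tools", "Image": r"C:\Windows\regedit.exe", "User": "CORP\\bob"},
]

def _basename(path):
    """Lower-cased file name of a Windows path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def wsreset_child_processes(events, allowlist=()):
    """Any process whose parent is wsreset.exe. `allowlist` (assumed hook) holds
    child image basenames the team has vetted as the known false positive."""
    return [e for e in events
            if e.get("EventID") == 1
            and _basename(e.get("ParentImage", "")) == "wsreset.exe"
            and _basename(e.get("Image", "")) not in allowlist]

def userinit_logon_script_changes(events):
    """Creation or modification of the UserInitMprLogonScript value under any user hive.
    Sysmon reports both as a value-set event, so one check covers AND/OR."""
    suffix = "\\environment\\userinitmprlogonscript"
    return [e for e in events
            if e.get("EventID") == 13
            and e.get("TargetObject", "").lower().endswith(suffix)]

def alerts(events=EVENTS, allowlist=()):
    """Run both analytics and return (rule, detail, user) tuples."""
    out = [("wsreset_parent", e["Image"], e["User"])
           for e in wsreset_child_processes(events, allowlist)]
    out += [("userinitmprlogonscript_set", e["Details"], e["User"])
            for e in userinit_logon_script_changes(events)]
    return out
```

The registry check matches on the value name under Environment rather than a fixed hive prefix, because Sysmon records HKCU writes under HKU\<SID>.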
.@christruncer's #redteam guiding principles: - Avoid macros. That's gross. - "Run" keys? You're better than that! - Use DotNetToJScript. It's awesome! /cc: @FortyNorthSec *Really* enjoying the Intrusion Ops training course thus far!
Jon Hencinski retweeted
Finding service accounts:
* Account has a SPN
* kerberos delegation configured
* password not changed in over $(Policy time)
* svc or service or SQL in name
That should help get you started.
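The four service-account heuristics from the retweet above applied to constructed directory records, so a defender can inventory which accounts deserve a password-rotation or delegation review (an added example, not the author's tooling; the attribute names mirror Active Directory, the `TRUSTED_FOR_DELEGATION` bit, the records, the 365-day stand-in for `$(Policy time)` and the two-signal threshold are assumptions):

```python
from datetime import datetime, timedelta

# userAccountControl bit for unconstrained delegation (Active Directory constant).
TRUSTED_FOR_DELEGATION = 0x80000
NOW = datetime(2020, 1, 28)  # fixed "now" so the example is deterministic

# Constructed account records (not from a real directory).
ACCOUNTS = [
    {"sAMAccountName": "svc-sql01", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "userAccountControl": 0x10200, "msDS-AllowedToDelegateTo": [],
     "pwdLastSet": datetime(2017, 3, 1)},
    {"sAMAccountName": "alice", "servicePrincipalName": [],
     "userAccountControl": 0x200, "msDS-AllowedToDelegateTo": [],
     "pwdLastSet": datetime(2019, 12, 15)},
    {"sAMAccountName": "backup-agent", "servicePrincipalName": [],
     "userAccountControl": 0x80200, "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"],
     "pwdLastSet": datetime(2018, 6, 1)},
]

def service_account_signals(acct, now=NOW, max_password_age=timedelta(days=365)):
    """Return which of the four heuristics fire for one account, in tweet order."""
    signals = []
    if acct.get("servicePrincipalName"):                       # 1. account has a SPN
        signals.append("has_spn")
    constrained = bool(acct.get("msDS-AllowedToDelegateTo"))   # 2. delegation configured
    unconstrained = bool(acct.get("userAccountControl", 0) & TRUSTED_FOR_DELEGATION)
    if constrained or unconstrained:
        signals.append("delegation_configured")
    if now - acct["pwdLastSet"] > max_password_age:            # 3. password older than policy
        signals.append("stale_password")
    name = acct["sAMAccountName"].lower()                      # 4. svc / service / sql in name
    if any(token in name for token in ("svc", "service", "sql")):
        signals.append("service_like_name")
    return signals

def likely_service_accounts(accounts=ACCOUNTS, min_signals=2):
    """Accounts with at least `min_signals` heuristics firing, with the reasons."""
    hits = {}
    for acct in accounts:
        signals = service_account_signals(acct)
        if len(signals) >= min_signals:
            hits[acct["sAMAccountName"]] = signals
    return hits
```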
Jon Hencinski retweeted
For all of you orgs that aren't logging Citrix and have to export the entire log directory... zgrep -r "nobody" * Easy button to find the first post-exploitation logs from bash.log (thanks @tfornez and @SecShoggoth). Now's a good time to get those logs pumping to [insert SIEM]
1. open PS
2. copy calc.exe c:\legit.exe
3. schtasks /s localhost /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /st 12:00 /enable /tr "c:\legit.exe"
4. Interrogate your