Jon Hencinski

@jhencinski

Director of SecOps at . Previously Mandiant/FireEye. Calc is my payload. Personal acct.

Herndon, VA
Joined September 2016

Tweets


  1. Pinned tweet
    6 Nov 2019

    Since launching our 24x7x365 SOC as a service almost two years ago we’ve achieved: ✅ +90 net promoter score ✅ 95% analyst retention rate How? 🤔 Habits. Seven, in fact — that we believe help us “SOC” the right way at .

  2. 9 hours ago

    Teach analysts how to think. Don't just hand them a runbook. What does that look like? Meet OSCAR. Not just a grouch, but also a pretty good investigative methodology: (O)rient (S)trategize (C)ollect (A)nalyze (R)ecord findings OSCAR.

  3. 17 hours ago

    ❤️? Yeah, me too! But if you're chasing a bad guy across a > 100K-node environment you're probably pivoting to your . 🤔 shares some of the (many) ways we use as our "cheat code" when responding . 👇

  4. Retweeted
    30 Jan

    1 Deactivate LLMNR/MDNS/NetBios, Remote Assistance, Remote Desktop 2 Admin silo (dedicated hosts for Admins, Prompt for Consent for non-Windows Binaries, Remote Desktop limited to hosts serving hosts/desktop via Hypervisor/VMs, no Local Admin, etc) 3 Zone & Conduit topography

  5. Retweeted
    30 Jan

    Really easy analytic for this: anything with a parent process of wsreset.exe. There's only one FP I know of and you'll find it quickly.

  6. Retweeted
    29 Jan
    Replying to

    Compromising/abusing trust relationships and lateral movement is all about multiple systems networked in an environment. Have come across internal firewalling using desktop firewalls; it makes it hard. Somehow this is so under-rated by clients in favour of third-party products.

  7. Retweeted
    28 Jan
    Replying to

    No client-to-client comm. 😈 This is why I love the Windows Firewall. Super easy to implement this, thus making lateral movement a lot harder. And again I recommend this pearl by

  8. 28 Jan

    GOAL: Spend time pursuing quality leads, efficiently. Make tech do the heavy lifting. Optimize analysts for what they're really good at: making decisions, providing recommendations, and building relationships.

  9. 28 Jan

    Broken down a bit more: ✅ Queue wait times ➡️ how long did alerts sit? ✅ Tuning cycle time ➡️ time to deploy to prod? ✅ Incident cycle time ➡️ time from "alert" to "fix" ✅ Investigation cycle time ➡️ time spent chasing bad leads ✅ Alert trend ➡️ timeseries decomp w/ Loess

  10. 28 Jan

    Hot take: A *can* be a great place to work. Fight alert fatigue with tech + effective mgmt. Use data to make decisions, empower & optimize. Daily metrics review: ✅ Queue wait times ✅ Tuning cycle time ✅ Incident cycle time ✅ Investigation cycle time ✅ Trends

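The daily metrics named in this thread (queue wait, tuning cycle time, incident cycle time, investigation cycle time), computed over a constructed alert log, as an added example that is not part of the original tweets. The record layout, the rule names, the timestamps and the choice of the median for cycle times are assumptions made for the illustration; a real SOC would pull these from its SIEM or case-management export.

```python
"""SOC daily metrics over a constructed alert log (added example)."""
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M"


def ts(s):
    return datetime.strptime(s, FMT)


# Constructed alert records (assumed layout). created = alert fired,
# picked_up = analyst opened it, closed = investigation finished,
# fixed = customer remediated (true positives only),
# verdict = "tp" (real) or "fp" (bad lead).
ALERTS = [
    {"id": "A1", "rule": "wsreset_parent", "verdict": "tp",
     "created": ts("2020-01-28 08:00"), "picked_up": ts("2020-01-28 08:07"),
     "closed": ts("2020-01-28 08:40"), "fixed": ts("2020-01-28 10:15")},
    {"id": "A2", "rule": "logon_script_reg", "verdict": "fp",
     "created": ts("2020-01-28 09:00"), "picked_up": ts("2020-01-28 09:30"),
     "closed": ts("2020-01-28 09:45"), "fixed": None},
    {"id": "A3", "rule": "logon_script_reg", "verdict": "fp",
     "created": ts("2020-01-28 09:10"), "picked_up": ts("2020-01-28 09:12"),
     "closed": ts("2020-01-28 09:50"), "fixed": None},
    {"id": "A4", "rule": "task_change", "verdict": "tp",
     "created": ts("2020-01-28 11:00"), "picked_up": ts("2020-01-28 11:20"),
     "closed": ts("2020-01-28 12:00"), "fixed": ts("2020-01-28 13:00")},
    {"id": "A5", "rule": "task_change", "verdict": "fp",
     "created": ts("2020-01-28 13:00"), "picked_up": ts("2020-01-28 13:05"),
     "closed": ts("2020-01-28 13:15"), "fixed": None},
]

# Constructed tuning tickets: requested = analyst asked for a rule change,
# deployed = the change reached production.
TUNINGS = [
    {"rule": "logon_script_reg", "requested": ts("2020-01-27 10:00"),
     "deployed": ts("2020-01-28 12:00")},
    {"rule": "old_noisy_rule", "requested": ts("2020-01-26 09:00"),
     "deployed": ts("2020-01-26 15:00")},
]


def minutes(start, end):
    return (end - start).total_seconds() / 60


def queue_wait_minutes(alerts):
    """How long did alerts sit before an analyst opened them? (median)"""
    return median(minutes(a["created"], a["picked_up"]) for a in alerts)


def incident_cycle_minutes(alerts):
    """Time from "alert" to "fix", true positives only (median)."""
    tps = [minutes(a["created"], a["fixed"]) for a in alerts if a["verdict"] == "tp"]
    return median(tps) if tps else 0.0


def investigation_cycle_minutes(alerts):
    """Analyst time burned chasing bad leads (sum over false positives)."""
    return sum(minutes(a["picked_up"], a["closed"]) for a in alerts if a["verdict"] == "fp")


def tuning_cycle_minutes(tunings):
    """Time from tuning request to production deploy (median)."""
    return median(minutes(t["requested"], t["deployed"]) for t in tunings)


def fp_rate_by_rule(alerts):
    """Share of false positives per rule: the first thing to tune tomorrow."""
    totals, fps = {}, {}
    for a in alerts:
        totals[a["rule"]] = totals.get(a["rule"], 0) + 1
        if a["verdict"] == "fp":
            fps[a["rule"]] = fps.get(a["rule"], 0) + 1
    return {rule: fps.get(rule, 0) / n for rule, n in totals.items()}


def daily_review(alerts, tunings):
    """The numbers a daily metrics review would put on the board."""
    return {
        "queue_wait_min": queue_wait_minutes(alerts),
        "tuning_cycle_min": tuning_cycle_minutes(tunings),
        "incident_cycle_min": incident_cycle_minutes(alerts),
        "investigation_cycle_min": investigation_cycle_minutes(alerts),
        "fp_rate_by_rule": fp_rate_by_rule(alerts),
    }


if __name__ == "__main__":
    for name, value in daily_review(ALERTS, TUNINGS).items():
        print(name, value)
```

Investigation cycle time is summed rather than averaged on purpose: the point of the metric is the total analyst hours lost to bad leads, which is what justifies a tuning ticket for the rule with the highest false-positive rate.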
  11. Retweeted
    28 Jan

    1. Windows Defender 2. EDR 3. Automated defanging of documents 4. Disabling macros, OLE, DDE, etc. 5. Disabling Windows Script Hosting 6. Private VLANs 7. Application whitelisting 8. Users not being local admins 9. 2FA on everything 10. Up-to-date patching

  12. 27 Jan

    👋 operators: Which defensive settings have you encountered that made it *super* painful for you to operate in a Windows AD environment?

  13. 26 Jan

    As an we see *a lot* of and activity. In a recent pentest, team used Python Responder to get DA in < 4 hours. Bottom line: The mitigations for LLMNR/NBT-NS Poisoning and Relay are worth a look if you're unfamiliar. 👇

  14. 26 Jan

    and use Windows scheduled tasks to persist and move. When responding: 1. When was the task created? 2. Which account created it? 3. What does the task do? 4. Where did the attacker come *from* to auth and create the task? Establish new leads and pursue them.

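The four triage questions in the tweet above, worked over constructed Windows Security events, as an added example that is not the author's code. It joins each task-creation event (4698) to the logon event (4624) that opened the same logon session, so the task's command line and the source host of the session come out together. The events, the flat dict field layout and the host names are constructed for the example, not a real EVTX export.

```python
"""Scheduled-task triage: 4698 (task created) joined to 4624 (logon). Added example."""
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def task_xml(command, arguments):
    """Minimal Task Scheduler XML body used to build the constructed sample."""
    body = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task" '
            'version="1.2"><Actions><Exec><Command>{}</Command>'
            '<Arguments>{}</Arguments></Exec></Actions></Task>')
    return body.format(command, arguments)


# Constructed events (assumed layout: flat dicts keyed by the EventData names).
EVENTS = [
    # Network (type 3) logon for svc_backup from 10.0.4.17 ...
    {"EventID": 4624, "TimeCreated": "2020-01-26T02:13:05Z",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "TargetLogonId": "0x3e7a21", "LogonType": 3,
     "IpAddress": "10.0.4.17", "WorkstationName": "WS-FIN-07"},
    # ... followed 95 seconds later by a task created under that session.
    {"EventID": 4698, "TimeCreated": "2020-01-26T02:14:40Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3e7a21", "TaskName": r"\Microsoft\Windows\Updater",
     "TaskContent": task_xml("cmd.exe", "/c powershell -nop -w hidden -enc SQBFAFgA")},
    # Interactive (type 2) console logon and a routine backup task.
    {"EventID": 4624, "TimeCreated": "2020-01-26T08:02:11Z",
     "TargetDomainName": "CORP", "TargetUserName": "jsmith",
     "TargetLogonId": "0x41b0c", "LogonType": 2,
     "IpAddress": "127.0.0.1", "WorkstationName": "SRV-BK-01"},
    {"EventID": 4698, "TimeCreated": "2020-01-26T08:30:00Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "SubjectLogonId": "0x41b0c", "TaskName": r"\Backup\Nightly",
     "TaskContent": task_xml(r"C:\Program Files\Backup\backup.exe", "--full")},
    # A task whose logon session has no 4624 in the export (log gap), and
    # whose action is a COM handler rather than an executable (placeholder CLSID).
    {"EventID": 4698, "TimeCreated": "2020-01-26T09:00:00Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "admin2",
     "SubjectLogonId": "0x9999", "TaskName": r"\Maint\Cleanup",
     "TaskContent": '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task" '
                    'version="1.2"><Actions><ComHandler><ClassId>'
                    '{00000000-0000-0000-0000-000000000000}</ClassId>'
                    '</ComHandler></Actions></Task>'},
]


def task_action(task_content):
    """What does the task do? Returns (command, arguments), or (None, None)
    when the action is not an <Exec> (e.g. a COM handler) and needs a look."""
    root = ET.fromstring(task_content)
    exec_el = root.find(".//%sExec" % TASK_NS)
    if exec_el is None:
        return None, None
    command = exec_el.findtext("%sCommand" % TASK_NS)
    arguments = exec_el.findtext("%sArguments" % TASK_NS) or ""
    return command, arguments


def triage_task_creations(events):
    """One lead per 4698: when, who, what, and where the session came from."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    leads = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        command, arguments = task_action(e["TaskContent"])
        logon = logons.get(e["SubjectLogonId"])   # same session that made the task
        leads.append({
            "task": e["TaskName"],
            "created": e["TimeCreated"],                                          # 1. when?
            "account": "%s\\%s" % (e["SubjectDomainName"], e["SubjectUserName"]),  # 2. who?
            "command": command, "arguments": arguments,                           # 3. what?
            # 4. where from? Type 3 with a remote IP is the pivot to the previous
            # host; None means the logon predates the export (pull older logs).
            "logon_type": logon["LogonType"] if logon else None,
            "source_ip": logon["IpAddress"] if logon else None,
            "source_host": logon["WorkstationName"] if logon else None,
        })
    return leads


def remote_task_creations(events):
    """Tasks created under a network (type 3) logon: the source_ip is the next lead."""
    return [lead for lead in triage_task_creations(events) if lead["logon_type"] == 3]


if __name__ == "__main__":
    for lead in triage_task_creations(EVENTS):
        print(lead)
```

The join key is the logon ID, not the user name: the same account can have several concurrent sessions, and only the one that created the task tells you which host to pivot to.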
  15. 25 Jan

    In order: Look, learn, listen 1. *Look* for compromise. Hire 3p to perform CA. 2. *Learn* the business, its goals and how security can enable 3. *Listen*. Talk to people, learn the culture, how folks think about security NOTE: You might have to change culture before a config

  16. Retweeted
    22 Jan

    Here is the link to the SpecterOps Adversary Tactics: PowerShell course material: Enjoy! For information about our current training offerings, information can be found here: (4/4)

  17. 17 Jan

    Sweet persistence: UserInitMprLogonScript Try it: reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "cmd.exe /K" Shouldn't be on a system by default. Monitor for UserInitMprLogonScript value creation and/or modification. Hopefully your testing triggered an alert. 😀

  18. 16 Jan

    Can you spot hijacked scheduled tasks? 🔭 1. open PS 2. copy calc.exe c:\legit.exe 3. schtasks /s localhost /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /st 12:00 /enable /tr "c:\legit.exe" 4. Interrogate your and 5. Improve

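The three detections described on this page, run over constructed Sysmon-style events, as an added example that is not the author's code: the "parent process of wsreset.exe" analytic from retweet 5, the UserInitMprLogonScript value creation or modification from tweet 17, and the hijacked scheduled task from tweet 18 (a schtasks /change that supplies a new /tr action). Field names follow Sysmon ProcessCreate (event 1) and RegistryEvent (event 13), but the flat dict layout, the SID, the user names and the rule names are assumptions made for the example.

```python
"""Three detections over constructed Sysmon-style events (added example)."""
import ntpath
import re

# Value path suffix from tweet 17; Sysmon reports HKCU keys under HKU\<SID>.
LOGON_SCRIPT_VALUE = "\\environment\\userinitmprlogonscript"
TN_ARG = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed events (assumed layout).
EVENTS = [
    # Sysmon 13: the tweet's "reg add HKCU\Environment /v UserInitMprLogonScript".
    {"EventID": 13, "UtcTime": "2020-01-17 14:02:11",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\UserInitMprLogonScript",
     "Details": "cmd.exe /K"},
    # Sysmon 1: a process whose parent is wsreset.exe.
    {"EventID": 1, "UtcTime": "2020-01-30 09:15:02",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\WSReset.exe", "User": r"CORP\jdoe"},
    # Sysmon 1: step 3 of the hijacked-task test, re-pointing a built-in task.
    {"EventID": 1, "UtcTime": "2020-01-16 10:00:00",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /s localhost /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /st 12:00 /enable /tr "c:\legit.exe"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe"},
    # Benign noise that must not fire: a normal process tree, an unrelated
    # Environment value, and a schtasks /change that only re-enables a task.
    {"EventID": 1, "UtcTime": "2020-01-30 09:20:00",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"EventID": 13, "UtcTime": "2020-01-30 09:21:00",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\Path",
     "Details": r"C:\Tools"},
    {"EventID": 1, "UtcTime": "2020-01-30 09:22:00",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /change /tn "\Backup\Nightly" /enable',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\backupadmin"},
]


def arg_value(pattern, command_line):
    """Value of a quoted or bare schtasks argument, or None if absent."""
    m = pattern.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def rule_logon_script_persistence(e):
    """Tweet 17: the value should not exist by default, so any set is a lead."""
    return e["EventID"] == 13 and e["TargetObject"].lower().endswith(LOGON_SCRIPT_VALUE)


def rule_wsreset_child(e):
    """Retweet 5: anything with a parent process of wsreset.exe."""
    return e["EventID"] == 1 and ntpath.basename(e["ParentImage"]).lower() == "wsreset.exe"


def rule_task_action_changed(e):
    """Tweet 18: schtasks /change that supplies a new /tr (task run) action.
    A /change without /tr (e.g. only /enable) is routine and is not flagged."""
    if e["EventID"] != 1 or ntpath.basename(e["Image"]).lower() != "schtasks.exe":
        return False
    cl = e["CommandLine"]
    return re.search(r"/change\b", cl, re.IGNORECASE) is not None and TR_ARG.search(cl) is not None


RULES = {
    "logon_script_persistence": rule_logon_script_persistence,
    "wsreset_child_process": rule_wsreset_child,
    "scheduled_task_action_changed": rule_task_action_changed,
}


def summarize(rule, e):
    """One-line summary an analyst can read from the alert queue."""
    if rule == "logon_script_persistence":
        return "%s set %s = %s" % (ntpath.basename(e["Image"]), e["TargetObject"], e["Details"])
    if rule == "wsreset_child_process":
        return "%s -> %s (%s)" % (e["ParentImage"], e["CommandLine"], e["User"])
    cl = e["CommandLine"]
    return "task %s now runs %s (%s)" % (arg_value(TN_ARG, cl), arg_value(TR_ARG, cl), e["User"])


def detect(events):
    """Run every rule over every event; hits come back in event order."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append({"rule": name, "time": e["UtcTime"], "summary": summarize(name, e)})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["time"], hit["rule"], hit["summary"])
```

Each rule checks the event ID before touching event-specific fields, so a registry event never trips a KeyError in a process rule; the task rule deliberately keys on the presence of a new /tr value rather than on /change alone, which is the difference between "someone re-enabled a task" and "someone re-pointed what it runs".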
  19. 15 Jan

    . 's guiding principles: - Avoid macros. That's gross. - "Run" keys? You're better than that! - Use DotNetToJScript. It's awesome! /cc: *Really* enjoying the Intrusion Ops training course thus far!

  20. Retweeted
    15 Jan
    Replying to

    Finding service accounts: * Account has a SPN * kerberos delegation configured * password not changed in over $(Policy time) * svc or service or SQL in name That should help get you started. 👍

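The retweeted checklist above (account has an SPN, Kerberos delegation configured, password not changed within policy, svc/service/SQL in the name) applied to constructed directory records, as an added example that is not the author's code. The account records are constructed for the illustration and the example does not query a directory; in practice the same attributes come from an LDAP query for servicePrincipalName, userAccountControl / msDS-AllowedToDelegateTo and pwdLastSet, which is assumed here. Scoring by how many of the four indicators match is this example's own refinement.

```python
"""Likely service accounts from directory attributes (added example)."""
from datetime import date
import re

NAME_HINT = re.compile(r"svc|service|sql", re.IGNORECASE)
AS_OF = date(2020, 1, 15)   # date the constructed records were "pulled"

# Constructed account records (assumed layout):
# sam = sAMAccountName, spns = servicePrincipalName values,
# delegation = None / "unconstrained" / "constrained", pwd_last_set = pwdLastSet.
ACCOUNTS = [
    {"sam": "svc_sql", "spns": ["MSSQLSvc/db01.corp.local:1433"],
     "delegation": "unconstrained", "pwd_last_set": date(2017, 3, 1)},
    {"sam": "jsmith", "spns": [], "delegation": None, "pwd_last_set": date(2020, 1, 2)},
    {"sam": "backup-service", "spns": [], "delegation": None, "pwd_last_set": date(2018, 6, 1)},
    {"sam": "bob", "spns": [], "delegation": "constrained", "pwd_last_set": date(2019, 12, 1)},
    {"sam": "sqlreport", "spns": [], "delegation": None, "pwd_last_set": date(2020, 1, 10)},
]


def service_account_reasons(acct, as_of, max_pwd_age_days):
    """Which of the four checklist items match this account, with evidence."""
    reasons = []
    if acct["spns"]:
        reasons.append("has SPN: " + ", ".join(acct["spns"]))
    if acct["delegation"]:
        reasons.append("%s delegation configured" % acct["delegation"])
    age_days = (as_of - acct["pwd_last_set"]).days
    if age_days > max_pwd_age_days:
        reasons.append("password not changed in %d days (policy: %d)" % (age_days, max_pwd_age_days))
    if NAME_HINT.search(acct["sam"]):
        reasons.append("name matches svc/service/sql")
    return reasons


def find_service_accounts(accounts, as_of, max_pwd_age_days):
    """Accounts matching at least one item, strongest (most indicators) first."""
    found = []
    for acct in accounts:
        reasons = service_account_reasons(acct, as_of, max_pwd_age_days)
        if reasons:
            found.append({"sam": acct["sam"], "score": len(reasons), "reasons": reasons})
    found.sort(key=lambda r: (-r["score"], r["sam"]))
    return found


if __name__ == "__main__":
    for hit in find_service_accounts(ACCOUNTS, AS_OF, 90):
        print(hit["score"], hit["sam"], "; ".join(hit["reasons"]))
```

The name match is the weakest signal and the SPN the strongest, so review the list from the top: an account with an SPN, delegation and a years-old password is the one to look at first, regardless of what it is called.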
  21. Retweeted
    14 Jan

    For all of you orgs that aren't logging Citrix and have to export the entire log directory... zgrep -r "nobody" * Easy button to find the first post-exploitation logs from bash.log (thanks and ). Now's a good time to get those logs pumping to [insert SIEM]

