Justin Warner

@sixdub

Security Engineer | Data Analysis | Threat Research | Adversary Emulation | Red Teamer | PowerShell Empire Dev | Reverse Engineer

sixdub.net
Joined March 2012
19 Photos and videos Photos and videos

Tweets

You blocked @sixdub

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @sixdub

  1. Pinned Tweet
    Jul 11

    New blog post that I co-authored with on some threat research the team at has done

    2 replies 36 retweets 67 likes
  2. Dec 21

    Want to read more on true attribution. I am a fan of this post by :

    5 retweets 7 likes
    Show this thread
    Show this thread
  3. Dec 21

    Dismissing the value of "attribution" is common in the commercial space, typically referring to "true attribution". It is valuable for people to understand that there are diff types of attribution. IMO, associating threat activity w/known campaigns or TTPs is useful tactically

    1 reply 4 likes
    Show this thread
    Show this thread
  4. Dec 19

    Everyone go read this! Detection strategy is a super interesting area of research/study. I love the idea of this framework and documentation to ensure better knowledge of detection capability.

    We've open sourced our framework for developing alerting and detection strategies for incident response. We have also included several internal strategies as examples to spur greater sharing and collaboration with defenders.
    5 retweets 21 likes
  5. Retweeted
    Dec 12

    Our CEO serving chicken and waffles this morning at ICEBRG HQ.

    2 replies 5 retweets 21 likes
  6. Dec 8

    Love it! I have talked to several red teams, about the concept of "counter intel" where they monitor popular Intel sources and feeds for the presence of their indicators as a tip off. Addtl training audience and value. Helps ensure real bad guys might not be getting tips...

    Did you know that when your security sandbox/appliance submit only the file hash "in the cloud", you let real attackers know that their target received the dropper?
    11 retweets 18 likes
  7. Retweeted
    Dec 8

    It’s Q4. If you are in a pentest sweat shop questioning if your work is valued while you double book your time through the holidays, know there are better options. Our pentesters matter, we take our findings seriously, and we work as a team.

    2 replies 33 retweets 43 likes
  8. Retweeted
    Dec 6

    Analytic trust is critical. Analysts and enterprises must trust their analytics for them to be useful. One component of that trust is outcome transparency - why did it do what it did? Can the outcome be validated?

    1 reply 3 retweets 13 likes
  9. Dec 5

    I love looking at a histogram of activity to C2 servers during an IR and seeing the dip on the weekends. There really are humans on the other side! They too have habits and flaws.

    5 replies 7 retweets 24 likes
  10. Retweeted
    Dec 3

    As a red teamer, if you ever have the opportunity to work a threat hunting or IR engagement, you should jump at the opportunity! You will be humbled by the challenges defenders deal with at scale and you will gain valuable insight into how they baseline normal and triage alerts.

    19 replies 139 retweets 445 likes
  11. Retweeted
    Dec 1

    Atomic Sysmon configs individually mapped to the ATT&CK Matrix anyone? is on fire! All this now requires is a little code to enable selective merging of technique detections. Detection unit testing FTW! /cc

    9 replies 330 retweets 558 likes
  12. Dec 1

    Seriously everyone... Read this thread. It is extremely insightful and reminds me in many ways of the eye opening experiences I had early on. Also, it's a fun read!

    Reading today reminded me how I got my start in in 2008 investigating FIN1. Let's take a walk down memory lane.
    Show this thread
    5 retweets 13 likes
  13. Nov 30

    Been working a lot with Scala and Spark. Just when I got comfortable with it, I had to analyze some PowerShell and realized how much I missed it.

    3 likes
  14. Retweeted
    Nov 27

    The British forging German ration cards and dropping them over Germany during WW2 is my new favorite attack. Subversive exploitation of human nature to target the state. Clever af

    18 replies 221 retweets 748 likes
    Show this thread
    Show this thread
  15. Retweeted
    Nov 20

    {Blog} Some Comments and Thoughts on Tradecraft

    4 replies 91 retweets 158 likes
  16. Retweeted
    Nov 18

    Cypher – the SQL for Graphs – Is Now Available for Apache Spark

    8 retweets 19 likes
  17. Nov 17

    Great post with some thoughts on detection authoring using Apache Struts as an example. We saw it used in the wild but current sigs weren't detecting... Credit to

    6 retweets 7 likes
  18. Retweeted
    Nov 16

    Huge thanks to a great group from who worked literally until dusk today restoring the urban forest at Delridge and Myrtle!

    1 reply 9 retweets 13 likes
  19. Retweeted
    Nov 15

    SMB and dce_rpc support finally coming to Suricata!

    4 retweets 1 like
  20. Nov 11

    I typically only use this for infosec stuff but ... Must give a shout out to a friends restaurant, Sadies BBQ in Pearl City, Oahu. If you like local style Korean food and are in HI, check it out!

    4 replies 10 likes
  21. Retweeted
    Nov 10

    Most PE files under System32 and SysWOW64 are hard links to the real file under \Windows\WinSxS\. This query finds files that do not match that pattern - defenders, you might want to take a closer look at these across your fleet.

    gci c:\windows\system32 -filter *.exe | %{ = $_.fullname; fsutil hardlink list $_.fullname | measure | ?{ $_.count -eq 1 } | %{ get-authenticodesignature | select IsOSBinary,Status,StatusMessage,Path,SignerCertificate | fl }}
    7 replies 294 retweets 668 likes

@sixdub hasn't Tweeted yet.

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·