David French

@threatpunter

Security Research | 💙🎣⛰🍻 | Threat Hunting | DFIR

Colorado
Joined: October 2014

Tweets


  1. Retweeted
    7 hours ago

    Reserve your spot! (And your badge 😉). Get your tickets for here: Friday, March 20, 2020 - Workshops & Trainings; Saturday, March 21, 2020 - Sessions & Villages; By the People, For the People!

  2. 17 Jan

    My favorite response and something that I will try the next time anyone sings happy birthday to me: "Sing back under your breath and make eye contact with only one person"

  3. Retweeted
    15 Jan

    Fun fact for the day: IntegrityLevel within process creation events provides context to detection opportunities. Example: Open powershell as administrator, the integrity is "High". Processes running under that process will now be high as well. (1/5)

  4. Retweeted
    15 Jan

    I'm hiring a security research engineer: we track adversaries, research emerging threats, give back to the community, and provide detection logic for products. read more or apply:

  5. Retweeted
    13 Jan

    attack frameworks and tools continue to be leveraged by criminal groups and nation state actors. Find new ways to build behavioral detections against post-exploitation frameworks such as using Event Query Language (EQL) in this post →

  6. Retweeted
    19 Dec 2019

    The DCART (Decoupled Components for Automated Ransomware Testing) github repo is now live and I swear that the code actually works!

  7. Retweeted
    11 Dec 2019

    This year I learned about Event Query Language (EQL) from (Ross Wolf). It has quickly become an indispensable tool for analyzing Windows Event Logs. It has a bit of a learning curve, so I wrote an article to help people get started:

  8. Retweeted
    10 Dec 2019

    Someone asked if you could use to hunt C2 over DNS with a high number of subdomains. Here's one way: dns where query_name == "*.*.*" | unique query_name /* extract after the first dot */ | count substring(query_name, indexOf(query_name, ".")) | filter count > 100

  9. 6 Dec 2019

    Check out the EQL Analytics Library for over 100 open source security analytics:

  10. 6 Dec 2019

    Unless you have VBA macro-enabled Office documents in your environment that create or modify Windows scheduled tasks, this behavior should not occur often.

  11. 6 Dec 2019

    The following EQL query matches a Microsoft Office application loading the Windows Task Scheduler COM API (taskschd.dll) in order to create or modify a scheduled task.

  12. 6 Dec 2019

    Example 2: In an attempt to evade detection, adversaries sometimes include VBA code in Office documents to create a scheduled task for persistence without using the native scheduled tasks (schtasks.exe) utility.

  13. 6 Dec 2019

    This EQL () query matches events where vaultcli.dll is loaded by a process that is not vaultcmd.exe. This behavior is suspicious and should be investigated.

  14. 6 Dec 2019

    Example 1: Windows Credential Manager (vaultcmd.exe) loads vaultcli.dll so that users can manage saved credentials. This behavior is normal, however some such as abuses the functions of this DLL to steal credentials.

  15. 6 Dec 2019

    Adversaries will often write malicious code to import functions from Windows or 3rd party software DLLs in order to evade detection and help them achieve their objectives such as stealing passwords or establishing persistence on a target endpoint.

  16. 6 Dec 2019

    Image load events can be utilized to monitor which DLLs are loaded by running processes and build high efficacy detections for adversary tradecraft and malware.

  17. Retweeted
    4 Dec 2019

    I love reading this, and how much we are investing, thanks to the wonderful addition of the Endgame team to our security efforts, so much we can do and help our users now and moving forward

  18. Retweeted
    4 Dec 2019
  19. Retweeted
    4 Dec 2019

    We recently saw dropped via software. Here's a rule to detect the PE/DLL, we generated this from observed strings in memory from these process injection alerts.

  20. 4 Dec 2019

    Check out EQLlib for over 100 open source security analytics:

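The image-load thread (tweets 10 to 16) and the DNS subdomain tweet (tweet 8) describe three EQL analytics in prose. The following added example is not from the author or from the EQL project; it restates those three analytics as plain Python functions run over constructed image-load and DNS events, so the matching logic can be read and tested without an EQL engine. The field names process_name, dll_name and query_name, the OFFICE_APPS set and all event values are assumptions chosen for illustration.

```python
"""Three detections from the thread, written as plain Python over dict events.

Example 1: vaultcli.dll loaded by a process other than vaultcmd.exe.
Example 2: a Microsoft Office application loading taskschd.dll.
DNS hunt:  many distinct subdomains under one parent name (count > 100).

Added example, not the EQL project's code. All events below are constructed.
"""
from collections import Counter

# Constructed image-load events (field names are assumptions, not a real schema).
IMAGE_LOAD_EVENTS = [
    {"process_name": "vaultcmd.exe",  "dll_name": "vaultcli.dll"},  # expected, benign
    {"process_name": "rundll32.exe",  "dll_name": "vaultcli.dll"},  # suspicious loader
    {"process_name": "winword.exe",   "dll_name": "taskschd.dll"},  # Office + scheduler COM
    {"process_name": "winword.exe",   "dll_name": "mso.dll"},       # ordinary Office DLL
    {"process_name": "excel.exe",     "dll_name": "taskschd.dll"},  # Office + scheduler COM
    {"process_name": "schtasks.exe",  "dll_name": "taskschd.dll"},  # native utility, benign
]

# Assumed list of Microsoft Office image names used to scope Example 2.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}


def suspicious_vaultcli_loads(events):
    """Example 1: vaultcli.dll loaded by anything that is not vaultcmd.exe."""
    return [
        e for e in events
        if e["dll_name"].lower() == "vaultcli.dll"
        and e["process_name"].lower() != "vaultcmd.exe"
    ]


def office_taskschd_loads(events):
    """Example 2: an Office application loading the Task Scheduler COM API DLL."""
    return [
        e for e in events
        if e["dll_name"].lower() == "taskschd.dll"
        and e["process_name"].lower() in OFFICE_APPS
    ]


def make_dns_events():
    """Constructed DNS query events: one parent name with 150 distinct labels
    (each queried twice, to exercise the 'unique' step), a small benign parent,
    and a name without two dots that the "*.*.*" pattern should not match."""
    events = []
    for i in range(150):
        name = f"{i:08x}.tunnel.example"  # constructed, not a real domain
        events.append({"query_name": name})
        events.append({"query_name": name})  # duplicate lookup
    for i in range(5):
        events.append({"query_name": f"asset{i}.cdn.example"})
    events.append({"query_name": "localhost"})
    return events


DNS_EVENTS = make_dns_events()


def high_subdomain_counts(events, threshold=100):
    """DNS hunt from the tweet, step by step:
    dns where query_name == "*.*.*"          -> names with at least two dots
    | unique query_name                      -> de-duplicate names
    | count substring(query_name, indexOf(query_name, "."))
                                             -> group by the part after the first dot
    | filter count > threshold               -> keep only high-volume parents
    Returns {parent_name: distinct_subdomain_count}.
    """
    names = {e["query_name"].lower() for e in events
             if e["query_name"].count(".") >= 2}
    by_parent = Counter(name[name.index(".") + 1:] for name in names)
    return {parent: n for parent, n in by_parent.items() if n > threshold}


if __name__ == "__main__":
    for hit in suspicious_vaultcli_loads(IMAGE_LOAD_EVENTS):
        print("Example 1 hit:", hit)
    for hit in office_taskschd_loads(IMAGE_LOAD_EVENTS):
        print("Example 2 hit:", hit)
    print("DNS hunt:", high_subdomain_counts(DNS_EVENTS))
```

Run as a script it prints the rundll32.exe vaultcli.dll load, the two Office taskschd.dll loads, and tunnel.example with 150 distinct subdomains; schtasks.exe, vaultcmd.exe, the small cdn.example parent and the dotless name all fall through, which mirrors the baselining point made in tweet 10 about scoping to behaviour that should be rare.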