Chris

How sure are you that "(Verified) Microsoft Windows" refers to a program that actually originates from Microsoft? Code Signing Certificate Cloning Attacks and Defenseshttps://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec …

Another instance where @mattifestation encourages us to rethink our views on digital signature validation.https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec …

[Get-Doppelgangers] - Powershell script to detect process and dll doppelganging https://gist.github.com/dezhub/6d2a3ced01aaf081da841f4761455c5f … thx @hasherezade for the poc!

We've open sourced our framework for developing alerting and detection strategies for incident response. We have also included several internal strategies as examples to spur greater sharing and collaboration with defenders.https://medium.com/@palantir/alerting-and-detection-strategy-framework-52dc33722df2 …

Are you really ready for #ThreatHunting? What does your data look like? Data Availability != Data Quality @SpecterOps @MITREattackhttps://posts.specterops.io/ready-to-hunt-first-show-me-your-data-a642c6b170d6 …

Several weeks of research and several cease and desist letters later - the longest research paper I've ever written is now out. Read about the never-ending tale of OSX/Pirrit -https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active …

Our February training offering of Adversary Tactics: Red Team Operations is officially sold out. Waitlist is available. More course offerings to be announced shortly.https://specterops-atrto.eventbrite.com 

Today I'm releasing Detection Lab, a personal project that uses Packer & Vagrant to quickly stand up up a fully customizable Windows Active Directory loaded with security tooling and some logging best practices. Blog: https://medium.com/@clong/introducing-detection-lab-61db34bed6ae … Github:https://github.com/clong/DetectionLab …

I did a quick write-up on my method of getting BadIntent for Android set up.http://blog.obscuritylabs.com/badintent-setup/ …

[blog] Designing Effective Covert Red Team Attack Infrastructurehttps://posts.specterops.io/designing-effective-covert-red-team-attack-infrastructure-767d4289af43 …

Domain Fronting with #Meterpreterhttps://bitrot.sh/post/30-11-2017-domain-fronting-with-meterpreter/ …

Atomic Sysmon configs individually mapped to the ATT&CK Matrix anyone? https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/attack_matrix/windows/sysmon_configs … @Cyb3rWard0g is on fire! All this now requires is a little code to enable selective merging of technique detections. Detection unit testing FTW! #DFIR /cc @subTee

Our resident application whitelisting breaker/expert, @mattifestation shows us the steps involved in developing one of the most strict types of Device Guard code integrity policies.https://posts.specterops.io/adventures-in-extremely-strict-device-guard-policy-configuration-part-1-device-drivers-fd1a281b35a8 …