Den Iuzvyk (@duzvik)'s Twitter Profile

Den Iuzvyk

@duzvik

security

ID: 158298949

Joined: 22-06-2010 08:58:46

810 Tweets

513 Followers

710 Following

Andrii Bezverkhyi (@andriinb)

Starting today, if you know one of the SIEM, EDR or Data Lake languages, you know them all!
Dear industry, please meet RootA roota.io

RootA is a public-domain language for collective cyber defense, created to make threat detection, incident response, and actor…

Andrii Bezverkhyi (@andriinb)

Florian Roth Ross Haleliuk Florian Roth your comment is very far from the truth my friend. I’ll drop some facts tomorrow. Maybe in some parallel reality you can state things like that, but in this timeline, on this planet, I publicly ask you to not spread misinformation about me and my team’s contribution to…

✞ inversecos🩸 (@inversecos)

1\ #ThreatHunting for APT abuse of Exchange

APT Exchange abuse has been a common theme with techniques ranging from:
> Compiled DLL OWA backdoors
> .req webshells
> EWS / Legacy auth abuse
> Log / File deletion

TL;DR below or check out the full blog 👇👇
inversecos.com/2022/07/huntin…

tlansec (@tlansec)

✅ Exploitation of 0⃣ day at the time?
✅ Web🐚s involved?
✅ DNS MiTM? 👨‍🏭

It can only mean one thing.

Volexity blog:

volexity.com/blog/2022/06/1…

Tzah Pahima (@TzahPahima)

I was able to access thousands of companies’ passwords on and run code on their VMs.
This includes access to Microsoft’s own credentials… 💣

Here’s HOW I did it.
This is the story of . (1/11)

Andrii Bezverkhyi (@andriinb)

An adapted translation of the wartime cyber defense best practices from SANS Shields UP: Six Defensive Techniques to Make Your Attackers Cry: Russia and Ukraine Cyber Crisis. Please share it with everyone involved in IT in Ukraine.
linkedin.com/pulse/shields-…

HackerHub CERT-UA UnderDefense LLC

Ring3API 🇺🇦 We Are Fighting For Our Land (@ntlmrelay)

📌My Quick and Dirty script for defenders to prepare an ANY.RUN sandbox (cmdline/powershell logging, audit) and grab those logs after execution for additional analysis and rule creation.

➡️gist.github.com/devnullz/55bad…

TrustedSec (@TrustedSec)

Senior Security Consultant Jean gives us the first comprehensive resource about all things . This guide covers a range of techniques from most common to the lesser-known.

hubs.la/Q013rK9g0

Félix Aimé (@felixaime)

⚠️Following the dnspy[.]net case, here is a list of domains owned by the same threat actor. The campaign spreading backdoored installers is STILL ONGOING, and targeting several open source projects: ↘️ (h/t Sekoia.io) [1/6]

Andy Robbins (@_wald0)

I’m a firm believer in the (cliche) adage, “Outcomes, not output.” It’s not about the number of lines of code you wrote in 2021, but the impact those lines of code had - the outcomes they created. Here are 5 small things you can do in 2022 to create big AD security outcomes:

Lars Karlslund - mucking around with your AD (@lkarlslund)

Your Azure AD Connect server ... it's a Tier 0 asset. Why? Because the Azure AD account it contains can probably compromise your entire tenant. If you use inbound password sync, the AD account it uses can potentially cost you your AD too. 1/7

Jared Atkinson (@jaredcatkinson)

🧵
A user in the Bloodhound Slack asked a question about how they could start approaching the task of detecting BH (Sharphound) and it inspired me to write my thoughts on the matter. Since it is buried as a random thread in Slack, I figured I'd share it here as a thread.

Frank Boldewin (@r3c0nst)

Blueteamers should read about Windows Syscalls and how they can bypass security solutions, as Redteamers and #malware authors make use of them to stay under the radar. Nice writeup by @m0rv4i #DFIR

mpgn (@mpgn_x64)

Lately, two new tools for dumping the lsass process have come up: HandleKatz and nanodump 👀

I've integrated them into CrackMapExec as modules:
1⃣ -M handlekatz
2⃣ -M nanodump
3⃣ -M procdump (as bonus 😝)
(dmp parsed by pypykatz from SkelSec )

Available on Porchetta Industries 🪂

Red Canary (@redcanary)

New from Jonny Johnson: MSRPC to ATT&CK is an encyclopedia of comprehensive context about specific Remote Procedure Call protocols. redcanary.com/blog/msrpc-to-…
