Discover and read the best of Twitter Threads about #AdvancedPractices


FLARE #AdvancedPractices has a rep of being a rowdy, hell raising analyst squad (in a nice, fun way). Our culture is to challenge our company norms, demand excellence, take risks, make mistakes, fail & succeed repeatedly. It's who we are.

A #FF of some teammates & team friends:
@ItsReallyNick and @danielhbohannon taught me to $DoTheNeedful, whether I was asked to or not, Ship It and See What Happens

@reesespcres taught me to take chances and make bold moves in our production infrastructure, to innovate despite seemingly-immobile technology
@_gormaniac_ & @x04steve taught me to love automations

@ramen0x3f @bwithnell taught me to ask better questions of my data

@3dRailForensics @Isifmobile @ReginaElwell taught me to value quality, and aspire to higher standards

@BakedSec taught me to be a bit nicer
🆕 Job Update: I'm joining @Microsoft!

On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF

My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅

Also:
I'm going to lean on (& try¹ to contribute to) teams across the MS security family:
@MicrosoftMTP crew w/ @jepayneMSFT @endisphotic @GossiTheDog et al🤩
@msftsecresponse w/ the awesome @n0x08
@Lee_Holmes for everything Azure

¹if I say it here, it has to happen right?😉
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
Hey #ATTACKcon here's a recap of
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards – #Guardies 🏆
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices 🦅 Adversary Methods team where we "reverse engineer" attacker techniques...
Why a lightning talk on Execution Guardrails (#T1480)?
• We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
• Smart people suggest that guardrails are correlated with adversary sophistication
• 💂🛤️ are fun! ...
Guardrail Definition & Detection Concepts
$coverage = /de(fini|tec)tion/

The unique combination of behaviors that define guardrailing – and their order – can be used to detect it.

Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing...
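An added example, not code from the thread or from the talk it recaps: a toy environment-keyed guardrail placed next to a detector that keys on the order of behaviours the recap describes (environment query, hash, compare, exit with nothing else in between). The trace vocabulary, the XOR "sealing", the harmless payload and every name here are assumptions for illustration; the point is that the ordered combination, not any single API call, is what separates a guardrail from the stage-1 recon pitfall above.

```python
import hashlib
from itertools import cycle

# --- Side 1: an environment-keyed guardrail (toy, harmless payload) --------------

def derive_key(env_value: str) -> bytes:
    """Key derived from a target-specific value (assumed: a domain name). Nothing
    about the intended environment is stored in the clear; only a hash of the
    derived key travels with the sample."""
    return hashlib.sha256(env_value.strip().lower().encode()).digest()

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR against the repeated 32-byte key: fine for a demo of the
    keying idea, not a cipher you would ship."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def build_guardrailed(payload: bytes, target_env: str):
    """Returns (key_check, sealed_payload): what an operator would embed."""
    key = derive_key(target_env)
    return hashlib.sha256(key).hexdigest(), xor_stream(payload, key)

def guardrailed_run(observed_env: str, key_check: str, sealed: bytes):
    """The guardrail proper: derive, hash, compare, and on mismatch exit doing
    nothing observable. Also returns the behaviour trace so the detection side
    below can reason about order (assumed trace vocabulary)."""
    trace = ["env_query"]
    key = derive_key(observed_env)
    trace.append("hash")
    trace.append("compare")
    if hashlib.sha256(key).hexdigest() != key_check:
        trace.append("exit")
        return None, trace
    trace.append("decode")
    trace.append("execute")
    return xor_stream(sealed, key), trace

# --- Side 2: detection on the ordered combination of behaviours -----------------

GUARDRAIL_PATTERN = ("env_query", "hash", "compare", "exit")
# Behaviours that mean the process did real work before exiting (assumed set).
NOISE = {"file_read", "net_connect", "registry_write"}

def in_order(trace, pattern) -> bool:
    """True if every step of pattern appears in trace in that order."""
    it = iter(trace)
    return all(any(step == want for step in it) for want in pattern)

def looks_guardrailed(trace) -> bool:
    """Flag traces where an environment query is hashed, compared and followed
    by an exit with no other meaningful activity first. Stage-1 recon that
    queries the environment and then beacons does not match, because a
    net_connect sits before the exit."""
    if not in_order(trace, GUARDRAIL_PATTERN):
        return False
    end = trace.index("exit")
    return not any(step in NOISE for step in trace[:end])

if __name__ == "__main__":
    check, sealed = build_guardrailed(b"hello from the target", "CORP.EXAMPLE")
    out, t = guardrailed_run("corp.example", check, sealed)
    print("right environment:", out, "guardrail flagged:", looks_guardrailed(t))
    out, t = guardrailed_run("sandbox.local", check, sealed)
    print("wrong environment:", out, "guardrail flagged:", looks_guardrailed(t))
```

The "legitimate guardrailing" pitfall from the recap survives this logic untouched: a licence check that hashes the hostname and exits produces the same trace, so the detector is a hunting lead that needs the surrounding context (who dropped the binary, what it does when the key matches), not a verdict on its own.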
🆕 Microsoft.Workflow.Compiler sample with low VT detection!
1⃣C:\ProgramData\ccm_deploy.xml 🧐
MD5 fb98cddfa2e13334989d27d1b5b7cdda
VT (0/56): virustotal.com/gui/file/8b6d8…
2⃣Loads C:\ProgramData\package.xml
MD5 a916ca1d57d9c3b2627907ab68a264fe
VT (1/58): virustotal.com/gui/file/9a8b5…
[1/4]
I uploaded both to @virusbay_io: beta.virusbay.io/sample/browse/…

and the extracted payload to @anyrun_app: app.any.run/tasks/35c09520…

STDOUT:
Injection Target Process = %ProgramFiles%\Internet Explorer\iexplore.exe
PPID Spoof Parent = True
PPID Spoof Process = explorer
Returned true
[2/4]
@virusbay_io @anyrun_app More info on @mattifestation's method:
1⃣ My favorite implementation uploaded publicly is this Excel file (probably authored by @egyed_laszlo):
2⃣ The first workflow VT sample uploaded was ~1 year ago:

^plus background & links
[3/4]
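An added example (not the thread author's code, and not FireEye's): a process-creation check for Microsoft.Workflow.Compiler.exe invoked with XML arguments, which is the usage the thread describes, plus a namespace-agnostic look into a serialized CompilerInput XML for the source file it loads. The event records, paths and XML skeleton are constructed; the Sysmon-style field names, the `files/string` element names and the "source file that is not .cs/.vb" heuristic are assumptions, not taken from the sample on the page.

```python
import re
import xml.etree.ElementTree as ET

WORKFLOW_COMPILER = "microsoft.workflow.compiler.exe"

# Constructed Sysmon-style process-creation records (assumption: Event ID 1 field
# names). The second record is what the PPID-spoofed injection target looks like:
# iexplore.exe with explorer.exe as its apparent parent, i.e. entirely benign.
EVENTS = [
    {
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" C:\ProgramData\ccm_deploy.xml C:\ProgramData\ccm_result.xml',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\u\notes.xml',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

def tokenize(cmdline: str):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_workflow_compiler(event):
    """Microsoft.Workflow.Compiler.exe takes a serialized CompilerInput XML and an
    output path, so two positional arguments with an .xml among them is the shape
    to hunt; the binary has no business running in most environments at all."""
    if basename(event["Image"]) != WORKFLOW_COMPILER:
        return None
    args = tokenize(event["CommandLine"])[1:]
    if len(args) >= 2 and any(a.lower().endswith(".xml") for a in args):
        return {
            "rule": "workflow_compiler_xml_input",
            "input": args[0],
            "output": args[1],
            "parent": basename(event["ParentImage"]),
        }
    return None

def analyze(events):
    return [f for f in (flag_workflow_compiler(e) for e in events) if f]

# Constructed skeleton of a serialized CompilerInput. Assumption: the list of
# source files is a <files> element holding <string> children; namespaces are
# ignored so the check survives prefix changes.
SAMPLE_INPUT_XML = """<CompilerInput xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
  <files xmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
    <a:string>C:\\ProgramData\\package.xml</a:string>
  </files>
</CompilerInput>"""

def local_name(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]

def compiler_input_sources(xml_text: str):
    """Every path listed as a source file in the CompilerInput, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        if local_name(el.tag) == "files":
            found.extend((c.text or "").strip() for c in el if local_name(c.tag) == "string")
    return found

def suspicious_sources(xml_text: str):
    """Source files that do not look like source: handing an .xml (or .txt) path
    to a compiler is the tell that the 'config' is really code (heuristic)."""
    return [p for p in compiler_input_sources(xml_text) if not p.lower().endswith((".cs", ".vb"))]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
    print("compiled from:", suspicious_sources(SAMPLE_INPUT_XML))
```

Only the first record fires. The iexplore.exe record is the caveat: once the payload has injected with a spoofed parent, process-creation telemetry shows a browser started by explorer.exe, so the compiler invocation (or the XML on disk) is where the detection has to land, not the injection stage.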
🎟️🍿Movie Night: "Between Two Steves"
🆕#StateOfTheHack

@cglyer & I chat with the top two Steves from #AdvancedPractices 🦅: @stonepwn3000 & @stvemillertime to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.
pscp.tv/w/1YpJkYjBleMKj
@cglyer @stonepwn3000 @stvemillertime 🗣️
• tracking the groups and techniques that matter
• recent #FIN7 events: fireeye.com/blog/threat-re…
• recent #AdvancedPractices team research, including PDB dossier & summit talks on proactive identification of C2, deep code signing research, and rich header hunting at scale...
We highlight a favorite talk
🍎 𝗟𝗶𝘃𝗶𝗻𝗴 𝗼𝗳𝗳 𝘁𝗵𝗲 𝗢𝗿𝗰𝗵𝗮𝗿𝗱 🍎
by @williballenthin, @nicastronaut, @HighViscosity
revealing TTPs & artifacts left behind from the million mac engagement
fireeye.com/blog/threat-re…
We kinda want to do a full #StateOfTheHack on that one...
🤙💰 Mahalo FIN7: fireeye.com/blog/threat-re…
• On several on-going investigations we saw #FIN7 trying to retool 🏄🏼
• Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
• Hunting for #BOOSTWRITE and #RDFSNIFFER 💳
.@josh__yoder & I stayed up much of the night to get this blog out.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5…
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.
#FIN7's code signing certificate is purportedly from Mango Enterprise Limited in the UK.
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft 😜: maps.app.goo.gl/MbznDeJPHJr4n5…

We analyze & discuss how to find the certificate anomalies!
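An added example, not code from the thread or from the FireEye blog it links: a hunt for the DLL search order hijack shape described above, run over a constructed file inventory rather than a live host. It flags a DLL sitting beside an application executable that shares its name with a DLL in System32 but has a different hash, and it records (rather than trusts) the signer, because the thread's point is that the hijacking DLL was signed and still a backdoor. Directory names, hashes and signer strings are all made up for the demo; the System32 path and the `.dll`/`.exe` conventions are the only real things in it.

```python
import hashlib
from typing import Dict, Tuple, Optional

SYSTEM32 = r"C:\Windows\System32"

# Constructed inventory: directory -> {file name: (sha256 hex, signer subject or None)}.
# In practice this comes from a file-hash + Authenticode sweep of the fleet.
INVENTORY: Dict[str, Dict[str, Tuple[str, Optional[str]]]] = {
    SYSTEM32: {
        "version.dll": ("a1" * 32, "Microsoft Windows"),
        "dwmapi.dll": ("b2" * 32, "Microsoft Windows"),
    },
    r"C:\Program Files\POSTool": {
        "postool.exe": ("c3" * 32, "POS Vendor Ltd"),
        # Same name as a system DLL, different hash, carries a valid-looking signature.
        "version.dll": ("d4" * 32, "Some Signer Ltd"),
    },
    r"C:\Program Files\Other": {
        "other.exe": ("e5" * 32, None),
        # Identical to the System32 copy: a redistributed system DLL, not a hijack.
        "dwmapi.dll": ("b2" * 32, "Microsoft Windows"),
    },
}

def sha256_hex(data: bytes) -> str:
    """Helper for callers that build an inventory from real files."""
    return hashlib.sha256(data).hexdigest()

def hunt_search_order_hijacks(inventory, system_dir: str = SYSTEM32):
    """For every non-system directory that holds an executable, report DLLs that
    shadow a System32 DLL by name but differ by hash. The application directory
    is searched before System32, so such a DLL loads in place of the real one."""
    system_dlls = {name.lower(): meta for name, meta in inventory.get(system_dir, {}).items()}
    findings = []
    for directory, files in inventory.items():
        if directory == system_dir:
            continue
        has_exe = any(n.lower().endswith(".exe") for n in files)
        for name, (digest, signer) in files.items():
            lname = name.lower()
            if not lname.endswith(".dll") or lname not in system_dlls:
                continue
            sys_digest, sys_signer = system_dlls[lname]
            if digest == sys_digest:
                continue
            findings.append({
                "directory": directory,
                "dll": name,
                "beside_executable": has_exe,
                "signed": signer is not None,
                "signer": signer,
                "system_signer": sys_signer,
            })
    return findings

if __name__ == "__main__":
    for f in hunt_search_order_hijacks(INVENTORY):
        print(f)
```

A signed result is not a reason to drop the finding; it is a reason to pull the certificate and look at it, which is where the thread goes next.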
Hey I recognize that #AdvancedPractices 🦅 hoodie!

I had a tiny cameo in this 1st part of
a new series highlighting #DFIR/researchers
"hacker:HUNTER - Cashing In" tomorrowunlocked.com/hacking-atms

I expect the series will have #CARBANAK twists & turns + plenty of #FIN7 payment card theft
@FireEye @TmrwUnlocked "It's very hard to arrest a piece of code." -@stefant
📺 hacker:HUNTER - Cashing In Finale
Showcases the challenges of pursuing & meaningfully impacting fragmented cybercrime group operations.
Also answers the question: "will Nick have a shorter cameo?" 🤣
More #AdvancedPractices team 🦅 in your timeline: ⚠️ follow @stonepwn3000.

He just joined - prob will be great tweets. But also maybe a huge mistake. I guess time will tell.

I've maintained this list if you want to follow (or block) everyone on our team: twitter.com/ItsReallyNick/…
With every teammate on here, we're one step closer to locking in that #APT34 counterstrike match.
Also @stonepwn3000 designed these and that's just something you're all going to have to live with. Especially our significant others who see them on the wall every day. Sorry, that's business.