Discover and read the best of Twitter Threads about #EDR

Most recents (9)

1/ I am taking a little break but couldn't resist checking out my favourite open-source projects for any updates. Doing so, I thought it would be useful to share my top 10 projects that anyone in the #infosec field should know about. Here they are 🧵:
2/ 📊 HELK (buff.ly/3BHn9iR): The Hunting ELK (HELK) project provides an analytics and threat hunting platform for security teams to identify and respond to threats in their environment. Just load your logs and start hunting! #HELK #ThreatHunting
3/ 🔍 Sigma (buff.ly/3q12WOC): Sigma enables infosec peeps to create rules for SIEM systems for detecting and responding to security incidents. It also allows us to share our rules in a non-vendor-specific format! Free detections anyone!?! #Sigma #SIEM
Read 13 tweets
An "Emergency Data Request" (#EDR) is a warrantless demand by a police officer to a tech company, designed for white-hot emergencies when a cop needs an online service to cough up some of its user data to save a life or prevent a tragedy. 1/
Criminals *love* EDRs. Once a crook breaks into a police email server (something so easy that the children running the LAPSUS$ crime-gang did it several times), they can send their own EDRs to online services, who will dutifully dox their own users. 2/
After all, if someone's in mortal danger, there's no time to stop and verify the cop's identity:

pluralistic.net/2022/03/30/law…

Children don't just abuse EDRs, they're also *abused* with EDRs. 3/
Read 20 tweets
Back in '94, @BillClinton signed #CALEA, mandating that all voice-capable switches include a "lawful interception" backdoor that would let cops listen in on phone calls without having to actually physically access the switch itself.

en.wikipedia.org/wiki/Communica… 1/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

pluralistic.net/2022/03/30/law… 2/
CALEA came with three promises:

I. The backdoor would only be used by cops;

II. They would get a warrant first;

III. It would only apply to voice traffic, not the internet.

All of these promises were lies. 3/
Read 29 tweets
Recently @NinjaParanoid and I had a short discussion about #EDR bypasses.
In this thread🧵 I'd like to share my view on EDR bypasses and their various types from both the offensive and defensive sides.
There are three types of EDR bypasses:
1. Technical capabilities bypass
Everything is simple here. The EDR isn't capable of collecting some telemetry. This is a technical problem, the lack of a feature. Look at the dark blue stripes below from the @MITREattack evaluation:
If I remember correctly, @jaredcatkinson called this type of bypass a "pure EDR bypass"; I like this name too😉
The EDR development team should remove such telemetry collection gaps. In some cases it's quite easy, in others very difficult.
Read 10 tweets
How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
3. You probably have a naming convention for your servers. Also, servers have defined IP subnets.
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
Without even knowing what kind of software is used in the environment, you can analyze your process event logs to see if your servers have a 3rd party software installed. The same logs provide the computer name and/or the computer IP.
Read 6 tweets
Can we detect ZIP / JScript for initial access on 🪟?

1. Open txt editor
2. Paste:

var WshShell = new ActiveXObject("Wscript.Shell");

WshShell.Popup("You can configure WSH files to open in Notepad");

WScript.Quit(); // WScript.exit is not a WSH method; Quit() ends the script

3. Save as 1.js
4. Double-click
5. Query SIEM / EDR
What about #BEC in O365?

1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
What about lateral movement?

1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs -r:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
Read 6 tweets
2020 @expel_io incident stats tell a familiar story: a lot of commodity malware *still* being deployed via evil macros and zipped HTA / JS files.

This isn't a thread to tell you to block macros or associate WSH files with notepad (like PS), but questions to ask if you can't.
On blocking macros: If it were easy, everyone would do it.

But if you're a #SOC analyst, do you fire an alert when winword.exe spawns an unusual process like PS or regsvr32?

Can you create a macro that behaves like an evil one but is totally benign to test your alerting?
Can you use #EDR to understand which processes are almost never spawned from winword.exe? Or maybe ask which processes spawned from winword.exe initiate an external connection out? Can you fine tune your logic and deploy in BLOCK mode?

Yea, the evil macro ran but EDR stopped it.
Read 9 tweets
The #GAR has 40 years of service. 40 years of struggle. 40 years of evolution. 40 years of sacrifice. In short, 40 years on the front line.

Today we are going to talk about them, the Grupo de Acción Rápida of the Guardia Civil. The unit that was created to put an end to ETA in rural areas.
The structure of the thread will be the usual one:
-First part devoted to the history, structure and missions.
-Second part devoted to analysing the equipment and materials, as well as the weapons used.
Although since its creation they have operated with uncovered faces, in the recent photos that require it their faces will be pixelated. That said, on with the thread.
Read 76 tweets
Threat Hunting In #CyberSecurity : Waiting for an alert can be too dangerous.
Threat hunting means to proactively search for malware or attackers that are hiding in your network — and may have been there for some time.
Most of the time, the goal of this malware or these attackers is to quietly siphon off data, patiently listen in for confidential information, or work their way through the network looking for credentials powerful enough to steal key information.
Read 19 tweets