Discover and read the best of Twitter Threads about #advancedpractices

Most recents (9)

FLARE #AdvancedPractices has a rep of being a rowdy, hell raising analyst squad (in a nice, fun way). Our culture is to challenge our company norms, demand excellence, take risks, make mistakes, fail & succeed repeatedly. It's who we are.

A #FF of some teammates & team friends:
@ItsReallyNick and @danielhbohannon taught me to $DoTheNeedful, whether I was asked to or not, Ship It and See What Happens

@reesespcres taught me to take chances and make bold moves in our production infrastructure, to get innovate despite seemingly-immobile technology
@_gormaniac_ & @x04steve taught me to love automations

@ramen0x3f @bwithnell taught me to ask better questions of my data

@3dRailForensics @Isifmobile @ReginaElwell taught me to value quality, and aspire to higher standards

@BakedSec taught me to be a bit nicer
Read 13 tweets
🆕 Job Update: I'm joining @Microsoft!

On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF

My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅

Also:
I'm going to lean on (& try¹ to contribute to) teams across the MS security family:
• @MicrosoftMTP crew w/ @jepayneMSFT @endisphotic @GossiTheDog et al🤩
• @msftsecresponse w/ the awesome @n0x08
• @Lee_Holmes for everything Azure

¹if I say it here, it has to happen right?😉
Read 4 tweets
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

1/8
💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
2/8
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2: fireeye.com/blog/threat-re…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
3/8
Read 9 tweets
Hey #ATTACKcon here's a recap of
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards – #Guardies 🏆
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices 🦅 Adversary Methods team where we "reverse engineer" attacker techniques... ImageImage
Why a lightning talk on Execution Guardrails (#T1480)?
• We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
• Smart people suggest that guardrails are correlated with adversary sophistication
• 💂🛤️ are fun! ... ImageImageImage
Guardrail Definition & Detection Concepts
$coverage = /de(fini|tec)tion/

The unique combination of behaviors that define guardrailing – and their order – can be used to detect it.

Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing... ImageImageImage
Read 7 tweets
🆕 Microsoft.Workflow.Compiler sample with low VT detection!
1⃣C:\ProgramData\ccm_deploy.xml 🧐
MD5 fb98cddfa2e13334989d27d1b5b7cdda
VT (0/56): virustotal.com/gui/file/8b6d8…
2⃣Loads C:\ProgramData\package.xml
MD5 a916ca1d57d9c3b2627907ab68a264fe
VT (1/58): virustotal.com/gui/file/9a8b5…
[1/4] Image
I uploaded both to @virusbay_io: beta.virusbay.io/sample/browse/…

and the extracted payload to @anyrun_app: app.any.run/tasks/35c09520…

STDOUT:
Injection Target Process = %ProgramFiles%\Internet Explorer\iexplore.exe
PPID Spoof Parent = True
PPID Spoof Process = explorer
Returned true
[2/4] Image
@virusbay_io @anyrun_app More info on @mattifestation's method:
1⃣ My favorite implementation uploaded publicly is this Excel file (probably authored by @egyed_laszlo):
2⃣ The first workflow VT sample uploaded was ~1 year ago:

^plus background & links
[3/4]
Read 12 tweets
🎟️🍿Movie Night: "Between Two Steves"
🆕#StateOfTheHack

@cglyer & I chat with the top two Steves from #AdvancedPractices 🦅: @stonepwn3000 & @stvemillertime to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.
pscp.tv/w/1YpJkYjBleMKj
@cglyer @stonepwn3000 @stvemillertime 🗣️
• tracking the groups and techniques that matter
• recent #FIN7 events: fireeye.com/blog/threat-re…
• recent #AdvancedPractices team research, including PDB dossier & summit talks on proactive identification of C2, deep code signing research, and rich header hunting at scale...
We highlight a favorite talk
🍎 𝗟𝗶𝘃𝗶𝗻𝗴 𝗼𝗳𝗳 𝘁𝗵𝗲 𝗢𝗿𝗰𝗵𝗮𝗿𝗱 🍎
by @williballenthin, @nicastronaut, @HighViscosity
revealing TTPs & artifacts left behind from the million mac engagement
fireeye.com/blog/threat-re…
We kinda want to do a full #StateOfTheHack on that one...
Read 5 tweets
🤙💰 Mahalo FIN7: fireeye.com/blog/threat-re…
• On several on-going investigations we saw #FIN7 trying to retool 🏄🏼
• Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
• Hunting for #BOOSTWRITE and #RDFSNIFFER 💳 Image
.@josh__yoder & I stayed up much of the night to get this blog out.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5…
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules. Image
#FIN7's code signing certificate is purportedly from Mango Enterprise Limited in the UK.
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft 😜: maps.app.goo.gl/MbznDeJPHJr4n5…

We analyze & discuss how to find the certificate anomalies! ImageImageImageImage
Read 7 tweets
Hey I recognize that #AdvancedPractices 🦅 hoodie!

I had a tiny cameo in this 1st part of
a new series highlighting #DFIR/researchers
"hacker:HUNTER - Cashing In" tomorrowunlocked.com/hacking-atms

I expect the series will have #CARBANAK twists & turns + plenty of #FIN7 payment card theft Image
@FireEye @TmrwUnlocked "It's very hard to arrest a piece of code." -@stefant
📺 hacker:HUNTER - Cashing In Finale
Showcases the challenges of pursuing & meaningfully impacting fragmented cybercrime group operations.
Also answers the question: "will Nick have a shorter cameo?" 🤣
Read 4 tweets
More #AdvancedPractices team 🦅 in your timeline: ⚠️ follow @stonepwn3000.

He just joined - prob will be great tweets. But also maybe a huge mistake. I guess time will tell.

I've maintained this list if you want to follow (or block) everyone on our team: twitter.com/ItsReallyNick/…
With every teammate on here, we're one step closer to locking in that #APT34 counterstrike match.
Also @stonepwn3000 designed these and that's just something you're all going to have to live with. Especially our significant others who see them on the wall every day. Sorry, that's business.
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!