Discover and read the best of Twitter Threads about #blueteam

Most recents (13)

OFC it was. Did you not read a word I said?

That is the ROLE, not job of the Rs when Ds are in power. "Bipartisan" DOES NOT EXIST.

3 Rs and 3 Ds get together and PRETEND to do their job for their slaves back home.

Then all #TheOther #BadCops NIX THE DEAL so the handful of
swindlers can look good and then they just cycle SCAM that around from issue to issue like guns, abortions, climate, school loans and all the rest of the BULLSHIT and as long as you pick the #GoodCop OR... OR the #BadCop THEY FUCKING WIN AND WE STAY STUCK ON STUPID! Who gives a
fuck which party is in power when they are both just looking to BEAT US, not themselves, not their same #PuppetMasters.

WTFU and realize as long as you pick the #BlueTeam or the #RedTeam THEY WIN!

Who gives a fuck whether it is $30B or $6T - WE DO NOTHING EITHER WAY.
Read 7 tweets
Going to be a busy Tuesday for both MS and LG it seems 👀 #Breach
And @okta
Thanks to a pal here's some #blueteam hunt info the earliest date for the breach identified so far is 21st Jan this year. Gives at least a working window for events investigations.
Read 8 tweets
mshtml.dll was loaded into the winword process; when is Microsoft MSHTML used? I guess it will be nice from a #threathunting perspective
based on sample: app.any.run/tasks/36c14029…
other possible suspicious loads: ExplorerFrame.dll, ieproxy.dll

#CVE-2021-40444 #DFIR #BlueTeam
...ran the query on the prod environment, last 30 days - 0 FP hits. via (MDATP) @MSThreatProtect
Read 3 tweets
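The hunt the thread describes (Word loading mshtml.dll, plus the ExplorerFrame.dll and ieproxy.dll loads it lists) written out as runnable Python. This is an added example, not the author's query or Microsoft's code: it assumes image-load rows shaped like Defender's DeviceImageLoadEvents (Timestamp, DeviceName, InitiatingProcessFileName, FileName), and the sample rows are constructed, not real telemetry. It also shows the 30-day baseline step from the thread, counting hits on devices you have not already confirmed as compromised as false positives; the `host_processes` parameter generalises beyond winword.exe to other Office hosts, which the thread does not claim.

```python
"""Hunt for suspicious DLL loads into Word (CVE-2021-40444 style activity)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Modules the thread calls out; matched case-insensitively.
SUSPICIOUS_MODULES = {"mshtml.dll", "explorerframe.dll", "ieproxy.dll"}

# Constructed sample rows (not real telemetry); field names follow the
# DeviceImageLoadEvents schema used by Defender advanced hunting.
NOW = datetime(2021, 9, 10, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws01",
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "mshtml.dll"},
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws01",
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "ExplorerFrame.dll"},
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws02",
     "InitiatingProcessFileName": "EXCEL.EXE", "FileName": "mshtml.dll"},
    # Internet Explorer loading mshtml.dll is normal and must not fire.
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws03",
     "InitiatingProcessFileName": "iexplore.exe", "FileName": "mshtml.dll"},
    {"Timestamp": NOW - timedelta(minutes=5), "DeviceName": "ws01",
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "kernel32.dll"},
    # Older than the 30-day lookback the thread used.
    {"Timestamp": NOW - timedelta(days=40), "DeviceName": "ws04",
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "mshtml.dll"},
]


def suspicious_office_loads(events, host_processes=("winword.exe",),
                            lookback_days=30, now=NOW):
    """Return rows where one of host_processes loaded a module from
    SUSPICIOUS_MODULES inside the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    hosts = {h.lower() for h in host_processes}
    return [
        e for e in events
        if e["Timestamp"] >= cutoff
        and e["InitiatingProcessFileName"].lower() in hosts
        and e["FileName"].lower() in SUSPICIOUS_MODULES
    ]


def hits_per_device(matches):
    """Collapse hits to a per-device count so a single noisy host stands out."""
    return Counter(m["DeviceName"] for m in matches)


def baseline(events, known_bad_devices=frozenset(), **query_args):
    """Dry-run the query over historical data, as the thread did for 30 days:
    hits on devices not already known bad count as false positives.
    Returns (false_positives, total_hits)."""
    matches = suspicious_office_loads(events, **query_args)
    fps = [m for m in matches if m["DeviceName"] not in known_bad_devices]
    return len(fps), len(matches)


if __name__ == "__main__":
    hits = suspicious_office_loads(EVENTS)
    for h in hits:
        print(h["Timestamp"].isoformat(), h["DeviceName"], h["FileName"])
    print("per device:", dict(hits_per_device(hits)))
    print("baseline (fp, total):", baseline(EVENTS, known_bad_devices={"ws01"}))
```

Run it as-is and only the two ws01 Word loads fire; widen `host_processes` to include excel.exe and the ws02 row joins them. A zero false-positive baseline, as in the thread, means every hit landed on a device you already had reason to distrust.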
🧵on stealing TeamViewer credentials

Many organizations have systems with TeamViewer actively running; some know it and manage it correctly, others have no idea it is running or where. The latter probably have multiple versions #redteam #blueteam #purpleteam #ThreatThursday 1/10
I started looking deeper into TeamViewer when @snlyngaas reported that a Florida water facility had been breached. A malicious actor used TeamViewer to log in and change the levels of sodium hydroxide. The plant operator saw this and no damage was done cyberscoop.com/florida-water-… 2/10
For those that speak @MITREattack we are talking about T1078 Valid Accounts: attack.mitre.org/techniques/T10…
But how were these credentials obtained? We don't know but @brysonbort spoke with #RSAC about it if you want more on the Florida water plant breach: 3/10
Read 10 tweets
I’m going to tell you some things about #cybersecurity and why you should consider adding it to your careers. For starters, today there is a shortage of 1.5 million specialists worldwide, and the number is expected to grow by 2022.
Today more than ever, #cybersecurity is important for everyone—professionally, as parents, for our exposure and above all, for our #reputation. Many times I find myself speaking to people that believe that you need to be a #hacker to work in #cybersecurity.
There are 4 domains you can investigate and study: Information Security Governance, Information Risk Management, Information Security Program Development and Management, and Information Security Incident Management. All of them allow you to get a #CISM certification,
Read 10 tweets
Some very interesting XLLs in the wild (#blueteam take note!). Will link to some research in this thread. This one loads a payload from an embedded resource and displays a decoy message.
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041…
This XLL decodes a Base64 string using CryptStringToBinary and uses the Nt APIs to jump to it.
📎virustotal.com/gui/file/5644a…
Read 13 tweets
The #Zerologon bug is going to be game over for a lot of companies and I reckon the weaponised payloads in ransomware will be pretty bad now: destroy the DC by changing the password, get DA, ransom the network, and it's maximum pay day for criminals.
Equally, much like MS08 and MS17, this is a patch that you should apply to all your domain controllers and systems in your estate.
What's equally bad is by leveraging the vulnerability it's possible to generate Kerberos golden tickets which could enable an attacker to gain persistence on your estate for years to come.
Read 15 tweets
I've been seeing some tweets about #BlueTeam and documentation and diagrams. Diagrams are an important part of the engineering process! So, I figured I'd do a little diagram breakdown for folks wondering what are some useful types of diagrams.
High level diagrams provide a non-technical overhead perspective of the environment. If you are at all familiar with DoDAF, this would be like your OV-1 diagram. These should tell a high level story and be easily explainable to someone who is new and/or non-technical.
Network level diagrams show logical connectivity between all nodes/devices in the environment. It should include the IP/hostname of the devices. Other details to include are VLAN information, system/authorization boundaries, as well as any unique information that might make sense
Read 12 tweets
“The true test of a man’s character is what he does when no one is watching.” - John Wooden

I like this quote a lot, though I wish it said character is what a person does when they *THINK* no one is watching.

#blueteam loves it when threat actors think that no one’s watching.
What defenders actually do when threat actors think no one’s watching: collect.

For me, I prefer building, improving, or automating around Low-Fi/trap/silent/“weak” signals or undocumented forensic artifacts.

Goal during quiet time: a clear picture to enable impactful decisions
When #blueteam pulls the trigger on whatever quiet plan they’ve cooked up – there is this sweet moment of surprise.

In security, everyone’s trying to avoid unmitigatable surprise. And the ability to inflict confusion is just rarer for defenders.

I hope you get to go big. ⛈🤕
Read 3 tweets
🆕 Microsoft.Workflow.Compiler sample with low VT detection!
1⃣C:\ProgramData\ccm_deploy.xml 🧐
MD5 fb98cddfa2e13334989d27d1b5b7cdda
VT (0/56): virustotal.com/gui/file/8b6d8…
2⃣Loads C:\ProgramData\package.xml
MD5 a916ca1d57d9c3b2627907ab68a264fe
VT (1/58): virustotal.com/gui/file/9a8b5…
[1/4]
I uploaded both to @virusbay_io: beta.virusbay.io/sample/browse/…

and the extracted payload to @anyrun_app: app.any.run/tasks/35c09520…

STDOUT:
Injection Target Process = %ProgramFiles%\Internet Explorer\iexplore.exe
PPID Spoof Parent = True
PPID Spoof Process = explorer
Returned true
[2/4]
@virusbay_io @anyrun_app More info on @mattifestation's method:
1⃣ My favorite implementation uploaded publicly is this Excel file (probably authored by @egyed_laszlo):
2⃣ The first workflow VT sample uploaded was ~1 year ago:

^plus background & links
[3/4]
Read 12 tweets
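A hunt for the invocation pattern in this thread, written as an added Python example rather than anything the thread's author or @mattifestation published. Microsoft.Workflow.Compiler.exe is run with an input .xml and an output .xml on its command line; the sample above kept its input under C:\ProgramData, a directory any user can write to. The code assumes process-creation rows with Image, CommandLine and ParentImage fields (Sysmon Event ID 1 naming); the rows are constructed, not real telemetry. Because the sample spoofs its parent PID to explorer, the parent is reported for context and deliberately not used as a filter.

```python
"""Hunt for Microsoft.Workflow.Compiler.exe launched with an XML input/output pair."""
import ntpath
import re

WORKFLOW_COMPILER = "microsoft.workflow.compiler.exe"
# Matches quoted ("C:\path with spaces\x.xml") and bare (C:\path\x.xml) arguments.
XML_ARG = re.compile(r'"([^"]*\.xml)"|(\S+\.xml)', re.IGNORECASE)
# Prefixes of directories a standard user can write to (assumption for the example).
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users", r"c:\windows\temp")

# Constructed sample rows (not real telemetry), Sysmon-style field names.
PROCESS_EVENTS = [
    {"DeviceName": "ws01",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" C:\ProgramData\ccm_deploy.xml C:\ProgramData\result.xml',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Same XML opened by a normal editor: not the compiler, must not fire.
    {"DeviceName": "ws02",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\ProgramData\ccm_deploy.xml",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Compiler run without an input/output pair: nothing to compile.
    {"DeviceName": "ws03",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /?',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def xml_args(command_line):
    """Return the .xml paths on a Windows command line, in order."""
    return [quoted or bare for quoted, bare in XML_ARG.findall(command_line)]


def workflow_compiler_hits(events):
    """Flag Microsoft.Workflow.Compiler.exe launches that pass an input and an
    output .xml, and note whether the input sits in a user-writable directory."""
    hits = []
    for e in events:
        if ntpath.basename(e["Image"]).lower() != WORKFLOW_COMPILER:
            continue
        xmls = xml_args(e["CommandLine"])
        if len(xmls) < 2:  # the tool wants <input.xml> <output.xml>
            continue
        input_xml = xmls[0]
        hits.append({
            "DeviceName": e["DeviceName"],
            "input_xml": input_xml,
            "output_xml": xmls[1],
            "input_user_writable": input_xml.lower().startswith(USER_WRITABLE_PREFIXES),
            # Context only: the sample in the thread spoofs its parent to explorer.
            "parent": ntpath.basename(e["ParentImage"]).lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in workflow_compiler_hits(PROCESS_EVENTS):
        print(hit)
```

Only the ws01 row fires; its input XML is flagged as user-writable, which is the detail worth escalating on, while the reported parent of explorer.exe is exactly what the thread's sample fakes. Legitimate use of this binary in most estates is rare enough that any hit with an XML pair is worth a look.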
Please share in this thread some defensive techniques that are relatively simple to configure/deploy and that have a high success rate (low false positives).

I'll start:
* Detect Kerberoasting:
trimarcsecurity.com/single-post/Tr…

* Detect PW Spraying:
trimarcsecurity.com/single-post/20…

#BlueTeam
* Deploy LAPS to automatically rotate local Administrator passwords on Windows computers
adsecurity.org/?p=1790
microsoft.com/en-us/download…
* Test & Deploy "AaronLocker" for simplified AppLocker deployment
github.com/microsoft/Aaro…
Read 11 tweets
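The first two detections in this thread, Kerberoasting and password spraying, as one added Python example run over constructed Windows Security events (it is not the Trimarc code the links point to). The Kerberoast signal is the one the linked write-up is known for: Event ID 4769 with TicketEncryptionType 0x17 (RC4) for a service account that is not krbtgt and not a machine account, and then one requester collecting several such tickets in a short window. The spray signal is one source IP failing logons (4625) against many distinct accounts within a window; in a real estate you would fold in 4771 and 4776 from the domain controllers the same way. Field names, thresholds and windows are assumptions for the example.

```python
"""Kerberoasting (4769) and password-spray (4625) detections over sample events."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES tickets are 0x11/0x12


def _t(minute, second=0):
    return datetime(2021, 9, 10, 9, minute, second)


def _tgs(minute, second, user, spn, etype, ip):
    return {"EventID": 4769, "Time": _t(minute, second), "TargetUserName": user,
            "ServiceName": spn, "TicketEncryptionType": etype, "IpAddress": ip}


def _fail(minute, second, user, ip):
    return {"EventID": 4625, "Time": _t(minute, second),
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample events (not real logs).
EVENTS = [
    _tgs(0, 0, "alice@CORP.LOCAL", "WS01$", 0x12, "10.0.1.10"),   # normal AES
    _tgs(1, 0, "bob@CORP.LOCAL", "krbtgt", 0x12, "10.0.1.11"),    # TGT renewal
    _tgs(2, 0, "carol@CORP.LOCAL", "FS01$", RC4_HMAC, "10.0.1.12"),  # legacy RC4, machine SPN
    # One account pulls RC4 tickets for three user-account SPNs inside a minute.
    _tgs(5, 0, "dave@CORP.LOCAL", "svc_sql", RC4_HMAC, "10.0.1.50"),
    _tgs(5, 10, "dave@CORP.LOCAL", "svc_web", RC4_HMAC, "10.0.1.50"),
    _tgs(5, 20, "dave@CORP.LOCAL", "svc_backup", RC4_HMAC, "10.0.1.50"),
]
# One IP tries five different users once each (spray)...
EVENTS += [_fail(10, 10 * i, u, "10.0.2.7")
           for i, u in enumerate(["alice", "bob", "carol", "dave", "eve"])]
# ...another IP tries one user four times (brute force, not a spray).
EVENTS += [_fail(12, 5 * i, "alice", "10.0.2.9") for i in range(4)]


def rc4_user_spn_requests(events):
    """4769 events for RC4 tickets to user-account SPNs: the crackable ones."""
    return [e for e in events
            if e["EventID"] == 4769
            and e["TicketEncryptionType"] == RC4_HMAC
            and not e["ServiceName"].endswith("$")
            and e["ServiceName"].lower() != "krbtgt"]


def _windowed_distinct(events, key, value, window, threshold):
    """Group events by `key`; report keys that reach `threshold` distinct
    `value`s inside any sliding `window`. Returns {key: largest_value_set}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    alerts = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["Time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["Time"] - evs[start]["Time"] > window:
                start += 1
            distinct = {e[value] for e in evs[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(alerts.get(k, ())):
                alerts[k] = distinct
    return alerts


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Requesters that collected RC4 tickets for min_spns distinct user SPNs."""
    return _windowed_distinct(rc4_user_spn_requests(events),
                              "TargetUserName", "ServiceName", window, min_spns)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs with failed logons against min_users distinct accounts."""
    failures = [e for e in events if e["EventID"] == 4625]
    return _windowed_distinct(failures, "IpAddress", "TargetUserName", window, min_users)


if __name__ == "__main__":
    print("kerberoast:", detect_kerberoasting(EVENTS))
    print("spray:", detect_password_spray(EVENTS))
```

Both detectors stay quiet on the legacy RC4 ticket for the machine account and on the single-user brute force, which is where the low false-positive rate comes from: the rule keys on the shape of the activity (many SPNs per requester, many users per source), not on any one failed or RC4 event.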
I've got a story to share. Not as exciting as the exploits of @TinkerSec, @HydeNS33k, or @_sn0ww, but a story nonetheless. #DFIR & #BlueTeam in nature. 1/
I worked for a service provider back in the day. And we provided email accounts to customers. 2/
This was back when most places would slap #SquirrelMail or #Horde on top of a #dovecot server. 3/
Read 13 tweets
Thought of the Day: It's actually possible to cause HARM with a #redteam exercise. Read the thread before you jump to conclusions.
There are many different "goals" that stakeholders of a #redteam exercise may expect (and they probably only latch onto one of them, not even aware of the others):
- Program/Posture Assessment
- Controls Validation
- Adversary Simulation
- Adversary Emulation ^not the same^
In a healthy red team program, you'll have stakeholders from each "camp" expecting each of those items to be represented. A SOC will want controls validation, for instance, but may not care about a Posture Assessment (i.e. this business unit has a C+ security program).
Read 15 tweets