Discover and read the best of Twitter Threads about #detection

Most recent (19)

Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - github.com/klinix5/Instal…) and managed to create some detections on it.

Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit requires the user to overwrite elevation_service.exe with a compromised one (in this case with InstallerFileTakeOver.exe).
We can monitor this using #Sysmon event ID 11 - File Creation events:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe

Better understanding natural disasters and protecting ourselves from them: that is the goal of several of INSU's national observation services (#SNO) ⛈️🌪️☀️🌊🌋
We will be telling you about them all week in this #thread

#OnlyTogether #DRRday #CatastropheNaturelle
@UNDRR @CNRS The #SNO Dynalit studies the risks threatening the coastline: erosion, #submersion and pollution🌊
To find out more ➡️ insu.cnrs.fr/fr/Observation…

#OnlyTogether #DRRday #CatastropheNaturelle
The #SNO BCSF-Rénass is dedicated to the #détection and localisation of #séismes (earthquakes) in France 💣
To find out more ➡️ insu.cnrs.fr/fr/observation…
#OnlyTogether #DRRday #CatastropheNaturelle

😱Video of New Zealand PM 'smoking crack'😱

#Real or #fake? Let’s find out. 👇👇👇 1/...

#OSINT 🔎
#Verification 📹
#SpeurJeMee? 🧐 #HowToOSINT
On 1 Oct. someone posts a video on #Twitter.

We see two videos superimposed. According to the caption, we would see the New Zealand Prime Minister Jacinda Ardern twice.

At the top she appears to be talking to #BillGates and at the bottom she appears to be using #crack. 🔞 2/.
We also find the same video in various other posts on #Twitter, #YouTube, #Facebook and on the alternative video site #BitChute.

In total, these videos were viewed more than 31,000 times. Let's verify! 3/...
Meanwhile in #France,
"the peak of this second wave is over"

(according to the President in his Address to the Nation):
Wait... "the peak is over" doesn't mean "it's back to normal"!

Confinement will only fall on December 15,
if there's less than 5.000 new cases a day.
(today it's ~9.000).

France is disappointed.🙁

Although they certainly can make it happen.
Meanwhile in #Switzerland:
(excess mortality of the second wave is significant)

Good news: fastest decrease in infections happens in the worst hit areas now.
So, I was trying to summarize my thoughts on why THREAT #DETECTION is hard (1/m)
Naturally, first a quip on "well, the attackers don't want to be detected" came to my mind ... (2/m)
Well, except for ransomware after they are ready ... (3/m)
As #COVID19 cases are found to spread, #Melbourne (city of ~5 million) tries to contain them by going into #Lockdown.
(The interview features the idea of a dedicated #Quarantine building - that would actually help, I guess)...
"People acting as if the pandemic was over was 'not the answer, it is part of the problem' ".

"The virus had leaked from postcodes already under the stay-at-home orders to other parts of #Melbourne."
(and beyond, it is feared).
Due to #Melbourne's outbreak, neighbouring South Australia is about to completely close its borders to #Victoria.

(Nearly) no exceptions. And those essential few who are allowed in, will have to wear facemasks the entire time...
Daily Bookmarks to GAVNet 6/27/2020-2

greeneracresvaluenetwork.wordpress.com/2020/06/27/dai…

New Geometric Perspective Cracks Old Problem About Rectangles

quantamagazine.org/new-geometric-…

#geometry #perspective
Detecting Regions At Risk for Spreading COVID-19 Using Existing Cellular Wireless Network Functionalities - IEEE Journals & Magazine

ieeexplore.ieee.org/document/91170…

#detection #network #coronavirus #regions #wireless #cellular
The Dudes Who Won't Wear Masks - The Atlantic

theatlantic.com/ideas/archive/…

#coronavirus #masks
Vorpommern-Greifswald district (where rejections of #Gütersloh residents took place, yesterday)
has specific rules:
"Those who return from international risk areas (out of Germany) or whose Corona-Warning App has alerted them, need to report to authorities"
kreis-vg.de
In fact, Mecklenburg-Vorpommern's Corona-ordinance really prohibits entry of people from international risk areas AND german risk areas as well.
It's just not prominently featured on their websites.

(Overlooked that myself, hence deleted earlier tweet)
landesrecht-mv.de/jportal/portal…
People from #Gütersloh district may have to scrap all their holiday plans anyway...

An official #Lockdown is just being announced for the entire district.
(for one week, as of now)
Moving average of new cases of #COVID19 and new deaths in #India

#Gujarat has a way higher case fatality ratio than the national value, followed by #WestBengal and #MadhyaPradesh.

We need the CFR to fall to 0!

(1/3)

@aparanjape @c_aashish @MulaMutha @nebuer42 @oommen
In the next 12 states, #Telangana has the worst CFR followed by #Punjab - though the latter is lower than the national CFR.

#Uttarakhand has seen a sudden spike in deaths over the last few days, though luckily the base is low

(2/3)
Deaths due to #COVID19 in #India are yet to really slow down; we need this to happen.

Early #detection, #quarantine, #treatment & #Masks4All is crucial for this.

Given that we have to live with this for a while, we need to reduce the #deaths to zero!

(3/3)
#Myanmar reports 1st 2 confirmed #COVID19 #coronavirus cases in nation after some 3 months since virus outbreak. Both appear to be imported from citizens returning from abroad. 1 reportedly returned from the #UK, other the #US. US has more than 41,000 cases, UK more than 5,900
This 1st #Myanmar report of #COVID19 #coronavirus is just beginning of potentially more to come as thousands head home from different parts of the world esp from #Thailand as many nations temporarily shut borders. Hope Myanmar can cope with #detection #ContactTracing #treatment
Already there've been complaints of poor #COVID19 #coronavirus facilities by at least 1 person under #quarantine in #Myanmar after flying in from the #UK a few days ago. Experience posted on person's #FB described how there's no sleeping/showering privacy
m.facebook.com/story.php?stor…

🚨 New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
• ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ 👀
@snort 🐷 #detection tricks (negative distance, exploitation flowbits)
👉🔗 fireeye.com/blog/products-…
#DFIR tips ⤵️
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-…

Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 😅

As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 🙇🏽‍♂️
🆕 Microsoft.Workflow.Compiler sample with low VT detection!
1⃣C:\ProgramData\ccm_deploy.xml 🧐
MD5 fb98cddfa2e13334989d27d1b5b7cdda
VT (0/56): virustotal.com/gui/file/8b6d8…
2⃣Loads C:\ProgramData\package.xml
MD5 a916ca1d57d9c3b2627907ab68a264fe
VT (1/58): virustotal.com/gui/file/9a8b5…
[1/4]
I uploaded both to @virusbay_io: beta.virusbay.io/sample/browse/…

and the extracted payload to @anyrun_app: app.any.run/tasks/35c09520…

STDOUT:
Injection Target Process = %ProgramFiles%\Internet Explorer\iexplore.exe
PPID Spoof Parent = True
PPID Spoof Process = explorer
Returned true
[2/4]
@virusbay_io @anyrun_app More info on @mattifestation's method:
1⃣ My favorite implementation uploaded publicly is this Excel file (probably authored by @egyed_laszlo):
2⃣ The first workflow VT sample uploaded was ~1 year ago:

^plus background & links
[3/4]