Discover and read the best of Twitter Threads about #edr
Most recents (9)
1/ I am taking a little break but couldn’t resist checking-out my favourite open-source projects for any updates. Doing so, I thought it will be useful to share my top 10 projects that anyone in the #infosec field should know about. Here they are 🧵:
2/ 📊 HELK (buff.ly/3BHn9iR): The Hunting ELK (HELK) project provides an analytics and threat hunting platform for security teams to identify and respond to threats in their environment. Just load your logs and start hunting! #HELK #ThreatHunting 
3/ 🔍 Sigma(buff.ly/3q12WOC ): Sigma enables infosec peeps to create rules for SIEM systems for detecting and responding to security incidents. It also allows us to share our rules in a non-vendor-specific format! Free detections anyone!?! #Sigma #SIEM
An "Emergency Data Request" (#EDR) is a warrantless demand by a police officer to a tech company, designed for white-hot emergencies when a cop needs an online service to cough up some of its user data to save a life or prevent a tragedy. 1/
Criminals *love* EDRs. Once a crook breaks into a police email server (something so easy that the children running the LAPSUS$ crime-gang did it several times), they can send their own EDRs to online services, who will dutifully dox their own users. 2/
After all, if someone's in mortal danger, there's no time to stop and verify the cop's identity:
pluralistic.net/2022/03/30/law…
Children don't just abuse EDRs, they're also *abused* with EDRs. 3/
pluralistic.net/2022/03/30/law…
Children don't just abuse EDRs, they're also *abused* with EDRs. 3/
Back in '94, @BillClinton signed #CALEA , mandating that all voice-capable switches include a "lawful interception" backdoor that would let cops listen in on phone calls without having to actually physically access the switch itself.
en.wikipedia.org/wiki/Communica… 1/
en.wikipedia.org/wiki/Communica… 1/
If you'd like an unrolled version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
pluralistic.net/2022/03/30/law… 2/
pluralistic.net/2022/03/30/law… 2/
CALEA came with three promises:
I. The backdoor would only be used by cops;
II. They would get a warrant first;
III. It would only apply to voice traffic, not the internet.
All of these promises were lies. 3/
I. The backdoor would only be used by cops;
II. They would get a warrant first;
III. It would only apply to voice traffic, not the internet.
All of these promises were lies. 3/
Recently @NinjaParanoid and I had some short discussion about #EDR bypasses.
In this thread🧵 I'd like to share my view on EDR bypasses and it's various types from both
offensive & defences sides.
There are three types of EDR bypasses:
In this thread🧵 I'd like to share my view on EDR bypasses and it's various types from both
offensive & defences sides.
There are three types of EDR bypasses:
1. Technical capabilities bypass
Everything is simple here. EDR isn't capable to collect some telemetry. This is a technical problem, the lack of the feature. Look at dark blue stripes below from @MITREattack evaluation:
Everything is simple here. EDR isn't capable to collect some telemetry. This is a technical problem, the lack of the feature. Look at dark blue stripes below from @MITREattack evaluation:
If I remember correctly, @jaredcatkinson called this type of bypass as "pure EDR bypass", I like this name too😉
EDR development team should remove such telemetry collection ability gaps. In some cases it's quite easy, in some - very difficult.
EDR development team should remove such telemetry collection ability gaps. In some cases it's quite easy, in some - very difficult.
How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
3. You probably have a naming convention for your servers. Also, servers have defined IP subnets.
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
Without even knowing what kind of software is used in the environment, you can analyze your process event logs to see if your servers have a 3rd party software installed. The same logs provide the computer name and/or the computer IP.
Can we detect ZIP / JScript for initial access on 🪟?
1. Open txt editor
2. var WshShell = new ActiveXObject("Wscript.Shell");
WshShell.Popup("You can configure WSH files to open in Notepad");
WScript.exit;
3. Save as 1.js
4. Double-click
5. Query SIEM / EDR
1. Open txt editor
2. var WshShell = new ActiveXObject("Wscript.Shell");
WshShell.Popup("You can configure WSH files to open in Notepad");
WScript.exit;
3. Save as 1.js
4. Double-click
5. Query SIEM / EDR
What about #BEC in O365?
1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
What about lateral movement?
1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
2020 @expel_io incident stats tell a familiar story: a lot of commodity malware *still* being deployed via evil macros and zipped HTA / JS files.
This isn't a thread to tell you to block macros or associate WSH files with notepad (like PS), but questions to ask if you can't.
This isn't a thread to tell you to block macros or associate WSH files with notepad (like PS), but questions to ask if you can't.
On blocking macros: If it were easy, everyone would do it.
But if you're a #SOC analyst, do you fire an alert when winword.exe spawns an unusual process like PS or regsvr32?
Can you create a macro that behaves like an evil one but is totally benign to test your alerting?
But if you're a #SOC analyst, do you fire an alert when winword.exe spawns an unusual process like PS or regsvr32?
Can you create a macro that behaves like an evil one but is totally benign to test your alerting?
Can you use #EDR to understand which processes are almost never spawned from winword.exe? Or maybe ask which processes spawned from winword.exe initiate an external connection out? Can you fine tune your logic and deploy in BLOCK mode?
Yea, the evil macro ran but EDR stopped it.
Yea, the evil macro ran but EDR stopped it.
El #GAR lleva 40 años de servicio. 40 años de lucha. 40 años de evolución. 40 años de sacrificio. En definitiva, 40 años en primera línea.
Hoy vamos a hablar de ellos, del Grupo de Acción Rápida de la Guardia Civil. La unidad que nació para acabar con ETA en el entorno rural.
Hoy vamos a hablar de ellos, del Grupo de Acción Rápida de la Guardia Civil. La unidad que nació para acabar con ETA en el entorno rural.
La estructura del hilo será la de siempre:
-Primera parte dedicada a la historia, estructura y misiones.
-Segunda parte dedicada a analizar el equipamiento y materiales, así como el armamento utilizado.
-Primera parte dedicada a la historia, estructura y misiones.
-Segunda parte dedicada a analizar el equipamiento y materiales, así como el armamento utilizado.
Aunque desde su creación han actuado a cara descubierta, en las fotos recientes que lo precisen sus rostros serán pixelados. Dicho esto vamos con el hilo.
Threat Hunting In #CyberSecurity : Waiting for an alert can be too dangerous.
Threat hunting means to proactively search for malware or attackers that are hiding in your network — and may have been there for some time.
Most time, the goals of these malware or attackers can be to quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.
