Profile picture
Jessica Payne @jepayneMSFT
, 7 tweets, 2 min read Read on Twitter
Cases I have investigated recently have included:

-new ‘elite’ malware that most well configured/behavioral AV would have caught
-‘junk’ malware used for initial entry
-unpatched servers on the internet

Attackers don’t often encounter networks that require advanced techniques.
Every week we encounter at least one case of malware taking advantage of matching local admin passwords. You can fix that for free with aka.ms/laps
Every week we encounter at least one case of a domain admin level account being available on a web facing/easily compromised server because of doubt about where the account is used and what it might break to remove it. You can figure that out with aka.ms/weffles
At least once a week we encounter a case of lateral movement using off the shelf tools like psexec, command line utilities, or eternal blue. You can stop all of them from moving laterally by blocking SMB and RPC between endpoints using the Windows Firewall channel9.msdn.com/Events/Ignite/…
Supporting our CSS remote IR engineers is one of my favorite parts of my job - it’s not always elite APT malware ‘glamour,’ but it is always a case - even if it’s ‘just’ Qakbot - where you learn the real world isn’t quite like a security product sales pitch.
Have a practice IR. This may look different than you’re expecting.
Can you:
1) deploy software or a script to ALL endpoints without errors?
2) identify all your endpoints?
3) know what your patch or configuration deployment status is for a basic item like KB2871997 or a GPO?
During an actual IR, a shocking number or organizations (even ones with incredible human and monetary investments in their security stack) are unable to do steps like deploying a GPO or software due to unknown infrastructure issues-which often made them insecure in the beginning.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jessica Payne
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @jepayneMSFT see all

Profile picture
Windows Event ID 4624 displays a numerical value for the type of login that was attempted. These numbers are important from a forensic standpoint but also for understanding credential exposure and mitigating risks. Descriptions in replies.
Logon type 10: this is a typical RDP alert meaning that terminal services was engaged for the logon. 3rd party software like virtualization consoles and screen share can also generate it. Means credentials were in memory (lsass) and also hit cached credentials.
Logon type 2: interactive logon, typically associated with hands on keyboard. Credentials in memory and cached credentials. This event can also be generated using RunAs - which is why some normal admin behavior is risky.
Read 11 tweets
Profile picture
Reacting to a new technique with 'well of course it works, they had admin' may indicate you don't fully appreciate the attacker mindset.
The attacker goal is not just to run code, but often to keep it running without you noticing for as long as possible-'borrowed' trust helps.
If you are using a trusted tool or a troubleshooting tool to execute your code, you can inherit the 'reputation' of that process.
Read 21 tweets

Related threads

Profile picture
IDA's remote debugger is my go-to for debugging malware so that I never have to restore my VM and lose. If you're interested in trying it, I've attached some instructions on how to set it up to debug a DLL. (1/4) #malware #reverseengineering
1. Copy the remote debugger for your platform from the "dbgsrv" directory in your IDA installation directory to the debugging target and execute. -h will show you other options for configuring a password, port number etc. (2/4)
2. On the machine running IDA, select "Remote Windows Debugger" from the debugger dropdown.
3. Select Debugger -> Process Options from the menu, and fill in the parameters. Below I've included a sample configuration.
4. Select OK, and start the debugger like normal. (3/4)
Read 4 tweets
Profile picture
Not watching 2 sick from the subpar human conditions St. Louis Co State of Minnesota Hibbing SSA PREDATOR ALYSSA JERULLE #Elite #ChildSexTrafficking #HumanTrafficking #Freemasons #SRA #Pedophile #Cult of #Adrenochrome junkies created cuz💥I EXPOSED💥THE CLARK/ROCKEFELLER KKKLAN💥
.@PeteStauber @realDonaldTrump @GenFlynn
@PeteStauber @realDonaldTrump @GenFlynn
Read 10 tweets
Profile picture
#New Traders, Understand #Mathematics Of #Profit In Market Before You Put Hard #Earned Money On Risk.

Expectancy = Success Rate x Reward Risk Ratio

Lets Talk About Expectancy Of Short Term Directional Trading System.

Read On (1/n)
Success Rate = No Of Profitable Tades/ No Of Loss Making Trades

Reward Risk Ratio = Average Profit Per Trade / Average Loss Per Trade

If Success Rate is 0.5 and Reward Risk 2, Then

Expectancy = 2 x 0.5 =1

For Making Profit, Expectancy Should Be Positive Number (2/n)
To Calculate Expectancy, You Need Defined System With Rules To Get Success Rate and Reward Risk. If You Have No System To Take Decisions, You Are Hanging In Thin Air and Will Never No Whether You Will Keep Making Or Loosing Money In Future (3/n)
Read 12 tweets
Profile picture
#NEW on ARC2020: #CAP & #MFF | Eco-Spin without Public Goods Substance.
Its been 2 weeks since the MFF proposals, here's our round up of some of the perspectives so far.
All perspective-givers tagged in picture.
arc2020.eu/cap-mff-eco-sp…
What's needed?
@davidbaldock & Allan Buckwell of @IEEP_eu:
1: Sufficient funding for environmental measures in Pillar 1
2: Specifics for New Delivery Model
3: Flexibility for Pillar 1 to 2 transfers
4. Fund ANCs under Pillar 1
arc2020.eu/cap-mff-eco-sp…
#MFF #FutureofCAP #CAP
And who said: "unconditional direct income support to farmers is manifestly absurd in today’s world when it maintains uncompetitive farming practices that have negative implications for the climate, the environment or people’s health"?
Why @AnnikaAhtonen of @epc_eu
Read 8 tweets
Profile picture
I’m analysing #KevDroid samples the new #Android #malware discovered several days ago by #ESTSecurity
blog.alyac.co.kr/1587
Articles on the same subject by @PaloAltoNtwks and @TalosSecurity
researchcenter.paloaltonetworks.com/2018/04/unit42…
blog.talosintelligence.com/2018/04/fake-a…
The samples are available on @koodous_project and @virusbay_io
28c69801929f0472cef346880a295cdf4956023cd3d72a1b6e72238f5b033aca
679d6ad1dd6d1078300e24cf5dbd17efea1141b0a619ff08b6cc8ff94cfbb27e
990d278761f87274a427b348f09475f5da4f924aa80023bf8d2320d981fb3209
Read 13 tweets
Profile picture
#New PA cong. map increases D chance of winning the House majority by 4%. They only need a 6.8% generic ballot margin now (down from 7.7) to be favored.

Diff. will be closer to 10% in Nov when uncertainty from polls is ⬇️. Redraw is a very big deal.

One major reason the new PA map is such a big gain for Democrats is that it solidifies, not just tips, PA districts in Philly burbs. Also creates one additional vulnerable R district. (Easily seen in this map made by @JMilesColeman)
My forecasting model will have new PA map in the near future. This is not just a simple switch; it’s a coding redesign, restructuring of input, & drawing new geographic files. Takes a while (for me, a student).

In the meantime, just add 3-4% to the model: bit.ly/2018_house
Read 4 tweets

Trending hashtags

#RedHenDC #Pedophile #Namibia #sustainability #Mathematics #WordsMatter #YoucanRunButYouCantHide #ComeyLetter #SriLanka #Patriot #ProjectCassandra #First #ClimateAction #OIG #JudgeRudyContreras #RIMPAC #power #debunkthefarb #regimes #Flynn #Dadong #Adams #20IsPlenty #ChildTrafficking #email

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!