18 tweets, 14 min read
A lot of mud slinging on InfoSec twitter lately; I wanted to flip the script a bit and highlight the blogs, tools, talks etc that I keep coming back to on a regular basis, both as a defender and general InfoSec professional. Thread..
Never worked with Windows logs before and don't know where to start? ➡️ ultimatewindowssecurity.com/securitylog/en…

Got the logs and need to know what to do with them? @neu5ron and @acalarch have you covered➡️irongeek.com/i.php?page=vid…
Confused about what Windows auditing to turn on? @MichaelGoughTX's cheat-sheets are an amazing resource ➡️malwarearchaeology.com/cheat-sheets

Need to send those logs to a SIEM of some kind? My man @InvokeThreatGuy shows you how ➡️invokethreat.actor/2018/09/levera…
Doing all kinds of cool PowerShell attacks in your lab and aren't seeing anything? Turn on the logging:

➡️fireeye.com/blog/threat-re…
Need more info about WEF? ➡️blogs.technet.microsoft.com/jepayne/2015/1… by @jepayneMSFT is a must read

WEF Broken? Check out this post by @Centurion ➡️hackernoon.com/the-windows-ev…
Come across WMI and want to know more ➡️blackhat.com/docs/us-15/mat… by @mattifestation has you covered there

Want to know more about application whitelisting, advanced PowerShell / .NET tradecraft? ➡️exploit-monday.com, also by @mattifestation
Want samples of what attacks look like in logs without actually performing the attacks yourself? Two amazing projects:

➡️github.com/hunters-forge/… by @Cyb3rWard0g

➡️github.com/sbousseaden/EV… by @SBousseaden
Want a detailed breakdown of the artifacts left on the system by popular offensive security tools?

➡️jpcertcc.github.io/ToolAnalysisRe… by @jpcert_en
Want to know about Active Directory and Azure Active Directory security? @PyroTek3's work has you covered there

➡️adsecurity.org
Sick of standard, boring Windows logs and want to 🌶️it up with Sysmon?

➡️ @SwiftOnSecurity's config: github.com/SwiftOnSecurit…
➡️ Check out @c_APT_ure's various talks
➡️ @olafhartong's Sysmon Modular config: github.com/olafhartong/sy…
Put your defenses to the test with awesome red team tradecraft

@curi0usJack's talk ➡️

@FuzzySec's GitHub repo: github.com/FuzzySecurity

@_xpn_'s blog: blog.xpnsec.com

@TheRealWover ➡️thewover.github.io
Holy crap, Sysmon doesn't log everything. It sure doesn't. Check out SilkETW (by @FuzzySec)

➡️github.com/fireeye/SilkETW

➡️fireeye.com/blog/threat-re…

➡️medium.com/threat-hunters… by @cyb3rops
Now that you're cooking with gas and you want moar, check out Sigma rules by @cyb3rops & @blubbfiction

➡️github.com/Neo23x0/sigma
Windows logs are fun, but you want to know how the guts of malware work, @James_inthe_box, @Ledtech3, @pmelson are great follows.

@ItsReallyNick's feed and #DailyScriptlet tag are also illuminating.
Want to grab forensic artifacts from hosts? Check out the amazing KAPE by @EricRZimmerman

➡️kroll.com/en/insights/pu…
Logs suck, I want to look at packets, cool. Check out this post by @4A4133

➡️engineering.salesforce.com/tls-fingerprin…

Check out Moloch full packet capture (my blog) ➡️haveyousecured.blogspot.com/2018/10/moloch…
Apologies for the obnoxious tagging, I wanted everyone to get credit where credit was due. I probably missed a ton of cool shit, but I wanted to highlight that Twitter/InfoSec isn't a constant dumpster fire; there's some amazing content being produced by some amazing folks 🎄🤶🤎
Correction: last link is by @Cyb3rWard0g, there has to be a mistake somewhere in there. Apologies!