Tweet

Paul Melson

16 Jan, 7 tweets, 1 min read

THREAD
Let's talk about detection philosophy a little bit. There are 2 main competing approaches; 1) Define Normal, Detect Abnormal, and 2) Find Evil. 1/7

First, let's acknowledge this is a false choice. You can do both. The key is to know which approach is superior in which context. In general, I prefer Find Evil. Let me tell you why. 2/7

To make Find Evil work, you need to think of attackers as groups with motivations and goals, then frame that in the context of a process, lifecycle, or even a cyber kill chain. Seriously, this is key. 3/7

Understanding the attackers, either by individual group and/or general category is the next step. ATT&CK is a great resource for this. Use it to build a list of detections to build & deploy. 4/7

Now prepare to monitor and maintain your detection posture against these attackers and their TTPs. The reason to treat detection this way is that attackers are people. 5/7

It is incredibly rare for any attacker to abandon all of their methods, tools, and habits and start from scratch. If we can catch an attacker across all phases of the attack lifecycle at one point in time, then maintain it, 6/7

...we should be able to detect them even if they replace known tradecraft with never-before-seen tactics, because some method or habit will still persisit through that change. 7/7

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @pmelson

Paul Melson

@pmelson

21 May 20

THREAD for beginning malware/SOC analysts
When analyzing interpreted languages like PowerShell, JavaScript, VBA/VBS, there are some handy shortcuts to dealing with obfuscated code. (NOTE: Always do this kind of analysis in a sandbox VM off of your corporate network.)

Let's use this PowerShell script as an example (raw code on the right). The code is triggered with an obfuscated 'IEX' command that is reconstructed from a predictable PowerShell environment variable, $PSHome.

To de-obfuscate the rest of of the script, replace 'IEX' with 'Write-Host'. This general approach, replacing an execution command with a print/write command, works in basically all interpreted languages. In this case, the output is more obfuscated PowerShell.

Read 7 tweets

Paul Melson

@pmelson

21 Aug 18

THREAD
A quick walk-through of analyzing a PowerShell backdoor using Python.
Here's the backdoor if you want to play along at home: pastebin.com/JbYwq9WJ

1. Looking at the raw payload, we can see powershell.exe is invoked and a base64-encoded script is passed for execution.

2. Open Python, import the base64 module, create a string of the original encoded script, and another string (step1) of the decoded script.

Read 8 tweets

Paul Melson

@pmelson

23 Jul 17

view original on Twitter

This thread got me thinking about DefCon, hacker culture, and insecurity. 1/

External Tweet loading...
If nothing shows, it may have been deleted
by @withzombies view original on Twitter

My first con of any kind was DC6 in 1998. At the time, I worked for a school, fixing Macs and LaserJets, resetting passwords, etc 2/

I knew some folks from IRC, but approaching them IRL seemed hard. I was really intimidated. So I hung with the local BBSers I came with. 3/

Read 22 tweets

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Share this page!

Paul Melson

Try unrolling a thread yourself!

More from @pmelson

Paul Melson

Paul Melson

Paul Melson

Did Thread Reader help you today?

Like this author's thread?