Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Chris Sanders 🔎 🧠 Profile picture
@chrissanders88
Dec 20, 2021 8 tweets 3 min read Read on X
Scrolly
We had a big fundraising weekend -- we're past 50K in donations which unlocked another 10K bonus from our friends at Blackthorne Consulting and a SECOND Golden Ticket to be drawn and given away.
The Golden Ticket fundraiser ends on Friday. You can win a free seat in all my
@NetworkDefense training, more training from @DragosInc @TrustedSec, all my signed books, and more.

Entry information and full prize list here: chrissanders.org/2021/12/golden…
This also means we're only $7K from a massive 15K bonus, and within shouting distance of the BBQ tier, where I'll personally cook a pork butt or brisket for the golden ticket winners.
Just think about it... this brisket could be yours. I'm talking about American wagyu prime brisket smoked all day with oak and cherry wood.
Now that we're all hungry... the BBQ tier means I will:

- Cook you either a brisket or pork butt (your choice). We'll pre arrange the date.

- If you're reasonably close to Gainesville GA/Atlanta I'll deliver it. If not, I'll ship it (this can only be for US based winners).
Of course I'll help you eat the BBQ too, but that's optional.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Chris Sanders 🔎 🧠

Chris Sanders 🔎 🧠 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @chrissanders88

Chris Sanders 🔎 🧠 Profile picture
Jul 19, 2023
I’m excited to launch our latest online course, YARA for Security Analysts.

We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intel research.

#Yara #DetectionEngineering #DFIR #Malware YARA for Security Analysts
In the course, you’ll learn how to use YARA to detect malware, triage compromised systems, and collect threat intelligence. No prior YARA experience is required.

You can learn all about the course and register here: . It's discounted right now for launch.networkdefense.co/courses/yara/
Steve Miller (@stvemillertime) is the primary instructor for this course. I was so excited to work with him because he is one of our industry's best detection engineering minds.
Read 9 tweets
Chris Sanders 🔎 🧠 Profile picture
Mar 10, 2023
There are many paths you could take with this scenario. At a high level, the big question you want to be answered is whether the user or an attacker set up the forwarding rule. But, you've got to ask other, more specific questions to figure that out. #InvestigationPath #DFIR
A lot of great responses this week so I won't rehash every path, but there's an opportunity to explore the disposition and prevalence of the client IP, the timing of the rule creation versus AD auth, potential outgoing spam activity,
A few folks pointed out the timing of the rule creation, which is undoubtedly significant. Was the rule created well before djenkins went on their trip? Right before? During it? Those timings all have different implications.
Read 8 tweets
Chris Sanders 🔎 🧠 Profile picture
Nov 29, 2022
This scenario was much broader than most, and notice how that invited many more responses and a great diversity in paths to pursue. Sometimes the most challenging of an investigation is knowing which initial #InvestigationPath to take.
Something we know from research is that the initial path (“opening move”) matters.

I shared some of this research in this blog post: chrissanders.org/2016/09/effect….

That effect is a product of the path itself and the evidence being examined.
There is often a best opening move in a scenario, but in those like the one I’ve shared here, there isn’t an obvious opening move without gaining more information first.
Read 7 tweets
Chris Sanders 🔎 🧠 Profile picture
Nov 8, 2022
Investigation Scenario 🔎

A workstation attempted authentication to every other Windows system on the local network.

What do you look for to start investigating this event?

Assume you have access to any evidence source you want, but no commercial EDR tools.

#InvestigationPath
Response of the week goes to @DanielOfService.

When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.

Many good responses -- lots of folks want to find the source process, which when examined, will reveal a lot regarding disposition. Many want to understand the ratio of success/failed logins. That may not help with disposition, but if malicious, will help with affected scope.
Read 6 tweets
Chris Sanders 🔎 🧠 Profile picture
Nov 2, 2022
When an attacker gains initial access to a system on a network, common actions are:

1. Scanning the network for pivot targets
2. Pillaging the system for valuable files
3. Stealing credentials from the system

Each provides an opportunity for honeypot-based detection 🧵

1/
When an attacker is scanning the network for pivot targets, a listening honey service on a common port that is placed on that network segment is likely to receive a probe. That probe generates an alert indicating the compromised source host.

2/
When an attacker is pillaging the system for useful files, an enticingly named honey file is likely to be accessed (either directly or after exfil). When opened, that file contacts a listening server that generates an alert.

3/ An attacking system that co...
Read 9 tweets
Chris Sanders 🔎 🧠 Profile picture
Oct 31, 2022
One of the underappreciated benefits of the increased acceptance of remote work — it makes more jobs accessible to folks with disabilities. Since April 2020, the amount of disabled folks participating in the workforce has increased 5%. bloomberg.com/news/articles/… A line graph from the US Bu...
Even when a workplace is accessible to someone with a disability (and despite the ADA, many are not), the commute there may not be. Eliminating. that commute opens up a lot of possibilities.
The benefits here are not just about new folks gaining access to the workforce…it’s also a win that disabled folks already working have access to a greater number and diversity of jobs. More options means more social mobility.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(