Anton
25 Dec, 25 tweets, 13 min read
Holiday time and it's been a while since I did one of these. Here goes: a 2021 reading thread with some of my favourite blogs / tools / posts ✨thread✨
Cobalt Strike featured large in 2021 and if you're in the defensive arena, it's a good idea to familiarize yourself.

My colleague @ZephrFish had a great post on CS profiles

◾️blog.zsec.uk/cobalt-strike-…
.@M_haggis also had a fantastic post at the start of the year going over the structure and options contained within CS profiles

◾️haggis-m.medium.com/malleable-c2-p…
Keeping with the CS theme, @dez_ put out a fantastic blog post looking at CS memory signatures. The most valuable part of this post for me is the methodology

◾️elastic.co/blog/detecting…
One last CS-themed shoutout to @DidierStevens, who released a whole suite of tools designed to parse CS configs, MITM CS traffic and much more; check it out

◾️github.com/DidierStevens/…
From detecting beacon to detecting beaconing 😏 this post by @ateixei is a must-read if you're using KQL/Sentinel

◾️ateixei.medium.com/detecting-netw…
.@Cyb3rMonk put out tons of content in 2021, but one of my favourites - and keeping with the beaconing theme - is this post on at-scale beaconing hunting via machine learning

◾️mergene.medium.com/enterprise-sca…
Moving away from beacons/beaconing - @SBousseaden masterfully covers a new detection engineering technique, showing you how to design abnormal child/parent detection rules without access to telemetry

◾️blog.menasec.net/2021/01/how-to…
Another prolific sharer, @nas_bench released tons of content in 2021, but this post on finding forensic goodness in obscure Windows event logs is one of my favourites

◾️nasbench.medium.com/finding-forens…
Usage of Syscalls presents lots of challenges to us blue teamers, but this post by @winternl_t covers some really interesting techniques for the detection of this potentially stealthy TTP

◾️winternl.com/detecting-manu…
Some blog posts are so good that I almost want to take them to my local Staples and have them printed & bound 📘; this blog on access token manipulation by @joehowwolf is one of those

◾️elastic.co/blog/how-attac…
Think RDP logins are just 4624 Type 10 -- I wish. Check out this amazingly helpful mind map of RDP authentication by @Cyb3rSn0rlax

◾️unh4ck.com/dfir/rdp-authe…
We are close to moving onto ☁️articles, but don't forget about the command line! This blog by @Wietze is a great reference for command-line obfuscation

◾️wietzebeukema.nl/blog/windows-c…
Okay onto Azure now - this blog on command execution on Azure VMs by @Haus3c is a must-read

◾️hausec.com/2021/12/03/abu…
Everything authored by @DebugPrivilege is a default must-read, but this post in particular is worth your time if you deal with Azure in any capacity. I find myself coming back to this post often.

◾️m365internals.com/2021/07/24/eve…
Keeping with the theme of Azure SPs, this blog by @_wald0 is another highlight for me. I find that Andy is a master at breaking complex topics down into a digestible and readable form; new research areas are always highlighted as well

◾️posts.specterops.io/azure-privileg…
Like so many others highlighted in this thread, any content from @inversecos is a must-read, but this blog on detecting Azure persistence through Automation Accounts is a favourite for me this year

◾️inversecos.com/2021/12/how-to…
One last Azure blog. This post by @0xBoku is a great read and does a fantastic job of articulating the attack path as well as providing additional links to further research & researchers

◾️0xboku.com/2021/07/12/Art…
Wow that's a lot of Azure attack primitives, how do I wrangle the KQL to find all this stuff ??

Check out @reprise_99's #365daysofkql hashtag and threads!
From Azure to containers, if you're like me and are just dipping your proverbial toes into this area, this blog by @iximiuz is a fantastic resource

◾️iximiuz.com/en/posts/conta…
Moving onto fun tools, @countercept's chainsaw is worth a highlight

◾️github.com/countercept/ch…
If you haven't checked out @FuzzySec's Fermion project, I highly recommend tinkering around; it's a detection engineering goldmine!

◾️github.com/FuzzySecurity/…
Tooting my own horn, but I dig Sysmon Config Pusher as it helps me manage and juggle Sysmon configs around

◾️github.com/LaresLLC/Sysmo…
Probably a surprise to no one, but I am a huge @splunk fan. The team there put out too many blogs to link in 2021, so check them all out. I love these blogs as they always contain directly actionable detection content

◾️splunk.com/en_us/blog/aut…
Finally, and in the spirit of loving yourself more, I want to highlight two of my favourite blogs that I put together this year on the @Lares_ blog

◾️lares.com/blog/hunting-i…

◾️lares.com/blog/sysmon-fo…

Huge thank you to all those who shared your work this year

💙💙💙
