Share this page!

blueteamblog Profile picture
Twitter logo
Mar 22 7 tweets 3 min read
I rarely use this account anymore, but due to the potential #Okta breach here are some SIEM rules which could potentially be useful running back over the past 90 days of data if you can.

github.com/SigmaHQ/sigma/…

github.com/elastic/detect…
@ZephrFish Has also shared the below hunting opportunities to add to the above links
Some further Okta events to check from @thechrisharrod

And another from @understudy77

For anyone following this, Okta have released an updated statement, make of this what you will - okta.com/blog/2022/03/u…
Another Okta statement - now admitting 2.5% of customers (They have around 15000) were impacted in some way and will / have been contacted -

okta.com/blog/2022/03/u…
Splunk have some detections (Haven’t checked overlap with Sigma/Elastic rules I shared initially)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with blueteamblog

blueteamblog Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @blueteamblog

blueteamblog Profile picture
May 12, 2021
LONG THREAD.

Here are some detections / preventions in response to the DarkSide findings.

INITIAL COMPROMISE

Password attacks on perimeter. 2FA everything. Set lockout thresholds on logins. Ingest logs to SIEM and monitor for brute force attempts and impossible travel.
1/14
ItAlso as mentioned the attackers potentially accessed the VPN to disable MFA. Onboard your network devices to SIEM and monitor change events.

Malicious emails. Read this tweet - .

2/14
ESTABLISH FOOTHOLD.

BEACON - Hunting Tips, detections and IOCs - github.com/MichaelKoczwar…

MAINTAIN PERSISTENCE

TeamViewer / Anydesk. Create a SIEM rule and / or run threat hunt for ports in below thread. Try to pick one remote access for your organisation, block the rest.

3/14
Read 15 tweets
blueteamblog Profile picture
Mar 24, 2021
Yes SIEMs can be expensive, but are you getting full value from yours? Or are you just using it for security monitoring?

Here are some other things a SIEM can be used for, to provide much more value to a business.

#siem #infosec #CyberSecurity

1/6
Dashboards. Yes, your security team has dashboards, but have you thought of creating ones to be used by Networking, Desktop Support and other teams? Ask them what dashboards could be useful, and provide them access to the SIEM which only allows access to these dashboards.

2/6
Threat Hunting. There are bountiful threat hunting resources online - Perform these threat hunts on your SIEM logs! This could find things your alerts or analysts have missed; and can lead to future detection opportunities.

3/6
Read 6 tweets
blueteamblog Profile picture
Mar 3, 2021
Thread to help anyone logging to #HAFNIUM / Microsoft Exchange Zero Day and wondering where to start.

CVEs as follows - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

These CVEs are for Exchange Server. Exchange Online users are not affected by this.
Start by reading the following two articles, patching if required and looking for the IOCs provided (they are extensive).

Microsoft Article - microsoft.com/security/blog/…

Volexity Article - volexity.com/blog/2021/03/0…
Further useful reading / detections -

Splunk Queries -

Sigma Rule to detect procdump on lsass.exe -

OSQuery hunt to identify systems that the ProcDump EULA has been accepted-
Read 6 tweets
blueteamblog Profile picture
Jan 7, 2021
A quick thread.

Review of the URL's submitted to URLhaus in the past 30 days.

53109 URLs reported, lets look for patterns; which we can use for threat hunting and detection in DNS entries and proxies logs.

#infosec #cybersecurity #threathunting
25494 of the URLs end with Mozi.m, relating to the Mozi Botnet - securityintelligence.com/posts/botnet-a…. To detect this, we can look for the regex pattern .*Mozi\.m$

A further 4636 of the URLs end with Mozi.a, related to the above. We can detect this using regex pattern .*Mozi\.a$
Finally, there are 10 URLs which contain Mozi within them in different patterns to above. It is therefore worthwhile searching for any case of Mozi within a URL (This will be greedier than the above, but still worthwhile checking)
Read 11 tweets
blueteamblog Profile picture
Jan 6, 2021
Quick #Emotet thread with detections / mitigations etc since there has been a spike in the past few months.

Firstly, it is worth blocking the URL's, Domains and IP addresses found at the following links -

paste.cryptolaemus.com
feodotracker.abuse.ch/downloads/ipbl…
urlhaus.abuse.ch/downloads/csv_…
Cryptolaemus also contains Emotet hashes in their releases - check for these on your network if possible.

Next, It is worth setting up detections in your SIEM for any communications to the URL's, Domains and IP addresses found at the following links -
feodotracker.abuse.ch/downloads/ipbl…
urlhaus.abuse.ch/downloads/text/
paste.cryptolaemus.com

Next, There are Sigma rules to detect Emotet, for example -

github.com/Neo23x0/sigma/…

github.com/Neo23x0/sigma/…
Read 7 tweets
blueteamblog Profile picture
Dec 21, 2020
SIEM info thread.

I have posts with rules, SIEM best practices, threat hunting - blueteamblog.com

Free SIEM rules -

github.com/Azure/Azure-Se…
github.com/Neo23x0/sigma/…
github.com/elastic/detect…
github.com/elastic/detect…
my.socprime.com/tdm/ (partially free)
Understanding commonly used log formats :

Windows Security Event Logs – search Event ID here – ultimatewindowssecurity.com/securitylog/en…
Azure AD Audit logs – docs.microsoft.com/en-us/azure/ac…
Azure AD SignIn logs – docs.microsoft.com/en-us/azure/ac…
Linux Logs – plesk.com/blog/featured/…

1/2
DHCP Logs – serverbrain.org/network-planni…
DNS Logs – nxlog.co/whitepapers/dn…
Office365 – docs.microsoft.com/en-us/microsof…
Proxy Logs – vanimpe.eu/2016/10/21/pro…

2/2
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @blueteamblog has new unrolls!

Check out other threads from @blueteamblog!

Read all threads by @blueteamblog

:(