John Lambert Profile picture
Oct 20, 2023 12 tweets 4 min read Read on X
I spoke at @MSFTBlueHat last week.
➡️
I will follow up with a link to the recording when it is posted.

Some highlights from my talk below👇👇👇github.com/JohnLaTwC/Shar…
I talked about how incidents can teach powerful lessons and contain important truths for defenders. Image
I talked about while it is often romanced that offense has a richer toolset compared to the singular metaphor for defense ("the shield"). Defense has many creative ideas within it as well.
Image
Image
Some foundational concepts for defenders include:
1. Every contact leaves a trace...in a log
2. Defense involves the process of mapping attacker activity to its traces in logs
3. Attacks can take place on many logical layers
4. How essential pivoting is to navigating your data


Image
Image
Image
Image
I talked about the ability to find breaches by time-traveling through logs. Some attacker techniques may have fewer methods of expression (e.g. credential dumping, privileged group enumeration) and these serve as important detection "bottlenecks" in the kill chain. Image
I also talked about the importance of building trust as defenders and how it can be the fastest way to accomplish things. Image
Often our toughest problems at work are not technical, but rather inter-team issues. I gave some tips on dealing with these. Image
Finally, I talked about the importance of staying sane, focusing on your health, and having good work/life boundaries. Image
When the video for the talk is posted, I will link it here.
Thx to @ItsReallyNick for the concept of bottlenecks
Thx to @MSwannMSFT for discussion of many of these topics on our PCT hike.
The audio 🎙️of this talk can be found at the @bluehat podcast: podcasts.apple.com/us/podcast/blu…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with John Lambert

John Lambert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @JohnLaTwC

Apr 9, 2022
If you work with event logs, here are 2 GREAT utilities:

Parse an EVTX file into JSO: github.com/omerbenamram/e…

Query a JSON stream: stedolan.github.io/jq/tutorial/

Combined with Sysmon and some built-in logs, there is a lot of power at your fingertips 💪
First, export a log to EVTX:
1⃣wevtutil epl Microsoft-Windows-Sysmon/Operational sysmonlog.evtx
2⃣wevtutil epl Security Security.evtx /ow:true
3⃣wevtutil epl "Microsoft-Windows-DNS-Client/Operational" DNS.evtx
List hashes of programs that ran:

evtx_dump-v0.7.2.exe sysmonlog.evtx -o json --dont-show-record-number | jq ".Event | select (.System.EventID == 1) | .EventData | {Hashes} | .Hashes " | sort /unique

(PROTIP: Did you know sort has an undocumented /unique switch?)
Read 6 tweets
Mar 13, 2022
I am preparing for an internal talk on career advice learned from working security crises. My notes 🧵
The fastest way to accomplish things is to build trust
You're always on stage. At work, there really is no way to be different in private v. public.
Read 24 tweets
Sep 26, 2021
My favorite story about VBS files is not the I Love You worm, but one that happened in building 40 at Microsoft.
VB Script files are associated with WScript.exe by default. This is an important detail. The other host for VB Script files is CScript.exe.
CScript is a console program. This allows your VBS to write to StdOut and it shows up in console window like cmd.exe.
Read 10 tweets
Sep 24, 2021
I've had a lot of neat employee moments at Microsoft. here's one of them.
👇
It was Feb 4, 2014. The board had just named @satyanadella as CEO.
📎news.microsoft.com/2014/02/04/mic…
An email said he was going to make some remarks in a building across campus in like 30 minutes. I jumped in my car.
The crowd filled all available space. Ballmer was high energy as usual. It was 2014 so, you know, I had my Windows Phone with me. ImageImage
Read 6 tweets
Sep 19, 2021
Found one of my Microsoft notebooks 📔 from 2005. Here are a few pages on what was on my mind then.
The Longhorn (aka Windows Vista) security plan.
Parsers were having many issues. I put this slide together to create awareness about the pattern we were seeing in MSRC at the time.
Occasionally I printed small versions of my slides and inserted them into my notebooks so I could easily socialize to people in 1-1 conversations.
Read 13 tweets
Sep 8, 2021
#HuntingTipOfTheDay
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.

Came across this interesting command. What is it doing? 🤔
It certainly seems to be mucking with the event log, given the security parameter, it seems clear it's interested in the Windows security event log.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.
How can we find out more about this tool? The tool name (comrelg.exe) is faked🤥 and the hash didn't lead anywhere and I didn't have a copy of the sample. (set aside pivoting on imphash etc for now🧠)
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(