Vadim Khrykov
Threat Hunter | Head of SOC | OSCP | GCDA | CRTE | Share my experience with you #ThreatHunting #DFIR #ThreatIntel #Azure #AWS
Oct 6, 2021, 10 tweets
Recently @NinjaParanoid and I had a short discussion about #EDR bypasses.
In this thread🧵 I'd like to share my view on EDR bypasses and their various types from both the
offensive & defensive sides.
There are three types of EDR bypasses:
1. Technical capabilities bypass
Everything is simple here. The EDR isn't capable of collecting some telemetry. This is a technical problem, the lack of a feature. Look at the dark blue stripes below from the @MITREattack evaluation:
[image]
Aug 5, 2021, 12 tweets
Our 6th detection & IR quiz is finished; I'm starting to post the answers. I'd like to thank @DebugPrivilege @oskulkin @arekfurt @atn1ght1 @PhilipARobson for their great answers👏
If you want to participate, go straight to the tweet below:
0. The attack was rapid & merciless. The attacker compromised the Exchange server via RCE or a valid account (we couldn't find the exact initial vector). After that, the attacker dropped a China Chopper web shell and established persistence with SYSTEM privs on the server.
Jul 24, 2021, 11 tweets
Sure) First of all, you should know very well which telemetry is available and provided by your OS/detection tools. If it's Windows, you must know which events are on the table and how to enable them using audit policies.
2. If it's EDR, you should know how it works and where it gets its telemetry: which kernel callbacks exist, useful ETW providers, minifilter driver capabilities. Learn the structures and fields you get from these sources, analyse them, think how this info may be useful for you.
Jul 17, 2021, 13 tweets
Thanks to everyone for participating in the 5th detection Quiz!
I'd like to mention @Cyb3rSn0rlax @Antonlovesdnb and @atn1ght1 - great answers folks👏
I'm starting to post the answers. If you want to participate, don't look at the answers and go straight to the tweet below:
1. The detailed event sequence was published here:
Jul 15, 2021, 6 tweets
I recently consulted for a company about #NTLM-family protocols. They had various monitoring & hardening questions.
So, I decided to post some of their questions with the answers:
1. The LM protocol is old and weak - how can we monitor its usage?
1. In general, you can monitor it using the "Package Name" field of 4624/4625 events. But keep in mind that LM is disabled by default starting with Win7/WS2008R2.
So, if you still have some old machines using it, LM is definitely not the biggest problem for you😵
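As an added example (not part of the thread, and not the author's code), here is a small Python hunt over 4624/4625 events that does what the answer above describes: it reads the field Event Viewer renders as "Package Name (NTLM only)" (EventData name `LmPackageName`) and flags logons that used LM or NTLMv1. The event XML is constructed sample data in the shape that `wevtutil qe Security /f:xml` or Get-WinEvent's `ToXml()` produce; hostnames, accounts and addresses are invented.

```python
"""Hunt for LM and NTLMv1 use in Security log 4624/4625 events.

Added example, not from the original thread. The event XML below is
CONSTRUCTED sample data in the shape that `wevtutil qe Security /f:xml` or
Get-WinEvent's ToXml() produce. AuthenticationPackageName and LmPackageName
are the real EventData field names; Event Viewer renders the latter as
"Package Name (NTLM only)", the field the thread refers to.
"""
from collections import Counter
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Values LmPackageName takes when NTLM was used; "-" means it was not
# (Kerberos etc.). Only these two are worth alerting on; "NTLM V2" is the
# baseline you expect to see where Kerberos is not possible.
WEAK_LM_PACKAGES = {"LM": "LM", "NTLM V1": "NTLMv1"}


def _event(event_id, computer, **data):
    """Build one constructed Security event as XML text (sample data only)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{EVENT_NS["e"]}">'
        f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
        f"<EventData>{rows}</EventData></Event>"
    )


# Constructed sample: Kerberos logon, NTLMv2 logon, NTLMv1 logon, LM failure.
SAMPLE_EVENTS = [
    _event(4624, "DC01.corp.local", TargetUserName="alice", LogonType=3,
           AuthenticationPackageName="Kerberos", LmPackageName="-",
           WorkstationName="WS01", IpAddress="10.0.0.11"),
    _event(4624, "DC01.corp.local", TargetUserName="bob", LogonType=3,
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V2",
           WorkstationName="WS02", IpAddress="10.0.0.12"),
    _event(4624, "DC01.corp.local", TargetUserName="svc_backup", LogonType=3,
           AuthenticationPackageName="NTLM", LmPackageName="NTLM V1",
           WorkstationName="LEGACY-WS", IpAddress="10.0.5.7"),
    _event(4625, "DC01.corp.local", TargetUserName="bob", LogonType=3,
           AuthenticationPackageName="NTLM", LmPackageName="LM",
           WorkstationName="OLDPRINT", IpAddress="10.0.9.3", Status="0xC000006A"),
]


def parse_event(xml_text):
    """Flatten one event into a dict: event_id, computer and every EventData field."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    fields["event_id"] = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    fields["computer"] = root.findtext("e:System/e:Computer", namespaces=EVENT_NS)
    return fields


def classify(event):
    """Return 'LM' / 'NTLMv1' for a weak NTLM-family logon, else None."""
    if event["event_id"] not in (4624, 4625):
        return None
    return WEAK_LM_PACKAGES.get(event.get("LmPackageName", "-"))


def hunt(xml_events):
    """Return one finding per 4624/4625 event that used LM or NTLMv1."""
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        label = classify(ev)
        if label:
            findings.append({
                "package": label,
                "event_id": ev["event_id"],
                "outcome": "success" if ev["event_id"] == 4624 else "failure",
                "account": ev.get("TargetUserName", ""),
                "workstation": ev.get("WorkstationName", ""),
                "source_ip": ev.get("IpAddress", ""),
                "logged_on": ev["computer"],
            })
    return findings


def package_counts(xml_events):
    """Baseline: how often each LmPackageName value appears ("-" = no NTLM)."""
    return Counter(parse_event(x).get("LmPackageName", "-") for x in xml_events)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['package']:6} {f['outcome']:7} {f['account']}@{f['workstation']} "
              f"from {f['source_ip']} (seen on {f['logged_on']}, event {f['event_id']})")
    print(dict(package_counts(SAMPLE_EVENTS)))
```

Two practical notes: for network logons with domain accounts the 4624/4625 events land on the authenticating DC, not on the client, so that is where to collect; and the `WorkstationName`/`IpAddress` pair in each finding is what lets you locate the legacy host the thread says is the real problem.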
Jul 14, 2021, 5 tweets
I see the Quiz is not easy for many, so let's look at particular events together and learn a little bit.
Let's try to think like analysts!
1. "Medium" IL powershell.exe spawns "Medium" IL Wusa.exe, UAC is enabled on the machine, so this is expected behaviour:
[image]
1.1 As we know, Wusa.exe has "autoElevate" = TRUE in its manifest, which means it will be automatically elevated by UAC without a consent prompt (except in "AlwaysNotify" mode). So, svchost.exe spawns consent.exe:
[image]
Jul 13, 2021, 20 tweets
Detection Quiz!💡
Look at the process creation events depicted below:
1. Can you recognise the technique?
2. Map it to the @MITREattack
3. Which tool was most likely used?
4. Detection ideas?

#ThreatHunting
[image] Columns: Time, Parent, ParentIntegrityLevel, Child, ChildIntegrityLevel