I spoke at @MSFTBlueHat last week.
➡️
I will follow up with a link to the recording when it is posted.

Some highlights from my talk below👇👇👇github.com/JohnLaTwC/Shar… I talked about how incidents can teach powerful lessons and contain important truths for defenders.

If you work with event logs, here are 2 GREAT utilities:

Parse an EVTX file into JSO: github.com/omerbenamram/e…

Query a JSON stream: stedolan.github.io/jq/tutorial/

Combined with Sysmon and some built-in logs, there is a lot of power at your fingertips 💪 First, export a log to EVTX:
1⃣wevtutil epl Microsoft-Windows-Sysmon/Operational sysmonlog.evtx
2⃣wevtutil epl Security Security.evtx /ow:true
3⃣wevtutil epl "Microsoft-Windows-DNS-Client/Operational" DNS.evtx

I am preparing for an internal talk on career advice learned from working security crises. My notes 🧵 The fastest way to accomplish things is to build trust

My favorite story about VBS files is not the I Love You worm, but one that happened in building 40 at Microsoft. VB Script files are associated with WScript.exe by default. This is an important detail. The other host for VB Script files is CScript.exe.

I've had a lot of neat employee moments at Microsoft. here's one of them.
👇 It was Feb 4, 2014. The board had just named @satyanadella as CEO.
📎news.microsoft.com/2014/02/04/mic…
An email said he was going to make some remarks in a building across campus in like 30 minutes. I jumped in my car.

Found one of my Microsoft notebooks 📔 from 2005. Here are a few pages on what was on my mind then. The Longhorn (aka Windows Vista) security plan.

#HuntingTipOfTheDay
If you're in a SOC or IR role and don't use @GitHub because "you're not a developer", read on! It can be powerful when paired with #VirusTotal.

Came across this interesting command. What is it doing? 🤔 It certainly seems to be mucking with the event log, given the security parameter, it seems clear it's interested in the Windows security event log.
The most obvious explanation is that it is deleting records--the ones that correspond to the EventRecordIDs listed.

Some of my #infosec infographics in one thread
👇👇👇 Adversaries need credentials more than malware. Avoid the sins of Windows credential administration
📎

https://twitter.com/JohnLaTwC/status/682351102688284672

True #DFIR Tales
👇👇👇

https://twitter.com/JohnLaTwC/status/769548547515486209

#HuntingTipOfTheDay
Battle test your rules. Here is an incomplete detection rule for saving a specific registry key. How many ways can you come up with to bypass it? (reply!)

(?i)(reg)[\.(exe)]*\s+save\s+hklm\\HARDWARE

Here's how you play🕹️:
👇👇👇 1⃣ Go to regex101.com and paste the regex in.
2⃣ Develop test strings. A highlighted match means blueteam wins. Keep trying.
3⃣ Once you have a string with no match, verify the test string successfully dumps the regkey.
4⃣ 🍻

Some very interesting XLLs in the wild (#blueteam take note!). Will link to some research in this thread. This one loads a payload from an embedded resource and displays a decoy message.
📎virustotal.com/gui/file/1994a…
🎁🎇joesandbox.com/analysis/21041…

https://twitter.com/moo_hax/status/1314429486335549440

This XLL decodes a Base64 string using CryptStringToBinary and uses the Nt APIs to jump to it.
📎virustotal.com/gui/file/5644a…

Want to see the most beautiful equation in math? I’ll show you. It starts with the Roots of Unity.

"The best way to show that a stick is crooked is not to argue about it or to spend time denouncing it, but to lay a straight stick alongside it"
― D.L. Moody

https://twitter.com/_saadk/status/1288529007714107392

"There is no love, there are only proofs of love"
― Pierre Reverdy

Wonder how these tweets from 2015 aged:
1⃣

https://twitter.com/JohnLaTwC/status/682350922710659073

https://twitter.com/ryanaraine/status/1288519331379372032

2⃣

https://twitter.com/JohnLaTwC/status/682351102688284672

Full of avalanche debris to hike over and logs to traverse. Brush that is way over your head and tricky footing over a hidden floor of logs, roots, and holes. And hazards.

Pacific Northwest: If you look closely at this panoramic view of Gold Creek Valley (Cascades in WA state), notice the downed trees at left and the bare mountainside with waterfalls at right. In 2007 there was a massive avalanche on the right side. The force was so strong it carried across Gold Creek and up the left side of the valley causing the trees to fall UPHILL.

This month marked 20 years at Microsoft. Here’s how I celebrated:

This change @DidierStevens talks about starts with a file discussed on twitter:

https://twitter.com/DidierStevens/status/1243943478557577216

This started with a pentest Excel4 macro file by @spamv noticed by @malwrhunterteam:
🔗virustotal.com/gui/file/ccef6…
🧐

https://twitter.com/JohnLaTwC/status/1242546135169785856

Inspired by this @FireEye post on VBA stomping and the excellent research by @VessOnSecurity @StanHacked @haroldogden @bigmacjpg @OrOneEqualsOne @DidierStevens @ptrpieter @a_tweeter_user @malwaresoup @femmeshoto

I did some spelunking for VBAStomped files. Here's a roundup
👇👇 What is VBA Stomping? One powerful use of it is to make the source code of a macro say one thing, but execute something else by changing the generated pcode:

(all credit to @VessOnSecurity, @StanHacked, @OutflankNL, TEAM @Walmart, and more)

#FFVT Follow Friday on interesting VT Submitter Ids. My first is ec31b410 uploading from Denmark. Examples in this thread Maldocs that launch code via CreateShortcut and SendKeys
🔗virustotal.com/gui/file/6d630…
🔗virustotal.com/gui/file/65420…

Would someone use the Olympics to phish? Yes, yes they would.
🆕hxxps://amazingmonkeys.es/tokyo2020comiteeolympic/
🆕hxxps://amazingmonkeys.es/olympiccomitee/
hxxps://154dst.com/comiteeolympic/
hxxps://154dst.com/olympiccomitee/
hxxps://154dst.com/olympicinternationalcomitee/ and
🆕hxxps://amazingmonkeys.es/tokyo2020portal/