Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Dray Agha Profile picture
Dray Agha
@Purp1eW0lf
Hunt & Response Senior Manager @HuntressLabs || "Competition is the law of the jungle, but cooperation is the law of civilisation” - Kropotkin
Dec 5, 2022 7 tweets 3 min read
Think hiring is slowing down??

@HuntressLabs is hiring remote a Threat Operations Analyst 🇬🇧. UK citizenship is non-negotiable

You'll be working with myself, @xorJosh, @PonchoSec, and the rest of the squad!

I have some tips for those applying 🧵

boards.greenhouse.io/huntress/jobs/… I don't care about about degrees 📜

I barely care about certs.

I care about what your contributions have been to your community.

Do you have a github, a blog, a summary of a CTF you did ? GREAT, put the link in your resume
Oct 11, 2022 15 tweets 7 min read
For cyber security investigations, internal silos will make or break your efforts 🧱🧱🧱

I'll show you the power from a LACK of siloing, with a piping hot, fresh @HuntressLabs case @xorJosh and I worked

🧵🧶 What are 'silos'.

@keydet89 educated me on the industry problem where departments cannot easily share findings; a threat intel department doesn't have a way to share findings with DFIR department, for example.

IMO, Silos occur when data & people cannot be circulated easily
Sep 29, 2022 5 tweets 3 min read
Investigating an intrusion? 🕵️🔍

Start with the security solution on the machine. DON'T work hard to timeline the adversaries' activities, work smart👩‍🔬

In a @HuntressLabs case with @nosecurething and Jordan Sexton, we leveraged ESET's data before anything forensically complex🧵 Image This gave us a tonne of starter info
🟡 Timestamps threat actor operated in

🔴 Directories they liked to operate in, the user account they likely controlled, AND that the threat actor liked to use PwSh

🔵 Registry key they had used for persistence.

This saved us time....⏲️
Sep 8, 2022 10 tweets 5 min read
I wanted to share some findings about RDP, Network Layer Authentication, LogonTypes and brute forcing 🔭

Recently, we perused some EventID 4625s (login failures) originating from public IPv4s brute forcing...
🧵 I kept finding LogonType 3s (network)

However only RDP was externally exposed on the machine, which usually records LogonType 10....

When this has happened before, I usually just assume its Windows jank and continue with my investigation 🤷‍♂️

But this time, I wanted to know WHY
Aug 17, 2022 5 tweets 2 min read
In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials - using a technique known as NPPSPY

@0gtweet’s NPPSPY was fascinating to dissect and remediate.

Huge thanks to @keydet89 for guidance and wisdom Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product
Aug 16, 2022 13 tweets 7 min read
Cobalt Strike ain't 💩

Let's chat about how to unravel Cobalt Strike and deny the adversary further access

As ALWAYS, I am showing you data so fresh out the kitchen it hasn't even been cleared by ThreatOps Director @MaxRogers5 👀🧑‍🍳 🧵 Cobalt Strike can often trigger AMSI alerts in Defender. The frustrating thing about AMSI alerts is that they don't tell you what the offending activity WAS.

The alert here was PowerShell based....so let's dig a lil deeper
May 18, 2022 33 tweets 15 min read
Inspired by a SANS poster, I wanted to look at a couple of security solutions and see if their logs provided any key insights an analyst could leverage.

sans.org/posters/window… Image The scenario : if given only product-relevant raw data & logs, would X security solution have data on the host that provides any security value and help with our investigation.

This is a specific use case I know. But it's something I find myself needing every day at work
Mar 17, 2022 16 tweets 8 min read
SRUM is maybe one of the best Windows digital forensic artefacts, if you’re willing to roll your sleeves up.

You can get proof of execution and execution runtime, as well as proof of network communication and the bytes sent and received

Let's take a look in this #DFIR thread🧵 Since Win8, System Resource Usage Monitor (SRUM) monitors a bunch!

What we’re most interested in is its detailed record of programs and network activity.

SRUM has a LONG memory compared to some of the other more ephemeral artefacts📜
Mar 9, 2022 19 tweets 10 min read
As a security investigator, what are your thoughts when you see this result in your SIEM? 🚨

Bad, right?

Let’s discuss how we can conclude something is a false positive, and what we can do with that information🧵 When drafting some internal docs the other morning, I wanted a screenshot of an Elastic search.

Without intending to start any drama, I searched for a string associated with Impacket's lateral movement tools :

*\\\\127.0.0.1\\ADMIN*

github.com/SecureAuthCorp…
Feb 28, 2022 19 tweets 6 min read
Let’s have a chat about web browser investigations

We’ll look at Chrome, Edge, Firefox, and Safari’s data. And investigate if a user has downloaded anything from a dubious, malicious source.

Along the way, we'll drop tips on formatting the data so it's easier to look at.

🧵 We’re not concerned if other members of our org are looking at eBay or cat memes during work hours.

If your employer has tasked you to snoop on your peers' browser history, then dm me about finding a new job.

We're focusing on downloads and their corresponding URLs.
Feb 19, 2022 13 tweets 7 min read
Let's quickly look at how Defenders can benefit from tools like Chainsaw, Sigma, docs from KAPE & Velociraptor, and Security Onion 🕵️‍♂️

We'll use real, shady data - fresh out the kitchen 🧑‍🍳

Along the way, I'll share some tips and shortcuts to cut faster through data and logs

🧵 We had an alert for a ScreenConnect session on a DC involving a PowerShell script called 'LAPSToolkit'

This COULD could be for legitimate auditing. But adversaries have been known to use ScreenConnect for their campaigns.

github.com/leoloobeek/LAP…

huntandhackett.com/blog/revil-the…
Feb 13, 2022 15 tweets 8 min read
This is a cool bit of offensive Nim from @WhyDee86

Let's unravel this from a Defenders point of view 🧵

We'll start with some basic reverse engineering analysis, and then move into monitoring this from an ELK stack

TLDR: A decent SIEM setup will catch this. Let's start off by compiling it.

We'll then analyse it like we don't know the source code, and we're investigating malware on a machine.

If your compile fails, you'll likely need to download winim library.

[Winim github.com/khchen/winim#i…]
Feb 7, 2022 8 tweets 4 min read
This is awesome, thank you @x86matthew.

I wanted to share a blue team perspective on monitoring and hunting for this kind of LNK -> EXE bamboozling

We'll use the example PoC if that's alright with you 🧵 Let's execute the PoC of the .LNK, which brings a pop up.

@x86matthew was kind enough to create a non-malicious PoC. But of course an adversary will not be so kind.

So let's take a look at our logs: Image
Nov 22, 2021 6 tweets 5 min read
This article contains DFIR techniques I've used IRL, in investigations where the event logs can't be used.

The real hard work has been done by the articles' referenced tool creators and educators
@davisrichardg / @13CubedDFIR
@scudette / @velocidex
@EricRZimmerman
🧵
1/6 The first technique in the article discusses how to retrieve the PowerShell history for every user account via the 'ConsoleHost_History file' (typically enabled on Windows 10 endpoints)
2/6