I rarely use this account anymore, but due to the potential #Okta breach here are some SIEM rules which could potentially be useful running back over the past 90 days of data if you can.

github.com/SigmaHQ/sigma/…

github.com/elastic/detect… @ZephrFish Has also shared the below hunting opportunities to add to the above links

https://twitter.com/zephrfish/status/1506228921142063107

LONG THREAD.

Here are some detections / preventions in response to the DarkSide findings.

INITIAL COMPROMISE

Password attacks on perimeter. 2FA everything. Set lockout thresholds on logins. Ingest logs to SIEM and monitor for brute force attempts and impossible travel.
1/14

https://twitter.com/likethecoins/status/1392249090260537344

ItAlso as mentioned the attackers potentially accessed the VPN to disable MFA. Onboard your network devices to SIEM and monitor change events.

Malicious emails. Read this tweet -

https://twitter.com/tinkersec/status/1392196981733445635?s=21

.

2/14

A quick thread.

Review of the URL's submitted to URLhaus in the past 30 days.

53109 URLs reported, lets look for patterns; which we can use for threat hunting and detection in DNS entries and proxies logs.

#infosec #cybersecurity #threathunting 25494 of the URLs end with Mozi.m, relating to the Mozi Botnet - securityintelligence.com/posts/botnet-a…. To detect this, we can look for the regex pattern .*Mozi\.m$

A further 4636 of the URLs end with Mozi.a, related to the above. We can detect this using regex pattern .*Mozi\.a$

Quick #Emotet thread with detections / mitigations etc since there has been a spike in the past few months.

Firstly, it is worth blocking the URL's, Domains and IP addresses found at the following links -

paste.cryptolaemus.com
feodotracker.abuse.ch/downloads/ipbl…
urlhaus.abuse.ch/downloads/csv_… Cryptolaemus also contains Emotet hashes in their releases - check for these on your network if possible.

Next, It is worth setting up detections in your SIEM for any communications to the URL's, Domains and IP addresses found at the following links -

SIEM info thread.

I have posts with rules, SIEM best practices, threat hunting - blueteamblog.com

Free SIEM rules -

• github.com/Azure/Azure-Se…
• github.com/Neo23x0/sigma/…
• github.com/elastic/detect…
• github.com/elastic/detect…
•my.socprime.com/tdm/ (partially free) Understanding commonly used log formats :

Windows Security Event Logs – search Event ID here – ultimatewindowssecurity.com/securitylog/en……
Azure AD Audit logs – docs.microsoft.com/en-us/azure/ac…
Azure AD SignIn logs – docs.microsoft.com/en-us/azure/ac……
Linux Logs – plesk.com/blog/featured/……

1/2

I have a lot of people asking me ‘Will SOAR / Automation in general replace SOC/Cybersecurity Analyst jobs in X number of years’

My opinion - Simple answer, no.

Long answer, it is already (and will in all SOCs in the future) replace simple tasks such as copy pasting info

1/ From tools into ticketing platforms, sorting mailboxes, running scans on IOCs and things such as this. (Which in a lot of cases are currently classed as Tier/Level 1 analysts tasks)

It will not replace expert knowledge, such as in-depth analysis skills, remediating difficult

2/

Work in #Infosec / #CyberSecurity?

Here are some tools I have been using recently that I think will make your life easier!

Got any you would like to share? Put them in the comments. 😀

Sooty (All in one CLI tool) - github.com/TheresAFewCono… Intel Owl (Threat intel data about a specific file IOC from a single API at scale) - github.com/intelowlprojec…

Cyber Chef (Web app for carrying out all manner of "cyber" operations within a web browser.) - gchq.github.io/CyberChef/