blueteamblog
Cybersecurity Analyst. Check out my blog - https://t.co/qa2sTk68xY Support my site - https://t.co/9YbuoGMDb2
Mar 22, 2022 7 tweets 3 min read
I rarely use this account anymore, but due to the potential #Okta breach here are some SIEM rules which could potentially be useful running back over the past 90 days of data if you can.

github.com/SigmaHQ/sigma/…

github.com/elastic/detect…

@ZephrFish has also shared the below hunting opportunities to add to the above links.
May 12, 2021 16 tweets 7 min read
LONG THREAD.

Here are some detections / preventions in response to the DarkSide findings.

INITIAL COMPROMISE

Password attacks on perimeter. 2FA everything. Set lockout thresholds on logins. Ingest logs to SIEM and monitor for brute force attempts and impossible travel.
1/14

Also, as mentioned, the attackers potentially accessed the VPN to disable MFA. Onboard your network devices to SIEM and monitor change events.

Malicious emails. Read this tweet - .

2/14
Jan 7, 2021 11 tweets 3 min read
A quick thread.

Review of the URLs submitted to URLhaus in the past 30 days.

53109 URLs reported, let's look for patterns which we can use for threat hunting and detection in DNS entries and proxy logs.

#infosec #cybersecurity #threathunting

25494 of the URLs end with Mozi.m, relating to the Mozi Botnet - securityintelligence.com/posts/botnet-a…. To detect this, we can look for the regex pattern .*Mozi\.m$

A further 4636 of the URLs end with Mozi.a, related to the above. We can detect this using regex pattern .*Mozi\.a$
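The two regex patterns above applied to sample proxy log lines, as an added example that is not part of the original thread. It assumes a constructed log format of "<timestamp> <client_ip> <url>", matches against the URL path rather than the whole line so a trailing query string cannot hide the filename, and adds case-insensitive matching as a tuning choice of my own; all addresses are documentation ranges, not real indicators.

```python
import re
from urllib.parse import urlparse

# Patterns from the thread, applied to the URL path (not the whole log line)
# so a query string or fragment after the filename does not defeat the
# end-of-string anchor. IGNORECASE is an assumption: some proxies normalise case.
MOZI_PATTERNS = {
    "mozi_m": re.compile(r".*Mozi\.m$", re.IGNORECASE),
    "mozi_a": re.compile(r".*Mozi\.a$", re.IGNORECASE),
}

def classify_url(url):
    """Return the name of the Mozi pattern the URL path matches, else None."""
    path = urlparse(url).path
    for name, pattern in MOZI_PATTERNS.items():
        if pattern.match(path):
            return name
    return None

def hunt_proxy_log(lines):
    """Scan constructed proxy log lines '<timestamp> <client_ip> <url>' and
    return one (client_ip, url, pattern_name) tuple per hit, in log order."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the hunt
        _ts, client_ip, url = parts[0], parts[1], parts[2]
        name = classify_url(url)
        if name:
            hits.append((client_ip, url, name))
    return hits

# Constructed sample log lines (RFC 5737 / RFC 1918 addresses, not real IoCs).
SAMPLE_LOG = [
    "2021-01-05T10:22:01Z 10.0.0.5 http://192.0.2.10:41463/Mozi.m",
    "2021-01-05T10:22:03Z 10.0.0.5 http://example.com/index.html",
    "2021-01-05T10:22:07Z 10.0.0.9 http://192.0.2.11:39115/bin/Mozi.a?x=1",
    "2021-01-05T10:22:09Z 10.0.0.9 http://198.51.100.7/Mozi.m.txt",
    "malformed line",
    "2021-01-05T10:22:11Z 10.0.0.12 http://198.51.100.8/MOZI.M",
]

if __name__ == "__main__":
    for client_ip, url, name in hunt_proxy_log(SAMPLE_LOG):
        print(f"{name}: {client_ip} -> {url}")
```

The fourth sample line (Mozi.m.txt) is deliberately not matched: the `$` anchor requires the filename to end at Mozi.m, which is what keeps the pattern from firing on unrelated paths.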
Jan 6, 2021 7 tweets 5 min read
Quick #Emotet thread with detections / mitigations etc, since there has been a spike in the past few months.

Firstly, it is worth blocking the URLs, domains and IP addresses found at the following links -

paste.cryptolaemus.com
feodotracker.abuse.ch/downloads/ipbl…
urlhaus.abuse.ch/downloads/csv_…

Cryptolaemus also contains Emotet hashes in their releases - check for these on your network if possible.

Next, it is worth setting up detections in your SIEM for any communications to the URLs, domains and IP addresses found at the following links -
Dec 21, 2020 5 tweets 5 min read
SIEM info thread.

I have posts with rules, SIEM best practices, threat hunting - blueteamblog.com

Free SIEM rules -

github.com/Azure/Azure-Se…
github.com/Neo23x0/sigma/…
github.com/elastic/detect…
github.com/elastic/detect…
my.socprime.com/tdm/ (partially free)

Understanding commonly used log formats:

Windows Security Event Logs – search Event ID here – ultimatewindowssecurity.com/securitylog/en…
Azure AD Audit logs – docs.microsoft.com/en-us/azure/ac…
Azure AD SignIn logs – docs.microsoft.com/en-us/azure/ac…
Linux Logs – plesk.com/blog/featured/…

1/2
Dec 13, 2020 7 tweets 2 min read
I have a lot of people asking me ‘Will SOAR / Automation in general replace SOC/Cybersecurity Analyst jobs in X number of years’

My opinion - Simple answer, no.

Long answer, it is already (and will in all SOCs in the future) replace simple tasks such as copy-pasting info

1/
From tools into ticketing platforms, sorting mailboxes, running scans on IOCs and things such as this. (Which in a lot of cases are currently classed as Tier/Level 1 analysts tasks)

It will not replace expert knowledge, such as in-depth analysis skills, remediating difficult

2/
Nov 22, 2020 4 tweets 3 min read
Work in #Infosec / #CyberSecurity?

Here are some tools I have been using recently that I think will make your life easier!

Got any you would like to share? Put them in the comments. 😀

Sooty (All in one CLI tool) - github.com/TheresAFewCono…

Intel Owl (Threat intel data about a specific file IOC from a single API at scale) - github.com/intelowlprojec…

Cyber Chef (Web app for carrying out all manner of "cyber" operations within a web browser.) - gchq.github.io/CyberChef/