Nasreddine Bencherchali
Detection @nextronsystems | @sigma_hq & LOLDrivers maintainer | Avid learner and passionate about all things #Detection #Sigma
Jan 8 15 tweets 7 min read
As we all know, true APTs and TAs avoid using "whoami" as it's a sign of weakness.

So here is a thread of 14 examples of APTs and TAs executing it over the years.

MosesStaff By Checkpoint

1/🧵 research.checkpoint.com/2021/mosesstaf…
RATANKBA by TrendMicro

2/🧵 trendmicro.com/en_us/research…
Jan 12, 2023 6 tweets 2 min read
A lesser-known event log I recently found for tracking malicious AppX installations is the "Microsoft-Windows-AppXDeploymentServer/Operational". Here are a couple of ways you can leverage it, with some free SIGMA rules at the end. 🧵

EID 401 with ErrorCode "0x80073cff" (related to policy errors). This could indicate an attempt to install unsigned packages that perhaps require sideloading to be enabled.
Feb 6, 2022 5 tweets 1 min read
EDRs/AVs sometimes trust certain locations or perform certain behavior when met with unexpected weirdness. Here are some ideas to check/test for the next time you have some alone time with your solution.

1/🧵 - EDRs are oftentimes configured to send telemetry via a pulling mechanism or via batches that can't exceed certain sizes per X time. Generating a lot of benign events before starting the attack could temporarily blind the EDR console.

2/
Dec 11, 2021 8 tweets 12 min read
Feb 2, 2021 6 tweets 7 min read
Following @SwiftOnSecurity's amazing thread ().

I've compiled some of the tools mentioned in it with their corresponding links in the thread below (for reference and easy finding).

1. Pressing the F5 key in Notepad will insert a timestamp
2. RpcPing (docs.microsoft.com/en-us/windows-…)
3. Qwinsta (docs.microsoft.com/en-us/windows-…)
4. Log Parser Lizard (lizard-labs.com/log_parser_liz…)
5. Dependency Walker (dependencywalker.com)
6. Sysinternals (docs.microsoft.com/en-us/sysinter…)