James D (@frantictyping)'s Twitter Profile
James D

@frantictyping

Threat Hunting | Detection Engineering | Defensive Automation (ex @Countercept, @mwrlabs)

ID: 14573968

Website: http://blog.securehat.co.uk
Joined: 28-04-2008 19:33:15

390 Tweets

821 Followers

446 Following

Dray Agha (@purp1ew0lf):

Let's quickly look at how Defenders can benefit from tools like Chainsaw, Sigma, docs from KAPE & Velociraptor, and Security Onion 🕵️‍♂️ We'll use real, shady data - fresh out the kitchen 🧑‍🍳 Along the way, I'll share some tips and shortcuts to cut faster through data and logs 🧵

RandomAccessMusings (@rndmaccssmsngs):

F-Secure is hiring my replacement, a new Head of Threat Intelligence, based in Europe. This is a genuinely exciting opportunity to grow a CTI capability from its infancy into a mature function. The role has a lot of freedom to pursue as desired and.. emp.jobylon.com/jobs/120443-f-…

Kostas (@kostastsale):

I usually make short-form satirical videos for fun, but never share them with the world. This time tho, I thought I'd make one for the infosec community. Some might even find it educational 😅 If you're in #infosec and you feel a little down this week, this video is for you💙

Jimmy Vo (@jimmyvo):

I may be very late on this but I stumbled on 🦊 GitLab's handbook for transparency and I really enjoy reading through the reporting on their Security team's KPIs: about.gitlab.com/handbook/engin…

Patrick Wardle (@patrickwardle):

macOS malware often (ab)uses APIs (such as NSCreateObjectFileImageFromMemory, NSLinkModule, etc.) to execute in-memory payloads. Apple has recently updated dyld3 (+these APIs), such that the in-memory payload is now first/always written out to disk 💾 See: github.com/apple-oss-dist…

Jared Atkinson (@jaredcatkinson):

Check out the first post in my new blog series "On Detection: From Tactical to Functional". The first post explores how we can leverage source code to discover which API functions an attack tool is using, which serves as a base for further investigation. posts.specterops.io/on-detection-t…

James D (@frantictyping):

Really cool to see this tool finally public! If you’re still viewing alert data in a jira ticket, I’d recommend checking out the approach DetectTree takes to visualise detections, it makes a massive difference.

Russ McRee (@holisticinfosec):

Hunt, search, and extract Windows event log records with Chainsaw, now in #toolsmith 148. Experiments with an old #DFIR malware case, as well as APT Simulator. The saw is the law! Alex Kornitzer, James D, sigma, Florian Roth ⚡️ holisticinfosec.io/post/chainsaw/

Dray Agha (@purp1ew0lf):

Dude, you can wipe whatever WEVTXs you want 🪠 Huntress gon' find the user accounts, session times, machines, and method for your lateral movement 🕵️‍♀️ You'd be surprised what #RDP-related event logs can reveal ponderthebits.com/2018/02/window…

mark (@magerbomb):

Our team at Elastic has been developing this feature for almost six years and we are excited to share our work with the security research community. Thanks to Gabriel Landau, William Burgess and many others who have contributed to this effort over the years!

James D (@frantictyping):

The first part of my blog series on how we’ve been scaling detection and response operations at Coinbase is live! Interested in speeding up your investigations, increasing the visibility of key data sources, and improving quality of life for analysts? coinbase.com/blog/scaling-d…

James D (@frantictyping):

Scaling detection and response operations at Coinbase part 2 & 3:
🔍 Driving context into detection logic with machine and user profiles
🔧 Codifying automatic remediation for high-risk detections
📫 Automating alert triage with employees via Slackbot
coinbase.com/blog/scaling-d…

James D (@frantictyping):

My talk "Scaling Detection and Response Teams - Enabling Efficient Investigations" is at 3:45pm today at #BSidesLDN2023 on track 2! Come down and say hi if you're around 😀 pretalx.com/bsides-london-…