Jack Millman (@cyb3r_jack)'s Twitter Profile
Jack Millman

@cyb3r_jack

Endpoint Threat Detection and Response at @PwC_UK

ID: 987239751106383873

Joined: 20-04-2018 08:01:13

37 Tweets

184 Followers

229 Following

Jack Millman (@cyb3r_jack):

If you missed us, Join PwC again today at 2:15pm in Independence B/C for a fully loaded threat detection session - attack simulation, orchestration and automation, analyst workflow management and a demo #TaniumCONVERGE Oliver Smith @fromCharCode Chris AB Tanium

Kris McConkey (@smoothimpact):

"The members of the APT10 Group worked in an office environment and typically engaged in hacking operations during working hours in China"

Eric Zimmerman (@ericrzimmerman):

Do you need a standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm, .html, .mht, .csv, and .pdf where any non-supported files are shown in a hex editor (with data interpreter!)? #DFIR

CVE (@cvenew):

CVE-2019-9019 The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft, does not prevent the USB charging/data-transfer feature from interacting with USB keyboard and mouse devices, ... bit.ly/2BObUXn

Paul Seekamp (@nullenc0de):

Need to steal the password to a wireless network? Have access to Windows 8 or 10 box? 1) netsh wlan show profiles 2) netsh wlan show profile name=WIFI_NAME key=clear 3) Look for the “Key Content” line, the cleartext password will be there.

SpecterOps (@specterops):

Here is the link to the SpecterOps Adversary Tactics: PowerShell course material: github.com/specterops/at-… Enjoy! For information about our current training offerings, information can be found here: specterops.io/how-we-help/tr… (4/4)

The Haag™ (@m_haggis):

Alright, I think it's time we talk about MSBuild.exe. Not enough discussion around detecting malicious use. Here we go: github.com/MHaggis/CBR-Qu… Do you have any more to share? #DFIR #ThreatHunting

The Banshee Queen👑 (@cyberoverdrive):

I’ve been tracking #kimsuky for a while. Excited to share Part 1 of a 2-part series - exploring how the threat actor’s campaigns are connected by infrastructure overlaps, consistent TTPs, and overall strategic objectives. pwc.co.uk/issues/cyber-s…

Oddvar Moe (@oddvarmoe):

This also works really well: cmd.exe /c "gpupdate /force/../../../../../../../../../../windows/notepad.exe" and cmd /c "mshta.exe c:\temp\none.hta/../../../../../../../../../../windows/notepad.exe" Fun stuff to be had with this technique

Jack Millman (@cyb3r_jack):

Just recorded my breakout for Tanium #Converge2020, talking about how PwC use Tanium to ensure full coverage of PowerShell activity and avoid EDR blind spots. Join me this month to understand how you can too: converge.tanium.com/agenda/session… #tanium #powershell #threathunting #cyber

Samir (@sbousseaden):

make sure u monitor changes to the wbem default xsl templates (require admin but good option for persistence), an attacker may backdoor them to run malicious scripts via wmic bypassing process/cmdline based detections.

Samir (@sbousseaden):

looking for masquerading as legit system bins (lsass, csrss, svchost ...) from unusual directories ? don't forget about legit directory subdirs :D

Jack Millman (@cyb3r_jack):

New article from Richard Ackroyd and me on our global forensic artifact collection/analysis platform, which leverages Tanium and GCP technologies - an integral component of our #ThreatHunting methodology. Take a look! #cyber #tanium #gcp pwc.co.uk/issues/cyber-s…

Monzo 🏦 (@monzo):

Pay on the go using Monzo with Apple Pay. Head to your Wallet, or the Monzo app, to add your card today. More info: monzo.com/blog/2018/05/1…
