de uno (@dresecx)'s Twitter Profile

de uno (@dresecx)

Curious about security

ID: 1280382273225986049

Joined: 07-07-2020 06:05:33

216 Tweets

172 Followers

1.1K Following

Red Canary (@redcanary)

The 2022 Threat Detection Report is out! Join us in counting down the most prevalent threats we encountered in our customers' environments last year. We'll reveal a new threat every hour in this thread (Or just download the report & see them all now) redcanary.com/resources/guid…

The DFIR Report (@thedfirreport)

🎉 Congratulations to our winners 🎉

🥇1st Place: d1d1d1 de uno (@DreSecX)
🥈2nd Place: mohan Mohan (@imohanasundaram)
🥉3rd Place: m.frithnz Friff (@Friffnz)

We hope everyone enjoyed playing in our #DFIRLabsCTF!
Stephan Berger (@malmoeb)

Dropping ngrok in a ZIP file onto disk results in the file being removed and an alert being raised, but installing ngrok via winget works just fine? 🤔🤷‍♂️
Stephan Berger (@malmoeb)

I'm playing around with the "Controlled Folder Access" feature in Microsoft Defender because we saw the following alert during a recent incident response case:

C:\Windows\System32\mstsc.exe has been blocked from modifying %userprofile%\Documents\ by Controlled Folder Access.
CyberDefenders®™ (@cyberdefenders)

Most SOC teams miss Kerberos attacks because they look like normal authentication traffic.
Golden tickets, Kerberoasting, AS-REP roasting, here are the exact Event IDs and detection queries you need to catch them.

Saved this cheatsheet? Your future incident response will thank
Florian Roth ⚡️ (@cyb3rops)

If I wanted a scripting language optimised for maximum obfuscation and signature evasion, I’d model it on PowerShell

This talk by Daniel Bohannon (@danielhbohannon) breaks down the real-world methods attackers use
youtube.com/watch?v=mej5L9…
Stephan Berger (@malmoeb)

I analyzed and recreated (a simpler version) of a PHP backdoor we detected in a recent Incident Response engagement. I used the backdoor to install an RMM agent on the compromised machine; the installed EDR did not raise a single alert.

You might want to read the accompanying
Amjad Masad (@amasad)

NPM worm “Shai Hulud” is back and you can see a list of people getting pwned in realtime by refreshing this GitHub search page.

When a user is infected the worm collects API keys and secrets and pushes them to a new repo on GitHub.
vx-underground (@vxunderground)

If you want to learn more about malware the easiest method is learning malware TTPs (Threats Tactics and Procedures). Basically, understand some of the techniques employed by malware authors to do stuff

Some malware techniques are simple and old

Some malware techniques are
IT Unprofessional (@it_unprofession)

Last week I hosted family for Thanksgiving. My 12-year-old nephew asked for the WiFi password. He wanted to play Roblox on his iPad. I looked at the device. Unmanaged. No antivirus. No encryption. I’m an IT Professional. I don't run an open network. So I didn’t give him the

Feross (@feross)

Last night my wife asked me to install a “cute little npm package” she found on GitHub. I checked the code. No lockfile. No 2FA. Seven maintainers with anime avatars. Last commit was “pls work” from 2019. Published from a username that looked like a WiFi password. The package

Peter Girnus (@gothburz)

Last week our CISO asked me to present on “zero trust architecture.” I don’t know what that means. I make $340,000 a year. I haven’t touched a firewall since Obama’s first term. But I have a CISSP. I passed by memorizing acronyms. I still don’t know what half of them stand for. I

vx-underground (@vxunderground)

In regards to "cyber influencers", here is a list of people I think are actually great. However, I am extremely biased toward malware related content and/or low-level programming stuff. Unfortunately, some of the really technical people I like also do not post too often. They

IT Unprofessional (@it_unprofession)

People keep asking me how I got into IT. I got into IT because I was too socially awkward for sales and too impatient for engineering. In 2009, I was the only IT person at a 40-person startup. Everything was my fault. Server down? My fault. Email slow? My fault. Someone's