Security_Badger (@security_badger) 's Twitter Profile
Security_Badger

@security_badger

I just push buttons, sometimes things happen #dfir #misec

ID: 868876332024967168

28-05-2017 17:07:15

809 Tweets

311 Followers

1,1K Following

Nasreddine Bencherchali (@nas_bench)

I believe communicating and understanding the intention of a detection rule is key to avoiding a lot of unnecessary pain during triage, tuning and bypass discussions. By design every detection is set to detect something. It's the responsibility of the author of said detection /1

rootsecdev (@rootsecdev)

The NSA has a free Ghidra debugging class if anyone is interested 👇 ghidra/GhidraDocs/GhidraClass/Debugger at master · NationalSecurityAgency/ghidra · GitHub github.com/NationalSecuri…

Jake Williams (@malwarejake)

If you have a few minutes before leaving work today, pick just one system and review logs for that system. If you don't know what the logs are telling you, research it. If you do, document it for the next analyst (who may not). Happy hunting!

Chris Sanders 🔎 🧠 (@chrissanders88)

Thanks to Nathan Swift and Microsoft for referencing my Intrusion Detection Honeypots book as an inspiration for their recent article on best practices for identity-based honeytokens. It's neat to see what people are doing with these concepts. techcommunity.microsoft.com/t5/microsoft-3…

rootsecdev (@rootsecdev)

Free workshop everyone Hands-On Workshop: Building Better Detections | Azure Edition | SANS Institute sans.org/webcasts/build…

Security_Badger (@security_badger)

What are five topics you can talk about for 30 minutes with zero prep? 1. Cybersecurity 2. Gardening 3. Star Wars 4. Anime 5. ADHD

Security_Badger (@security_badger)

Don’t think about it. Don’t try to be cool. Tell me; what was your favorite book when you were twelve? Off the top of my head:

Justin Elze (@hackinglz)

Many people, including myself, struggle with this as people rack up years in InfoSec. Remembering the behaviors that got you to where you are now might not be sustainable for 3,5,10,20+ years in your career, and that's ok. Many of us worked night and day on side projects,

Blue Team Con (@blueteamcon)

As part of our 2023 Call for Papers, we released a CFP Resources page. A page that helps those new to submitting to CFPs. We also released a form where you can submit your talk and get feedback before formally submitting! We have brought that back! See: blueteamcon.com/cfp-submission…

Nasreddine Bencherchali (@nas_bench)

I feel many people should actually work in the front line of defense. With broken SIEMs, unmanaged and underpaid teams, missing logs, broken workflows...etc. Many, and I mean many talk from their Ivory tower 6/7 figure job with the best, and taking one continent they live in or

Security_Badger (@security_badger)

My 2 cents on this, yeah it sucks having *your* stuff used in a way you didn't intend, but that is what hackers do. Our job as defenders is to make it more difficult and costly for attackers to operate in our environment. Detections rule, but aren't everything.

Chris Sanders 🔎 🧠 (@chrissanders88)

Evidence Insight 💾 - Internet Explorer/Edge WebCacheV DAT File Starting with IE 10, the WebCacheV*.dat file contains useful browser artifacts.