HOW TO build your lab to attack a modern Microsoft cloud environment that is protected by Microsoft Defender ATP
https://emptydc.com/2019/03/31/go-hack-yourself/amp/#click=https://t.co/pwk7ZK2eHv
If you try to think like an attacker, you will be better able to understand how to protect your environment.
#redteam #blueteam #dfir
Empty Datacenter - 100% Cloud
Go, hack yourself!
While talking about the protection mechanisms in modern cloud environments, one tends to forget the other side. You must know your enemy in order to fight him successfully. Today we will build a la…
Blue ATT&CK will help blue teams in scoring and comparing data source quality, visibility coverage, detection coverage and threat actor behaviours. The Blue ATT&CK framework consists of a Python tool, YAML administration files and scoring tables for the different aspects.
https://github.com/rabobank-cdc/Blue-ATTACK
#blueteam #dfir #ir
Velociraptor - a great open-source #EDR tool influenced by GRR and osquery!
https://velociraptor-docs-staging.velocidex.com/
#ThreatHunting #DFIR
Velocidex
Velociraptor: Hunting Evil!
The Easy Way to Learn DFIR
The fact is, perception is not reality, and that virtually everyone in this field of DF/IR/Infosec struggles to learn using every spare minute, any affordable resource, and every free resource available. In totality of the field, a very minute number of people can spend years in training and education while at the same time being able to work and have a life outside of work. It’s just not a realistic scenario for the vast majority.
https://brettshavers.com/brett-s-blog/entry/the-easy-way-to-learn-dfir
#forensics #dfir #blueteam #learning
Brett Shavers
The Easy Way to Learn DFIR
Summary: There is no easy way to learn DFIR. You can stop reading from here if you want. Longer version: Ok. Since you are still reading, you ...
Windows EVTX Samples
This is a container for Windows event samples (EVTX) associated with specific attack and post-exploitation techniques
https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
#threathunting #dfir #forensics #blueteam
GitHub
GitHub - sbousseaden/EVTX-ATTACK-SAMPLES: Windows Events Attack Samples
Caught in the Web of Shells?
I barely remember a security incident that I worked on where the adversary didn't use web shells here or there. Web shells are effective, publicly available, and sort of hard to discover — they say.
In this piece, I will try to address the discovery challenge by sharing ideas and techniques for web shells hunting and ultimately turn the web shell from a capability to a liability for the adversary.
https://medium.com/@ashabdalhalim/caught-in-the-web-of-shells-e40524ca8097
#dfir #threathunting #webshell
Medium
Caught in the Web of Shells?
Be the spider not the prey
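The post above is about hunting web shells rather than waiting to stumble on them. As an added example (this is not code from the linked Medium piece), the script below walks a web root and scores server-side script files on indicators a hunter looks for: execution sinks, decoding/obfuscation helpers, request input flowing straight into a sink, and high-entropy one-liners. The indicator list, weights and threshold are this example's own heuristics, and the sample files it writes into a temporary directory are constructed; tune the patterns to the stack you run.

```python
"""Added example: heuristic web-shell hunt over a web root (not from the linked post)."""
import math
import os
import re
import tempfile

# Indicators commonly found in PHP/ASP/JSP web shells. Weights are assumptions.
INDICATORS = [
    (re.compile(r"\b(eval|assert|create_function)\s*\(", re.I), 3),
    (re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I), 3),
    (re.compile(r"\bbase64_decode\s*\(", re.I), 2),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[", re.I), 1),
    (re.compile(r"preg_replace\s*\([^,]*/e", re.I), 3),             # PHP /e modifier
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\(", re.I), 3),       # JSP
    (re.compile(r"\bWScript\.Shell\b|\bCreateObject\(", re.I), 2),  # classic ASP
]
# Request parameter passed (optionally through one decoder) straight into a sink:
# the strongest single signal, so it carries a bonus on top of the hits above.
INPUT_TO_SINK = re.compile(
    r"\b(eval|system|passthru|shell_exec|exec|assert)\s*\(\s*(?:\w+\s*\(\s*)?"
    r"\$_(GET|POST|REQUEST|COOKIE)\[",
    re.I,
)
EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or base64 blobs score well above plain source."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_source(text: str) -> tuple[int, list[str]]:
    """Return (score, matched indicators) for one file's contents."""
    score, hits = 0, []
    for pattern, weight in INDICATORS:
        n = len(pattern.findall(text))
        if n:
            score += weight * min(n, 3)      # cap so a big legit file cannot run away
            hits.append(f"{pattern.pattern}:{n}")
    if INPUT_TO_SINK.search(text):
        score += 5
        hits.append("request-input-to-exec-sink")
    raw = text.encode("utf-8", "replace")
    # Long, high-entropy, (almost) single-line files are typical of packed shells.
    if len(raw) > 512 and shannon_entropy(raw) > 5.5 and text.count("\n") < 5:
        score += 3
        hits.append("high-entropy-one-liner")
    return score, hits


def hunt(web_root: str, threshold: int = 5) -> list[dict]:
    """Score every script file under web_root; return findings above threshold."""
    findings = []
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            score, hits = score_source(text)
            if score >= threshold:
                findings.append({"path": path, "score": score, "hits": hits})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample web root: a benign page plus a classic one-line PHP shell
# dropped into an upload directory. Neither is taken from a real incident.
BENIGN = "<?php\necho 'Hello, ' . htmlspecialchars($_GET['name']);\n"
SHELL = "<?php @eval(base64_decode($_POST['c'])); ?>"


def demo() -> list[dict]:
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(BENIGN)
    with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
        fh.write(SHELL)
    return hunt(root)


if __name__ == "__main__":
    for f in demo():
        print(f["score"], f["path"], ", ".join(f["hits"]))
```

Run it against a copy of the document root taken from a forensic image rather than the live server, and treat the score as a triage order, not a verdict: a benign admin tool can score high, so every hit still needs eyes on the file and on the access log entries that reached it.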
Citrix ADC (NetScaler) CVE-2019-19781 DFIR Notes
https://x1sec.com/CVE-2019-19781-DFIR
#citrix #dfir #forensics #blueteam
macOS Forensics: The Next Level – Taming the T2 Chip & More
https://github.com/ydkhatri/Presentations/blob/master/macOS%20Forensics-MUS2020.pdf
#dfir #macos #forensics #blueteam
GitHub
Presentations/macOS Forensics-MUS2020.pdf at master · ydkhatri/Presentations
Slides and material from my conference presentations - Presentations/macOS Forensics-MUS2020.pdf at master · ydkhatri/Presentations
AirDrop Forensics
https://kieczkowska.com/2020/06/15/airdrop-forensics/
#macos #forensics #blueteaming #dfir
Kinga Kieczkowska // #tech #dfir #infosec
AirDrop Forensics
✨ Welcome to AirDrop forensics! ✨ Let’s start with the basics: what is AirDrop? It’s a file-sharing service in macOS and iOS which uses both Bluetooth and WiFi to transfer files from on…
Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5
In the third part of F-Secure Consulting's Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be they users or file shares, and methods for moving between compromised hosts. We also explored the detection strategies that can be employed to spot these using our own detection stacks. As with previous workshops, the following blog provides a fifth and final step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader's understanding of the concepts shown.
https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5/
https://www.youtube.com/watch?v=Pv8eHC1a_bc
#redteaming #blueteaming #dfir #windows
YouTube
Attack Detection Fundamentals: Workshop #3 - Discovery and Lateral Movement
Alfie Champion led our third workshop of the series where he explores and demos opportunities to detect an attacker:
- Detect an attacker as they seek to discover high-value assets within your environment, including file shares and Active Directory groups. …
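Both the EVTX-ATTACK-SAMPLES repository above and the F-Secure lateral-movement lab come down to the same exercise: take Windows Security events for a technique and write the logic that spots it. As an added example (not code from either the repository or the F-Secure workshop), the script below parses events in the XML shape of an EVTX export and runs two simple rules over them: a single account and source address producing network logons (4624, logon type 3) to several distinct hosts inside a short window, and access to an administrative share (5145 with ADMIN$ or C$). The events are constructed for the example; the window size, host count and share list are assumptions to adjust for your environment.

```python
"""Added example: two lateral-movement detections over EVTX-style XML events
(constructed sample data; not from EVTX-ATTACK-SAMPLES or the F-Secure lab)."""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample in the XML layout an EVTX export uses. Not real telemetry.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2020-06-15T10:00:01.000Z"/><Computer>SRV01.corp.local</Computer></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2020-06-15T10:02:10.000Z"/><Computer>SRV02.corp.local</Computer></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2020-06-15T10:03:00.000Z"/><Computer>WS-JSMITH.corp.local</Computer></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2020-06-15T10:04:00.000Z"/><Computer>FS01.corp.local</Computer></System>
 <EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.9</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2020-06-15T10:05:30.000Z"/><Computer>SRV03.corp.local</Computer></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5145</EventID><TimeCreated SystemTime="2020-06-15T10:05:45.000Z"/><Computer>SRV03.corp.local</Computer></System>
 <EventData><Data Name="SubjectUserName">jsmith</Data><Data Name="ShareName">\\*\ADMIN$</Data><Data Name="RelativeTargetName">svc.exe</Data><Data Name="IpAddress">10.0.0.5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5145</EventID><TimeCreated SystemTime="2020-06-15T10:06:00.000Z"/><Computer>FS01.corp.local</Computer></System>
 <EventData><Data Name="SubjectUserName">svc_backup</Data><Data Name="ShareName">\\*\Backups</Data><Data Name="RelativeTargetName">daily.bak</Data><Data Name="IpAddress">10.0.0.9</Data></EventData>
</Event>
</Events>"""

ADMIN_SHARES = ("ADMIN$", "C$")   # assumption: the admin shares worth alerting on


def parse_events(xml_text: str) -> list[dict]:
    """Flatten each <Event> into a dict: System fields plus every EventData/Data."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{NS}Event"):
        system = ev.find(f"{NS}System")
        data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{NS}Data")}
        stamp = system.find(f"{NS}TimeCreated").get("SystemTime")
        events.append({
            "event_id": int(system.findtext(f"{NS}EventID")),
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
            "computer": system.findtext(f"{NS}Computer"),
            **data,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_fanout(events: list[dict], window: timedelta = timedelta(minutes=10),
                  min_hosts: int = 3) -> list[dict]:
    """One account+source IP reaching min_hosts distinct hosts via network logon
    (4624, LogonType 3) within `window`: the shape of SMB/WMI/PsExec-style spraying."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("LogonType") == "3":
            by_source[(e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (user, ip), logons in by_source.items():
        for i, first in enumerate(logons):          # sliding window over sorted logons
            hosts = {e["computer"] for e in logons[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "network-logon-fan-out", "user": user,
                               "source_ip": ip, "hosts": sorted(hosts),
                               "start": first["time"]})
                break                               # one alert per source
    return alerts


def detect_admin_share(events: list[dict]) -> list[dict]:
    """5145 access to ADMIN$/C$: remote service install or file drop staging."""
    alerts = []
    for e in events:
        share = e.get("ShareName", "").rstrip("\\").upper()
        if e["event_id"] == 5145 and share.endswith(ADMIN_SHARES):
            alerts.append({"rule": "admin-share-access", "user": e.get("SubjectUserName"),
                           "source_ip": e.get("IpAddress"), "host": e["computer"],
                           "share": e.get("ShareName"), "target": e.get("RelativeTargetName"),
                           "time": e["time"]})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for a in detect_fanout(evs) + detect_admin_share(evs):
        print(a)
```

Against this sample the fan-out rule fires once for jsmith from 10.0.0.5 (SRV01, SRV02, SRV03 inside six minutes; the interactive type-2 logon and the single svc_backup logon are ignored), and the share rule fires once for the ADMIN$ write of svc.exe. Pointing the same parser at real exports from the EVTX-ATTACK-SAMPLES repository is a quick way to see which of your rules survive contact with a technique's actual event sequence, and which need the 5145 auditing or logon auditing policy turned on first.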
Masking Malicious Memory Artifacts Part II: Insights from Moneta
This is the second in a series of posts on malware forensics and bypassing defensive scanners, part one of which can be found here. It was written with the assumption that the reader understands the basics of Windows internals, memory scanners and malware design.
https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta
#forensics #blueteaming #dfir #malware
ForrestOrr
Masking Malicious Memory Artifacts – Part II: Blending in with False Positives
Introduction: With fileless malware becoming a ubiquitous feature of most modern Red Teams, knowledge in the domain of memory stealth and detection is becoming an increasingly valuable skill to add to both an attacker and defender's arsenal. I've written this…