ExcreamOnSecurity
root@ExcreamOnSecurity: % cat ~/etc/topics.allow

- Offensive Security (Red Teaming / PenTesting)
- BlueTeam (OperationSec, ThreatHunting, DFIR)
- Reverse Engineering / Malware Analysis
- Web Security
Blue ATT&CK will help blue teams in scoring and comparing data source quality, visibility coverage, detection coverage and threat actor behaviours. The Blue ATT&CK framework consists of a Python tool, YAML administration files and scoring tables for the different aspects.

https://github.com/rabobank-cdc/Blue-ATTACK

#blueteam #dfir #ir

The Easy Way to Learn DFIR

The fact is, perception is not reality, and that virtually everyone in this field of DF/IR/Infosec struggles to learn using every spare minute, any affordable resource, and every free resource available. In totality of the field, a very minute number of people can spend years in training and education while at the same time being able to work and have a life outside of work. It’s just not a realistic scenario for the vast majority.

https://brettshavers.com/brett-s-blog/entry/the-easy-way-to-learn-dfir

#forensics #dfir #blueteam #learning

Caught in the Web of Shells?

I barely remember a security incident, that I worked on, where the adversary didn’t use web shells here or there. Web shells are effective, publicly available, and sort of hard to discover — they say.
In this piece, I will try to address the discovery challenge by sharing ideas and techniques for web shell hunting and ultimately turn the web shell from a capability to a liability for the adversary.

https://medium.com/@ashabdalhalim/caught-in-the-web-of-shells-e40524ca8097

#dfir #threathunting #webshell

Citrix ADC (NetScaler) CVE-2019-19781 DFIR Notes

https://x1sec.com/CVE-2019-19781-DFIR

#citrix #dfir #forensics #blueteam

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #5

In the third part of F-Secure Consulting's Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be that users or file shares, and methods for moving between compromised hosts. We also explored the detection strategies that can be employed to spot these using our own detection stacks. As with previous workshops, the following blog provides a fifth and final step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader's understanding of the concepts shown.

https://labs.f-secure.com/blog/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5/
https://www.youtube.com/watch?v=Pv8eHC1a_bc

#redteaming #blueteaming #dfir #windows

Masking Malicious Memory Artifacts Part II: Insights from Moneta

This is the second in a series of posts on malware forensics and bypassing defensive scanners, part one of which can be found here. It was written with the assumption that the reader understands the basics of Windows internals, memory scanners and malware design.

https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta

#forensics #blueteaming #dfir #malware