Google's latest BlackFile writeup reinforces two points I have been talking about a lot recently.
In the report they detail how UNC6671 was observed using scripts to harvest data from SharePoint and OneDrive. In one case, the actor accessed and downloaded over 1 million files.
Two things the article reinforced for me:
1: Volume/threshold-based detections for resource access are incredibly important.
What does abnormal resource access look like in your tenant? How many files should one user access in an hour? In a day? When does that activity stop looking like normal work?
2: The importance of having well-placed canary tokens in the productivity suite.
Attackers are going to search and pull data from the places users already work every day. SharePoint and OneDrive need canary tokens, not just logs waiting to be reviewed after the fact.
Detecting post-exploitation behavior is even more critical in this AI-assisted landscape.
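A sliding-window volume detection for the first point, as an added example that is not part of the original post. The event shape loosely follows the Microsoft 365 unified audit log fields (CreationTime, UserId, Operation, ObjectId); the records and the hourly/daily thresholds are constructed assumptions to be replaced with baselines from your own tenant.

```python
"""Volume/threshold detection for SharePoint/OneDrive file access.

Added example (not from the original post). Event fields loosely follow
the Microsoft 365 unified audit log; the records below are constructed
sample data and the thresholds are assumptions to tune per tenant.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that represent a user pulling file content.
CONTENT_OPS = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}

# Assumed baselines: derive these from your tenant's own history.
HOURLY_THRESHOLD = 200
DAILY_THRESHOLD = 1000


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_bulk_access(events, hourly=HOURLY_THRESHOLD, daily=DAILY_THRESHOLD):
    """Return alerts for users whose content operations exceed a threshold.

    A sliding 1-hour and a sliding 24-hour window are kept per user, so a
    burst that straddles a clock hour is still caught. Each user yields at
    most one alert per window kind.
    """
    hour_win = defaultdict(deque)
    day_win = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["Operation"] not in CONTENT_OPS:
            continue
        user = ev["UserId"]
        t = parse_time(ev["CreationTime"])
        for win, span, limit, kind in (
            (hour_win[user], timedelta(hours=1), hourly, "hourly"),
            (day_win[user], timedelta(days=1), daily, "daily"),
        ):
            win.append(t)
            while win and t - win[0] > span:  # drop events outside the window
                win.popleft()
            if len(win) > limit and (user, kind) not in alerted:
                alerted.add((user, kind))
                alerts.append({
                    "user": user, "window": kind, "count": len(win),
                    "first": win[0].isoformat(), "last": t.isoformat(),
                })
    return alerts


def make_sample_events():
    """Constructed sample: one normal user and one script-driven user."""
    events = []
    base = datetime(2025, 6, 21, 9, 0, 0)
    # Normal user: 40 downloads spread across a workday.
    for i in range(40):
        events.append({
            "CreationTime": (base + timedelta(minutes=12 * i)).strftime("%Y-%m-%dT%H:%M:%S"),
            "UserId": "alice@example.com",
            "Operation": "FileDownloaded",
            "ObjectId": f"https://contoso.sharepoint.com/sites/hr/doc{i}.docx",
        })
    # Script-driven user: 600 content operations in ~50 minutes, straddling 10:00.
    start = datetime(2025, 6, 21, 9, 40, 0)
    for i in range(600):
        events.append({
            "CreationTime": (start + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%S"),
            "UserId": "svc-sync@example.com",
            "Operation": "FileAccessed" if i % 2 else "FileDownloaded",
            "ObjectId": f"https://contoso.sharepoint.com/sites/finance/file{i}.xlsx",
        })
    return events


if __name__ == "__main__":
    for alert in detect_bulk_access(make_sample_events()):
        print(alert)
```

The hourly window fires on the 201st operation from the scripted account while the daily window stays quiet, which is the point of keeping both: the hourly one catches a fast scripted pull, the daily one catches a slow drip that never spikes.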
Just added the DigiCert breach to my Breach Report Collection repo. The cause was a combination of social engineering, persistence, and misconfigurations. These types of reports are useful & rare. I recommend others check it out: https://t.co/DzlWaNJO22
My new blog post is released. It explains in detail how applications (App Registrations, Service Principals, MI) and their permissions really work, why they can introduce several subtle paths for privilege escalation, and presents my open-source tool designed to uncover them.
Introducing Combat Theater, a malware technique emulator built for blue teams, detection engineers and security researchers to perform testing and detection validation quickly and easily.
Check out the introduction blog to learn more!
https://t.co/mX8qmWDI9W
wow! alright… took 1h 57m, but the content is solid and thoroughly reviewed. built a free alternative AI red-team course with original content + hands-on Docker labs generated using pplx Computer. https://t.co/W4hhd6X0NJ
Really cool blog about azure storage accounts by @Haus3c !
Although there is a lot of information missing in the logs, he suggests some solid KQLs for detections, and explains several attack methods 🔥
https://t.co/ZFLQsRhtiA
I fell down the Kubernetes security rabbit hole. So I wrote a deep-dive on attack techniques, detection engineering, and scripts to test everything in a lab. Shoutout to @GrahamHelton and @raesene for their previous work!
https://t.co/5wlHqIZD8X
After Months of Development, FINALLY ready to share: Harden System Security🎉
✅ Complete System Hardening
✅ Security Posture Analysis
✅ All-in-One Toolkit
✅ Built-in Intune support for Scalability
✅ Beautiful Modern UI
✅ CLI support
https://t.co/lfd3SaDvvM
#Cyber #Windows
Just your friendly reminder that no matter how much sense it makes to do your "hygiene" for security, there is no provable correlation between clean teeth and not being punched in the face.
I just released MFTool, an NTFS parser that builds an in-memory map of a volume, allowing you to:
- Read any file without opening a handle
- Get the contents of locked/deleted files (registry hives, pagefile.sys, etc)
- Perform fast, in-memory searches across the entire disk
🔗👇
Player weaponized_autism (@droogie1xp) has won the Phrack CTF!
The CTF is 2 binary exploitation challenges containing realistic vulns across 2 different targets. It began on Aug 7 and remained unsolved until now. So 1337 😎
Keep playing - all who finish will get a special prize!
During a recent incident response case, we observed the following file access: \\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit
This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot. Many EDR and detection systems typically monitor for commands such as 'vssadmin list shadows', and may trigger alerts based on their use.
However, by leveraging the "Previous Versions" feature in Windows (see screenshot), attackers can select a snapshot, view its properties, and enter the '@GMT' path directly in Explorer. This allows them to browse the snapshot's contents without needing to use the command line.
Because this technique doesn't rely on typical shadow copy commands, it may evade detection by your EDR or SIEM solution. You might want to test it in your environment to identify and close this potential detection gap 🦸♂️🦸♀️
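One way to close the gap described above on the log side, as an added example that is not part of the original post: match the snapshot path token rather than the vssadmin command line. The log lines are constructed key=value records in a made-up format; map the field names to whatever your EDR or Sysmon file-read telemetry emits.

```python
"""Detect file access through Volume Shadow Copy '@GMT-...' paths.

Added example (not from the original post). The log lines are constructed
records in a made-up key=value format; adapt the field names to your
EDR or Sysmon output.
"""
import re
from datetime import datetime

# The previous-versions path token: @GMT-YYYY.MM.DD-HH.MM.SS
GMT_TOKEN = re.compile(
    r"@GMT-(\d{4})\.(\d{2})\.(\d{2})-(\d{2})\.(\d{2})\.(\d{2})", re.IGNORECASE
)

# Files whose read from a snapshot is almost always credential theft.
SENSITIVE = {
    r"\windows\ntds\ntds.dit",
    r"\windows\system32\config\sam",
    r"\windows\system32\config\system",
    r"\windows\system32\config\security",
}

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def classify(path):
    """Return (snapshot_time, severity) if the path goes through a VSS token, else None."""
    m = GMT_TOKEN.search(path)
    if not m:
        return None
    snapshot = datetime(*(int(g) for g in m.groups()))
    # Everything after the token is the path inside the snapshot; normalise it
    # so it can be compared against the sensitive-file list.
    tail = path[m.end():].lower().replace("/", "\\")
    severity = "high" if tail in SENSITIVE else "medium"
    return snapshot, severity


def scan(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        path = rec.get("path", "")
        hit = classify(path)
        if hit is None:
            continue
        snapshot, severity = hit
        findings.append({
            "time": rec.get("ts"), "user": rec.get("user"), "proc": rec.get("proc"),
            "path": path, "snapshot": snapshot.isoformat(), "severity": severity,
        })
    return findings


# Constructed sample telemetry: one snapshot read of ntds.dit, one snapshot
# read of an ordinary document, one live read with no snapshot token.
SAMPLE_LOG = [
    r'ts=2025-06-21T10:55:01 user=CORP\jdoe proc=explorer.exe action=FileRead path=\\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit',
    r'ts=2025-06-21T10:55:09 user=CORP\jdoe proc=explorer.exe action=FileRead path=\\localhost\C$\@GMT-2025.06.21-10.53.43\Users\jdoe\Documents\budget.xlsx',
    r'ts=2025-06-21T10:56:00 user=CORP\jdoe proc=excel.exe action=FileRead path=C:\Users\jdoe\Documents\budget.xlsx',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["user"], f["path"])
```

Any read through an @GMT path is worth a medium-severity event on its own, since ordinary users rarely type snapshot paths; the severity is raised to high when the file inside the snapshot is one of the credential stores, which is the case the post reports.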
What to do when missiles fell near your house? Chill out and write the blog post you wanted to write 5 months ago!🥳 Peace and love everyone!💕☮️
https://t.co/h6qlliZqfL
A hill I will always die on... Intrusion detection tools that don't expose their detection logic with alerts are a sure sign that product management is out of touch or has misaligned priorities with SOC goals. The product's goal is to help analysts perform their job effectively.
Here is a link to the PIDGN kickstarter project which I showed off this past weekend at @nola_con:
https://t.co/6kKO5YxG0Q
I am so happy to see this project go live!
My personal internal pentest “dirty dozen” list (aka the most dangerous and common internal findings)
*not necessarily in any particular order
1. ESC1
2. ESC4
3. ESC8
4. Kerberoastable admins with weak passwords
5. Plaintext admin or SQL credentials on file shares
6. Insecure nested groups
7. Insecure permissions on a Tier 0 resource
8. Unattend file with valid local admin creds
9. Scheduled tasks running as Tier 0 accounts
10. Services running as SYSTEM with modifiable binaries or paths
11. No LAPS and all local admin passwords the same
12. Domain Admins logged into non-DCs
Book Announcement.
It's official. Coming in 2026 my book on the 7 habits of elite security programs.
Happy to be partnering with https://t.co/pL8nazztFp and become a part of the stable of content like The Phoenix Project.
Device filter rules fail on unregistered devices if you use: (device.deviceTrustType -eq "AzureAD")
> Because props = null, the rule won’t match.
> Use negative logic: -ne, -not, -contains
> Null ≠ value → rule applies.
Pro tip: Always test for null paths in device filters
https://t.co/amyJFTrvu8
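A small evaluator for checking a device filter rule against both a registered and an unregistered device before deploying it, as an added example that is not part of the original post and not Microsoft's own rule engine. It models the null behaviour the post describes (a positive operator never matches a null property, a negative one does) for a flat subset of the rule syntax; case-insensitive string comparison is an assumption of this model.

```python
"""Model of how device filter rules behave on unregistered (null) devices.

Added example, not from the original post and not Microsoft's evaluator.
It implements the semantics the post describes for a flat subset of the
filter-for-devices syntax: clauses of the form device.<prop> <op> "<value>"
joined by -and / -or, each optionally wrapped in parentheses.
"""
import re

CLAUSE = re.compile(r'^\s*device\.(\w+)\s+(-\w+)\s+"([^"]*)"\s*$')

# Comparison is assumed case-insensitive in this model.
OPERATORS = {
    "-eq": lambda a, v: a == v,
    "-ne": lambda a, v: a != v,
    "-contains": lambda a, v: v in a,
    "-notContains": lambda a, v: v not in a,
    "-startsWith": lambda a, v: a.startswith(v),
    "-notStartsWith": lambda a, v: not a.startswith(v),
}
NEGATIVE = {"-ne", "-notContains", "-notStartsWith"}


def strip_parens(s):
    """Remove one or more pairs of parentheses that wrap the whole string."""
    s = s.strip()
    while s.startswith("(") and s.endswith(")"):
        depth = 0
        for i, ch in enumerate(s):
            depth += ch == "("
            depth -= ch == ")"
            if depth == 0 and i < len(s) - 1:
                return s  # the opening paren closes before the end: not a wrapper
        s = s[1:-1].strip()
    return s


def eval_clause(clause, device):
    m = CLAUSE.match(strip_parens(clause))
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    prop, op, value = m.groups()
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    actual = device.get(prop)  # None models a null property on an unregistered device
    if actual is None:
        # Null property: positive operators never match, negative ones always do.
        return op in NEGATIVE
    return OPERATORS[op](actual.lower(), value.lower())


def eval_rule(rule, device):
    """-and binds tighter than -or; nested groups are not supported."""
    return any(
        all(eval_clause(c, device) for c in re.split(r"\s+-and\s+", conj))
        for conj in re.split(r"\s+-or\s+", strip_parens(rule))
    )


def check_rule(rule, devices):
    """Evaluate a rule against a dict of named devices; returns name -> match."""
    return {name: eval_rule(rule, dev) for name, dev in devices.items()}


# Constructed sample devices: one Entra-joined, one never registered.
DEVICES = {
    "registered": {"deviceTrustType": "AzureAD", "isCompliant": "True"},
    "unregistered": {},  # every property is null
}

POSITIVE_RULE = '(device.deviceTrustType -eq "AzureAD")'
NEGATIVE_RULE = '(device.deviceTrustType -ne "AzureAD")'

if __name__ == "__main__":
    for rule in (POSITIVE_RULE, NEGATIVE_RULE):
        print(rule, check_rule(rule, DEVICES))
```

Running it shows the asymmetry from the post: the -eq rule matches only the registered device, while the -ne rule matches the unregistered one, so a policy built on the positive form silently skips devices that have no properties at all.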