RE&CT framework released!
A knowledge base of actionable Incident Response techniques, based on @MITREattack philosophy.
Mapping to ATT&CK / AMITT, export to @TheHive_Project templates, visualization in the Navigator, and more!
https://t.co/RTHfhqCgi1
#incidentresponse#dfir
I almost missed to celebrate my 10,000th handwritten YARA rule 🎉
I'm not very proud of the early ones. But being ashamed of old rules (or code) that you wrote months or years ago means that you've improved and that is definitely a good thing, isn't it? 🖖
In case you didn't catch it, we updated the ATT&CK Design and Philosophy paper last week. Details on sub-techniques, what ATT&CK coverage means, and a few more useful tidbits were added! https://t.co/EPE6rjYvDY
A lot of mud slinging on InfoSec twitter lately; I wanted to flip the script a bit and highlight the blogs, tools, talks etc that I keep coming back to on a regular basis, both as a defender and general InfoSec professional. Thread..
Sigma2Attack
generates #MITRE ATT&CK navigator heat maps from a set of #sigma rules
by @christophetd
Pull Request - already merged into master
https://t.co/X5lUQFI47D
ATT&CK Navigator
https://t.co/0cwq8gH6CX
We put a lot of effort in the creation of anomaly detection rules for our scanner
Example:
1. Report mentions adversary exfiltrating ntds.dit in RAR archive
2. Create such an archive
3. Open in hex editor
4. Write YARA rule
I'll put this one in the signature-base repo for LOKI
Added 63 threat hunting searches for Windows events. New total is 152 Windows searches & rules. And 35 for Linux (more to come)
https://t.co/w8J73zwK69
Stringless YARA Rules
> a guide to build faster YARA rules by @InQuest
https://t.co/4cnFzDB1Of
The most common performance sin:
$h = "MZ"
condition: $h at 0 ...
Also see my YARA Performance Guidelines
https://t.co/nsZkgTTxLk