@divatoz@tieroneforum For now many common hunting focuses (auth, persistence, anomalous identity activity, etc.) should continue to function, mostly due to the lack of capability in local LLMs. They use what they know, standard post-exploit TTPs. Activity will be faster but familiar.
I am thrilled to finally release my research into the capabilities of local LLMs and their potential for use in offensive research and development. Long read, but an interesting journey!
https://t.co/Y0tf8O8pAM
@volrant136@cyb3rops 100% this. Threat intelligence and threat indicators are a venn diagram. Motivation and modus operandi pair well with detections, they do not supplant them.
🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability
It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷♂️
Read Here - https://t.co/c969sNjQH0
🤓 Over the past 3 years, I have been building and sharing real-world applications of AI for cybersecurity.
I just posted a blog with a recap of my public work and a few personal thoughts at the end. Take a look 👇
https://t.co/Qsozyj67k4
The long awaited LOLRMM is here. All the RMM details in a single location along with detection and DFIR details.
This is a huge milestone in the detection space. ⚡🔥
This project would've never seen the light without the amazing contributions listed 💙
Check it out and start leveraging it today https://t.co/kGVC968CDN
Really cool blog and definitely worth a read. Execution decoupling (or as it's called here decorrelating) is still a very powerful way to avoid getting detected.
I also never thought of doing a "ctrl+p" from regedit to print the value, that was a cool trick 🔥
Spent some time looking at logs a couple of things to look in case someone used the same.
- Using EID 307 from Microsoft-Windows-PrintService/Operational. We can see location of printed documents (even the ones saved as pdf). A weak indicator but worth a look (if not expected).
- When saving a PDF via the "Microsoft Print to PDF" from regedit. It will save it with the title "Registry Editor". (Not a very common thing). We can use a Yara rule with the string "/Title (Registry Editor)" to detect instance of the PDF on a host.
A few weeks ago I gave a talk at @a41con on how to phish for PRTs and phishing resistant authentication methods 👀. The slides, plus a demo video on how to do this with credential phishing are now on my blog: https://t.co/nTDAepwUXR
I love the development the MDE team puts into expanding the telemetry! Our slackbot informed me JA3 / JA3S hashes are now recorded. Pretty cool for hunting and detection engineering!
#Breaking#ESETresearch releases a paper about Ebury, among the most advanced server-side Linux malware, which was deployed to 400,000 servers over the course of 15 years, primarily for financial gain. @marc_etienne_ https://t.co/R5yFdlTjqS 1/8
@Andrew___Morris@GreyNoiseIO Mass exploitation starts with adversaries scanning the internet for vulnerable services. Why not block at the earliest possible stage in the attack chain?
Read more about JA4T in our blog (just released): https://t.co/WOdDQqKoHr
For almost a year, invisible password spraying could be performed against any #Azure tenant due to a vulnerability in #MicrosoftGraph. In our latest blog, @nyxgeek walks us through how these attacks could have been carried out. Read it now! https://t.co/MFhwH4vZXy
Full @rapid7 analysis of PAN-OS CVE-2024-3400 now available from @stephenfewer and our stellar new research teammate @ChairNectar! Spoiler: It's a two-vuln exploit chain. https://t.co/KT2Xd7vyE5
From the one and only @mvelazco 🧙♂️✨. The wizard 🪄 who brought to us:
1️⃣ Hunting M365 Invaders: Navigating the Shadows of Midnight Blizzard ❄️🌌 https://t.co/JnyYC4Pe8y
2️⃣ Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors 🛡️🗺️ - https://t.co/pCNxs7Dtae
Has released msInvader 👾 to help defenders 🛡️ simulate techniques in multiple variations against M365 and Azure ☁️🔒.
Check it out:
https://t.co/vekI5hluSZ
APT Emulation Labs: NOW LIVE 🎉
Solve incidents emulating APT29, APT10 and other threat groups.
$45 per month access to ALL labs:
👀 150+ hours of lab content
👀 Disk forensics + ELK logs
👀 Hints, questions and point system
👀 7 days free trial
Labs are created & designed by industry peers:
@ZephrFish@svch0st@ippsec@DebugPrivilege @HuskyHacksMK @inversecos
Each lab comes
with scoping notes, Windows VM with forensic tools, network diagrams, disk forensics, ELK access and was created from our collective experience working in the field.
👇ACCESS THE LABS HERE 👇
https://t.co/raaUSztKtT