The time is almost here! The RTFM Video Library will be released in 6 days! The #RTFM is at its core, well a field manual, but if you want that extra guided support, the Video Library will walk through the most important #RedTeam references in the book.
https://t.co/zFvEVv0rbV
RTFM Black Friday Sale + Giveaway! (First TEN orders get SWAG). The RTFM Video Library is now 25% OFF!
To celebrate the sale, Nick Downer and I are giving away 2 instances of the RTFM Video Library! Like, Comment, and Repost to enter!
https://t.co/EJM8COxt8t
Microsoft has observed a subset of Iran-based threat actor Mint Sandstorm (PHOSPHORUS) employing new TTPs to improve initial access, defense evasion, and persistence in campaigns targeting individuals at universities and research orgs. Read our analysis: https://t.co/GnqhGmRWH3
https://t.co/fJ8ZoTSxgY
A collection of links to public records databases for finding information on people and companies around the world.
Creator @osintearth
Thanks for tip @akaclandestine #osint #geoint
AWS HAS ENTERED THE HUGE HONEYPOT NETWORK GAME LETS GOOOOOOOOOOO
https://t.co/uEHfoynJTS
stoked to see @awscloud finding success with honeypots. I continue to carry an incredibly healthy respect for the excellent folks at @AWS_Security.
BLUF: huge, adaptive honeypot networks are effective where the rest of the cyber vuln mgmt, perimeter security, and cyber threat intel industries are failing miserably.
having spent the last six years building, expanding, tuning, and operating @GreyNoiseIO, I figured I'd share some thoughts in no particular order:
AWS is moving 5.5 billion events in one quarter, which is about 61m events on average per day (The average routable IP on the internet receives between 10k and 100k unsolicited packets per day)
we move about ~400m events per day at greynoise (receipts attached). averages are useful in some stats for honeypot networks, averages are misleading in others.
> "The sensors observe more than 100 million potential threat interactions and probes every day around the world, with approximately 500,000 of those observed activities advancing to the point where they can be classified as malicious."
^^^^ 0.5% malicious tag rate is a great place to start, but leaves a lot of wood left to chop. We've gotten up to between 30% and 50% malicious tag rate with high confidence (receipts attached). You're going to need to really really build up that corpus of detections.
if I were having a conversation with the leads/architects/product managers of AWS's MadPot, I'd give the following (very unsolicited) guidance:
- Get into every single other cloud provider. Collection from AWS is not enough. You need to be in every country and every provider.
- You're going to need to collect from non-cloud (residential, business, mobile) networks as well.
- Persona & state management (what the sensor looks like, and when) is going to become increasingly complex and challenging. Think about a strategy for this.
- You're going to have to allow sensors to be compromised eventually, and you're going to have to have solid data models for endpoint telemetry in addition to network telemetry
- You're going to need to eventually combine the sensor data with port scan/crawl data in order to achieve "malicious" or "compromised" verdicts.
- If you don't have a strategy for benign internet scanners, you'll need one
- Primitives for byte-level pattern matching in unstructured byte data in the state-of-the-art in datastores are very poor, you'll need to fill the gaps here
- If you don't have an opsec strategy (counter-fingerprinting) then you'll need one
- Prepare a strategy for dealing with spoofed TCP SYN noise storms
- off the shelf detections and IDS signatures are built for middling and detecting on traffic for networks that also do business things (service users and servers, etc). They will provide value but they *will not all work out of the box* on honeypots for a multitude of reasons.
- The right enrichments are crucial for decorating the data. Attacks will practically pop out of the computer screen when you enrich and lay the data out correctly.
- You're going to need to partner with the cybersecurity research community to win this game: think about how the rest of the world can contribute data or analysis.
- Don't let your eye off the ball on achieving high and tight, rapidly shifting block verdicts.
- Store *everything* *forever*.
I'm excited to see how AWS's MadDog honeypot evolves. Huge adaptive distributed honeypots are effective but hard to build and scale. Congrats team, this is one of the best writeups I've seen to date!
30 cybersecurity search engines for researchers:
1. Dehashed—View leaked credentials.
2. SecurityTrails—Extensive DNS data.
3. DorkSearch—Really fast Google dorking.
4. ExploitDB—Archive of various exploits.
5. ZoomEye—Gather information about targets.
SANS Osint Summit 2023 resources
Wizards, Utilities and Helpers
Telegram
Web, Internet Infrastructure
Phone number
Backlinks
Social Media Analysis
Tracking
Maps And GIS
Legal and Govt. Public Records
Visualization
Mindmapping Tools
https://t.co/Uy8PIKIML1
Contributor @ranlocar
Series on Windows kernel drivers for red team tools development
Introduction by @Idov31
Part 1: https://t.co/gLIk9tGiEI
Part 2: https://t.co/ryrPfTLJrR
Part 3: https://t.co/l6C4j7TMte
Part 4: https://t.co/SONhXgCEp7
#windows #kernel #redteam #malware #infosec #cybersecurity
Refreshed "pass the things" AD mindmap, the previous one was not in a dark theme (outrageous I know)
⏩ https://t.co/muRKiM1mre
💡 made with https://t.co/eEyNNIH3zs
What is Tier Zero? 🤔
Read our latest blog post from @Jonas_B_K & @elad_shamir on the intricate world of critical identities and resources across Active Directory and Azure. https://t.co/ORrU9WznT6
Beginning July 2023, Storm-0324, a financially motivated threat actor known to gain access to networks and then hand off access to other actors, was observed distributing payloads by sending phishing lures thru Microsoft Teams chats. Get TTPs, mitigation: https://t.co/gLeid8uwYG
Less than 24 hours until the RTFM Video Library release. We will draw the 3 winners tomorrow morning. First 100 sign-ups (and 3 winners) will get a limited RTFM swag pack! https://t.co/zFvEVv0rbV #RTFM
Nick and I will be giving away 3 free subscriptions to the Video Library and a limited release swag pack. You’ll be entered for every like, comment, and repost. We’ll draw the winners the day before the release. Get a head start on the #RTFMChallenge, sign up for the email list.
If you are headed to @BsidesCLT you should find something in your conference swag kit. Be sure to find Nick Downer and say hey. Hope you enjoy the con! #RTFM #RedTeam