Sr DFIR Advisor, Researcher, Practitioner. USMC vet. Author. Opinions = own. #IntrusionIntel #IObviateCompliance

Planet Earth
Joined June 2017
Pretty fascinating: bitsadm.in/blog/spying-on-us… Wrote a plugin for the pro version of RegRipper in Feb.
Yes. Very much so.
Replying to @chrissanders88
The timeline is the central concept of all investigative work. We seek to uncover events through inquiry, and we represent them (cognitively and physically) as timelines. Good case management should center around that concept.
O M G Thank you.
Time is the most important thing in life, and timelines are one of the most useful tools for investigation and analysis. A great way to organize disparate facts. Engineers, please look for opportunities to create timestamps. I'm always disappointed when I find no timestamps. 👇🏼
How do you like to see online references in hard-copy books? Footnote with a URL? Link embedded in the body, next to the relevant text? Something else?
Looking forward to the @4n6reformatted podcast...
Too many orgs rely on open reporting for attribution, open reporting which states, "...the malware targets...", or the "...the malware conducts/attacks...". There is compartmentalization, but on the human-operated side.
Replying to @ImposeCost
Division of labor is a hallmark of sophistication. Division of labor is found in criminal and espionage activities. It is a factor to consider while conducting attribution analysis while also not being crippled with analysis paralysis. 👇🏼
Tracking USB devices on Windows systems isn't what it used to be: windowsir.blogspot.com/2022/… #dfir
Great detection? lolbas-project.github.io/lol… How is this used in your environment?
Saw the first black snake on our property this weekend...being on horseback gives us an advantage in visibility. Then I took out a 2nd mortgage so I could go put gas in the truck.
Without even reading the actual report, these tweets give you insight into what's been missed in open reporting regarding ransomware and affiliates:
DEV-0504 has deployed at least six RaaS payloads since 2020, shifting payloads when a RaaS program shuts down. However, the practice of clustering activity based on ransomware payload alone can obfuscate the threat actors behind attacks. msft.it/6011bzjYJ
Call out? "...the practice of clustering activity based on ransomware payload alone can obfuscate the threat actors behind attacks." When it's RaaS, you can't attribute attacks to "the group"; with visibility, you can attribute to the affiliate.
Interesting report: pwc.com/gx/en/issues/cyberse… Pg 15 - so much opportunity to share detections...
Has anyone observed disabling Windows Event Logs by: 1. Disabling a Channel via the Registry? 2. Unregistering a provider?
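The two tampering methods asked about above can be checked for on a live host. The script below is an added example, not code from the thread or from its author; it assumes an elevated PowerShell session on Windows, and the baseline file name ($BaselinePath) is a hypothetical choice. Method 1 is detected by comparing the Enabled value under WINEVT\Channels with what the Event Log service reports, restricted to Administrative and Operational logs because Analytic and Debug channels are disabled by default and would drown the result in noise. Method 2 has no in-registry signal once the provider is gone, so the script diffs the registered publishers against a baseline it writes on first run.

```powershell
# Added example: audit for (1) channels disabled via the registry and
# (2) providers that have been unregistered since a baseline was taken.
# Assumptions: elevated session, Windows PowerShell 5.1 or later, and a
# writable $BaselinePath (hypothetical name, choose your own location).
param(
    [string]$BaselinePath = "$env:ProgramData\winevt-publisher-baseline.json"
)

$channelRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
$publisherRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'

function Get-DisabledChannel {
    # Channel names contain '/', so build the key path by string concatenation
    # and use -LiteralPath; Join-Path would rewrite the separator.
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
            Where-Object { $_.LogType -in 'Administrative', 'Operational' }

    foreach ($log in $logs) {
        $key = "$channelRoot\$($log.LogName)"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $reg = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $regEnabled = if ($null -ne $reg -and $reg.PSObject.Properties['Enabled']) { $reg.Enabled } else { $null }

        # Flag when the registry says disabled OR the service says disabled;
        # a mismatch between the two is itself worth a look (pending restart).
        if ($regEnabled -eq 0 -or -not $log.IsEnabled) {
            [pscustomobject]@{
                Finding    = 'ChannelDisabled'
                Channel    = $log.LogName
                RegEnabled = $regEnabled
                LiveEnabled = $log.IsEnabled
            }
        }
    }
}

function Get-RegisteredPublisher {
    # Each subkey under WINEVT\Publishers is a provider GUID whose default
    # value holds the provider name.
    Get-ChildItem -LiteralPath $publisherRoot | ForEach-Object {
        $name = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        [pscustomobject]@{ Guid = $_.PSChildName; Name = $name }
    }
}

function Get-UnregisteredPublisher {
    param([string]$Path)
    $current = Get-RegisteredPublisher

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run: record the baseline and report nothing.
        $current | ConvertTo-Json | Set-Content -LiteralPath $Path -Encoding UTF8
        Write-Verbose "Baseline written to $Path"
        return
    }

    $baseline = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $missing  = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Guid |
                Where-Object { $_.SideIndicator -eq '<=' }

    foreach ($m in $missing) {
        $entry = $baseline | Where-Object { $_.Guid -eq $m.Guid }
        [pscustomobject]@{
            Finding  = 'ProviderUnregistered'
            Guid     = $m.Guid
            Name     = $entry.Name
        }
    }
}

Get-DisabledChannel
Get-UnregisteredPublisher -Path $BaselinePath
```

The script tells you what is disabled or missing, not when it happened; for the timeline the key LastWrite times on the affected Channels and Publishers subkeys (what RegRipper pulls from the hive) are the timestamps to go after, since neither method writes a "log cleared" style event of its own.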
Last week's episode of "Picard" included an appearance by @wilw - great to see him back!
Too funny, and too much on point, to not share...
Someone actually made a David Attenborough style voiceover for this video of a destroyed Russian tank.
There is so much to unpack from this thread from @chrissanders88: nitter.fdn.fr/chrissanders88/s… ...so much...
One of the more unfortunate artifacts from how defensive security evolved is how fractured the SOC, IR, and DF communities are. They all rely on the same cognitive toolset, but often operate as separate professional communities much of the time. 1/
#6 really gives a peek behind the #DFIR curtain regarding the "gap". #12 - the only real way to get that "diverse knowledge" is to be curious.
IMHO, it's best to start around #5, particularly with "...interpreting multiple forms of evidence..."; this is where artifact constellations and #toolmarks come in.
Automating memory analysis: musectech.com/2022/04/automa… Fascinating approach...add in bulk_extractor and you've got something...
All your metadata are belong to us... windowsir.blogspot.com/2022/… Metadata removal observed in the wild.