William Metcalf

@SquiblydooBlog I was also recently looking into this for keys pulled out of lsass/SSLKEYLOG for cape runs. I found a PAN writeup from years ago that claimed this was possible with tshark but couldn’t get to work so I recently baked it into my HAR/SaZ conversion tool github.com/wmetcalf/GoGoR…

In my own investigation, I downloaded the decrypted PCAP, giving me easy access to poke at and investigate the JS myself: app.any.run/tasks/73fb8a10… AnyRun published about the feature here: any.run/cybersecurity-… 3/3

Nice update to @anyrun_app that seems easy to miss: HTTPS decryption. If you look at the network traffic, click Network Threats, you can click into the analysis to see the decrypted traffic You can also just download the entire decrypted PCAP. 1/3

Security Detections MCP 3.0 is LIVE What started as a detection search MCP is now an autonomous detection engineering pipeline. Agents now run a full workflow: CTI → coverage analysis → detection generation → SIEM validation → PR staging Pipeline example: • CTI Analyst → extracts MITRE techniques from threat intel • Coverage Analyzer → checks 7k+ detections across Sigma / Splunk / KQL / Elastic • Detection Engineer → generates missing detections • Atomic Executor + SIEM Validator → tests detections • PR Stager → prepares them for review Multi-SIEM support: Splunk • Sentinel • Elastic • Sigma Open source 👇 Repo github.com/MHaggis/Securi… npm npmjs.com/package/securi… Pulse MCP listing pulsemcp.com/servers/mhaggi… Watch the full demo: youtu.be/03ZmD5cdfHI

Talk about ending the week on a high note. 🎉 With @Cisco's acquisition of @snapattackHQ now complete, we're looking forward to driving further Splunk innovation as we continue to deliver security solutions that support today's new era of SIEM. Read more here. #SplunkSecurity

Enjoy punching phish? Experience writing detections for phish, using regex, Yara, etc., and looking to grow as a researcher within an experienced team? Join me and the rest of the Splunk Attack Analyzer Misfits of Detection Science. US only, fully remote splunk.com/en_us/careers/…

@kk_onstantin No doubt! But more signal never hurts :)

@node5 And nice addition! I am afraid there will be many invalid legit ones :/

For the 2 people who probably care I took a stab at adding cert validation, SAN extraction, and missing/invalid certs. github.com/wmetcalf/rdp_h…

I'll just leave this here... github.com/wmetcalf/rdp_h…

“America. Oasis is coming. You have one last chance to prove that you loved us all along.” Oasis will tour North America in 2025! Register for the North American ticket pre-sale private ballot 👉OasisMusic.lnk.to/L25NAmPS The pre-sale will take place Thursday, 3rd October. Tickets go on general sale this Friday, 4th October at midday local venue time. @CageTheElephant

“This is it, this is happening” Tickets on sale this Saturday 31st August (🇮🇪8AM IST / 🇬🇧9AM BST) Dates: Cardiff Principality Stadium - 4th/5th July Manchester Heaton Park - 11th/12th/19th/20th July London Wembley Stadium - 25th/26th July & 2nd/3rd August Edinburgh Scottish Gas Murrayfield Stadium - 8th/9th August Dublin Croke Park - 16th/17th August

“Oi bruv me gonna nab some Oasis tickets innit”

Liam and Noel Gallagher seemingly confirmed that an Oasis reunion is happening after sharing a cryptic clip on social media on Sunday. variety.com/2024/music/new…

@node5 Yessir

It’s happening

I've hosted several malware analysis workshops over the past few years, I've collected those on YouTube and added to the following playlist 👇 youtube.com/playlist?list=… Samples from the workshops have been archived on Github: 👉 github.com/jstrosch/malwa…

Moar soon! Big updates coming

@rvrsh3ll @HackingDave sacurrent.com/news/san-anton…

@elasticseclabs @dez_ @SBousseaden Nice write-up. @a_de_pasquale and I cooked up this little tool for analyzing MSC's. Might be useful to you and others? github.com/wmetcalf/msc_d…

#ElasticSecurityLabs is exposing a new threat technique — a fresh application of MMC abuse. GRIMRESOURCE utilizes specially crafted MSC files for full code execution. Read through the breakdown from @dez_ and @SBousseaden : go.es.io/45AO0eG #threattechnique #cybersecurity

Happy to share this #STRT blog focusing on how attacker weaponized .LNK files in several phishing campaigns. In this blog we analyzed several malicious LNK to extract TTP’s for #detections and #simulation dev. enjoy reading! #int3 #splunk #cisco splunk.com/en_us/blog/sec…

I'll just leave this here... github.com/wmetcalf/msc_d…