David Pany
@DavidPany
Interested in the cyber.
848 posts
Joined February 2011
175 Following, 956 Followers

David Pany@DavidPany·
Is it weird that it’s a well known faux pas to roll your own crypto, but every website has been rolling their own identity with password policies, hashing, salting, storing, MFA, etc. for many years? Recent advances in “log on with” providers must be a relief for devs.
Gigs @ Shmoo@Gigs_Security·
I find so much joy in making excel templates and you’ll never be able to take that from me.
Nick Carr@ItsReallyNick·
@derekcoulson @3dRailForensics @MicrosoftTeams I blame all the Mandiant people in this old thread for encouraging Skype-style emoji in the first place 😉: (also that thread is about M’s old solution HipChat, which had no text formatting, limited edits w/ sed, couldn’t customize link behavior, … we’ve all come a long way!)
David Pany@DavidPany·
@hiddenillusion @ItsReallyNick @Skype's new seasonal emojis are a big hit though thanks to @jjayttaylor
David Pany@DavidPany·
I just made a vector graphic and I liked it. Please don’t tell MS Paint. I’ll tell it via text when I’m ready.
David Pany@DavidPany·
Anyone know if Sysmon EID 9 RawAccessRead can record the target file being accessed? I only see the process doing the access (less useful if injected) and the Device being accessed (how is that useful?). Not seeing answers in docs/blogs/etc. #DFIR
David Pany@DavidPany·
@jamieantisocial That makes a lot of sense! I assume if it were simple to record the data runs accessed and map that back to file path with the $MFT then @Sysinternals would have baked that in to Sysmon already. Maybe we can dream though?
J⩜⃝mie Williams@jamieantisocial·
@DavidPany I might be wrong here, but I don't think this is possible because the read is just targeting the byte offsets of the drive where the file(s) exist
David Pany@DavidPany·
@inversecos Such a good artifact! In case you have the full image and haven't already tried this, point this usn jrnl record carver at the whole thing and parse the output with your preferred $J parser. It's amazing what has turned up in unallocated journal records: github.com/PoorBillionair…
inversecos@inversecos·
2\ The change journal basically tracks all changes made to files on a file system including deletion. The operation to look for is “FileDelete”. There are many tools to do this.
inversecos@inversecos·
1\ How do you prove a TA deleted a file and when?
Most threat actors including #APT groups perform file deletion. This can be very important to an investigation. If the client has no EDR/SIEM and has an OT legacy environment... what do you do? Parse the $J file 😇 #DFIR