James D

I'm happy to announce the release of Chainsaw v2! 🥳 Chainsaw allows users to rapidly search through Windows event logs and hunt for threats using @sigma_hq detection rules, all without a SIEM! Version 2 includes some exciting new features, info in 🧵 github.com/WithSecureLabs…

@__invictus_ @RedTeamTactics PPID spoofing was the gift that kept giving a few years ago. Threat actors were doing it without realising it was a very high fidelity detection for most EDRs. It so rarely happens normally that it was a dead giveaway something malicious was going on blog.f-secure.com/detecting-pare…

@RedTeamTactics Ppid spoofing is mega easy to spot, afaik pretty much every EDR will detect that trivially. Friends don't let friends ppid spoof

@thechrisharrod Congrats @thechrisharrod 💪

Pretty exciting career announcement. As of Monday, I'll be a Government employee as the Manager of Security Operations at the United States House of Representatives.

Slides from this talk are now available here: github.com/FranticTyping/…

My talk "Scaling Detection and Response Teams - Enabling Efficient Investigations" is at 3:45pm today at #BSidesLDN2023 on track 2! Come down and say hi if you're around 😀 pretalx.com/bsides-london-…

@AngusRedBlue @JohnHultquist @BSidesLondon I’ve got a spare one as well, let me know you still need one.

Anyone have a spare ticket to @BSidesLondon? Have a Veteran I am trying to help get a ticket to BSides. Man has saved lives (Medic), lets see if we can help him? Thanks in advance!

Scaling detection and response operations at Coinbase part 2 & 3: 🔍 Driving context into detection logic with machine and user profiles 🔧 Codifying automatic remediation for high-risk detections 📫 Automating alert triage with employees via Slackbot coinbase.com/blog/scaling-d…

The first part of my blog series on how we’ve been scaling detection and response operations at Coinbase is live! Interested in speeding up your investigations, increasing the visibility of key data sources, and improving quality of life for analysts? coinbase.com/blog/scaling-d…

Awesome to see this new feature being added to chainsaw! Great work @AlexKornitzer @56616C6F72 💪

@OMENScan @AlexKornitzer Hey @OMENScan - feel free to open an issue on GitHub and we can take a look: github.com/WithSecureLabs…

@AlexKornitzer @FranticTyping - Would really like to chat with you about some issues I am having with Chainsaw

Our team at @elastic has been developing this feature for almost six years and we are excited to share our work with the security research community. Thanks to @GabrielLandau @joehowwolf and many others who have contributed to this effort over the years!

Dude, you can wipe whatever WEVTXs you want 🪠 @HuntressLabs gon' find the user accounts, session times, machines, and method for your lateral movement 🕵️‍♀️ You'd be surprised what #RDP-related event logs can reveal ponderthebits.com/2018/02/window…

I have never before criticized a competitor by name on the @1Password blog. This is an exception. blog.1password.com/not-in-a-milli…

@visibil1 @sigma_hq Hey! That requirement isn’t available within chainsaw and would need to be handled within the rule logic. If you find problematic rules you can either disable them or alter them to exclude ParentProcessName as you need. I hope that helps!

@FranticTyping @sigma_hq Is there an exclusionary capability with Chainsaw v2.0? For instance, the ability to exempt certain ParentProcessName values from generating output results?

I'm happy to announce the release of Chainsaw v2! 🥳 Chainsaw allows users to rapidly search through Windows event logs and hunt for threats using @sigma_hq detection rules, all without a SIEM! Version 2 includes some exciting new features, info in 🧵 github.com/WithSecureLabs…

Hunt, search, and extract Windows event log records with Chainsaw, now in #toolsmith 148. Experiments with an old #DFIR malware case, as well as APT Simulator. The saw is the law! ⁦@AlexKornitzer⁩ ⁦@FranticTyping @sigma_hq ⁦@cyb3rops⁩ ⁩ holisticinfosec.io/post/chainsaw/

Also, a massive shout out to @AlexKornitzer for all of his work on v2. He managed to take my “lockdown 2020 Christmas project” and turn it into a much more polished solution. ❤️

v2 highlights💡 📖 Support for event logs in XML and JSON format 🎯 Increased sigma rule logic support. More detections! 📘 Chainsaw output displays important information more clearly 🔎 Better filtering/searching options 🦖 Updated Velociraptor Plugin bit.ly/3woOaFz

@Purp1eW0lf @AlexKornitzer Ah, that's so cool to see Chainsaw being useful!😀 We've just released the beta of Chainsaw v2 which contains a lot of improvements over v1 (support for loading EVTX in JSON & XML format, better sigma detection coverage, faster execution etc). I'd love to hear your feedback!

To get all of these in a grepable file, collect the relevant EVTXs, then run Chainsaw in search mode, for either a string or EventID, or pivot between the two iteratively Chainsaw is @FranticTyping and @AlexKornitzer's awesome tool for investigating EVTXs github.com/countercept/ch…

Take a look at the IPs in your 4625s (failed logins) on external perimeter servers Then compare these IPs in your 4624s (successful logins). Have any been successful? Take the successful IPs, expand the 4624 search results to identify the time, logon type, and user account

Really cool to see this tool finally public! If you’re still viewing alert data in a jira ticket, I’d recommend checking out the approach DetectTree takes to visualise detections, it makes a massive difference.

Check out the first post in my new blog series "On Detection: From Tactical to Functional". The first post explores how we can leverage source code to discover which API Functions an attack tool is using which serves as a base for further investigation. posts.specterops.io/on-detection-t…