Nick Cerny

528 posts

@NickCerny

Joined October 2011
737 Following, 96 Followers
Nick Cerny retweeted

Anton @Antonlovesdnb
And it's done, coming next week for folks signed up for Constructing Defense - this new Ludus lab build now provisions all of the following:
- AD environment (including ADCS) with custom logging GPO & Sysmon
- Linux auditd configured and set up with Laurel for easier to read logs
- Local Minikube K8s cluster with logging enabled
- All the above telemetry forwarding to a local Splunk instance
- Full PCAP including Zeek logs via Malcolm
All set up with one ludus range deploy command!
Anton @Antonlovesdnb

Been working really hard on this, and it's almost done - fully automated Malcolm deploy via Ludus for Constructing Defense 👀 Coming soon! ™️

Nick Cerny @NickCerny
@TheAhmadOsman I realize the recommendation and associated costs are tied to H200 cluster usage, is there any practical way one with at least 4x3090 setup could do this? If not what would be the limiting factors besides the time it takes?
Ahmad @TheAhmadOsman
qwen 2.5 14B, for under $350, becomes SoTA
BEATS
> OpenAI DeepResearch
> Claude Research
MATCHES performance of
> Gemini 2.5 Pro
train your own DeepResearch model following this tutorial & beat frontier labs' State of The Art LLMs
Nick Cerny @NickCerny
@KrazyCynic1125 @NathanMcNulty Check out Spur too, that's where most providers source this info (including Recorded Future). It can also do the same filtering for proxies. You can do a decent amount of enrichment on the $99/month tier. spur.us
Mandar Gokhale @KrazyCynic1125
@NathanMcNulty Thanks Nathan. Appreciate it. I was just wondering what VPN IP provider intelligence feeds are out there? Would those be VirusTotal or Recorded Future or Cisco Umbrella/Zscaler?
Mandar Gokhale @KrazyCynic1125
@NathanMcNulty is there an automated way of updating known VPN provider IP addresses in Named Locations (Entra ID) and using these in Microsoft Defender for Cloud Apps policies? Think: an org wants to block all traffic coming from outside North America, and users who use a VPN to bypass that.
Nabeel Alamgir @alamgir_nabeel
The last thing key stakeholders see before getting aligned
Nick Cerny retweeted

Anton @Antonlovesdnb
Coming up on my 1 year anniversary with @HuntressLabs! Taking this opportunity to go over some things myself and the team have seen in intrusions and drop some tips on basic things you can do to make your network more immune to compromise.

Let's start with initial access
- We see so much VPN compromise, it's by far our number 1 initial access vector - yes, 0days for VPN appliances are there, but most of the time the compromise is a result of good ol' fashioned credential stuffing or brute force.
- Some VPN appliances have decent log retention, others do not, and it really sucks when only ~1 hour worth of logs is available - if you're standing up a SIEM or any kind of log collection effort in your org, make sure that devices which are externally exposed are sending their telemetry to the SIEM. If your VPN appliance has different logging settings, check them out and enable as needed - this telemetry is gold during intrusions.
- In addition to VPN appliances, we see a lot of RDP / RDS machines get compromised - same story here, no fancy 0days, just weak credentials in use. In some cases, MFA is in use, but has either been bypassed for the compromised user or has "failed open" - if you use RDP for your org, make sure that MFA is enabled somehow on it; if it is enabled, test to see what happens when the process that handles MFA crashes or is turned off. Also, make sure you have good procedures in place for turning MFA bypasses back off when they're applied.
- Remember to keep an eye on your web applications, deserialization attacks aren't super common, but happen fairly often. Turn on IIS logging and enable POST request logging if possible. Remember that a standard penetration test often does not deep dive into custom web applications; invest in a good AppSec-focused test if you have a custom application exposed externally.

Turning to lateral movement
- Once inside networks, threat actors move very quickly and unfortunately do not run into a lot of resistance. We typically see multiple accounts compromised in rapid succession, suggesting weak or shared passwords in use. You have no idea how happy it makes me to see "LOGON_TYPE_NOT_GRANTED" in the logs - yes, I know segmenting your network is probably a pain, but it's a very effective security control.
- In most cases we see, RDP is used for lateral movement and unfortunately there are often no controls to prevent users from RDP'ing into servers they have no business need to RDP into. Check your Active Directory permissions and see what users can RDP into your file servers and domain controllers, you might be very surprised by what you find!
- Impacket & Impacket-related tooling is very popular for lateral movement; if you are in charge of defending a network and have telemetry and a lab environment, try to use WMIExec etc. for yourself and compare the telemetry you see versus normal activity, this is a great way to build high-fidelity alerts. Aside from that, remove local admin where possible. Local admin rights enable credential access and lateral movement avenues that would be shut right down were a non-admin account in use.

Looking at Execution / Impact
- Do threat actors use fancy 0days? Yes, of course, but in the cases we work, we rarely see it. Most of the time, "just enough tradecraft" is employed; all a TA needs is FileZilla and 7Zip to ruin your day.
- Tunneling tools like ngrok and plink are very popular, most often these tools are being used to make RDP externally available to the TA - everyone loves a GUI I guess.

How do adversaries get credentials?
- Registry credential dumping is extremely popular, same with LSASS credential dumping. Threat actors will also search local file systems and network shares for credentials and - guaranteed - will find them. Segmenting your network, limiting local admin access and hardening authentication silos within your AD environment (things like a three-tiered admin model, or as close to it as you can get) will limit the impact of credential theft drastically.
- Brute forcing is old and boring, I get it, but unfortunately it works, especially for less-monitored environments; in some cases we've seen hundreds of thousands of brute force attempts for hours before an account is successfully compromised. Don't sleep on brute forcing, ensure you have account lockout policies in place and some kind of monitoring for brute force attacks.

Miscellaneous tidbits
- Please, please, please - change your default Windows log sizes via GPO. By default, these log channels do not hold a lot of data; if a threat actor undertakes a brute force in the environment, security-relevant telemetry will be clobbered, hampering any investigation efforts.
- Have a standard naming convention for your organization's workstations and servers, this makes it so much easier to orientate everything during an investigation and very often bubbles up malicious activity for workstations that don't fit the standard naming convention.
- Have a plan in place in case of an incident, it's bound to happen and it's better to be prepared. What happens if certain hosts need to be offline, who do you call to get a potential insurance claim started? What is the threshold for a formal IR engagement - deciding all these things under pressure from an incident is not ideal.

I think this post is long enough 😅 so I'll wrap it up 💙
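The thread above asks for "some kind of monitoring for brute force attacks" and describes the pattern of many failures followed by one success. The following is an added example, not Anton's or Huntress's code: it runs that detection over a constructed, simplified CSV rendering of Windows Security logon events (4625 failed, 4624 succeeded); the event format, sample values, threshold and window are all assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): a simplified CSV rendering of
# Windows Security events (time, event_id, account, source_ip), where 4625 is
# a failed logon and 4624 a successful one. One external source sprays several
# accounts and finally gets in; one internal user mistypes a password once.
SAMPLE_EVENTS = """\
2024-05-01T02:00:00,4625,jsmith,203.0.113.7
2024-05-01T02:00:01,4625,admin,203.0.113.7
2024-05-01T02:00:02,4625,svc_backup,203.0.113.7
2024-05-01T02:00:03,4625,jdoe,203.0.113.7
2024-05-01T02:00:04,4625,helpdesk,203.0.113.7
2024-05-01T02:00:05,4625,jsmith,203.0.113.7
2024-05-01T02:00:06,4624,helpdesk,203.0.113.7
2024-05-01T09:15:00,4625,mgokhale,10.0.0.25
2024-05-01T09:15:20,4624,mgokhale,10.0.0.25
"""

def parse_events(text):
    """Parse CSV lines into (timestamp, event_id, account, source) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return sorted(events)

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed logons inside a sliding window.
    A 4624 from a flagged source within the window records the account that
    let it in (the 'brute force that eventually worked' case). The threshold
    and window are toy values; tune them to your own environment."""
    recent = defaultdict(list)  # source -> [(ts, account)] still inside the window
    total = defaultdict(int)    # source -> all failures seen, for the report
    findings = {}
    for ts, event_id, account, src in events:
        if event_id == 4625:
            total[src] += 1
            recent[src] = [(t, a) for t, a in recent[src] if ts - t <= window]
            recent[src].append((ts, account))
            if len(recent[src]) >= threshold:
                f = findings.setdefault(src, {"accounts": set(), "success_after": None})
                f["failures"] = total[src]
                f["accounts"].update(a for _, a in recent[src])
        elif event_id == 4624 and src in findings and findings[src]["success_after"] is None:
            if ts - recent[src][-1][0] <= window:
                findings[src]["success_after"] = account
    return findings
```

Running `detect_brute_force(parse_events(SAMPLE_EVENTS))` flags only 203.0.113.7, with six failures across five accounts and a successful logon as `helpdesk` right after; the single internal typo from 10.0.0.25 is not reported.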
Nick Cerny retweeted

NETRESEC
There's some unknown but interesting C2 to 104.16.0.0/13 (@CloudFlare). C2 domains:
🔥 event-time-microsoft[.]org
🔥 windows-msgas[.]com
🔥 event-datamicrosoft[.]live
🔥 eventdata-microsoft[.]live
Does anyone know what malware this is? infosec.exchange/@netresec/1147…
Nick Cerny retweeted

Rad @rad9800
People often ask why I pivoted away from malware. Sometimes I ask myself the same question. After all, everything I've published until recently was malware-focused - the talks, workshops, research. I literally built a community called OnlyMalware.

The answer came from @ollieatnowhere's BlackHat EU 2024 keynote (1). He nailed the problem: "If only I could employ a $10 million security team..." But most organizations can't. They need solutions that work without the top 2% of cybersecurity talent.

When we Red Team'd these organizations - we didn't spend time exploiting technology. We exploited the people and their processes. Modern breaches prove the point. Lapsus$, Scattered Spider - their success is not enabled through deploying custom implants. They're "Read Teaming" (2) - looking through knowledge stores and communication channels like Confluence/Slack/GitHub to find API keys - exploiting the people and processes, less so only the technology.

So, could I have built another malware product? Another BAS tool to test EDRs? Absolutely. But it wouldn't solve the problem I've seen firsthand. And I'd be just another vendor... The attacks that actually succeed aren't using advanced malware - they're using simple techniques that are nearly impossible to detect with traditional tools.

I didn't choose deception because it's trendy. I chose it because it's the only technology I genuinely believe democratizes threat detection. It lets organizations of any size catch nation-state actors and insider threats without a Fortune 50 security budget.

Sometimes the best product isn't what everyone expects from you. It's what actually solves the problem. Fundamentally, I could've built another tool that makes money off fear (malware). Instead, I'm building what I wish every company I've compromised had in place. Because democratizing detection isn't just good business - it's the right thing to do.
Nick Cerny retweeted

Czech Ministry of Foreign Affairs
1/2 We are exposing cybercriminals. China has been persistently trying to undermine our resilience and democracy. Through cyberattacks, information manipulation, and propaganda, it interferes in our society - and we must defend ourselves against it.
Nick Cerny retweeted

Christian Casazza @CasazzaNY
Next week I am presenting for NYC Open Data Week. I will be showcasing an early preview of what I’ve been working on for the last few months: an open source data platform for public goods. I’ll be showing how to use open source data tools like parquet, @DataPolars , @duckdb , @dagster, and @evidence_dev alongside an LLM coding partner to build end to end data products locally to create public good data products. This session will be focused on NYC open data. If this interests you, please come attend, link in reply
Nick Cerny retweeted

inversecos @inversecos
NEW LAB: Mustang Panda 🐼🔍
Chinese cyber espionage APT targeting a government body across the U.S., Europe, and APAC
Test your blue team skills on
👀 .NET malware
👀 DLL Sideloading
👀 Webshells
👀 Procdumps
Lab Contributors
Adversarial Emulation: @MDSecLabs @offensiveninja
Incident Responder: @svch0st
Solve it here 👉 xintra.org @XintraOrg
Nick Cerny retweeted

Huntress @HuntressLabs
Here's an example of VPN compromise 👇
✅ It's a super common technique we see all the time
✅ Affects businesses of every size
✅ Usually caused by a simple configuration mistake, like an account without MFA enabled
Yet it can often lead to network-wide compromise 😟
Nick Cerny retweeted

Censys @censysio
Thousands of drivers across the U.S. are getting fake toll payment texts—but this is more than just another phishing scam. The scale, the tactics, and the origins point to something much bigger. Here’s what we uncovered: censys.com/highway-robber…
Nick Cerny @NickCerny
@Antonlovesdnb @nyxgeek This! It’s crazy how many dreams have woken me up thinking I missed a mid-term or now in the corporate world an important meeting. Anxiety has a crazy hold on the subconscious it seems.
Anton @Antonlovesdnb
@nyxgeek Oh man I've been out of school since 2012 and still have dreams that I didn't get enough credits to graduate lol
nyxgeek @nyxgeek
Anybody else have recurring dreams that you either missed a deadline on a project, or that you missed a meeting? Late-to-meeting dreams are the worst. That spike of panic when you're like "OH FUCK". Bolt upright and scramble to find phone and check calendar.
Nick Cerny @NickCerny
@ImposeCost Way underrepresented concentration outside of some pentesting guides. It is hard to find anything like how macOS was (though that is improving). Big training development opportunity.
Rishal @lahjar_
@digininja This seems like Adobe Reader causing an issue, probably through their plug-in for Word. The dialogue box is an Adobe Acrobat box, not Microsoft Word.
Robin @digininja
This is new from Word: you can only create one PDF for free per month, after that you have to pay! They've obviously removed the ability to print to PDF as well, so that isn't an option. Guess I'm using LibreOffice to finish off my reports from now on.
Nick Cerny retweeted

Malware Brandon @Malware_Brandon
Finally getting around to sharing the SocGholish infrastructure I've observed over the last year or two. It comprises known initial Stage-2 and Stage-3 domains as well as the respective Stage-2 scripts found on VirusTotal. github.com/MalwareBrandon…
Nick Cerny retweeted

Matt Zorich @reprise_99
In real world incidents, we often see attackers compromise on-premises environments and then pivot into the cloud. We understand most large organizations, and even smaller ones, still have a significant on-premises identity footprint. To help you protect M365 from on-premises compromise we have written specific guidance to help you - learn.microsoft.com/en-us/entra/ar…
Nick Cerny retweeted

Chris Rilling @tokitaeII
The FAA is close to canceling a $2.4 billion contract with Verizon and HANDING IT OVER TO STARLINK. - Musk fires FAA employees - Musk gets an inside look at Verizon's contract - Musk gets inside look at the communication system being built by Verizon - Musk cancels Verizon contract and gets it for himself No conflict of interest there.