Adam Swan

753 posts


@acalarch

https://t.co/Fuai6SJzcJ

Silver Spring, MD · Joined March 2017
274 Following · 840 Followers
Adam Swan@acalarch·
Output redirection from cmd.exe is not captured on the command line unless it is part of an argument (e.g. cmd.exe /c "whoami > out.txt"). So a SIGMA rule like this one will work 60% of the time all the time. github.com/SigmaHQ/sigma/…
Vincent Yiu@vysecurity·
Once you use a 4k Screen at 100% scaling, you can not really go back.
Adam Swan@acalarch·
@ImposeCost You don't have the standard issue lanyard made by SKILCRAFT?
Adam Swan@acalarch·
@ImposeCost Seems to me that paying some desperate person 10-20k for access must be cheaper (and easier?) than paying for a 0-day.
Privilege Escalator@kafkaesqu3·
@acalarch @vysecurity Which audits require red teams? As far as my knowledge goes (which is limited to PCI audits), only a pentest is required. If there is an audit framework requiring red team engagements I'd love to know what those are :)
Vincent Yiu@vysecurity·
Drop a canary Excel file called "hackedsystems.xlsx" on every endpoint you pop. If it triggers you know IR started? :D
Adam Swan@acalarch·
@kafkaesqu3 @vysecurity In theory, sure. In practice, the vast majority of organizations are understaffed and do not have the time to handle fake incidents.
Adam Swan@acalarch·
@ImposeCost Targeting of things like critical public infrastructure (to include health infrastructure) via 'cyber weapons' (e.g. ransomware) is IMO terrorism. Those criminals should be getting free red eye flights w/ complimentary pickup.
Adam Swan@acalarch·
@NathanMcNulty It's on my personal bingo board that the name Entra doesn't survive 2024. Probably will be MActivision Entre by November.
Nathan McNulty@NathanMcNulty·
This title gets funnier every time I read it 🤣
Mehmet Ergene@Cyb3rMonk·
If you are spending too much time just to write a Sigma rule, something is really wrong, in my opinion. It is not just Sigma, it applies to any detection engine/rule where you just do simple string matching/lookup.
1. execute/simulate attack
2. check logs to identify relevant events
3. write your rule that detects the identified events
4. exclude false positives on the way
If you want to spend that much time anyway, spend it on data analysis methods and use it for developing robust detections. #ThreatHunting
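The two Sigma-related points in this thread (the cmd.exe output-redirection pitfall in @acalarch's tweet above, and the four-step simulate / inspect logs / write rule / exclude false positives loop in @Cyb3rMonk's) can be walked through together with a small matcher. The code below is an added example, not code from either author and not the SigmaHQ rule linked in the tweet: it is a deliberately minimal Sigma-like evaluator (only the `contains`, `endswith` and `startswith` modifiers, one `selection` and one `filter`) run over constructed Sysmon-style process-creation records. The events, process ids and paths are invented for the illustration.

```python
"""Minimal Sigma-style matcher over constructed process-creation events.

Shows why a rule that looks for '>' in CommandLine fires only when the
redirection was passed to cmd.exe as an argument (cmd.exe /c "..."), and
stays silent when the same command was typed at an interactive prompt.
"""

# Constructed Sysmon-style Event ID 1 (process creation) records.
# Each dict is one event as it might be parsed from the Windows event log.
EVENTS = [
    # Case A: redirection passed as an argument. The whole string lands in
    # cmd.exe's CommandLine and is visible to a string-matching rule.
    {"EventID": 1, "ProcessId": 1001, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami > out.txt"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 1002, "ParentProcessId": 1001,
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Case B: the same command typed at an interactive cmd.exe prompt. cmd.exe
    # handles the '>' itself (it opens out.txt and hands the handle to whoami
    # as stdout), so neither process's CommandLine contains the redirection.
    {"EventID": 1, "ProcessId": 1003, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1004, "ParentProcessId": 1003,
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign noise for the "exclude false positives" step: a CI job that also
    # redirects output (constructed parent path).
    {"EventID": 1, "ProcessId": 1005, "ParentProcessId": 500,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "msbuild app.sln > build.log"',
     "ParentImage": r"C:\Program Files\Jenkins\jenkins.exe"},
]

# Simplified Sigma rule: a 'selection' of field|modifier lists and a 'filter'
# of the same shape; the condition is 'selection and not filter'.
RULE = {
    "selection": {
        "Image|endswith": ["\\cmd.exe"],
        "CommandLine|contains": [" > ", ">>", " 1>", " 2>"],
    },
    "filter": {
        # Step 4 of the loop: carve out the known-benign CI parent.
        "ParentImage|endswith": ["\\jenkins.exe"],
    },
}


def _field_matches(event, spec_key, needles):
    """Evaluate one 'Field|modifier: [values]' line against an event."""
    field, _, modifier = spec_key.partition("|")
    value = str(event.get(field, ""))
    if modifier == "contains":
        return any(n in value for n in needles)
    if modifier == "endswith":
        return any(value.endswith(n) for n in needles)
    if modifier == "startswith":
        return any(value.startswith(n) for n in needles)
    return value in needles  # no modifier: exact match


def _block_matches(event, block):
    """All lines inside a selection/filter block are AND-ed together."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_fires(event, rule=RULE):
    """'selection and not filter' for a single event."""
    if not _block_matches(event, rule["selection"]):
        return False
    return not _block_matches(event, rule.get("filter", {}))


def matching_command_lines(events=EVENTS, rule=RULE):
    """Run the rule over the log and return the CommandLines that fired."""
    return [e["CommandLine"] for e in events if rule_fires(e, rule)]


def redirection_observable(events=EVENTS):
    """For every child of cmd.exe, report whether a '>' is visible anywhere in
    the child's own CommandLine or in its parent cmd.exe's CommandLine.
    Maps child ProcessId -> bool; False means the redirection left no trace
    in process-creation telemetry at all."""
    by_pid = {e["ProcessId"]: e for e in events}
    result = {}
    for e in events:
        if not e["ParentImage"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ParentProcessId"], {})
        visible = ">" in e["CommandLine"] or ">" in parent.get("CommandLine", "")
        result[e["ProcessId"]] = visible
    return result


if __name__ == "__main__":
    print("rule fired on:", matching_command_lines())
    print("redirection visible per cmd.exe child:", redirection_observable())
```

Running it shows the rule firing once, on the `cmd.exe /c "whoami > out.txt"` event, while the interactive session (case B) produces two process-creation events that carry no `>` at all; that is the gap the first tweet describes, and no amount of tuning a CommandLine string match closes it, because the field never contained the redirection. The filter block is the "exclude false positives" step from the second tweet applied to the constructed Jenkins noise.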
Adam Swan@acalarch·
@andriinb @cyb3rops To say that a majority of SOC Prime's content comes from the public SIGMA repo is simply fake news.
Andrii Bezverkhyi@andriinb·
youtube.com/watch?v=mZEtvg… The only thing worse than a false sense of security is a false representation of facts. It hurts me personally, that @cyb3rops , a Sigma language co-inventor and my companion during a 6-year path of making Sigma a common language for cybersecurity, now erases my team’s legacy in it. I just read this last evening on X: “...The primary essence of content provided by SOCPrime and [omitted] comes from the Sigma community's rules, presented through a web GUI with some added context. It could mislead readers to believe that these content providers generate most of the content, whereas, in reality, they mostly repackage the community-driven Sigma rules. Particularly, the generic rules which are crucial, are provided by the Sigma community…” continued in Florian’s tweet x.com/cyb3rops/statu… Sometimes, it takes one tweet from the company Advisor to break the trust and lose faith of people behind Sigma backends R&D, vendor alliances, threat research, community, and marketing. Facts (the comprehensive version is in the attached video): SOC Prime has been the largest commercial contributor to the #Sigma language since 2017, proven by holistic effort, the number and quality of rules or even backends developed. Our team added MITRE ATT&CK tags to Sigma rules in 2017, I publicly presented this at the very first MITRE ATT&CK EU Conference on May 24-25, 2018, which served as a pivotal event for Sigma’s popularity. Authors who participate in SOC Prime’s Threat Bounty program, the only program to my knowledge that provides monthly payouts to threat researchers for Sigma rules, have delivered a major part of all Sigma rules created since 2017 to the date. This has set Sigma rules quantity for exponential growth. That is without mentioning all the countless contributions, projects, educational webinars, and community efforts my team did that have propelled Sigma to its recognition and adoption today.
We believed in Sigma, due to the GPL nature of the project and DRL license, which both promote inclusivity and equal opportunity. While Sigma inventors deserve credit for the idea and initial code, the project belongs to the world and global cyber community. Popularity should not come at the expense of all of its contributors, be it backend makers, rule researchers or users who share feedback. If we are to make a difference and defend together, we need to act together. A change more significant than a pull request is needed. @sigma_hq
Adam Swan retweeted
President Biden Archived@POTUS46Archive·
Let’s give public school teachers a raise.
Adam Swan@acalarch·
@anton_chuvakin I think by the time AI is able to replace "Joe Schmo" the economy and cyber ecosystem will look completely different. Jobs that would've been killed.. will already not exist.
Adam Swan@acalarch·
@anton_chuvakin AI is increasing the overall efficiency of cybersecurity teams which will help fill the massive talent shortage well before it "kills" specific jobs. We will be able to do more with less folks, specific jobs shouldn't be impacted so much.
Dr. Anton Chuvakin@anton_chuvakin·
So, yesterday somebody asked me "what security job/role would be the first to be eliminated by advances in #AI?" While a bit sensationalistic, this is a useful thought to pursue. (1/3)
Adam Swan@acalarch·
@Antonlovesdnb I would say that it's generally bad hygiene to have the manager & MFA on the same device. More and more password managers are changing the game to "what I have and what I have" instead of what I know and what I have.
Anton@Antonlovesdnb·
Genuine question - is it still MFA if the one-time password is in the password manager? I guess so, if the password manager itself is MFA'd. Personally I've avoided doing this as it felt like poor cred hygiene; but maybe I'm wrong