
md-ir-ap (@ansari_response)
80 posts
🦅🦅🦅 Mandiant Advanced Practices🦅🦅🦅 *opinions are my own and do not express the views or opinions of my employer
Washington, DC
Joined December 2020
239 Following
207 Followers

@stvemillertime S_?O_?F_?T_?W_?A_?R_?E\\M_?i_?c_?r_?o_?s_?o_?f_?t\\W_?i_?n_?d_?o_?w_?s\\C_?u_?r_?r_?e_?n_?t_?V_?e_?r_?s_?i_?o_?n\\R_?u_?n
👀 if a taxing regex is needed, I magically appear
md-ir-ap retweeted

Oh hey, that's me. Come on by and hear my thoughts on my 10 years providing Frontline Intrusion Intelligence support to Mandiant Managed Defense and Consulting. #NotZapRowsdower

Best way to actually detect 0-days is via the post-exploitation traffic
Andrew Case@attrc
Our (@volexity) network security monitoring sensors were the first to detect the majority of the most devastating 0days found in the wild over the last several years. If you want this level of protection in your organization then contact us: volexity.com/company/contac…

@x04steve I just got the nightingale CXO 6200D. It’s for $1600 but I got it second hand for $400. I initially went to get a Herman miller aeron but it wasn’t for me.
Whatever chair you choose I highly recommend going to Facebook marketplace or a used office furniture store.

@bryceabdo @ItsReallyNick The thrill of being confidently wrong is something else tho
md-ir-ap retweeted

It is with great pleasure that I announce
@ansari_response has joined
@Mandiant's Advanced Practices Team. Glad to have you aboard!
md-ir-ap retweeted

@MaxRogers5 Also, haven’t looked at PCAP in a long time either. I miss it

@MaxRogers5 Brooooo same. Haven’t created a snort rule in a looooong time :(

@Match2022_bot #match2022 can someone help me with tips and tricks in order to prepare for SOAP 2022? Just to prepare for the worst.

@stvemillertime Something something computer is 100% the right way to explain things 😂😂

PE exports are an analytically rich feature because they contain a plethora of <things> that you can easily parse, measure & compare with YARA rules. Exports are a common convention in malware, potentially 20+% (?) of the time, because something something computer. #100DaysofYARA
Super Sheep (@[email protected])@Qutluch
This is the skeleton of a rule I'm playing with lately, needs a lot of tuning. 30 days of VT data plus a private enterprise feed returns 10K+ results, but a lot of malware. gist.github.com/schrodyn/1d041… #100DaysofYARA

@inversecos @kfosaaen I’ve become a huge fan of your blogs. You explain technical details very well and make them so much easier to understand. Also, I really appreciate your cloud-based blogs. Thank you for your contributions!

😈 Detecting Malicious #Azure Persistence 😈
Automation Accs in Azure can be abused for:
> Persistent access to AAD via Webhooks
> Single factor logon
> Creation of shadow accs
I was inspired by @kfosaaen research and wrote about the detection here:
bit.ly/3GQrYr0

@chrissanders88 Most common reasons would be for persistence and user activity during an interactive session. Usually to prove presence of malware, evidence of lateral movement and file interaction.

@ImposeCost This is important! Someone in an IR training I was giving a few months back asked about detecting/preventing supply chain attacks. I told them exactly what you quoted from the blog, as it applies to those as well 👍🏽