markus neis

2.9K posts

@markus_neis

Senior Principal Threat Intelligence Researcher at Arctic Wolf Labs | Opinions are my own

Blockchain · Joined February 2017
1.3K Following · 2.7K Followers
markus neis retweeted
inversecos @inversecos
APT Emulation Labs: NOW LIVE 🎉 Solve incidents emulating APT29, APT10 and other threat groups. $45 per month access to ALL labs: 👀 150+ hours of lab content 👀 Disk forensics + ELK logs 👀 Hints, questions and point system 👀 7 days free trial Labs are created & designed by industry peers: @ZephrFish @svch0st @ippsec @DebugPrivilege @HuskyHacksMK @inversecos Each lab comes with scoping notes, Windows VM with forensic tools, network diagrams, disk forensics, ELK access and was created from our collective experience working in the field. 👇ACCESS THE LABS HERE 👇 xintra.org/labs
markus neis retweeted
The DFIR Report @TheDFIRReport
🎉 Announcing DFIR Labs! 🎉 Introducing our DFIR Labs based on real intrusions from our public reports and private threat briefs! Whether you're starting out or looking to deepen your skills, our labs can help. 1/2
markus neis retweeted
Nils Kuhnert @0x3c7
Recently, we published lists of both APT groups and financially motivated threat groups targeting organizations in Germany. These pages are now also available in English. #threatintelligence #APT
Steve YARA Synapse Miller @stvemillertime
Excited to join @mandiant (for the third time) and start a new adventure @googlecloud (for the first time), now shifting my focus to ICS/OT intel. I plan to continue learning and sharing about shenanigans in the cyber-physical realm and hopefully find lots of evil left of boom.
markus neis retweeted
Ivan Kwiatkowski @JusticeRage
#100DaysofYARA I created a web service that allows you to verify on which yara versions your rule compiles. In the past, shipping rules to customers, I wondered if there were limitations but couldn't find out easily. Now I can. yaravalidator.manalyzer.org
Michael R @nahamike01
Next time, I'll cover something a bit more advanced, maybe a Python script to emulate communication with a C2 framework to assist in identifying new hosts. Shout out to @embee_research for the tips and motivation to start sharing more.
Michael R @nahamike01
Tracking a Rust-based C2 From downloading the framework to refining search queries, I'll guide you through my process of tracking adversary infrastructure. Today, we'll briefly look at "link," which supports implants targeting Windows, MacOS, and Linux. 1/10
markus neis retweeted
Nils Kuhnert @0x3c7
Frank @r3c0nst created a neat #Yara workshop some time ago and released the materials this weekend. If you want to learn Yara (or know someone who does) - this is a very good place to start. #threatintel #detectionengineering
markus neis retweeted
Ramin Nafisi @MalwareRE
Midnight Blizzard is at it again, this time targeting vulnerable TeamCity servers, disabling AV/EDR, deploying VaporRage, Mimikatz, DSInternals, rsockstun, etc. Microsoft Threat Intelligence: x.com/MsftSecIntel/s… CISA: cisa.gov/news-events/cy… CERT-PL: gov.pl/web/baza-wiedz…
Microsoft Threat Intelligence @MsftSecIntel (quoted post)

Microsoft has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793.

markus neis retweeted
Steve YARA Synapse Miller @stvemillertime
The YARA enthusiast community is friendly, skilled and growing, and you can be a part of it. Come learn and have fun, push yourself and your peers, and let's jam on some YARA rules together. github.com/100DaysofYARA/…
Greg Lesnewich @greglesnewich (quoted post)

About a month from now, #100DaysofYARA will kick off! Explainer on how to participate is linked below but the TL;DR is: A self-paced, concerted effort to learn YARA by writing a new rule everyday, starting January 1

Matthew Toussain @0sm0s1z
@markus_neis @stedaniels @cyb3rops Agreed. I just don’t like the idea of invalidating the work of thousands of people by making it seem like ‘just a game’. It’s not. Folks get real value from these things and have dedicated their lives to it. Triggered me pretty hard. 🤷‍♂️
Florian Roth ⚡️ @cyb3rops
I don't call myself a 'Blue Teamer' and here's why. The term originates from gaming scenarios, where 'Red Team' implies an adversary. However, my true adversaries aren't fictional teams; they are genuine threats. People often think it's all about Red vs Blue, but it's not. It's more than just beating another team. The main job of the Red Team is to help the defenders get better and test their tools to spot real dangers. We shouldn't just think about this as a game. Our collective aim is to identify risks sooner, prevent harm, and foster positive outcomes. It's about the larger picture - safeguarding and nurturing what is valuable.
Florian Roth ⚡️ @cyb3rops
So funny, I wrote "the term originates from gaming scenarios" and people correct me saying that it originates from ☝️"war gaming scenarios" as if that mattered. It originates from a game, a play, a training exercise, a side show .. that's the point. Wasn't that obvious?
Matthew Toussain @0sm0s1z
@stedaniels @cyb3rops The difference is the idea of “play”. Which was the OP’s entire point. - It’s not real; it’s just a game. That’s a silly and counterproductive take. Blue teams do REAL work that has REAL benefits for REAL organizations. Discounting that value is a disservice to everyone.