PC

This was a great blog to help to craft, showing the power behind our IR team and Threat Intelligence capabilities at Talos. Great work Team!

@wolfalicemusic @blueweekendss

@blueweekendss dream or vision?

had a dream last night that wolf alice announced their new album

Investigating a SharePoint Compromise: IR Tales from the Field #DFIR rapid7.com/blog/post/2024…

Going private this weekend, go find me elsewhere

@LemonKiwi_ Woot! :)

💛 it was always about the journey, my love for games, and the people we cast for. But this still really means a lot. I'm grateful

@InfoSecSherpa @JohnHultquist @CYBERWARCON Totally jelly :) sounds like an amazing event

@LitMoose Chris Sanders, Xintra (amazing for O365/Azure goodies), Spectre Ops, and 13cubed. Good on you for supporting training for your team!

PowerShell math:

Fun to work with @Google on their latest Security white paper! My fave quote: “Folks throw money at a super expensive platform, but then don’t have a password manager for the team! It’s like spending money on ballistic windows but your door is wide open.” services.google.com/fh/files/misc/…

I remain as adamant as before that "humanless, full-auto #SOC" is not coming any time soon, BUT I sense that we are close to replicating the quality of shitty, low-cost MSSP/MDR with machines alone, no humans needed... So, shitty, low-cost MDRs beware, you business may be toast.

🔍💻 PowerShell Pro Tip! 💻🔍 Ever wondered what app opens specific file extensions on your Windows machine? 🤔 Sure, it’s not new, but it’s super handy! 💪 Use this PowerShell magic to find file extensions and their associated apps (like finding out `.rdp` opens with `mstsc.exe`)! 🚀 ``` $associations = @() $registryPaths = @( "HKLM:\Software\Classes", "HKCU:\Software\Classes" ) foreach ($path in $registryPaths) { Get-ChildItem $path | ForEach-Object { if ($_.PSChildName -like ".*") { $extension = $_.PSChildName $progId = (Get-ItemProperty -Path "$($_.PSPath)" -ErrorAction SilentlyContinue).'(Default)' if ($progId) { $commandPath = (Get-ItemProperty -Path "$path\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(Default)' $associations += [PSCustomObject]@{ Extension = $extension ProgID = $progId AssociatedApp = $commandPath } } } } } $associations | Out-GridView -Title "File Extensions and Associated Applications" ``` gist.github.com/MHaggis/a5b0af… Hit enter & watch as the magic unfolds! 🎩✨ Explore the full list in a GUI to see extensions + their apps! Because sometimes… knowing is half the battle 🛡️💡 🖥️🐱‍💻

Soooo….the GOP is planning to throw thousands of vets off of VA health care (while also repealing the ACA), and slashing VA benefits and pensions. To my fellow vets, what’s your plan when that happens?

@MuellerSheWrote @joshrogin @JunkMell @thedailybeast She's been a Russian plant for years now, this is disgusting

@joshrogin @JunkMell @thedailybeast But not her ties to Russia

Tulsi Gabbard’s Ties to ‘Cult’ Could Cost Her Intel Job thedailybeast.com/tulsi-gabbards… By @JunkMell for @thedailybeast

@JenMsft beep boop :)

Failing a captcha, thinking to myself, oh god - is this it? Is this how I discover I'm really a bot?

Investigation Scenario 🔎 You’ve discovered a Windows 10 host placed in the wrong AD OU. As a result, WSUS did not pick it up for automatic updates for at least two years. What do you look for to investigate whether it has been compromised? #InvestigationPath #DFIR #SOC

Entra ID monitoring - are you doing the basics? Part 1 securediam.com/f/entra-id-mon… Part 2 securediam.com/f/entra-id-mon… Part 3 securediam.com/f/entra-id-mon…

Invoke-SMBRemoting. utilizes the SMB protocol to establish a connection with the target machine, and sends commands (and receives outputs) using Named Pipes. by @L3o4j github.com/Leo4j/Invoke-S…

The problem I have with AI is that the implementations are attempting to replace critical thinking with a poor replacement. It's not going to work, it causes people to stop learning or trying to be able to critically think, write, etc. and without their crutch they are useless.

New Sigma release r2024-11-10 is available for download 🌟 17 New Rules 🛡️ 35 Rule updates 🔬 4 Rule Fixes This release includes rules covering - Suspicious .RDP file creation by Outlook and other uncommon processes. - IIS config tampering. - PowerShell Web Access abuse. - Antivirus cheat sheet updates And more 🔥 Check the full change log and start exploring this, by downloading the latest release -> github.com/SigmaHQ/sigma/… Also keep an eye for the next release soon, as I go through the rest of the PRs. Thanks to the many contributors that helped shape this release, specifically ahmedfarou22, bharat-arora-magnet, BlackB0lt, CheraghiMilad, dan21san, @defensivedepth, @deFr0ggy, djlukic, @frack113, fukusuket, ionsor, jaegeral, @imlordofthering, Koifman, Mahir-Ali-khan, @MalGamy12, @M_haggis , Milad Cheraghi, @cyb3rops , ruppde, @AltgeltMax , swachchhanda000, @Kostastsale , wieso-itzi, @X__Junior

Nice #PowerShell script Create-LDAPLogsGPO.ps1 github.com/itpro-tips/Act…

SharpADWS is an Active Directory Recon and Exploit tool for Red Teams via the ADWS protocol, Inspired by @FalconForceTeam Without the LDAP protocol, it can easily bypass most traffic monitoring for LDAP #BloodHound #redteam #Pentesting #CyberSecurity github.com/wh0amitz/Sharp…