Josh Madeley

@cyb3rops If the TA had the privileges to install software, not sure what tool they downloaded and used really matters. Seems “troll-ey” that they picked an open-source forensic tool more than anything else.

Interesting blog.talosintelligence.com/velociraptor-l…

@ItsReallyNick Jesus. That pace. Well done.

little faster today. 19 miles after work! get it. time for the weekend

marathon training with busy/travel weekends is rough – cramming the long runs in before or after work i genuinely don’t understand how distance runners find the time, aside from just being lots faster than me

@BakedSec @Blackhat Looks vaguely familiar. Can’t quite place my finger on it.

I had the great fortune to share a great tool called TIM at @BlackHat Arsenal - and I wanted to share it here with the InfoSec Twitterverse too! TIM (no, it doesn't stand for anything) is a fantastic alternative interface to work with ADX/KQL-accessible data.

UNC3944 Evolving Tactics Exposed! Our new blog dives deep into UNC3944's recent SaaS attacks, analyzing their changing methods and goals. Read now: bit.ly/3x5WC0l #Cybersecurity #ThreatIntelligence #UNC3944

Thrilled to co-present on cloud threat hunting with the IR legend @MadeleyJosh on June 13th! Tune in to hear: ☁The nuances of hunting in the cloud ☁ How to turn intel into detection/TH opportunities ☁ Case studies on recent compromises Register now: bit.ly/3Vmnstd

@ImposeCost xlsx2csv and csvkit

@gleeda @ImposeCost This is not to say they can’t benefit from it; just my observations in practice is that they don’t use it that way. Security vendors are exempted from my observations - someone has to build detections at scale.

@MadeleyJosh @ImposeCost That isn’t my experience at all, but I can see how your mileage may vary

@gleeda @ImposeCost There probably isn’t a good way. My intuition (and anecdotal experience) is that most blue teamers are not using the POC code to build detections; they are using it to test if the mitigation or patch worked until their is an official vuln scanner detection.

How would you propose sharing such things? Because I personally think that blue teamers can benefit from exposure to exploits and POCs. I think they need it in order to better understand the attacks, and a lot of them aren’t able to craft these things themselves in order to study these things. Should these be vetted research groups or … ?

@_Omer_GG @Big_Bad_W0lf_ @cglyer Commercial datasets like Spur attempt to identify them. They are not “great” given the high turnover, but it’s a starting point.

@Big_Bad_W0lf_ @cglyer How does one identify residential proxies with a company that has remote work or hybrid work?

Additional TTPs from Midnight Blizzard campaign “Due to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as infrastructure IP addresses, is not sufficient to detect this type of…activity” 👆👆 microsoft.com/en-us/security…

@DeltaTangoTwo Need help? I know some people :)

We are continuing to investigate, more to come soon. msrc.microsoft.com/blog/2024/01/m…

@derekcoulson @ImposeCost Bank fraud and loss prevention are big business. Not usually the type of crime we see.

@ImposeCost and 26% of its workforce is employed to "fortify its defense against cyber crime"......

@itsfoss @srunnels

Where them swole Arch users at? #linux #archlinux

@PJ47596176 @jamieantisocial Hard to explain the fingernail pain to anyone who hasn’t played.

@jamieantisocial I grew up on these streets.

I grew up on these streets 🤷‍♂️

@PJ47596176 The baby swing is a great touch! I started getting my daughter to count reps!

Putting the end of year work in, in spite of last night's whisky.

@brettshavers Maybe I am missing something, but are they saying that IP address based tracking still worked when people were incognito? Was the expectation that client side changes impact server side analytics?

I wonder if Google’s ROI justified the $5B settlement…my guess is yes.

"Google has made itself an unaccountable trove of information so detailed and expansive that George Orwell could never have dreamed it” news.yahoo.com/google-agrees-… #privacy

@ImposeCost Maple syrup should only come in a glass bottle. Zero exceptions.

Listen to the recent #DefendersAdvantage podcast with @doughsec and @MadeleyJosh sharing the trends they’ve experienced when responding to breaches in 2023. Check out their episode here: spoti.fi/3TmbnVe #ThreatIntelligence

Quality advertising

@ImposeCost Juxtaposed to a tweet about needing a mobile IV van paints the picture of a wild Friday night.

Today we launched a 🔎 scanning tool for orgs to search their Citrix netscalers for evidence of CVE-2023-3519 post-exploration. You can run this direct on the ADC or against a forensic image. With public POCs out there expect more exploitation! mandiant.com/resources/blog… #DFIR