Jack (@malwareforme)
Security researcher
1.1K posts · Joined March 2015 · 926 Following · 6.3K Followers

Pinned Tweet
Jack (@malwareforme):
Getting away from Twitter. You can find me on BlueSky while I rebuild followers and figure it out: malwareforme.bsky.social
Jack retweeted
[author not captured]:
We are looking for some interns to join our team here at Microsoft. If you are currently studying cyber security, computer science, mathematics or anything similar and based in Ireland or Cheltenham then we would love to hear from you - aka.ms/ghostjobs
Jack retweeted
[author not captured]:
People often share full Kusto queries, which is awesome, but what about those handy one-liners and tips you have picked up along the way? Here are some of my favourites, share yours below!

Extend an additional column for your local time, example +5 UTC:
| extend LocalTime = TimeGenerated + 5h

Find events only on weekends, cast a variable to make it easy to read:
let Saturday = time(6.00:00:00);
let Sunday = time(0.00:00:00);
AuditLogs
| where dayofweek(TimeGenerated) in (Saturday, Sunday)

Find events during certain hours of the day:
| where hourofday(TimeGenerated) !between (4 .. 23)

Calculate the minutes (or hours or days etc.) between two events:
| extend ['Minutes Between Events'] = datetime_diff("minute", Timestamp1, Timestamp2)

Parse the details, including browser family and version etc., of a user agent:
| extend UserAgentDetail = todynamic(parse_user_agent(UserAgent, "browser"))

Decode base64 encoded strings, useful for PowerShell:
| extend DecodedCommand = base64_decode_tostring(EncodedCommand)

Rename columns while using project:
| project LogTime=TimeGenerated, SigninLocation=Location, IP=IPAddress, Agent=UserAgent
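As an added example (not from the tweet above or its author), here are those one-liners stitched into one query that runs in any Kusto or Log Analytics workspace without a real table: the rows come from an inline datatable of constructed sample sign-ins, and the column names, the +5h offset and the UTF-16LE handling are assumptions of this example rather than anything the tweet states. The caveat worth adding for the PowerShell case: -EncodedCommand is base64 of UTF-16LE text, so base64_decode_tostring returns the command with a NUL byte after every ASCII character; stripping those NULs recovers it for ASCII-range commands (commands containing non-ASCII characters would need a real UTF-16 decode, which this does not do).

```kql
// Added example, not from the original tweet. All column names, the +5h
// offset and the sample rows below are assumptions/constructed test data.
let Saturday = time(6.00:00:00);
let Sunday   = time(0.00:00:00);
// Two constructed sign-in rows:
//   row 1: Saturday 2024-12-14 02:30 UTC, carries a base64 UTF-16LE "whoami"
//   row 2: Tuesday  2024-12-10 14:05 UTC, no encoded command
let SampleEvents = datatable(TimeGenerated:datetime, Location:string, IPAddress:string, UserAgent:string, EncodedCommand:string)
[
    datetime(2024-12-14T02:30:00Z), "IE", "203.0.113.10",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
        "dwBoAG8AYQBtAGkA",
    datetime(2024-12-10T14:05:00Z), "GB", "198.51.100.7",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15",
        ""
];
SampleEvents
// Local-time column (tip 1); the offset is an assumption for the demo.
| extend LocalTime = TimeGenerated + 5h
// Weekend flag (tip 2): dayofweek() returns a timespan, so compare to time() literals.
| extend IsWeekend = dayofweek(TimeGenerated) in (Saturday, Sunday)
// Off-hours flag (tip 3): anything outside 04:00-23:00 UTC.
| extend IsOffHours = hourofday(TimeGenerated) !between (4 .. 23)
// Minutes between consecutive events (tip 4): sort serializes the rows so prev() is usable.
| sort by TimeGenerated asc
| extend MinutesSincePrev = datetime_diff("minute", TimeGenerated, prev(TimeGenerated))
// Browser family and major version from the user agent (tip 5).
| extend UA = parse_user_agent(UserAgent, "browser")
| extend Browser = strcat(tostring(UA.Browser.Family), " ", tostring(UA.Browser.MajorVersion))
// PowerShell -EncodedCommand decode (tip 6) with the UTF-16LE caveat handled:
// the UTF-8 decode yields "w\0h\0o\0a\0m\0i\0", so strip the NULs (ASCII-range only).
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedCommand), @"\x00", "")
// Rename while projecting (tip 7).
| project LogTime=TimeGenerated, LocalTime, IsWeekend, IsOffHours, MinutesSincePrev,
          SigninLocation=Location, IP=IPAddress, Browser, DecodedCommand
```

Paste the whole thing into the query editor of a Log Analytics workspace or Azure Data Explorer cluster; because the input is an inline datatable no table permissions are needed. The Saturday row is the one that should come back flagged as both weekend and off-hours with its command decoded, which is the combination a hunting query over real SigninLogs or DeviceProcessEvents would pivot on.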
Jack retweeted
[author not captured]:
If you're a guy in your early 20s, learn regex. Go into debt if you have to.
SwiftOnSecurity (@SwiftOnSecurity):
Pretend I'm an idiot, what is the best read on the background and motivation of China being a fucking expansionist dick to all its neighbors
Jack retweeted
Josh Kamdjou (@jkamdjou):
Excited to announce @sublime_sec has raised a $60M Series B led by @IVP. @CNBC wrote about the news this morning: cnbc.com/2024/12/12/ema… @ianthiel and I are so grateful and humbled by the trust our customers and community have placed in us. We won't let you down.
Jack retweeted
William Metcalf (@node5):
Enjoy punching phish? Experience writing detections for phish, using regex, Yara, etc., and looking to grow as a researcher within an experienced team? Join me and the rest of the Splunk Attack Analyzer Misfits of Detection Science. US only, fully remote: splunk.com/en_us/careers/…
Jack (@malwareforme):
RT @Raqqa_SL: The great Syrian people overthrew the Assad regime. Syria is Free. We are free.
Jack retweeted
Threat Insight (@threatinsight):
Proofpoint has tracked this technique since August 2024, and calls it "brooxml". Our researchers do not consider this a zero-day or a vulnerability in general. We've released Emerging Threats and YARA signatures at the end of this thread.

Quoting ANY.RUN (@anyrun_app):
🚨ALERT: Potential ZERO-DAY, Attackers Use Corrupted Files to Evade Detection 🧵 (1/3)
⚠️ The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox.
The #ANYRUN team discovered that as part of this #zeroday attack, threat actors attempt to conceal the file type by deliberately corrupting it, making it difficult for certain security tools to detect.
📌 Our sandbox solves this problem thanks to interactivity. It launches these broken files in their corresponding programs, which allows it to identify #malicious behavior. See example: app.any.run/tasks/6839e806…
🚫 Although these files operate successfully within the OS, they remain undetected by most security solutions due to the failure to apply proper procedures for their file types. They were uploaded to VirusTotal, but all antivirus solutions returned "clean" or "Item Not Found" as they couldn't analyze the file properly.
Jack (@malwareforme):
The absolute worst take ever. Just don't end up in PCRE jail and it's fine. Regex 4ever.
Jack retweeted
[author not captured]:
Microsoft's Digital Crimes Unit has seized 240 fraudulent websites, disrupting a major "Phishing-as-a-Service" operation. These campaigns targeted sensitive industries like financial services, jeopardizing data, transactions, and even life savings. aka.ms/DCU-disruption…
Jack retweeted
[author not captured]:
I'm told we are hiring in MSTIC: aka.ms/msticjobs. Come for the data, stay for the data. Creative problem solvers have the most impact. If we've worked together, I'm happy to refer you. But...

Quoting [author not captured]:
I'm legit amped about aligning with all of the "tip of the spear" teams under the CISO. This part of the public "secure futures" update is a pretty nice acknowledgment of threat intel impact. Let's go! Come join us: aka.ms/msticjobs 🕵️ aka.ms/ghostjobs 👻
Jack retweeted
Josh Kamdjou (@jkamdjou):
You can deploy verifiable coverage for this with @sublime_sec (for free). Here's the detection that's been out for over a year (h/t @zoomequipd @ajpc500): sublime.security/feeds/core/det…

Quoting CISA Cyber (@CISACyber):
🚨We're seeing reports of a large-scale #spearphishing campaign targeting multiple sectors, including government and IT. A foreign threat actor is sending phishing emails with malicious RDP files to gain network access. Take proactive measures. More info: bit.ly/4fp9aQB
Jack retweeted
[author not captured]:
Announcing our latest NLU model update: BERT Large Language Model (LLM), which is better at understanding tone, intent, and context than ever before. We've detailed our research in our latest blog and how it's used to combat AI-generated attacks: sublime.security/blog/combating…
Jack retweeted
[author not captured]:
We are now developing @elastic threat hunting queries, alongside our detection rules, and openly sharing these as well! 🎉🎉 You can visually explore these with rulexplorer.io! 🔥🔥 #ThreatHunting #DetectionEngineering
Jack retweeted
[author not captured]:
We're excited to announce the release of our new Public EML Analyzer: a free, unauthenticated tool for analyzing email messages. Upload any EML and get Sublime's analysis results along with URL sandbox and attachment previews, insights, and more: analyzer.sublime.security
Jack retweeted
[author not captured]:
Microsoft has been running massive deception campaigns that flood new phishing sites with bogus credentials for bogus companies on MS tenants. When attackers log in, they deliver a torrent of fresh threat intelligence that can be used to defend: #infosec youtube.com/watch?v=78qnM_…