Taylor Parizo

Threat Hunting and former Threat Intelligence | “Doubt is not a pleasant state, but certainty is a ridiculous one” - Voltaire

2025-07-01

@brianvastag I'm still stuck on why I try to sign into GitHub on my phone and it asks me to scan the provided QR code from my supported iPhone 16 while displayed on my phone.

I just use the alternate 2FA method and enter my code instead. I can't care enough to fix it right now.

2025-07-01

Update: I'm learning malware development & C from maldevacademy.com/

2025-06-30

I'm getting to the point of learning the Windows API where I feel like I just need to read the Windows Internals book in its entirety.
#Windows #ThreatHunting

2025-06-28

Something I really enjoy about threat hunting after years of CTI is the more hands on approach. With threat hunting, I can focus on a feature like named pipes, create some connections in my lab and observe various sources of telemetry for baseline usage to get an idea of what a client/server connection looks like.

Then I can pivot into threat intel examples of how adversaries may have abused this feature to build a more nuanced hunt. That is a very important aspect which I don't see often.

I've always enjoyed this level of work but for years, it stayed at a hobbyist level since I couldn't tie it into a threat intel report.
#ThreatIntel #ThreatHunting #Homelab
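The lab exercise described above, as an added example that is not part of the original post: a named pipe server and client written in PowerShell generate one benign client/server connection, then the script pulls the Sysmon pipe events (ID 17 pipe created, ID 18 pipe connected) that such a connection leaves behind. The pipe name `labpipe-baseline` is constructed for the lab, and the script assumes Sysmon is installed with PipeEvent logging enabled.

```powershell
# Added lab example (not from the original post): create a named pipe client/server
# pair to generate baseline telemetry, then pull the matching Sysmon events.
# Assumes Sysmon is installed with PipeEvent (IDs 17/18) logging enabled.
$pipeName = 'labpipe-baseline'   # constructed name for the lab

# Server runs in a background job so the client can connect from this session
$server = Start-Job -ArgumentList $pipeName -ScriptBlock {
    param($name)
    $pipe = New-Object System.IO.Pipes.NamedPipeServerStream($name, [System.IO.Pipes.PipeDirection]::InOut)
    $pipe.WaitForConnection()          # blocks until the client connects
    $reader = New-Object System.IO.StreamReader($pipe)
    $writer = New-Object System.IO.StreamWriter($pipe)
    $writer.AutoFlush = $true
    $msg = $reader.ReadLine()          # read one line from the client
    $writer.WriteLine("server got: $msg")
    $pipe.WaitForPipeDrain()           # make sure the reply reached the client
    $pipe.Dispose()
    "server done"
}

Start-Sleep -Seconds 2                 # give the job time to create the pipe

# Client side: connect, send one line, read the reply
$client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(5000)                  # waits up to 5 s for the server instance
$cw = New-Object System.IO.StreamWriter($client)
$cw.AutoFlush = $true
$cr = New-Object System.IO.StreamReader($client)
$cw.WriteLine('hello from lab client')
$reply = $cr.ReadLine()
$client.Dispose()
Receive-Job -Job $server -Wait -AutoRemoveJob | Out-Null
"client got: $reply"

# Telemetry: Sysmon 17 = pipe created (server side), 18 = pipe connected (client side).
# Image and User fields in the message show which process owned each end of the pipe.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17,18 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($pipeName) } |
    Select-Object TimeCreated, Id, Message
```

Both ends here run as powershell.exe under the same user, which is the kind of baseline pair worth recording before comparing it against pipe names and process images that threat intel reports associate with abuse.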

2025-06-25

Nice, an Event ID to monitor when an RPC was attempted: 5712

Hope is the thief of joy
#ThreatHunting

5712(S): A Remote Procedure Call (RPC) was attempted.

It appears that this event never occurs

2025-06-24

Numerous hours spent trying to figure out why my OPNsense LAN net wasn't getting internet access. Finally tried to disable Unbound and enable DNSMasq instead...it worked.

ITS.ALWAYS.DNS
#DNS #Opnsense #Proxmox

Taylor Parizo boosted:
2025-06-23

Please raise your hand if you've disabled PowerShell 2.0 on your Windows systems. What? Didn't know that was a thing you should do? PowerShell 2.0 does not have any of the modern logging and security features that newer versions like v5.1 or 7.x have. But if you don't remove or disable the old 2.0 version, it can be used and abused by malware, info stealers, ransomware operators, etc. Here's an article that provides you with several ways to remove it from your systems (while keeping the newer version in place). #cybersecurity

powershellcommands.com/disable
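An added example of the audit, removal and follow-up detection the post above talks about; this is not code from the linked article. It uses the built-in DISM cmdlets to check and disable the `MicrosoftWindowsPowerShellV2*` optional features, probes whether the 2.0 engine can still be started, and then queries the "Windows PowerShell" log for engine-start events (ID 400) that record `EngineVersion=2.0`, which is what a downgrade to the legacy engine looks like in telemetry. Run it from an elevated PowerShell 5.1 session.

```powershell
# Added example (not from the linked article): audit, disable, and detect use of the
# PowerShell 2.0 engine. Run from an elevated PowerShell 5.1 session.

# 1. Audit: are the v2 optional features still enabled?
$features = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' }
$features | Select-Object FeatureName, State

# 2. Disable every v2 feature that is still enabled (keeps 5.1 in place)
foreach ($f in $features) {
    if ($f.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -NoRestart | Out-Null
        "Disabled $($f.FeatureName)"
    }
}

# 3. Verify: ask for the 2.0 engine explicitly and see which major version answers.
#    With v2 removed this either errors out or falls back to the current engine.
$probe = & powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major' 2>&1
if ("$probe" -match '^2$') { 'PowerShell 2.0 engine still starts' } else { 'PowerShell 2.0 engine unavailable' }

# 4. Detect: engine-start events (ID 400 in the "Windows PowerShell" log) carry the
#    engine version; EngineVersion=2.0 means something requested the legacy engine.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated, Message
```

Step 4 is worth keeping as a standing hunt query even after removal: on hosts where the feature is still present it surfaces the downgrade, and on hosts where it has been removed any hit means the removal did not stick.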

2025-06-20

TIL Censys also has a direct query to look for public NFS mount daemons:
services.service_name=NFS_MOUNTD

It's a good starting point but I prefer looking for other identifiable attributes in case the service name filter doesn't capture everything.

2025-06-20

An interesting observation from this is public PORTMAP services can be helpful in uncovering mounted shares open to the internet. This Censys query helps to rule out empty NFS shares (mostly).

(services.parsed.portmap.portmap_entries_v3.shorthand=mountprog and services.parsed.portmap.portmap_entries_v3.shorthand=nfs_acl)

For hosts that look interesting:
showmount -a <ip>
showmount -e <ip>

censys.com/blog/poking-the-flo
#ThreatHunting

2025-06-18

@johntimaeus @mttaggart
Don't make me tap the sign

HOW STANDARDS PROLIFERATE:
Situation:
There are 14 competing standards.
14?! RIDICULOUS! WE NEED TO DEVELOP ONE UNIVERSAL STANDARD
THAT COVERS EVERYONE'S USE CASES.

YEAH!

Situation:
There are 15 competing standards.

Taylor Parizo boosted:
SANS Internet Storm Center - SANS.edu - Go Sentinels! (sans_isc@infosec.exchange)
2025-06-18

Don’t Make it Easier than it Already is…..Default Passwords [Guest Diary] isc.sans.edu/diary/32054

2025-06-17

@mttaggart Let's start with the naming convention. APT28, including itself, goes by 16 different names.

G0007 APT28: IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch

G0016 APT29: IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard

2025-06-11

@neurovagrant
I’d start with documented references here:
attack.mitre.org/techniques/T1

2025-06-09

Happy Monday I guess

Taylor Parizo boosted:
Christoffer S. (nopatience@swecyb.com)
2025-06-05

Great article by @huntress in which they have analyzed the 'defendnot' evasion technique. Clever technique used to disable Windows defender by registering a fabricated AV-product.

Great amount of detail, detection and defense suggestions.

huntress.com/blog/defendnot-de

#Cybersecurity

2025-06-02
2025-06-01

RPC has been an interest as of late, so I might start there.

2025-06-01

Maintaining motivation for threat hunts is hard when you're on a long streak of nothing found or simply can't do because of "limitations." It might be easier to flip the scope to what do "I" want to learn and turn that into a hunt.
#ThreatHunting

Taylor Parizo boosted:
2025-05-30

🚨 Big News: our new website is now live at CyberCanon.org! 🚨

Explore our curated library of must-read cybersecurity books, suggest new titles, and support our mission to share the essential knowledge every InfoSec professional needs to learn, apply, and master.

The CyberCanon leadership team would like to thank the Institute for Cybersecurity & Digital Trust at the Ohio State University (icdt.osu.edu) for their incredible support and stewardship throughout the years.

Join the CyberCanon community today. No commitments, just a shared passion for cybersecurity and lifelong learning. 👉 CyberCanon.org

CyberCanon.org - Join our Community!
