Wes Lambert

Principal Engineer at Security Onion Solutions

Open source security advocate and platform integration.

Wes Lambert boosted:
Security Onion 🧅 (securityonion@infosec.exchange)
2023-03-28

#SecurityOnion 2.4 Beta 1 release is now available!

Featuring:
✅New Grid Configuration interface
✅Enhanced Grid Status interface
✅New Grid Members interface
✅Improved health metric visualizations
✅New Elastic Agent integration
and much more!

blog.securityonion.net/2023/03

2023-03-24

Did anyone else play "Pass the Pigs" as a child, or should I just go crawl into a corner 😅? amazon.com/Winning-Moves-Games

2023-03-23

@femaven all while trying to cram pogs into their place.

2023-03-23

@femaven I remember the Viennetta as well! 😅👌

2023-03-23

@shortstack Don't forget the dunkaroos

2023-03-23

@shortstack I don't remember Elios, but fully recall Totino's pizza on a cracker, Flintstones push pops, Fruit by the Foot, Gushers, Fruit Roll-Ups, Kudos bars, and Hi-C Fruit Punch 😅. 90s kids = 90 grams sugar/day kids.

2023-03-14

With regard to enterprise security monitoring, many folks agree that it's best to be able to monitor from the top down, passively gathering network telemetry from a SPAN port or network TAP.

While there is ETW, Sysmon DNS and network connection logs, and more, how much of an impact has it been to not have more verbose network telemetry available during your investigations?

#DFIR
#IncidentResponse
#SecurityMonitoring
#SOC

2023-03-02

I've updated the wlambert/velociraptor @velocidex #velociraptor Docker image to the latest release version.

github.com/weslambert/velocira

This refers to the pre-built image.
If building locally, you'll always use the latest version.

Enjoy, and please let me know of any issues!

Wes Lambert boosted:
2023-02-17

We are stoked to announce our return to #BlackHat 2023 with our live-fire training taught by @eric_capuano and Matt Bromiley!

Sign up now: Adversary Detection & Incident Response - Network Defense Range Operations
#BHUSA #BH23 #BlackHat2023

2023-02-03

@cR0w Unfortunately, I don't think that would work for this individual, but I appreciate your response! Thanks!

2023-02-03

I have a contact looking for remote work:

- 3 years experience in/leading a #SOC
- Experience w/ multiple #EDR and log management/ #SIEM platforms
- Open to security/SOC analyst/ #GRC/Vuln mgmt roles

If you would like to chat or share an opportunity, please let me know!

#infosec
#infosecjobs

2023-01-04

@mttaggart @huskyhacks Awesome! Thanks for sharing!

2023-01-03

What are the sneaky #C2 frameworks most folks don't know about?

2023-01-03

What do y'all think about a #C2 detection series including #SecurityOnion and #Velociraptor, illustrating the complements and differences of host- and network-based detection and response?

#BruteRatel
#CobaltStrike
#DFIR
#ESM
#Havoc
#Infosec
#NSM
#Sliver
#Sysmon

2022-12-23

@velocidex Thanks, and agreed! I'm planning on getting the posts into a central location soon. Right now, folks can find them via the #ArtifactsOfAutumn tag.

Wes Lambert boosted:
Whitney Champion 🍪 (shortstack@infosec.exchange)
2022-12-23

stoked about this talk with @eric_capuano 🤓💙🌵

join us for some @velocidex nerdery in january at @cactuscon!

and more of our @recon_infosec team will also be presenting 🔥

#cactuscon11 #cc11

2022-12-22

🦖Day 92 (THE LAST DAY!) of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.Windows.EventLogs.WonkaVision

Link: docs.velociraptor.app/exchange

----

WonkaVision is a proof of concept (POC) tool to analyze Kerberos tickets and attempt to determine if they are forged (ex. #GoldenTicket), created by @exploitph and @4ndr3w6S.

github.com/0xe7/WonkaVision

Presentation:
github.com/0xe7/Talks/blob/mai

----

This artifact can run WonkaVision, then collect its generated Windows event logs. From the event logs, we can detect potentially forged Kerberos tickets.

----

This concludes the #ArtifactsOfAutumn. Hope you enjoyed it, and thanks for all of the support!

#DFIR
#Forensics
#GoldenTicket
#infosec
#ThreatHunting
#WonkaVision

[Images: Exchange.Windows.EventLogs.WonkaVision artifact overview; creation of a golden ticket; currently cached tickets; potential forged ticket detection in Velociraptor]
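As an added illustration of what "potentially forged" means in practice (this is editor-supplied example code, not WonkaVision's logic nor part of the post above), the script below parses constructed klist-style output and applies three simple heuristics that a golden ticket commonly trips: a lifetime longer than the domain's MaxTicketAge, a renewal window longer than MaxRenewAge, and a TGT encrypted with RC4-HMAC, which is what you get when a ticket is forged from the krbtgt NT hash. The policy values (10 hours, 7 days) are the Windows defaults and are assumed here; the sample output is constructed, and WonkaVision itself inspects far more than this.

```python
import re
from datetime import datetime, timedelta

# Assumed Windows default Kerberos policy: MaxTicketAge 10h, MaxRenewAge 7d.
MAX_TICKET_AGE = timedelta(hours=10)
MAX_RENEW_AGE = timedelta(days=7)

# Constructed klist-style output: ticket #0 mimics a Mimikatz golden ticket
# (10-year lifetime, RC4), ticket #1 is a normal AES TGT.
SAMPLE_KLIST = """\
#0>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 12/22/2022 10:00:00 (local)
        End Time:   12/19/2032 10:00:00 (local)
        Renew Time: 12/19/2032 10:00:00 (local)

#1>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 12/22/2022 09:05:12 (local)
        End Time:   12/22/2022 19:05:12 (local)
        Renew Time: 12/29/2022 09:05:12 (local)
"""

FIELD_RE = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s*(.*?)\s*$"
)
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Split klist output into one dict per '#N>' ticket block."""
    tickets, cur = [], None
    for line in text.splitlines():
        if re.match(r"^#\d+>", line):
            cur = {}
            tickets.append(cur)
            line = re.sub(r"^#\d+>", "", line)  # first field shares the header line
        m = FIELD_RE.match(line)
        if m and cur is not None:
            key, val = m.group(1), m.group(2)
            if key.endswith("Time"):
                val = datetime.strptime(val.replace(" (local)", ""), TIME_FMT)
            cur[key] = val
    return tickets


def forged_ticket_indicators(ticket, max_age=MAX_TICKET_AGE, max_renew=MAX_RENEW_AGE):
    """Return a list of reasons this ticket looks forged (empty list = nothing odd)."""
    reasons = []
    start, end, renew = ticket["Start Time"], ticket["End Time"], ticket["Renew Time"]
    if end - start > max_age:
        reasons.append(f"lifetime {end - start} exceeds MaxTicketAge {max_age}")
    if renew - start > max_renew:
        reasons.append(f"renew window {renew - start} exceeds MaxRenewAge {max_renew}")
    etype = ticket.get("KerbTicket Encryption Type", "")
    if "RC4" in etype and ticket["Server"].startswith("krbtgt/"):
        reasons.append("TGT uses RC4-HMAC (typical of a ticket forged from the krbtgt NT hash)")
    return reasons


def triage(text):
    """Map each cached client principal to its list of forged-ticket indicators."""
    return {t["Client"]: forged_ticket_indicators(t) for t in parse_klist(text)}


if __name__ == "__main__":
    for client, reasons in triage(SAMPLE_KLIST).items():
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{client}: {status}")
        for r in reasons:
            print(f"  - {r}")
```

On a real host you would feed it the output of `klist` (or the event logs the artifact collects) and compare against the policy values your domain actually enforces rather than the defaults assumed here; a ticket matching only the RC4 heuristic is a weak signal on its own in domains that still allow RC4.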
2022-12-21

🦖Day 91 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.IRIS.Sync.Asset

Author: @StephMikiss

Link: docs.velociraptor.app/exchange

----

This artifact synchronizes clients from Velociraptor to DFIR-IRIS (dfir-iris.org/). It will parse available information of clients such as network interfaces, IP addresses, asset type and applied labels.

----

For those unfamiliar with DFIR-IRIS (@dfir_iris), it is a free, open source incident response platform that includes a host of useful and innovative features even many commercial platforms don't possess. Check it out here using the link below!

dfir-iris.org/

----

Once a client has been added to DFIR-IRIS, the asset ID from DFIR-IRIS will be added as client metadata and ‘IRIS’ will be added as label.

If a client already possesses an asset ID, it will be updated; in general, labels and the compromised status will be synchronized.

----

This artifact is very powerful due to the fact that we can quickly add clients to DFIR-IRIS from Velociraptor with very little effort.

This means that we can spend less time on managerial tasks, and more time on investigating and remediating the hosts we deem compromised.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#IRIS
#ThreatHunting

[Image: Exchange.IRIS.Sync.Asset artifact overview]
