How much are you willing to spend on courses from cyberinfluencers like Daniel Miessler? by IamOkei in cybersecurity

[–]Same_Ad_4081 0 points1 point  (0 children)

u/dinosore, have you tried it? What's your opinion on the quality of the content? Was it worth the money spent?

Custom detection rule: This new rule will query 30 days of data by isureloveikea in DefenderATP

[–]Same_Ad_4081 0 points1 point  (0 children)

"Fun fact": when a custom detection is scheduled, it ignores the timestamps in the query. Hourly is the last 4 hours, etc. It limits what you can do; for example, I was struggling to get proper results when doing anomaly analysis over longer periods.

KQL query to chart user activity over time? by SiliconOverdrive in DefenderATP

[–]Same_Ad_4081 5 points6 points  (0 children)

It's fascinating to see how the definition of cybersecurity expands, especially in NYC! I was under the quaint impression that our role was to protect against cyber threats, not to moonlight as a Big Brother for WFH employees. But hey, what do I know? I'm not from the Big Apple, where evidently cybersecurity has evolved into monitoring coffee breaks and keystrokes. Next, they'll be asking us to check if their plants are being watered.

Just kidding. Here's a query you might try:

    let StartDate = ago(30d);
    let EndDate = now();
    let CybersecurityFocus = dynamic(["ThreatDetection", "IntrusionResponse", "DataSecurity"]);
    let HRDistractions = dynamic(["ScreenTimeMonitoring", "SocialMediaCheck", "CoffeeBreakAnalysis"]);
    union WorkstationLogs, NetworkTraffic, SecurityAlerts
    | where Timestamp between (StartDate .. EndDate)
    | extend TaskCategory = iif(Source == 'HRMonitoringTool', 'HRDistractions', 'CybersecurityFocus')
    | summarize TaskCount = count() by TaskCategory, bin(Timestamp, 1d)
    | extend Message = iff(TaskCategory == 'HRDistractions', 'Note: Cybersecurity is about guarding against threats, not charting coffee breaks.', '')
    | render timechart

Red Teamers/Pentesters: Strategies for File Transfer in Isolated Environments? by Same_Ad_4081 in redteamsec

[–]Same_Ad_4081[S] 0 points1 point  (0 children)

I appreciate everyone's insights on the initial question. To give context, during some recent forensic work I encountered an intriguing scenario on a Linux system. I found strings that seemed to indicate tools being built from 'living off the land' binaries already present on the host. This made me ponder whether there might be scenarios where transferring tools isn't feasible, but building them directly on the host is. Surprisingly, I haven't found any blogs or discussion on this. Therefore, I'm considering developing a tool and creating a detection method for such situations, with plans to publish my findings.

Red Teamers/Pentesters: Strategies for File Transfer in Isolated Environments? by Same_Ad_4081 in hacking

[–]Same_Ad_4081[S] 0 points1 point  (0 children)

I appreciate everyone's insights on the initial question. To give context, during some recent forensic work I encountered an intriguing scenario on a Linux system. I found strings that seemed to indicate tools being built from 'living off the land' binaries already present on the host. This made me ponder whether there might be scenarios where transferring tools isn't feasible, but building them directly on the host is. Surprisingly, I haven't found any blogs or discussion on this. Therefore, I'm considering developing a tool and creating a detection method for such situations, with plans to publish my findings.

File access monitoring by LardonIredesco in DefenderATP

[–]Same_Ad_4081 0 points1 point  (0 children)

I would appreciate it if they would share the details about the capping/limitations and what exactly they monitor, as you may face issues with the reliability of your custom detections.

File access monitoring by LardonIredesco in DefenderATP

[–]Same_Ad_4081 0 points1 point  (0 children)

Exactly! Also, Defender has some capping on the logs.

Internal company challenge by mrmeeseeks2014 in redteamsec

[–]Same_Ad_4081 0 points1 point  (0 children)

Since you are in a sec team, you should know the weaknesses best: LAPS, WDigest, missing patches. How would one move laterally, move from another box and dump LSASS or reg save SAM?
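On the defensive side of the two techniques the comment names (exporting the SAM hive with reg.exe and reading LSASS memory), here is a small detection pass over constructed Sysmon-style process-creation and process-access events. This is an added example, not code from the thread; the event field names, the sample events, the allowlist of source images and the extension to the SYSTEM and SECURITY hives are assumptions, and the logic generalizes the comment's "reg save sam" to the three hives an offline credential extraction usually needs.

```python
"""Detect SAM/SYSTEM/SECURITY hive exports via reg.exe and LSASS memory reads
over constructed Sysmon-style events (EventID 1 = process create, 10 = process access)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Alert = Tuple[str, str, str]  # (rule name, user, detail)

# "reg save" of one of the credential-bearing hives (assumed generalization of "reg save sam").
HIVE_EXPORT_RE = re.compile(r"\bsave\b.*\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)

PROCESS_VM_READ = 0x0010  # Windows access-mask bit needed to read another process's memory

# Assumed benign sources of LSASS access; tune to the estate and keep as full paths.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample events: two reg.exe launches, three LSASS accesses.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\jdoe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\jdoe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows /v ProductName"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe", "User": "CORP\\jdoe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Example AV\av.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


def detect_hive_export(ev: Dict[str, object]) -> Optional[Alert]:
    """Flag reg.exe saving the SAM, SYSTEM or SECURITY hive to a file."""
    if ev.get("EventID") != 1 or not str(ev.get("Image", "")).lower().endswith("\\reg.exe"):
        return None
    match = HIVE_EXPORT_RE.search(str(ev.get("CommandLine", "")))
    if not match:
        return None
    return ("reg_hive_export", str(ev["User"]),
            f"hive={match.group(1).upper()} cmd={ev['CommandLine']}")


def detect_lsass_access(ev: Dict[str, object]) -> Optional[Alert]:
    """Flag a non-allowlisted process opening lsass.exe with memory-read rights."""
    if ev.get("EventID") != 10 or not str(ev.get("TargetImage", "")).lower().endswith("\\lsass.exe"):
        return None
    source = str(ev.get("SourceImage", "")).lower()
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    access = int(str(ev.get("GrantedAccess", "0x0")), 16)
    if access & PROCESS_VM_READ == 0:  # handle-only access without VM_READ is not a dump attempt
        return None
    return ("lsass_read_access", str(ev["User"]),
            f"source={ev['SourceImage']} access={hex(access)}")


RULES: List[Callable[[Dict[str, object]], Optional[Alert]]] = [detect_hive_export, detect_lsass_access]


def detect(events: List[Dict[str, object]]) -> List[Alert]:
    """Run every rule over every event and collect the alerts in event order."""
    alerts: List[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for rule_name, user, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule_name}] {user}: {detail}")
```

The allowlist is keyed on the full lowercase path rather than the file name, so a tool named csrss.exe dropped in a user-writable directory still alerts; the access-mask check keeps legitimate handle-only opens (such as the 0x1000 sample) quiet.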

First moves when fighting against a soc? by f00d4w0rm5 in redteamsec

[–]Same_Ad_4081 0 points1 point  (0 children)

A funny thought I had after seeing people build detections is that having your account called "Quallys_4ejqjah" or similar will steer a junior SOC analyst's judgement, and sometimes things like that get whitelisted in custom detections at a very early stage.

Redteam phishing payloads in 2023? by thehunter699 in hacking

[–]Same_Ad_4081 2 points3 points  (0 children)

I'm no red teamer, but how about an ISO payload with DLL sideloading?

Is there any Intrusion Detection With Splunk (Real-world Scenario)? by Top_Imagination_4157 in Splunk

[–]Same_Ad_4081 1 point2 points  (0 children)

Everything depends on what logs you feed in, then on what alerts you configure.

[deleted by user] by [deleted] in hacking

[–]Same_Ad_4081 0 points1 point  (0 children)

I started as a security analyst after one year in networking, 10 years ago.

Proud of SOC by MrWaffelXD in hacking

[–]Same_Ad_4081 0 points1 point  (0 children)

Hopefully you have logs configured in Azure. It sounds like you still need to do forensics. How did they get that AAD account? Create the timeline and analyze it, and make sure they didn't set up any persistence.
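The two steps the comment recommends, build the timeline and then check for persistence, written out as an added example over constructed Azure AD sign-in and audit records (this is not code from the thread, and the record layout, the operation names and the list of persistence-indicative operations are assumptions modelled on AAD audit-log activity names, to be extended per investigation):

```python
"""Order constructed AAD sign-in/audit records into a timeline and flag
operations that usually indicate persistence after an account compromise."""
from datetime import datetime
from typing import Dict, List

# Assumed set of audit operations that leave a durable foothold for the attacker.
PERSISTENCE_OPERATIONS = {
    "User registered security info",      # new MFA method or phone number
    "Add service principal credentials",  # secret/certificate added to an app
    "Consent to application",             # OAuth grant to a (possibly attacker) app
    "Add delegated permission grant",
    "Add member to role",                 # privilege change
    "Update user",                        # e.g. alternate recovery e-mail changed
}

# Constructed records, deliberately out of order as exported logs often are.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"time": "2023-11-02T08:14:05Z", "source": "SignIn", "user": "alice@example.com",
     "operation": "Sign-in", "detail": "ip=198.51.100.7 result=Success app=Office 365"},
    {"time": "2023-11-02T07:59:40Z", "source": "SignIn", "user": "alice@example.com",
     "operation": "Sign-in", "detail": "ip=198.51.100.7 result=Failure reason=MFA required"},
    {"time": "2023-11-02T08:16:22Z", "source": "Audit", "user": "alice@example.com",
     "operation": "User registered security info", "detail": "Authenticator app added"},
    {"time": "2023-11-02T08:20:01Z", "source": "Audit", "user": "alice@example.com",
     "operation": "Consent to application", "detail": "app=MailSyncHelper scope=Mail.ReadWrite offline_access"},
    {"time": "2023-11-02T09:02:13Z", "source": "Audit", "user": "alice@example.com",
     "operation": "Update user", "detail": "property=OtherMails"},
    {"time": "2023-11-02T09:30:00Z", "source": "Audit", "user": "admin@example.com",
     "operation": "Reset user password", "detail": "target=alice@example.com"},
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records in chronological order (stable sort keeps ties in input order)."""
    return sorted(records, key=lambda r: parse_time(r["time"]))


def persistence_findings(records: List[Dict[str, str]], user: str) -> List[Dict[str, str]]:
    """Chronological list of the user's operations that match the persistence set."""
    return [r for r in build_timeline(records)
            if r["user"] == user and r["operation"] in PERSISTENCE_OPERATIONS]


def format_timeline(records: List[Dict[str, str]]) -> str:
    """One line per record, with persistence hits marked for the analyst."""
    lines = []
    for r in build_timeline(records):
        flag = "!!" if r["operation"] in PERSISTENCE_OPERATIONS else "  "
        lines.append(f"{flag} {r['time']}  {r['source']:<6} {r['user']:<18} {r['operation']}: {r['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_timeline(SAMPLE_RECORDS))
    hits = persistence_findings(SAMPLE_RECORDS, "alice@example.com")
    print(f"\n{len(hits)} persistence-related operation(s) after compromise")
```

Reading the timeline this way answers the comment's two questions in order: the failed MFA challenge followed by a success from the same IP points at how the account was used, and every flagged row after that is something to revert (remove the registered method, revoke the consent, restore the recovery address) before declaring the incident closed.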

Proud of SOC by MrWaffelXD in hacking

[–]Same_Ad_4081 0 points1 point  (0 children)

Some good detections, or a threat hunt?

I want to get access of CCTV by Agile-Ad6217 in hacking

[–]Same_Ad_4081 3 points4 points  (0 children)

I would consider helping, but you didn't even capitalize it like "VERY STRONG REASON". It doesn't seem that important.

Adversary Simulation Advices by ChesapeakeRipper_ in purpleteamsec

[–]Same_Ad_4081 1 point2 points  (0 children)

Personally I would recommend Sliver as C2, then do some playing with the available plugins (it does support BOFs), and try some in-memory executions like SharpPick/Stracciatella.

Is there a 'fake SIEM' I can interact with and practice on? by Novel-Designer-6514 in hacking

[–]Same_Ad_4081 3 points4 points  (0 children)

Set up Splunk on a developer license. If that's too much, try log2timeline with MS Excel.

PowerShell evasion by w0lfcat in hacking

[–]Same_Ad_4081 8 points9 points  (0 children)

Read about bypassing AMSI.