David Szili
@davidszili.bsky.social
AlzetteInfoSec Managing Partner | BSidesLux Ex-Organizer | SANS Principal Instructor | Posts are mine, all mine!
Reposted by David Szili
#DFIR Thought of the day: Open Source tools are evolving and are incredibly valuable in investigations

OS tools are often developed to fill gaps in commercial tools. One is the LEAPP project by @abrignoni.com. Incredible new functionality with LAVA LEAPPs.org
December 11, 2024 at 11:55 AM
11 days. That’s how long I survived #whamageddon this year… it was a good run.
December 11, 2024 at 10:07 PM
Reposted by David Szili
2024-12-06 (Friday): jewishatlanta[.]org compromised and showing a #ClickFix style notification to copy/paste PowerShell script. The resulting #malware infection uses the #BOINC project with some (not all) of the same indicators as noted in July 2024 at www.huntress.com/blog/fake-br... and elsewhere
December 7, 2024 at 8:30 AM
Reposted by David Szili
Soo... A little bit of awareness is probably a good idea :p

We can delete MDI sensors from the Defender portal and do so in bulk via the internal API

It might be a good idea to set up a detection for this:

CloudAppEvents
| where ActionType == "SensorDeleted"
December 7, 2024 at 12:05 AM
Reposted by David Szili
2024-12-04 (Wednesday): #AgentTesla variant using #FTP for data exfiltration. A sanitized copy of the email distributing the malware, a #pcap from an infection run, the associated malware samples, and a list of indicators are available at www.malware-traffic-analysis.net/2024/12/04/i...
December 5, 2024 at 1:15 AM
Reposted by David Szili
Hey hey, a No Starch Bundle that supports the ACLU and the EFF. You know what to do.

www.humblebundle.com...
Humble Tech Book Bundle: Hacking 2024 by No Starch (pay what you want and help charity)
Level up your hacking and skills with this tech bundle from No Starch. Learn to protect yourself and others! Pay what you want & support charity!
December 4, 2024 at 6:30 AM
Reposted by David Szili
DownDetector has published a summary of the largest IT outages of the year. Believe it or not, CrowdStrike is not on top.

www.ookla.com/articles/lar...
December 3, 2024 at 1:43 PM
Reposted by David Szili
Our SIEGECAST "Be Your Enemy" dives into actionable strategies that take your Blue Team operations to the next level.

Dive in: redsiege.com/be-your-enemy
Video breakdown included.

Which of these tactics are you already using?

#hacking #Infosec #cybersecurity
December 3, 2024 at 6:14 PM
Reposted by David Szili
Security researcher OSINT Matter has released RequestShield, an open-source tool to analyze HTTP access.logs and identify suspicious HTTP requests and potential security threats

github.com/osintmatter/...
RequestShield is a 100% Free and OpenSource tool designed to analyze HTTP access.logs and identify suspicious HTTP requests and potential security threats. It uses factors like geolocation, abuse h...
December 3, 2024 at 9:46 AM
Reposted by David Szili
🚨 Time’s Running Out! 🚨

Take your DFIR skills to the next level with 35% OFF all our DFIR Labs! 🔥

⏰ Hurry—this deal ends 11/30 at 0500 UTC!

store.thedfirreport.com/collections/...
November 29, 2024 at 2:21 PM
Reposted by David Szili
Don't miss out! All of my Applied Network Defense courses are now 25% off until December 3rd at midnight ET. Use the code MAKEMOREBISCUITS to claim your discount. It's our only sale like this all year!
November 29, 2024 at 2:04 PM
Reposted by David Szili
Censys has released Censeye, a tool to identify hosts with characteristics similar to a given target

github.com/Censys-Resea...
GitHub - Censys-Research/censeye
November 28, 2024 at 7:24 PM
Reposted by David Szili
🚨 #DFIR Tool update 🚨

I’ve updated parseUSBs (again!):
- Now supports mounted #KAPE images
- Improved deduplication of events within secs of each other
- Added extraction of partition style (MBR/GPT) & Filesystem
- Parses alternate S/Ns
- Parses WPDBUSENUM key

github.com/khyrenz/pars...
GitHub - khyrenz/parseusbs: Parses USB connection artifacts from offline Registry hives
November 25, 2024 at 10:19 PM
Reposted by David Szili
2024-11-22 (Friday) #XLoader / #Formbook: I've been fired by my non-existent HR department. At least I got a "salary-receipt.exe" bazaar.abuse.ch/sample/003b5...

Tria.ge and Any.Run don't identify the malware, but Joe Sandbox does: www.joesandbox.com/analysis/156...

Also runs in my lab just fine
November 22, 2024 at 7:42 PM
Reposted by David Szili
Since I'm trying out #Bluesky, I figured I should add in support for it in Unfurl!

The v2024.11.20 release has some minor updates, but the biggest feature is the ability to parse a timestamp from Bluesky post IDs (or atproto TIDs).

Example: dfir.blog/unfurl/?url=...

Give it a try at unfurl.link!
November 21, 2024 at 4:19 AM
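How the timestamp recovery mentioned in that post works, as an added example that is not Unfurl's own code: a Bluesky post's record key is an atproto TID (13 base32-sortable characters encoding 53 bits of microseconds since the Unix epoch plus a 10-bit clock id). The bsky.app URL and handle below are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# atproto TID: 13 chars from the base32-sortable alphabet, 5 bits each (65 bits).
# Bit layout: 1 zero bit | 53 bits microseconds since Unix epoch | 10 bits clock id.
TID_ALPHABET = "234567abcdefghijklmnopqrstuvwxyz"
# First char must be in '2'..'j' (index 0..15) so the top bit is clear.
TID_RE = re.compile(r"[2-7a-j][2-7a-z]{12}")
# Constructed example URL shape: /profile/<handle or DID>/post/<rkey>.
POST_URL_RE = re.compile(r"^https://bsky\.app/profile/([^/]+)/post/([^/?#]+)")
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_tid(tid: str) -> tuple[int, int]:
    """Return (microseconds since epoch, clock id) or raise ValueError."""
    if not TID_RE.fullmatch(tid):
        raise ValueError(f"not a valid TID: {tid!r}")
    value = 0
    for ch in tid:
        value = (value << 5) | TID_ALPHABET.index(ch)
    return value >> 10, value & 0x3FF


def encode_tid(micros: int, clock_id: int = 0) -> str:
    """Inverse of decode_tid; range-checks both fields."""
    if not (0 <= micros < 1 << 53) or not (0 <= clock_id < 1 << 10):
        raise ValueError("timestamp or clock id out of range")
    value = (micros << 10) | clock_id
    chars = []
    for _ in range(13):
        chars.append(TID_ALPHABET[value & 0x1F])
        value >>= 5
    return "".join(reversed(chars))


def tid_to_datetime(tid: str) -> datetime:
    micros, _clock = decode_tid(tid)
    # timedelta keeps full microsecond precision (float seconds would not).
    return UNIX_EPOCH + timedelta(microseconds=micros)


def post_timestamp(url: str) -> tuple[str, str, datetime]:
    """Extract (handle, rkey, creation time) from a bsky.app post URL."""
    m = POST_URL_RE.match(url)
    if not m:
        raise ValueError(f"not a bsky.app post URL: {url!r}")
    handle, rkey = m.group(1), m.group(2)
    return handle, rkey, tid_to_datetime(rkey)


# Constructed sample: rkey encodes 2024-11-21T00:00:00Z with clock id 0.
SAMPLE_URL = "https://bsky.app/profile/example.bsky.social/post/3lbg5tcw22222"
```

Note that the TID only dates the record key; a post's `createdAt` field can differ if the client chose a different timestamp.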
Reposted by David Szili
Here is a starter pack of SANS Instructors for all kinds of good infosec stuff.

I’m still collecting more names and will keep this list as updated as possible.

go.bsky.app/Q7Sh3W1
November 17, 2024 at 6:38 PM
Hi everyone! What is this BlueSky thing all about? I still think 300 characters is way too much for ppl, but I will give the benefit of the doubt. What are you folks up to? 😁
November 23, 2024 at 1:42 AM