Christopher Peacock
@securepeacock.bsky.social
I find weird things on networks.
#PurpleTeam | Ex Raytheon MSSP, SCYTHE, & GD | Taught at BlackHat & DEFCON | #100DaysofSigma | Keep exploring, keep learning, and stay curious.
Update: looks like the link on the page is a drive-by compromise.
June 29, 2025 at 8:46 PM
Cancer(.)gov, which is registered to the NIH, is hosting a page that lets you illegally stream the new F1 Movie 🧐

events.cancer.gov/sites/defaul...
June 29, 2025 at 8:24 PM
Reposted by Christopher Peacock
New Octowave Loader sample is leading to Amatera Stealer deployment over the past week.

0 VT detections on any component of the malware loader.
Proofpoint rules detect the outbound C2 traffic.
My Yara rule detects the installer.
June 24, 2025 at 3:11 AM
This seems like a project to watch 👀
I published a tech preview of a side project. Not announcing it anywhere else aside from here for now since it still needs a lot of work. It's buggy and will ruin your computer (intentionally... because cybersecurity adversary simulation). Closed source for now, might change later. www.macat.io
MACAT - Adversary Simulation
April 4, 2025 at 11:52 PM
How to properly evaluate a CVE score:
1. Is Gossi freaking out?
2. Is Florian freaking out?
3. Does SANS have an emergency webcast?
4. Are all your red team friends losing their minds over how crazy easy it is to give them awesome access?
March 26, 2025 at 1:08 AM
I can’t make this up. I bought an expired MSSP domain and set up mail forwarding for all emails. I’ve tried to unsubscribe from getting an ISAC’s TLP Amber emails but they won’t, stating I must “email from an email associated with the ISAC account receiving these emails.” 🤦‍♂️
March 11, 2025 at 11:05 PM
I checked out the #ZeroDay series on Netflix and I think this depiction of events would take too many coordinated attacks. The Russian targeting of Ukraine with Blackenergy and Industroyer is more realistic to what happens. The scenes I saw more resemble an EMP attack.
February 23, 2025 at 1:53 AM
This is why I think TTP count is a terrible metric. You either detect the procedure adversaries use or you don’t; this count of 4 for whoami /all is meaningless in most cases.
February 14, 2025 at 3:45 AM
Before rushing to secure GenAI, make sure your DevSecOps and AppSec foundations are solid. GenAI is just another piece of the application stack. Security fundamentals are crucial. To help understand it, GenAI vulnerabilities are a lot like SQL vulnerabilities.
February 10, 2025 at 6:58 PM
Interesting talk today by @wietzebeukema.nl. Make sure you follow him and check out his GitHub too.
February 6, 2025 at 5:49 PM
Today at WWHF Wietze is dropping Invoke-ArgFuscator 👀

https://github.com/wietze/Invoke-ArgFuscator
February 6, 2025 at 5:30 PM
🚨 Last day to submit a CFP ‼️
Get yours in ASAP. Last year saw nearly 2,000 registrations. This is one of the best B-Sides in the world. Oh and did I mention you can visit beautiful Florida beaches during your trip in May?

events.bsidestampa.net/BSidesTampa2...
BSides Tampa 2025
TAMPA BAY'S PREMIER IT SECURITY CONFERENCE. BY THE COMMUNITY. FOR THE COMMUNITY. 40+ Speakers | 7 Tracks | 1000+ Participants
January 31, 2025 at 4:22 PM
Who’s going to WWHF Denver?
January 30, 2025 at 2:59 PM
Heard this on a podcast and it really resonated with me.
January 30, 2025 at 1:29 AM
Contrary to popular belief, piping IOCs to your SIEM does not mean you’re making CTI actionable.
ALT: bart simpson is looking at a cake that says at least you tried
January 29, 2025 at 9:37 PM
One of the best career tips I can share is to care about the people you work with. Not everyone will be receptive, but those who are can become invaluable connections in your career journey—and in life.
January 2, 2025 at 1:16 AM
One piece of advice to give new SOC analysts is to have humor.

Working alerts in a SOC is a high stress environment and the grind never stops, so find ways to laugh and enjoy who you work with.
December 17, 2024 at 10:05 PM
Just a friendly reminder that you can hunt in datasets that are outside your organization.
December 17, 2024 at 5:13 PM
Purple Team metrics can be tough and conflated with BAS testing so here’s a few, but feel free to add your own in the comments.
1. Engagements with SOC per year/quarter.
2. Intel leads tested.
3. Custom tests to verify detection logic.
4. Request for testing completed %
December 4, 2024 at 12:46 AM
One of the quickest GenAI use cases you can do in your SOAR is to auto enrich command lines associated with an alert by adding an explanation of what the command is doing. This boosts productivity and situational awareness of the analysts.
December 3, 2024 at 10:49 PM
This is approaching gross negligence, leaving a public facing back door open 🤯 :
“gained initial access through a web shell left from a third party’s previous security assessment”

www.cisa.gov/news-events/...
Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization | CISA
November 22, 2024 at 7:32 PM
Three fundamental questions you should ask before purchasing another enterprise tool for a SOC are:
1. Does it reduce risk by uncovering previously undetected activities?
2. Does it enhance productivity?
3. If the answers to both of the above are no, then where is the potential return on investment?
November 13, 2024 at 2:42 PM
Three tips to grow a career in cyber:
Keep exploring, keep learning, and stay curious.
November 5, 2024 at 9:19 PM
This is brilliant. Everyone always asks for IOCs. So how do you get people to focus on behaviors? Add them to the IOC section!
www.cisa.gov/sites/defaul...
November 20, 2023 at 8:10 PM