Blue Team

The Hitchhiker’s Guide to DFIR: Experiences From Beginners and Experts
A crowdsourced Digital Forensics and Incident Response (DFIR) book by the members of the Digital Forensics Discord Server.

ORKL

Sigma-Rules/2022_RedCanary_ThreatDetectionReport at main · mbabinski/Sigma-Rules

Section 52 Releases an Open Source Forensics Tool for Siemens PLCs - Microsoft Community Hub

microsoft/ics-forensics-tools

Katie Nickels untangled MITRE ATT&CK for cybersecurity teams - Protocol

EDR: Detections, Bypassess and other Shenanigans - FourCore

YARI: A New Era of YARA Debugging – Avast Engineering

[UNLEASH THE BEAST

THE FUTURE

H O M E](https://devilinside.me/blogs/configuration-extraction-yara)

nccgroup/typofinder: A finder of domain typos showing country of IP address

About Detection Engineering. In recent months I’ve noticed several… | by Florian Roth | Sep, 2022 | Medium AUTHOR

A Fool’s Game: D-Generating EDR Internals, Part 1 AUTHOR

ihebski/DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

Introducing Sandbox Scryer: A Free Threat Hunting Tool | CrowdStrike

Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling indicators of compromise (IOCs), understanding attack movement and hunting threats By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale The tool is intended for cybersecurity professionals who are interested in threat hunting and attack analysis leveraging sandbox output data Sandbox Scryer consumes output from the free and public Hybrid Analysis malware analysis service to help analysts expedite and scale threat hunting as part of security operations center (SOC) operations

Data-Centric Security: Threat Hunting based on Zipf’s Law | by Dmitrijs Trizna | Aug, 2022 | Medium https://twitter.com/ditrizna

Sensitive Command Token - So much offense in my defense

Avoiding Memory Scanners

target/mmk-ui-api: UI, API, and Scanner (Rules Engine) services for Merry Maker

stuxnet999/MemLabs: Educational, CTF-styled labs for individuals interested in Memory Forensics https://twitter.com/_abhiramkumar

Going Atomic The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach
https://twitter.com/ajpc500

Detection Engineering Maturity Matrix

Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks - Microsoft Security Blog

[A Cyber Threat Intelligence Self-Study Plan: Part 2

by Katie Nickels

Katie’s Five Cents

Aug, 2022

Medium](https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36)

Detection Engineering with MITRE Top Techniques & Atomic Red Team - FourCore

evilsocket/sauron: A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.

OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC | OASIS
https://github.com/fovea-research/cacao-json-schemas

Scaling our security detection pipeline with Sigma ompletely changed the way we write detection rules at Monzo to better understand our coverage and increase the speed we can respond to new threats. igma-go sigma-test sigmafmt

https://twitter.com/bradleyjkemp/status/1555551827114053632

Richer Typing in Sigma
pBy Tenzir GmbH’s Matthias Vallentin: “VAST’s Sigma frontend now supports more modifiers… Think of it as a parser that processes the YAML and translates it into an expression tree, where the leaves are predicates with typed operands according to VAST’s data model.”

[SSH tips and tricks

Carlos Becker](https://carlosbecker.dev/posts/ssh-tips-and-tricks/)

[Automated Incident Management Through Slack

by Vlad Vassiliouk

The Airbnb Tech Blog

Jul, 2022

Medium](https://medium.com/airbnb-engineering/incident-management-ae863dc5d47f)

aquasecurity/postee: Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.

[SIEMCraft - Security detection monitoring using Minecraft

pat_h/to/file](https://blog.tofile.dev/2022/06/10/siemcraft.html)

[abuse.ch

Introducing YARAify](https://abuse.ch/blog/introducing-yaraify/)

[Mind your metrics to achieve better Autonomic Security Operations

Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/mind-your-metrics-to-achieve-better-autonomic-security-operations)

Identify Google Groups vulnerable to spam and spoofing

Cost of a Data Breach Report 2022

The Strategic Impact of Verizon’s 2022 Data Breach Investigations Report

[The real reason why malware detection is hard

G DATA](https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard)

[Threat Hunting Series: The Basics

by Kostas

Jun, 2022

Medium](https://kostas-ts.medium.com/threat-hunting-series-the-basics-cccadac830c6)

Part 2: https://kostas-ts.medium.com/threat-hunting-series-what-makes-a-good-threat-hunter-e2b1d0d07e8c

Part 3: https://kostas-ts.medium.com/threat-hunting-series-the-threat-hunting-process-f76583f2475b

[How to overcome 5 common SecOps challenges

Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/how-to-overcome-5-common-secops-challenges)

[Suspecting the Unsuspected. Extracting and Analyzing Log Anomalies

Mercari Engineering](https://engineering.mercari.com/en/blog/entry/20220527-suspecting-the-unsuspected-extracting-and-analyzing-log-anomalies/)

Painting a Threat Detection Landscape

Security for growth companies · Bessemer Venture Partners TODO

(16) Bessemer on Twitter: “Here are our 5️⃣ cybersecurity lessons for cloud-native growth companies: 🏗 Build a cybersecurity culture 🧾 Invest in identity 🔒 Secure your cloud & dev environment 🧑‍💻 Manage your data assets & environment 👀 Monitor your third-party risk More here ➡ https://t.co/cIC6CA7j6P” / Twitter

it’s important to avoid a culture of the ‘security team vs. everyone else.’ Security is a company-wide priority and enables better product innovation and customer satisfaction; it’s not a blocker of it. For example, strong security tools and processes drive revenue and support the sales team, as security regulatory compliance is a core procurement requirement. Security ultimately aids the operations team to work more smoothly and the engineering teams to avoid distractions and fire-drills.

Talks/STLF - Vulnerability Management in the Real World 2022 FINAL2.pptx at main · northvein/Talks

Netflix/dispatch: All of the ad-hoc things you’re doing to manage incidents today, done for you, and much more!

tap-ir/tapir: TAPIR is a multi-user, client/server, incident response framework

tap-ir/bin2json: bin2json extract recursively file, directory of files (or disk dump) metadata to json

[View from the NSA with Rob Joyce, Director of Cybersecurity

Cyber Initiatives Group - YouTube](https://www.youtube.com/watch?v=e-Sko0Kersc)

Detectree – data visualization for threat hunting, presented by Tom Barrow & Giulio Ginesi - YouTube

A Simple SOAR Adoption Maturity Model | by Anton Chuvakin | Anton on Security | Jun, 2022 | Medium TODO https://chronicle.security/blog/posts/SOAR-adoption-maturity-model/?utm_source=substack&utm_medium=email

digininja/scanner_user_agents: A list of user agents belonging to common web scanners.

[Purpose-based access controls at Palantir

Palantir Blog](https://blog.palantir.com/purpose-based-access-controls-at-palantir-f419faa400b3)

ATT&CK® Evaluations

[12 steps to building a top-notch vulnerability management program

CSO Online](https://www.csoonline.com/article/3659838/12-steps-to-building-a-top-notch-vulnerability-management-program.html)

I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For

[Building a Threat Intelligence Feed using the Twitter API and a bit of code

by Stefan Grimminck

May, 2022

Medium](https://grimminck.medium.com/building-a-threat-intelligence-feed-using-the-twitter-api-and-a-bit-of-code-5787808e32ef)

Detection and Response

Detection and Response: Cross-platform file analysis framework, breaking a crypter with Z3, Linux distro for investigations and OSINT, making data-driven incident response decisions, free malware analysis course from the University of Cincinnati

0xsha / florentino
A cross-platform file analysis framework useful for extracting static resources from malware and unknown file analysis.

Breaking TA505’s Crypter with an SMT Solver
“We know the output for the first iteration being a compressed binary will be ‘M8Z\x90’ so we can construct our problem in Z3 and let it solve what the XOR key should be. After solving for the XOR key we just decode the data and write out the decompressed file.”

Meet CSI Linux: A Linux Distro For Cyber Investigation And OSINT A part of me read this title and immediately thought CSI Cyber, a modern CBS classic in which computer security is represented accurately and never over-hyped, a show devastingly canceled after only 2 seasons. See CSI Linux’s full tool list here.

How to Make Data-Based Decisions During Incident Response: OODA for DFIR 2020
The talk focuses on the “D” in OODA, and presents some nice ideas around having the right framework and mental model for making decisions. Lately I’ve been really appreciating “teaching you how to fish” posts like this, as they help you generalize, rather than posts that are, “I did X and got Y result.”

CS6038/CS5138 Malware Analysis
As someone who mostly grew up in Cincinnati, it’s neat to see the University of Cincinnati releasing some cool security curriculum for free online. This class aims to introduce attendees to malware concepts, types of malware, common attack recipes, and black-box reverse engineering techniques.