Blue Team
Building the Threat Detection Ecosystem at Brex | by Julie Agnes Sparks | Brex Tech Blog | Dec, 2022 | Medium https://twitter.com/JulieASparks
[HTML Smuggling: Recent observations of threat actor techniques | by delivr.to | Jan, 2023 | Medium](https://blog.delivr.to/html-smuggling-recent-observations-of-threat-actor-techniques-74501d5c8a06)
Detecting credential access without losing cred
Hunting Opaque Predicates with YARA - Malware Hell
kitabisa/teler: Real-time HTTP Intrusion Detection
Tracking an adversary in real-time using Velociraptor :: Velociraptor - Digging deeper!
ZeroMemoryEx/C2-Hunter: Extract C2 Traffic
[Prioritization of the Detection Engineering Backlog | by Joshua Prager | Posts By SpecterOps Team Members](https://posts.specterops.io/prioritization-of-the-detection-engineering-backlog-dcb18a896981)
THREAT-crawl / THREATcrawl · GitLab
wazuh/wazuh: Wazuh - The Open Source Security Platform
[Automating Malware Analysis Operations (MAOps) - JPCERT/CC Eyes | JPCERT Coordination Center official Blog](https://blogs.jpcert.or.jp/en/2023/01/cloud_malware_analysis.html?utm_medium=email)
Hardware Selection and Logistics (Passwordless Authentication Series, #1)
[Palantir | FIDO2 secure implementation rollout | Palantir Blog](https://blog.palantir.com/technical-controls-rollout-and-edge-cases-passwordless-authentication-series-2-c9b6dcd349e)
[System Integrity Protection: The misunderstood setting | Mykola’s blog](https://khronokernel.github.io/macos/2022/12/09/SIP.html)
2022 Adversary Infrastructure Report
Ransomware Business Models: Future Pivots and Trends
How to Detect Malicious OAuth Device Code Phishing
certsocietegenerale/IRM: Incident Response Methodologies 2022
FIN7 Unveiled: A deep dive into notorious cybercrime gang Include the structure of the group diagram
Passkeys are great but are they suitable for the enterprise? – Mikail’s Blog
https://blog.aquasec.com/tracee-rules-detect-attackers-out-of-the-box
The Hitchhiker’s Guide to DFIR: Experiences From Beginners and Experts
A crowdsourced Digital Forensics and Incident Response (DFIR) book by the members of the Digital Forensics Discord Server.
Sigma-Rules/2022_RedCanary_ThreatDetectionReport at main · mbabinski/Sigma-Rules
Section 52 Releases an Open Source Forensics Tool for Siemens PLCs - Microsoft Community Hub
Katie Nickels untangled MITRE ATT&CK for cybersecurity teams - Protocol
EDR: Detections, Bypassess and other Shenanigans - FourCore
YARI: A New Era of YARA Debugging – Avast Engineering
[UNLEASH THE BEAST | THE FUTURE | H O M E](https://devilinside.me/blogs/configuration-extraction-yara)
nccgroup/typofinder: A finder of domain typos showing country of IP address
A Fool’s Game: D-Generating EDR Internals, Part 1 AUTHOR
Introducing Sandbox Scryer: A Free Threat Hunting Tool | CrowdStrike
Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling indicators of compromise (IOCs), understanding attack movement and hunting threats. By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale. The tool is intended for cybersecurity professionals who are interested in threat hunting and attack analysis leveraging sandbox output data. Sandbox Scryer consumes output from the free and public Hybrid Analysis malware analysis service to help analysts expedite and scale threat hunting as part of security operations center (SOC) operations.
Data-Centric Security: Threat Hunting based on Zipf’s Law | by Dmitrijs Trizna | Aug, 2022 | Medium https://twitter.com/ditrizna
Sensitive Command Token - So much offense in my defense
target/mmk-ui-api: UI, API, and Scanner (Rules Engine) services for Merry Maker
stuxnet999/MemLabs: Educational, CTF-styled labs for individuals interested in Memory Forensics https://twitter.com/_abhiramkumar
Going Atomic
Going Atomic: The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach https://twitter.com/ajpc500
Detection Engineering Maturity Matrix
[A Cyber Threat Intelligence Self-Study Plan: Part 2 | by Katie Nickels | Katie’s Five Cents | Aug, 2022 | Medium](https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36)
Detection Engineering with MITRE Top Techniques & Atomic Red Team - FourCore
OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC | OASIS
https://github.com/fovea-research/cacao-json-schemas
Scaling our security detection pipeline with Sigma completely changed the way we write detection rules at Monzo, to better understand our coverage and increase the speed at which we can respond to new threats. Tooling: sigma-go, sigma-test, sigmafmt
https://twitter.com/bradleyjkemp/status/1555551827114053632
Richer Typing in Sigma
By Tenzir GmbH’s Matthias Vallentin: “VAST’s Sigma frontend now supports more modifiers… Think of it as a parser that processes the YAML and translates it into an expression tree, where the leaves are predicates with typed operands according to VAST’s data model.”

[SSH tips and tricks | Carlos Becker](https://carlosbecker.dev/posts/ssh-tips-and-tricks/)
[Automated Incident Management Through Slack | by Vlad Vassiliouk | The Airbnb Tech Blog | Jul, 2022 | Medium](https://medium.com/airbnb-engineering/incident-management-ae863dc5d47f)
[SIEMCraft - Security detection monitoring using Minecraft | pat_h/to/file](https://blog.tofile.dev/2022/06/10/siemcraft.html)
[abuse.ch | Introducing YARAify](https://abuse.ch/blog/introducing-yaraify/)
[Mind your metrics to achieve better Autonomic Security Operations | Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/mind-your-metrics-to-achieve-better-autonomic-security-operations)
Identify Google Groups vulnerable to spam and spoofing
Cost of a Data Breach Report 2022
The Strategic Impact of Verizon’s 2022 Data Breach Investigations Report
[The real reason why malware detection is hard | G DATA](https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard)
[Threat Hunting Series: The Basics | by Kostas | Jun, 2022 | Medium](https://kostas-ts.medium.com/threat-hunting-series-the-basics-cccadac830c6)
Part 2: https://kostas-ts.medium.com/threat-hunting-series-what-makes-a-good-threat-hunter-e2b1d0d07e8c
Part 3: https://kostas-ts.medium.com/threat-hunting-series-the-threat-hunting-process-f76583f2475b
[How to overcome 5 common SecOps challenges | Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/how-to-overcome-5-common-secops-challenges)
[Suspecting the Unsuspected. Extracting and Analyzing Log Anomalies | Mercari Engineering](https://engineering.mercari.com/en/blog/entry/20220527-suspecting-the-unsuspected-extracting-and-analyzing-log-anomalies/)
Painting a Threat Detection Landscape
Security for growth companies · Bessemer Venture Partners TODO
it’s important to avoid a culture of the ‘security team vs. everyone else.’ Security is a company-wide priority and enables better product innovation and customer satisfaction; it’s not a blocker of it. For example, strong security tools and processes drive revenue and support the sales team, as security regulatory compliance is a core procurement requirement. Security ultimately aids the operations team to work more smoothly and the engineering teams to avoid distractions and fire-drills.
Talks/STLF - Vulnerability Management in the Real World 2022 FINAL2.pptx at main · northvein/Talks
tap-ir/tapir: TAPIR is a multi-user, client/server, incident response framework
[View from the NSA with Rob Joyce, Director of Cybersecurity | Cyber Initiatives Group - YouTube](https://www.youtube.com/watch?v=e-Sko0Kersc)
Detectree – data visualization for threat hunting, presented by Tom Barrow & Giulio Ginesi - YouTube
A Simple SOAR Adoption Maturity Model | by Anton Chuvakin | Anton on Security | Jun, 2022 | Medium TODO https://chronicle.security/blog/posts/SOAR-adoption-maturity-model/?utm_source=substack&utm_medium=email
digininja/scanner_user_agents: A list of user agents belonging to common web scanners.
[Purpose-based access controls at Palantir | Palantir Blog](https://blog.palantir.com/purpose-based-access-controls-at-palantir-f419faa400b3)
[12 steps to building a top-notch vulnerability management program | CSO Online](https://www.csoonline.com/article/3659838/12-steps-to-building-a-top-notch-vulnerability-management-program.html)
I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For
[Building a Threat Intelligence Feed using the Twitter API and a bit of code | by Stefan Grimminck | May, 2022 | Medium](https://grimminck.medium.com/building-a-threat-intelligence-feed-using-the-twitter-api-and-a-bit-of-code-5787808e32ef)
Detection and Response
- Detection and Response: Cross-platform file analysis framework, breaking a crypter with Z3, Linux distro for investigations and OSINT, making data-driven incident response decisions, free malware analysis course from the University of Cincinnati
0xsha / florentino
A cross-platform file analysis framework useful for extracting static resources from malware and unknown file analysis.
Breaking TA505’s Crypter with an SMT Solver
“We know the output for the first iteration being a compressed binary will be ‘M8Z\x90’ so we can construct our problem in Z3 and let it solve what the XOR key should be. After solving for the XOR key we just decode the data and write out the decompressed file.”
Meet CSI Linux: A Linux Distro For Cyber Investigation And OSINT. A part of me read this title and immediately thought of CSI: Cyber, a modern CBS classic in which computer security is represented accurately and never over-hyped, a show devastatingly canceled after only 2 seasons. See CSI Linux’s full tool list here.
How to Make Data-Based Decisions During Incident Response: OODA for DFIR 2020
The talk focuses on the “D” in OODA, and presents some nice ideas around having the right framework and mental model for making decisions. Lately I’ve been really appreciating “teaching you how to fish” posts like this, as they help you generalize, rather than posts that are, “I did X and got Y result.”
CS6038/CS5138 Malware Analysis
As someone who mostly grew up in Cincinnati, it’s neat to see the University of Cincinnati releasing some cool security curriculum for free online. This class aims to introduce attendees to malware concepts, types of malware, common attack recipes, and black-box reverse engineering techniques.