Blue Team

Building the Threat Detection Ecosystem at Brex | by Julie Agnes Sparks | Brex Tech Blog | Dec, 2022 | Medium https://twitter.com/JulieASparks

[HTML Smuggling: Recent observations of threat actor techniques by delivr.to Jan, 2023 Medium](https://blog.delivr.to/html-smuggling-recent-observations-of-threat-actor-techniques-74501d5c8a06)

FFRI/JSAC2023-GolangMalwareAnalysis: Scripts introduced in JSAC2023 presentation on analysis of Go language malware

michelcrypt4d4mus/yaralyzer: Visually inspect and force decode YARA and regex matches found in both binary and text data. With Colors.

Detecting credential access without losing cred

Hunting Opaque Predicates with YARA - Malware Hell

(20) Paul Schwarzenberger on Twitter: “I’m excited to announce that @domain_protect is now an @owasp project! Thanks to @securestep9 for the idea, and to @CyberGoldsmith and others at @OVOEnergy for their support of the #opensource community https://t.co/JaeN8Up2sC” / Twitter

kitabisa/teler: Real-time HTTP Intrusion Detection

Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 1 – Setting up Msticpy with MDE – 0xRob

Tracking an adversary in real-time using Velociraptor :: Velociraptor - Digging deeper!

ZeroMemoryEx/C2-Hunter: Extract C2 Traffic

[Prioritization of the Detection Engineering Backlog by Joshua Prager Posts By SpecterOps Team Members](https://posts.specterops.io/prioritization-of-the-detection-engineering-backlog-dcb18a896981)

THREAT-crawl / THREATcrawl · GitLab

wazuh/wazuh: Wazuh - The Open Source Security Platform

[Automating Malware Analysis Operations (MAOps) - JPCERT/CC Eyes JPCERT Coordination Center official Blog](https://blogs.jpcert.or.jp/en/2023/01/cloud_malware_analysis.html?utm_medium=email)

Hardware Selection and Logistics (Passwordless Authentication Series, #1)

[Palantir FIDO2 secure implementation rollout Palantir Blog](https://blog.palantir.com/technical-controls-rollout-and-edge-cases-passwordless-authentication-series-2-c9b6dcd349e)
[System Integrity Protection: The misunderstood setting Mykola’s blog](https://khronokernel.github.io/macos/2022/12/09/SIP.html)

2022 Adversary Infrastructure Report

Ransomware Business Models: Future Pivots and Trends

How to Detect Malicious OAuth Device Code Phishing

certsocietegenerale/IRM: Incident Response Methodologies 2022

FIN7 Unveiled: A deep dive into notorious cybercrime gang Include the structure of the group diagram

Passkeys are great but are they suitable for the enterprise? – Mikail’s Blog

https://blog.aquasec.com/tracee-rules-detect-attackers-out-of-the-box

The Hitchhiker’s Guide to DFIR: Experiences From Beginners and Experts
A crowdsourced Digital Forensics and Incident Response (DFIR) book by the members of the Digital Forensics Discord Server.

ORKL

Sigma-Rules/2022_RedCanary_ThreatDetectionReport at main · mbabinski/Sigma-Rules

Section 52 Releases an Open Source Forensics Tool for Siemens PLCs - Microsoft Community Hub

microsoft/ics-forensics-tools

Katie Nickels untangled MITRE ATT&CK for cybersecurity teams - Protocol

EDR: Detections, Bypassess and other Shenanigans - FourCore

YARI: A New Era of YARA Debugging – Avast Engineering

[UNLEASH THE BEAST THE FUTURE H O M E](https://devilinside.me/blogs/configuration-extraction-yara)

nccgroup/typofinder: A finder of domain typos showing country of IP address

About Detection Engineering. In recent months I’ve noticed several… | by Florian Roth | Sep, 2022 | Medium AUTHOR

A Fool’s Game: D-Generating EDR Internals, Part 1 AUTHOR

ihebski/DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

Introducing Sandbox Scryer: A Free Threat Hunting Tool | CrowdStrike

Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling indicators of compromise (IOCs), understanding attack movement and hunting threats By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale The tool is intended for cybersecurity professionals who are interested in threat hunting and attack analysis leveraging sandbox output data Sandbox Scryer consumes output from the free and public Hybrid Analysis malware analysis service to help analysts expedite and scale threat hunting as part of security operations center (SOC) operations

Data-Centric Security: Threat Hunting based on Zipf’s Law | by Dmitrijs Trizna | Aug, 2022 | Medium https://twitter.com/ditrizna

Sensitive Command Token - So much offense in my defense

Avoiding Memory Scanners

target/mmk-ui-api: UI, API, and Scanner (Rules Engine) services for Merry Maker

stuxnet999/MemLabs: Educational, CTF-styled labs for individuals interested in Memory Forensics https://twitter.com/_abhiramkumar

Going Atomic The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach
https://twitter.com/ajpc500

Detection Engineering Maturity Matrix

Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks - Microsoft Security Blog

[A Cyber Threat Intelligence Self-Study Plan: Part 2 by Katie Nickels Katie’s Five Cents Aug, 2022 Medium](https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36)

Detection Engineering with MITRE Top Techniques & Atomic Red Team - FourCore

evilsocket/sauron: A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.

OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security TC | OASIS
https://github.com/fovea-research/cacao-json-schemas

Scaling our security detection pipeline with Sigma ompletely changed the way we write detection rules at Monzo to better understand our coverage and increase the speed we can respond to new threats. igma-go sigma-test sigmafmt

https://twitter.com/bradleyjkemp/status/1555551827114053632

Richer Typing in Sigma
pBy Tenzir GmbH’s Matthias Vallentin: “VAST’s Sigma frontend now supports more modifiers… Think of it as a parser that processes the YAML and translates it into an expression tree, where the leaves are predicates with typed operands according to VAST’s data model.”

Vast Sigma Query Frontend
[SSH tips and tricks Carlos Becker](https://carlosbecker.dev/posts/ssh-tips-and-tricks/)
[Automated Incident Management Through Slack by Vlad Vassiliouk The Airbnb Tech Blog Jul, 2022 Medium](https://medium.com/airbnb-engineering/incident-management-ae863dc5d47f)

aquasecurity/postee: Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.

[SIEMCraft - Security detection monitoring using Minecraft pat_h/to/file](https://blog.tofile.dev/2022/06/10/siemcraft.html)
[abuse.ch Introducing YARAify](https://abuse.ch/blog/introducing-yaraify/)
[Mind your metrics to achieve better Autonomic Security Operations Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/mind-your-metrics-to-achieve-better-autonomic-security-operations)

Identify Google Groups vulnerable to spam and spoofing

Cost of a Data Breach Report 2022

The Strategic Impact of Verizon’s 2022 Data Breach Investigations Report

[The real reason why malware detection is hard G DATA](https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard)
[Threat Hunting Series: The Basics by Kostas Jun, 2022 Medium](https://kostas-ts.medium.com/threat-hunting-series-the-basics-cccadac830c6)

Part 2: https://kostas-ts.medium.com/threat-hunting-series-what-makes-a-good-threat-hunter-e2b1d0d07e8c

Part 3: https://kostas-ts.medium.com/threat-hunting-series-the-threat-hunting-process-f76583f2475b

[How to overcome 5 common SecOps challenges Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/how-to-overcome-5-common-secops-challenges)
[Suspecting the Unsuspected. Extracting and Analyzing Log Anomalies Mercari Engineering](https://engineering.mercari.com/en/blog/entry/20220527-suspecting-the-unsuspected-extracting-and-analyzing-log-anomalies/)

Painting a Threat Detection Landscape

Security for growth companies · Bessemer Venture Partners TODO

(16) Bessemer on Twitter: “Here are our 5️⃣ cybersecurity lessons for cloud-native growth companies: 🏗 Build a cybersecurity culture 🧾 Invest in identity 🔒 Secure your cloud & dev environment 🧑‍💻 Manage your data assets & environment 👀 Monitor your third-party risk More here ➡ https://t.co/cIC6CA7j6P” / Twitter

it’s important to avoid a culture of the ‘security team vs. everyone else.’ Security is a company-wide priority and enables better product innovation and customer satisfaction; it’s not a blocker of it. For example, strong security tools and processes drive revenue and support the sales team, as security regulatory compliance is a core procurement requirement. Security ultimately aids the operations team to work more smoothly and the engineering teams to avoid distractions and fire-drills.

Talks/STLF - Vulnerability Management in the Real World 2022 FINAL2.pptx at main · northvein/Talks

Netflix/dispatch: All of the ad-hoc things you’re doing to manage incidents today, done for you, and much more!

tap-ir/tapir: TAPIR is a multi-user, client/server, incident response framework

tap-ir/bin2json: bin2json extract recursively file, directory of files (or disk dump) metadata to json

[View from the NSA with Rob Joyce, Director of Cybersecurity Cyber Initiatives Group - YouTube](https://www.youtube.com/watch?v=e-Sko0Kersc)

Detectree – data visualization for threat hunting, presented by Tom Barrow & Giulio Ginesi - YouTube

A Simple SOAR Adoption Maturity Model | by Anton Chuvakin | Anton on Security | Jun, 2022 | Medium TODO https://chronicle.security/blog/posts/SOAR-adoption-maturity-model/?utm_source=substack&utm_medium=email

digininja/scanner_user_agents: A list of user agents belonging to common web scanners.

[Purpose-based access controls at Palantir Palantir Blog](https://blog.palantir.com/purpose-based-access-controls-at-palantir-f419faa400b3)

ATT&CK® Evaluations

[12 steps to building a top-notch vulnerability management program CSO Online](https://www.csoonline.com/article/3659838/12-steps-to-building-a-top-notch-vulnerability-management-program.html)

I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For

[Building a Threat Intelligence Feed using the Twitter API and a bit of code by Stefan Grimminck May, 2022 Medium](https://grimminck.medium.com/building-a-threat-intelligence-feed-using-the-twitter-api-and-a-bit-of-code-5787808e32ef)

Detection and Response

  • Detection and Response: Cross-platform file analysis framework, breaking a crypter with Z3, Linux distro for investigations and OSINT, making data-driven incident response decisions, free malware analysis course from the University of Cincinnati

0xsha / florentino
A cross-platform file analysis framework useful for extracting static resources from malware and unknown file analysis.

Breaking TA505’s Crypter with an SMT Solver
“We know the output for the first iteration being a compressed binary will be ‘M8Z\x90’ so we can construct our problem in Z3 and let it solve what the XOR key should be. After solving for the XOR key we just decode the data and write out the decompressed file.”

Meet CSI Linux: A Linux Distro For Cyber Investigation And OSINT A part of me read this title and immediately thought CSI Cyber, a modern CBS classic in which computer security is represented accurately and never over-hyped, a show devastingly canceled after only 2 seasons. See CSI Linux’s full tool list here.

How to Make Data-Based Decisions During Incident Response: OODA for DFIR 2020
The talk focuses on the “D” in OODA, and presents some nice ideas around having the right framework and mental model for making decisions. Lately I’ve been really appreciating “teaching you how to fish” posts like this, as they help you generalize, rather than posts that are, “I did X and got Y result.”

CS6038/CS5138 Malware Analysis
As someone who mostly grew up in Cincinnati, it’s neat to see the University of Cincinnati releasing some cool security curriculum for free online. This class aims to introduce attendees to malware concepts, types of malware, common attack recipes, and black-box reverse engineering techniques.