Practice threat hunting & detection engineering in a real SIEM with real attacks. Join us and become the best.

Joined August 2022
New challenge on ACEResponder.com! Could you identify a modern phishing attack? You think you can, but can you? This challenge features a large domain with lots of fresh malware samples. Investigate, scope, write detections. Real SIEM, Real Attacks, Real Experience… tweeter.jakobs.systems/i/web/status/166…
If you somehow don't detect:
1. the PDF/URL in the phishing message,
2. .js/.wsf/etc. execution, or
3. WMI execution,
you can bet on rundll32 spawning a sacrificial process. BTW, new Qakbot challenge coming soon on ACEResponder.com #ThreatHunting #DFIR this sample… tweeter.jakobs.systems/i/web/status/166…
We dream of a world where "We got the alert but dismissed it after analysis" doesn't happen. 🙅‍♂️
This technique is not easy to detect. In this example the attacker places a crafted .lnk file on a common file server. Any user that browses the folder will surrender their NetNTLM hash without ever clicking on the file. #ThreatHunting #DFIR
✉️ An example of #qakbot -esque HTML smuggling. The .wsf payload is delivered in an <a> tag which is downloaded and executed by the victim. #ThreatHunting #DFIR
LLMNR/NBT-NS poisoning. After receiving the authentication attempt, the attacker can either: 1. Relay the credentials to a victim with insecure SMB configuration, or 2. Attempt to crack the NetNTLMv2 hash #DFIR #ThreatHunting
ACE Responder retweeted
Are you interested in detection engineering? Just getting started? Maybe looking to make a change from the “red” side? 😈 I am giving away 1 voucher to @ACEResponder’s Intro to Detection Engineering course!
Highlights from the @MsftSecIntel and joint CSA reports animated. #ThreatHunting #DetectionEngineering
🎬An extended version of the Kerberoasting animation is now available on ACEResponder.com. Extended animations contain additional attack details, artifacts, and detection opportunities. #cybersecurity #DFIR
ACE Responder retweeted
If you're not following this account, red/blue/anything in between, you're missing out
Kerberoasting vs conventional authentication. #DFIR #ActiveDirectory #cybersecurity
Kerberoasting vs conventional authentication. #DFIR #ActiveDirectory #cybersecurity
🚨New Module on ACEResponder.com! Want to get started with detection engineering? Why not jump in and build some?🕵️‍♂️🔎 In this module we cover the core principles and put them to use making kerberoasting detections. Let's do it! #DetectionEngineering #DFIR
Some password spraying examples 🔑💦 • External • Internal • Local Account #ThreatHunting #DFIR
🎬 New extended animations up on ACEResponder.com:
• Remote Service Creation (PsExec)
• DCOM Lateral Movement
• WMI Lateral Movement
Extended animations have additional attack details and key artifacts you could expect to see in your SIEM. #ThreatHunting #DFIR
WMI Lateral Movement Demonstration: SMB file transfer with Win32_Process execution #ThreatHunting #DFIR
An example of DCOM lateral movement - MMC20.Application with a mshta payload #ThreatHunting #DFIR
ACE Responder retweeted
Was fun and challenging! Can only recommend @ACEResponder if you want to learn how to defend like never before. Just completed another challenge on Ace Responder. aceresponder.com/challenge/r… #aceresponder #threathunting #incidentresponse #cybersecurity #DFIR
Big Platform Update 📣 You can now watch attack animations on aceresponder.com! We also have exclusive videos coming out soon for those of you that are completing the modules. 👀 #DFIR #Cybersecurity
Attackers can combine DLL hijacking with remote service execution to achieve lateral movement. #DFIR #ThreatHunting
Some Sysmon events and how they can supplement your telemetry. #CyberSecurity #ThreatHunting