Principal Detection Engineer | Ex @RaytheonIntel @GD_OTS | BlackHat Course Author & Instructor | DEFCON Red & Adversary Village Purple Team Workshops

Tampa Bay
Joined May 2020
Back from vacation, and that means day 79 of #100DaysofSigma. In honor of WWDC23, we're going macOS with the Startup Items rule by Alejandro Ortuno. Check out the rule and hunt for rare plist files inside /Library/StartupItems/ in your environment that may indicate persistence.… tweeter.jakobs.systems/i/web/status/166…
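One way to run the hunt that tweet suggests, as an added example and not the Sigma rule itself or the author's code: stack plist paths under /Library/StartupItems/ across a fleet inventory and surface the ones that appear on only a handful of hosts. The tab-separated inventory format, the hostnames and paths, and the rarity thresholds are all assumptions made for this example.

```python
from collections import defaultdict

STARTUP_ITEMS_DIR = "/library/startupitems/"

# Constructed fleet inventory: one "host<TAB>path" line per plist found, the shape an EDR
# file-inventory export might take. Hostnames and paths are made up for this example.
SAMPLE_INVENTORY = """\
mac-001\t/Library/StartupItems/CorpAgent/StartupParameters.plist
mac-002\t/Library/StartupItems/CorpAgent/StartupParameters.plist
mac-003\t/Library/StartupItems/CorpAgent/StartupParameters.plist
mac-004\t/Library/StartupItems/CorpAgent/StartupParameters.plist
mac-004\t/Library/StartupItems/com.example.updater/StartupParameters.plist
mac-002\t/Library/LaunchAgents/com.vendor.helper.plist
mac-003\t/Library/StartupItems/CorpAgent/StartupParameters.plist
"""


def parse_inventory(text):
    """Yield (host, path) pairs from tab-separated lines, skipping blank or malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2 and parts[0] and parts[1]:
            yield parts[0], parts[1]


def stack_startup_plists(records):
    """Map each .plist path under /Library/StartupItems/ to the set of hosts it was seen on.

    Sets (not counts) are used so a host inventoried twice does not inflate the tally."""
    hosts_by_path = defaultdict(set)
    for host, path in records:
        lowered = path.lower()
        if lowered.startswith(STARTUP_ITEMS_DIR) and lowered.endswith(".plist"):
            hosts_by_path[path].add(host)
    return hosts_by_path


def rare_items(hosts_by_path, fleet_size, max_fraction=0.05, max_hosts=2):
    """Return (path, host_count) for paths seen on at most max_hosts hosts or at most
    max_fraction of the fleet, rarest first. Thresholds are assumed values; tune per fleet."""
    threshold = max(max_hosts, int(fleet_size * max_fraction))
    rare = [(p, len(h)) for p, h in hosts_by_path.items() if len(h) <= threshold]
    return sorted(rare, key=lambda item: (item[1], item[0]))


def hunt(inventory_text, **thresholds):
    """Parse an inventory, stack it, and return the rare StartupItems plists."""
    records = list(parse_inventory(inventory_text))
    fleet_size = len({host for host, _ in records})
    return rare_items(stack_startup_plists(records), fleet_size, **thresholds)


if __name__ == "__main__":
    for path, count in hunt(SAMPLE_INVENTORY):
        print(f"{count:4d} host(s)  {path}")
```

The widely deployed CorpAgent item is ignored; the updater plist present on one machine is what gets reviewed. Paths outside /Library/StartupItems/ (the LaunchAgents entry) are filtered out so the stack matches the rule's scope.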
Leaders need hands-on experience not just doctrine and training 👀 usni.org/magazines/proceedin…
I hope everyone has a great week. I’ll be back at the end of it.
OSINT Challenge 🕵️‍♂️
To all those going to #x33fcon, have a blast and safe travels! tweeter.jakobs.systems/i/web/status/166…
Thanks to everyone who attended today's workshop!
Instagram is down. Who wants to place bets on if it’s DNS or not?
Always question what could be better and never accept the status quo.
Frustrating Friday Rant: Simulation and emulation are not blindly running atomic tests with matching ATT&CK Technique IDs. The odds of actually replicating the behaviors and procedures are a crapshoot then.
"Write your obituary and figure out how to live up to it." -Warren Buffett
Should you still be emulating APT1?
51% Yes
49% No
75 votes • Final results
I know an outstanding young woman starting a female tech club at the University of Florida. Is there anyone who’d be willing to help mentor members or give a talk to the group?
1. It's great to see CISA publishing observed procedures! 2. I can't stress it enough, make a critical level alert for net enumeration of domain admins. This activity and other net commands are pervasive across different ransomware actors. 3. Seriously, test it ASAP. See if…
📢@CISAgov published a 🆕 joint cybersecurity advisory w/@FBI & @CyberGovAU containing #TTPs and #IOCs on #BianLian ransomware & data extortion group targeting private enterprises & critical infrastructure organizations. More at cisa.gov/news-events/cyberse… #StopRansomware
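A detection for the alert recommended in point 2 above, as an added example that is neither the author's rule nor anything from the CISA advisory: classify process command lines by whether net.exe or net1.exe is enumerating a privileged domain group, a local administrators group, or any other group, so the domain-admin case can be routed to a critical alert and the rest to lower severities. The event field names, the tier-0 group list, and the sample events are assumptions constructed for this example.

```python
import re

# Tier-0 groups whose enumeration warrants a critical alert. The list is an assumption
# for this example; extend it with the privileged groups in your own directory.
TIER0_GROUPS = ("domain admins", "enterprise admins", "schema admins")

# Matches net.exe / net1.exe (bare, with a path, with or without .exe, optionally quoted)
# followed by the group or localgroup verb. Applied to the normalised command line.
_NET_GROUP_RE = re.compile(
    r"""(?:^|[\s\\"'])net1?(?:\.exe)?["']? (?P<verb>group|localgroup)(?P<rest>.*)$"""
)


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so casing or extra spaces don't dodge the match."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def classify(cmdline: str):
    """Return a severity for a process command line, or None when it is not group enumeration."""
    m = _NET_GROUP_RE.search(normalize(cmdline))
    if m is None:
        return None                       # net use, net start, unrelated binaries, ...
    verb, rest = m.group("verb"), m.group("rest")
    if verb == "group" and any(g in rest for g in TIER0_GROUPS):
        return "critical"                 # e.g. net group "Domain Admins" /domain (or /do)
    if verb == "localgroup" and "administrators" in rest:
        return "high"                     # local administrators membership enumeration
    return "medium"                       # any other net group / localgroup query


def scan(events):
    """Run classify() over process-creation events and return the ones worth alerting on."""
    alerts = []
    for ev in events:
        severity = classify(ev["cmdline"])
        if severity is not None:
            alerts.append({"severity": severity, "host": ev["host"],
                           "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample process-creation events (field names are an assumption, not a vendor schema).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "cmdline": 'net  group "Domain Admins" /domain'},
    {"host": "ws01", "user": "CORP\\jdoe", "cmdline": 'net1 group "domain admins" /do'},
    {"host": "ws02", "user": "CORP\\asmith", "cmdline": 'cmd.exe /c "net group "Enterprise Admins" /domain"'},
    {"host": "ws03", "user": "CORP\\bjones", "cmdline": r"C:\Windows\System32\net.exe group /domain"},
    {"host": "ws03", "user": "CORP\\bjones", "cmdline": "net localgroup administrators"},
    {"host": "srv07", "user": "CORP\\svc_backup", "cmdline": r"net use Z: \\fileserver\share"},
    {"host": "srv07", "user": "CORP\\svc_backup", "cmdline": "whoami /groups"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'[{alert["severity"]:8}] {alert["host"]} {alert["user"]}: {alert["cmdline"]}')
```

Matching on the command line rather than the process image is deliberate: the third sample event runs net through cmd.exe, and net1.exe and the abbreviated /do switch are covered so the obvious variants of the same command land in the same bucket. Point 3 in the thread still applies: replay the sample commands in a lab and confirm the critical alert actually fires in your pipeline.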
If a high fidelity indicator of legacy malware is removed from NGFW DNS Sinkhole and/or alerts due to a telemetry collector purchasing the domain and requesting it be recategorized, who's to blame?
33% Telemetry Collector
38% NGFW Company
14% Your own custom IOC list
14% Other
21 votes • Final results
#100DaysofSigma Number 78 is DLL Load By System Process From Suspicious Locations by @nas_bench. There's a lot going on in this infection chain, but today we're highlighting a detection opportunity in the bottom right image where the Qakbot DLL is executed from…
2023-05-10 (Wednesday): obama262 #Qakbot (#Qbot) infection led to #BackConnect activity on 46.151.30[.]109:443 with #DarkCatVNC. Also saw #CobaltStrike from this infection using HTTPS traffic to floatfil[.]com. IOCs available at bit.ly/3nWvIDo
It amazes me that some EDRs don’t even trigger an alert on common discovery commands observed by IcedID, BumbleBee, Qbot, and Ursnif. Example activity from @TheDFIRReport: thedfirreport.com/2022/09/26…