Without (log) data you're just another person with an opinion. 4688+cmdLine, or it Didn't happen. The IT Security guy @meethumio tweets are mine

Joined June 2008
Nancy Pelosi is next in the line of succession to play QB for the 49ers.
What to expect for PingCastle 3.0? 1) UI re-design 2) migration to .net 4 3) AzureAD scan 4) usual bug fixes and improvements 5) major AzureAD additions for paid customers (Pro, Enterprise). Sadly this is too short to add the AzureAD rules I wanted. Beta to be released soon
simon simonsen retweeted
OK, honestly, how many of you treat a blanket "we have seen no evidence that this has been exploited" as "WE REALLY DO SUCK AT LOGGING, DON'T WE!" #random
Just released v0.5.1 of Laurel, the #linux #auditd event post-processing plugin that generates useful, enriched JSON-based audit logs suitable for modern security monitoring setups. github.com/threathunters-io/…
simon simonsen retweeted
Can confirm. If you're one of those weirdos who prefers to not be vulnerable to CVEs, and you've enabled the OPT-IN (🤔) fix that Microsoft released for CVE-2013-3900, you'll find that it's gone after upgrading to Win11. EnableCertPaddingCheck is gone, along with the parent keys.
PSA: Upgrading to #Windows11 wipes out security mitigations for CVE-2013-3900, meaning that if you upgrade you must re-apply said mitigations.
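The two tweets above describe the opt-in CVE-2013-3900 mitigation (the EnableCertPaddingCheck value) being removed by a Windows 11 upgrade. The script below is an added example, not code from either tweet: it audits both registry locations the mitigation uses (the native key and, on 64-bit Windows, the Wow6432Node key), reports which are missing or set to something other than the documented REG_SZ value "1", and emits the .reg text to re-apply them. The registry read uses the standard-library winreg module and runs only on Windows; the reader is injectable so the logic can be exercised elsewhere.

```python
"""Check whether the opt-in CVE-2013-3900 Authenticode padding check is
still present, and emit the .reg text that re-applies it.

Added example, not code from the tweets above. The key paths and the
REG_SZ value "1" are the documented settings for the mitigation; on 64-bit
Windows both the native and the Wow6432Node key must be set (on 32-bit
Windows only the first one exists).
"""
VALUE_NAME = "EnableCertPaddingCheck"
EXPECTED_VALUE = "1"          # a REG_SZ string, not a DWORD
CONFIG_KEYS = [
    r"SOFTWARE\Microsoft\Cryptography\Wintrust\Config",
    r"SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config",  # 32-bit view on x64
]


def winreg_reader(subkey, name):
    """Read HKLM\\<subkey>\\<name>; None when the key or the value is absent."""
    import winreg  # Windows only; imported lazily so the rest runs anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            value, _kind = winreg.QueryValueEx(key, name)
            return value
    except OSError:  # key removed by the upgrade, or value never set
        return None


def audit(reader=winreg_reader, keys=CONFIG_KEYS):
    """Return {subkey: "ok" | "missing" | "wrong:<value>"} for each expected key."""
    result = {}
    for subkey in keys:
        value = reader(subkey, VALUE_NAME)
        if value is None:
            result[subkey] = "missing"
        elif str(value) == EXPECTED_VALUE:
            result[subkey] = "ok"
        else:
            result[subkey] = f"wrong:{value}"
    return result


def mitigated(reader=winreg_reader, keys=CONFIG_KEYS):
    """True only when every expected key carries the documented value."""
    return all(status == "ok" for status in audit(reader, keys).values())


def reg_file(keys=CONFIG_KEYS):
    """Return .reg file text (REG_SZ values) that re-applies the mitigation."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey in keys:
        lines += [f"[HKEY_LOCAL_MACHINE\\{subkey}]",
                  f'"{VALUE_NAME}"="{EXPECTED_VALUE}"', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        for subkey, status in audit().items():
            print(f"{status:10s} HKLM\\{subkey}")
        if not mitigated():
            print("\nMitigation absent; import the following with reg.exe:\n")
            print(reg_file())
    else:
        print(reg_file())
```

Run it before and after the upgrade (or from a post-upgrade scheduled task) and alert on anything other than "ok"; `reg_file()` output can be fed straight to `reg import`.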
simon simonsen retweeted
Defense Against the Lateral Arts: Detecting and Preventing Impacket Wmiexec crowdstrike.com/blog/how-to-… >> Super cool artifacts presented for Impacket detection. Note that other tools from the suite can leave similar, but slightly different artifacts.
simon simonsen retweeted
I was pointed to a very cool resource in the Microsoft 365 admin center today which I had never seen before. The 'advanced deployment guides', which cover security, productivity etc. They are available on the admin.microsoft.com homepage or direct - admin.microsoft.com/Adminpor….
simon simonsen retweeted
If NetNTLMv1 is disabled but LDAP signing is not enforced on DC, and there is WebClient service enabled on the target, pwn is similar (~RBCD abuse). NTLM relay should be HTTP->LDAP instead of SMB->LDAP (WebClient does not set signature requirement on the client side).
Here is why NetNTLMv1 should be disabled in prod networks ASAP. Besides the fact that cracking the hash back to NTLM (and then forging Silver Tickets) is straightforward, there is also a lesser known but immediate relay attack path by removing the MIC and doing RBCD abuse. Demo in screenshots.
simon simonsen retweeted
A good reminder that any launch of an executable or script from C:\Users\Public\ should be investigated thoroughly. mandiant.com/resources/blog/… #CyberSecurity
simon simonsen retweeted
'if a detection hasn't been tested, does it work?' 'focus on high benefit/low regret response automation' 'no one (even the most senior) is above SOPs' -Carson Zimmerman #shmoocon 💙🐝💪 mitre.org/news-insights/publ…
simon simonsen retweeted
YouTube university: - From Zero to Cloud Security Hero in 2023 inv.warpnine.de/5M7HZJxunQc - DevOps Engineer Roadmap 2023: inv.warpnine.de/jsC0Iqb679M - Cloud Engineer 2023 6-month study plan: inv.warpnine.de/8K_GZYaWG3w
simon simonsen retweeted
If you're doing #dfir on a machine that has a WSL distro installed, don't forget to check the "ext4.vhdx" for any susp activity initiated from there. Even on a live system you can open the file using 7Zip for example and check the ".bash_history" among other things :) #detection
simon simonsen retweeted
2nd meme of the day.
simon simonsen retweeted
12/ On the detection side: appcmd.exe created a rewrite rule. Is anyone monitoring this? 🤔 appcmd.exe set config -section:system.webServer/rewrite/globalRules /+"[name='xoso']" /commit:apphost
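Both the appcmd.exe rewrite-rule tweet above and the earlier Mandiant-linked reminder about launches from C:\Users\Public\ come down to the same thing the profile bio asks for: 4688 events with command lines. The script below is an added example, not code from either tweet or from the linked posts: it runs both detections over a handful of constructed 4688 records (field names are the Security 4688 EventData names NewProcessName, CommandLine and ParentProcessName; CommandLine is only populated when command-line auditing is enabled), flags appcmd.exe `set config` calls that touch a `/rewrite/` section, and flags any process image or script argument under C:\Users\Public\, including quoted paths with spaces.

```python
"""Two process-creation (Security 4688) detections run over sample events:
appcmd.exe creating/altering IIS URL-rewrite rules, and executables or
scripts launched from C:\\Users\\Public\\.

Added example, not from the tweets on this page. Field names follow the 4688
EventData names; the sample events below are constructed, not real telemetry.
"""
import re

SCRIPT_OR_BINARY_EXTS = r"(?:exe|dll|scr|ps1|vbs|vbe|js|jse|bat|cmd|hta|wsf)"
# A path under C:\Users\Public\ ending in one of the extensions above, either
# quoted (may contain spaces) or unquoted (no whitespace).
PUBLIC_PATH_RE = re.compile(
    r'(?:"c:\\users\\public\\[^"]*?|c:\\users\\public\\[^\s"\']*?)\.'
    + SCRIPT_OR_BINARY_EXTS + r"\b",
    re.IGNORECASE,
)
APPCMD_SET_CONFIG_RE = re.compile(r"\bset\s+config\b", re.IGNORECASE)
SECTION_RE = re.compile(r"-section:(\S+)", re.IGNORECASE)


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return [(rule, detail), ...] for one event dict; empty when nothing matched."""
    if ev.get("EventID") != 4688:
        return []
    hits = []
    image = ev.get("NewProcessName", "")
    cmd = ev.get("CommandLine") or ""

    # Rule 1: appcmd.exe "set config" on a rewrite section. /commit:apphost
    # writes applicationHost.config, so the rule applies to every site.
    if _image_name(image) == "appcmd.exe" and APPCMD_SET_CONFIG_RE.search(cmd):
        m = SECTION_RE.search(cmd)
        section = m.group(1) if m else ""
        if "/rewrite/" in section.lower():
            hits.append(("appcmd_rewrite_rule", section))

    # Rule 2: the new process image itself lives under C:\Users\Public\.
    if image.lower().startswith("c:\\users\\public\\"):
        hits.append(("public_dir_exec", image))
    else:
        # Rule 3: an interpreter/loader is handed a script or binary from there.
        m = PUBLIC_PATH_RE.search(cmd)
        if m:
            hits.append(("public_dir_script", m.group(0).lstrip('"')))
    return hits


def analyze(events):
    """Return [(RecordId, rule, detail), ...] across all events, in input order."""
    out = []
    for ev in events:
        for rule, detail in check_event(ev):
            out.append((ev.get("RecordId"), rule, detail))
    return out


# Constructed sample 4688 events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4688, "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "CommandLine": r"""appcmd.exe set config -section:system.webServer/rewrite/globalRules /+"[name='xoso']" /commit:apphost"""},
    {"RecordId": 2, "EventID": 4688, "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "CommandLine": "appcmd.exe list sites"},
    {"RecordId": 3, "EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -f C:\Users\Public\update.ps1'},
    {"RecordId": 4, "EventID": 4688, "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Users\Public\Libraries\svchost.exe",
     "CommandLine": r"C:\Users\Public\Libraries\svchost.exe -k netsvcs"},
    {"RecordId": 5, "EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\Public\Documents\notes.txt"'},
    {"RecordId": 6, "EventID": 4689, "NewProcessName": r"C:\Users\Public\x.exe"},  # process exit, ignored
]

if __name__ == "__main__":
    for rec, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"record {rec}: {rule}: {detail}")
```

Record 5 (notepad opening a .txt under Public) is deliberately left unflagged: the point of the Mandiant reminder is executables and scripts, and a document path alone would drown the rule in noise.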
simon simonsen retweeted
LET'S GOOOOOOO!!!!
My 22 year old cousin met his dream girl at a bar and it's going pretty well
simon simonsen retweeted
When using the Microsoft-Windows-VHDMP event log, remember that it doesn't log only ISOs but other types. Using EID 11 you can filter on the following VhdType values (that I encountered) to be more accurate. Type 1: VMGS/VHD (Ex: HyperV) Type 2: VHDX (Ex: WSL) Type 3: ISO
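The VhdType values above, together with the earlier WSL tweet about reviewing ext4.vhdx, suggest a small triage pass over VHDMP EID 11 records. The script below is an added example, not code from either tweet: it keeps only EID 11, labels each record with the VhdType meaning the tweet reports (1 = VHD/VMGS, 2 = VHDX, 3 = ISO), counts them, and flags the mounts a responder should open first: ISOs mounted from a user's Downloads/Temp paths, WSL ext4.vhdx disks, and any VhdType outside the known list. The EventData field name "VhdFileName" and all sample records are assumptions/constructed, so map the real field names from the event XML before running this on exported logs.

```python
"""Triage Microsoft-Windows-VHDMP event log records: keep EID 11 only, label
the VhdType and flag the mounts a responder should open first.

Added example, not from the tweets on this page. VhdType meanings are the
ones the tweet reports; the field name "VhdFileName" and the sample records
are assumptions/constructed.
"""
import re

VHD_TYPES = {1: "VHD", 2: "VHDX", 3: "ISO"}   # 1 also covers Hyper-V VMGS files

# Where a user-delivered image usually sits when it gets double-clicked.
USER_DELIVERED_RE = re.compile(
    r"\\users\\[^\\]+\\(?:downloads|desktop|appdata\\local\\temp|"
    r"appdata\\local\\microsoft\\windows\\inetcache)\\"
)


def classify(rec):
    """Return (label, note) for one EID 11 record, or None for any other event.

    note is empty when the mount looks routine (e.g. a Hyper-V disk coming online).
    """
    if rec.get("EventID") != 11:
        return None
    vtype = int(rec.get("VhdType", -1))
    label = VHD_TYPES.get(vtype, f"unknown({vtype})")
    path = (rec.get("VhdFileName") or "").lower()
    note = ""
    if vtype == 3 and USER_DELIVERED_RE.search(path):
        note = "ISO mounted from a user download/temp path: common phishing delivery, inspect its contents"
    elif vtype == 2 and path.endswith("\\ext4.vhdx"):
        note = "WSL distro disk: open the vhdx (7-Zip works on a live system) and review .bash_history"
    elif vtype not in VHD_TYPES:
        note = "VhdType not in the known list: check the raw event before filtering on it"
    return label, note


def triage(records):
    """Return [(path, label, note)] for the EID 11 records that carry a note."""
    out = []
    for rec in records:
        res = classify(rec)
        if res and res[1]:
            out.append((rec.get("VhdFileName"), res[0], res[1]))
    return out


def summarize(records):
    """Count EID 11 records per label, e.g. {'ISO': 2, 'VHDX': 1}."""
    counts = {}
    for rec in records:
        res = classify(rec)
        if res:
            counts[res[0]] = counts.get(res[0], 0) + 1
    return counts


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"EventID": 11, "VhdType": 3, "VhdFileName": r"C:\Users\alice\Downloads\invoice_2023.iso"},
    {"EventID": 11, "VhdType": 3, "VhdFileName": r"D:\ISOs\Win11_22H2.iso"},
    {"EventID": 11, "VhdType": 2, "VhdFileName": r"C:\Users\alice\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu\LocalState\ext4.vhdx"},
    {"EventID": 11, "VhdType": 1, "VhdFileName": r"D:\Hyper-V\srv01\srv01.vhd"},
    {"EventID": 11, "VhdType": 7, "VhdFileName": r"C:\Temp\odd.vhdx"},
    {"EventID": 1, "VhdType": 3, "VhdFileName": r"C:\Users\alice\Downloads\invoice_2023.iso"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    for path, label, note in triage(SAMPLE_RECORDS):
        print(f"[{label}] {path}\n    {note}")
```

The ISO in D:\ISOs is counted but not flagged: an admin's install media and a mailed-in ISO both produce EID 11 with VhdType 3, and the mount path is what separates them.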