Added a couple of short entries today
Collection of various answers I've given online
#misp - Malware Information Sharing Platform & Threat Sharing - Training Materials
Is Threat Hunting the new Fad? https://isc.sans.edu/diary/25746
An interesting item to think about, knowing your 'enemy'...
Does 'knowing your enemy' involve...
- a list of bad IPs
- a set of event IDs
- different entropy (i.e. when obscuring potentially malicious PowerShell commands, like disabling an ETW provider)
"In fact, many observations of past badness — the indicators — may in fact be essentially random and present no useful knowledge about the future badness or about the nature of the enemy, their intents and capabilities."
Me: *posts something positive and wholesome that is #infosec-parallel on Twitter*
Twitter: *fights amongst themselves over Thing*
Me: *feels awkward*
List of various Windows ETW tools
Windows Performance Toolkit - Xperf - https://docs.microsoft.com/en-us/archive/blogs/ntdebugging/windows-performance-toolkit-xperf
Concurrency Visualizer - https://docs.microsoft.com/en-us/visualstudio/profiling/concurrency-visualizer?view=vs-2019
Tracefmt - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/understanding-tracefmt
PerfView - https://github.com/Microsoft/perfview
Developers' own ETW tools:
I signed up to preview Amazon Detective https://aws.amazon.com/detective/
"Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations."
Just published by my colleague: how to do Windows USB Auditing using modules available on free/paid versions of this log collector
“In essence, people write stupid string-matching and regex-based content because they trust it. They do not — en masse — trust the event taxonomies if their lives and breach detections depend on it. And they do.” — Chronicle
auspol, Windows 7, Server 2008
The Department of Defence and the Australian Taxation Office recently entered into contracts with the government’s exclusive Microsoft licence reseller, Data#3, to extend support until at least 2021 https://www.itnews.com.au/news/defence-ato-fork-out-millions-to-keep-windows-7-secure-for-another-year-536572
Just published: Windows Event IDs to collect, based on the top Windows Security Events, the JPCERT/CC lateral movement research, and other guidance from NSA and Palantir. https://nxlog.co/documentation/nxlog-user-guide/eventlog-eventids.html - You can use the Community Edition for these and adapt them on your own systems. #nxlog #infosec
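An added example to go with the post above (my own code, not part of the post or of the linked NXLog documentation): a small Python script that shows what collecting a chosen set of Security-log IDs buys you downstream. It filters forwarded records down to a collection list and then correlates a network logon (4624, LogonType 3), a privileged-logon notice (4672) and a service install (4697) that share one logon ID on the same computer. The ID list is an illustrative subset I chose, not the page's list; the JSON-lines layout and the sample records are constructed. The field names used (TargetLogonId, SubjectLogonId, LogonType, IpAddress, ServiceName) are the standard Windows Security-log ones.

```python
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative subset of Security-log IDs to collect (my assumption, not the
# page's list): enough for logon, privilege and service-install visibility.
COLLECT_IDS = {
    4624: "An account was successfully logged on",
    4625: "An account failed to log on",
    4648: "A logon was attempted using explicit credentials",
    4672: "Special privileges assigned to new logon",
    4688: "A new process has been created",
    4697: "A service was installed in the system",
    4698: "A scheduled task was created",
    4720: "A user account was created",
    4732: "A member was added to a security-enabled local group",
    5140: "A network share object was accessed",
}


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    computer: str
    data: dict


def parse_events(jsonl: str) -> list[Event]:
    """Parse one JSON object per line (constructed agent output) into Events,
    sorted by time. Malformed lines are skipped instead of aborting the run."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            events.append(Event(
                time=datetime.fromisoformat(rec["TimeCreated"]),
                event_id=int(rec["EventID"]),
                computer=rec["Computer"],
                data=rec.get("EventData", {}),
            ))
        except (ValueError, KeyError):
            continue
    return sorted(events, key=lambda e: e.time)


def select_for_collection(events: list[Event], ids=COLLECT_IDS) -> list[Event]:
    """Keep only IDs on the collection list; 4634 logoffs, 4689 exits etc. are volume."""
    return [e for e in events if e.event_id in ids]


def find_remote_admin_chains(events: list[Event], window=timedelta(minutes=10)) -> list[dict]:
    """Per (computer, logon ID): a network logon (4624, LogonType 3) followed
    within `window` by a 4672 and at least one 4697 under the same logon ID.
    The 4624 TargetLogonId is what later events carry as SubjectLogonId."""
    by_logon = defaultdict(list)
    for e in events:
        lid = e.data.get("TargetLogonId") if e.event_id == 4624 else e.data.get("SubjectLogonId")
        if lid:
            by_logon[(e.computer, lid)].append(e)

    chains = []
    for (computer, lid), evs in by_logon.items():
        logons = [e for e in evs if e.event_id == 4624 and e.data.get("LogonType") == "3"]
        if not logons:
            continue
        logon = logons[0]
        in_window = [e for e in evs if logon.time <= e.time <= logon.time + window]
        privileged = any(e.event_id == 4672 for e in in_window)
        services = [e.data.get("ServiceName") for e in in_window if e.event_id == 4697]
        if privileged and services:
            chains.append({
                "computer": computer,
                "logon_id": lid,
                "user": logon.data.get("TargetUserName"),
                "source_ip": logon.data.get("IpAddress"),
                "services": services,
            })
    return chains


# Constructed sample records: one remote admin session that installs a service,
# one interactive console logon that does not, and one garbage line.
SAMPLE_JSONL = r"""
{"TimeCreated": "2019-11-20T09:00:00", "EventID": 4624, "Computer": "FILESRV01", "EventData": {"TargetUserName": "svc_backup", "TargetLogonId": "0x3E7A1", "LogonType": "3", "IpAddress": "10.0.0.25"}}
{"TimeCreated": "2019-11-20T09:00:01", "EventID": 4672, "Computer": "FILESRV01", "EventData": {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x3E7A1"}}
{"TimeCreated": "2019-11-20T09:00:09", "EventID": 4697, "Computer": "FILESRV01", "EventData": {"SubjectLogonId": "0x3E7A1", "ServiceName": "PSEXESVC", "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"}}
{"TimeCreated": "2019-11-20T09:00:10", "EventID": 4634, "Computer": "FILESRV01", "EventData": {"TargetLogonId": "0x3E7A1"}}
{"TimeCreated": "2019-11-20T09:05:00", "EventID": 4624, "Computer": "FILESRV01", "EventData": {"TargetUserName": "jdoe", "TargetLogonId": "0x40012", "LogonType": "2", "IpAddress": "-"}}
{"TimeCreated": "2019-11-20T09:05:01", "EventID": 4672, "Computer": "FILESRV01", "EventData": {"SubjectUserName": "jdoe", "SubjectLogonId": "0x40012"}}
{"TimeCreated": "2019-11-20T09:06:00", "EventID": 4689, "Computer": "FILESRV01", "EventData": {"SubjectLogonId": "0x40012", "ProcessName": "C:\\Windows\\notepad.exe"}}
not json at all
"""

if __name__ == "__main__":
    kept = select_for_collection(parse_events(SAMPLE_JSONL))
    print(f"{len(kept)} records kept for collection")
    for chain in find_remote_admin_chains(kept):
        print("remote admin chain:", chain)
```

The correlation is deliberately narrow: a console logon (LogonType 2) with the same 4672 notice is not flagged, and shrinking the window drops the chain, which is the knob you tune against your own noise rather than a fixed rule.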
"CIS Controls Implementation Guide for SMEs" https://www.cisecurity.org/wp-content/uploads/2017/09/CIS-Controls-Guide-for-SMEs.pdf
Published: work I have done on Rapid7 integration to collect logs and rewrite them into the Universal Event Format (UEF), which offers an alternative to what is in their documentation https://nxlog.co/documentation/nxlog-user-guide/rapid7.html
A Mastodon instance for info/cyber security-minded people.