Lets Talk About Security

In 2023, I set out to write a personal blog every four months but didn't quite meet that goal. Reflecting on the year, it's amusing to think I attributed this to writer's block. My role in threat intelligence and working with an advanced pursuit team involves crafting internal reports and advisories. Realizing this could have been a goldmine for blog content, I'm reminded of one of my favorite quotes, "I'm going to make this way harder than it needs to be." So, let's dive in. I frequently utilize what I term 'open source databases' – resources like Shodan, Censys, VirusTotal, and AbuseIPDB. These databases provide intelligence on various artifacts, with limitations typically based on the account type (free, verified, or paid). Today, I want to focus on how I leverage VirusTotal Enterprise in my daily workflow. Before we delve deeper, a quick tip: check the VT Enterprise Group tab under your profile to monitor your monthly usage. These resources

I wasn't actually planning on writing up a blog about passing the CRTO, but here I am about two months since passing and felt like writing down some after-thoughts. Now that all the information has had time to simmer, there have been some key takeaways I've noticed in my day to day working in threat research. If you're not familiar with the CRTO, a TLDR is this focuses on using the C2 framework CobaltStrike from a red team perspective created by RastaMouse at Zero Point Security .    If you've ever worked in a SOC before, you've maybe heard the long standing joke 'it's an admin, false positive'. It used to make me laugh, until I moved in threat hunting and intelligence. Now hearing this just gives me anxiety. Elevating privileges typically isn't that difficult to accomplish but, detecting and preventing it before it has a negative impact is challenging. This is even more difficult when going against a skilled attacker that understands elevating privi

Something interesting I've come across, admittedly only a handful of times, is that the `MpPreference` cmdlet is being used in nefarious ways. Specifically, this involves instances where Domain Admin accounts have been compromised, and they are being to create exclusions that bypass Windows Defender detections.  The `MpPreference` cmdlet family is related to Windows Defender. There are 12 different cmdlets in this family, but I've really only encountered `Add-MpPreference` in the wild. On that note, this is not referring to Windows Defender for Endpoint, ATP, or whatever it was called before that. One important aspect of using MpPreference is that it requires some form of an elevated account to create the exclusions. I first came across this technique when I observed a script being executed after a DA pushed a GPO that did a few interesting things. This script disabled AVs, EDRs, backups, grabbed a malicious executable from a network share, and cleared audit logs. The fact that