home.social

#cloudforensics — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cloudforensics, aggregated by home.social.

  1. "I SPy" Entra ID Global Admin Escalation Technique

    Datadog's Security Labs identified an abuse of Office 365 Exchange Online service principal (SP) allowing escalation to Global Admin. MSRC considers it "expected misconfiguration" so don't expect a fix.

    🚨 Alert on new credentials added to SPs.
    🔥 Monitor changes to federated domains (federationConfiguration).
    🕵🏼‍♂️ Hunt unusual Graph API calls to /domains, /credentials, and /federationConfiguration.

    🔗 securitylabs.datadoghq.com/art

    #DFIR #ThreatHunting #EntraID #CloudForensics #M365 #ThreatDetection

  2. #Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

    🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

    halcyon.ai/blog/abusing-aws-na

    #CloudForensics #FOR509 #AWS

  3. #Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

    🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

    halcyon.ai/blog/abusing-aws-na

    #CloudForensics #FOR509 #AWS

  4. #Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

    🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

    halcyon.ai/blog/abusing-aws-na

    #CloudForensics #FOR509 #AWS

  5. #Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

    🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

    halcyon.ai/blog/abusing-aws-na

    #CloudForensics #FOR509 #AWS

  6. #Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

    🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

    halcyon.ai/blog/abusing-aws-na

    #CloudForensics #FOR509 #AWS

  7. With a rise in Adversary in the Middle (AiTM) phishing, we've seen attackers leverage trusted compromised accounts to launch multi-stage attacks and follow-on BEC activity. Too often, investigations end with "If only this data had been available!"

    We are kicking off our 3-part series on handling Business Email Compromise (BEC) incidents in Microsoft 365! 📧 In Part 1, Rachel dives into the key artefacts for investigating a BEC in M365 and where to find them.

    👉 pentestpartners.com/security-b

    This includes:

    Why enabling Unified Audit Logging is essential for tracking attackers.

    How to use Purview Content Search to analyse compromised mailboxes.

    Pro tips for using Defender's Advanced Hunting to quickly scope the scale of an attack.

    Stay tuned for more actionable insights in Parts 2 & 3!

    #CyberSecurity #BusinessEmailCompromise #M365 #IncidentResponse
    #MicrosoftDefender #EmailSecurity #DigitalForensics #DataRetention #ThreatHunting #CloudForensics

  8. Cado Security releases its H2 2023 Cloud Threat Findings Report to help security teams secure against cloud-focused threat actors. forensicfocus.com/news/cado-se #CadoSecurity #cloudforensics

  9. If you're using any Enterprise licence with #M365 your log retention should now be 180 days by default, at a minimum, plus you now get the "MailItemsAccessed" events to track individual email access.

    No news on those using the Business Standard licence types 🙄

    #DFIR #CloudForensics #FOR509
    microsoft.com/en-us/security/b

  10. If you're using any Enterprise licence with #M365 your log retention should now be 180 days by default, at a minimum, plus you now get the "MailItemsAccessed" events to track individual email access.

    No news on those using the Business Standard licence types 🙄

    #DFIR #CloudForensics #FOR509
    microsoft.com/en-us/security/b

  11. If you're using any Enterprise licence with #M365 your log retention should now be 180 days by default, at a minimum, plus you now get the "MailItemsAccessed" events to track individual email access.

    No news on those using the Business Standard licence types 🙄

    #DFIR #CloudForensics #FOR509
    microsoft.com/en-us/security/b

  12. Looks like Pizza Hut Australia have started to notify impacted customers of their recent cyber breach.
    The threat actor's initial compromise was via an AWS account, are you ready to investigate an AWS Breach?
    #CloudForensics #DFIR #FOR509

    databreaches.net/pizza-hut-aus

  13. Looks like Pizza Hut Australia have started to notify impacted customers of their recent cyber breach.
    The threat actor's initial compromise was via an AWS account, are you ready to investigate an AWS Breach?
    #CloudForensics #DFIR #FOR509

    databreaches.net/pizza-hut-aus

  14. Looks like Pizza Hut Australia have started to notify impacted customers of their recent cyber breach.
    The threat actor's initial compromise was via an AWS account, are you ready to investigate an AWS Breach?
    #CloudForensics #DFIR #FOR509

    databreaches.net/pizza-hut-aus

  15. Looks like Pizza Hut Australia have started to notify impacted customers of their recent cyber breach.
    The threat actor's initial compromise was via an AWS account, are you ready to investigate an AWS Breach?
    #CloudForensics #DFIR #FOR509

    databreaches.net/pizza-hut-aus

  16. Congratulations to our #FOR509 Day 6 Capstone winners in #Singapore last week.
    It was one of the closest challenges between the competing teams I've seen.

    #CloudForensics
    #DFIR @sansapac

  17. Congratulations to our #FOR509 Day 6 Capstone winners in #Singapore last week.
    It was one of the closest challenges between the competing teams I've seen.

    #CloudForensics
    #DFIR @sansapac

  18. Congratulations to our #FOR509 Day 6 Capstone winners in #Singapore last week.
    It was one of the closest challenges between the competing teams I've seen.

    #CloudForensics
    #DFIR @sansapac

  19. Congratulations to our #FOR509 Day 6 Capstone winners in #Singapore last week.
    It was one of the closest challenges between the competing teams I've seen.

    #CloudForensics
    #DFIR @sansapac

  20. Congratulations to our #FOR509 Day 6 Capstone winners in #Singapore last week.
    It was one of the closest challenges between the competing teams I've seen.

    #CloudForensics
    #DFIR @sansapac

  21. I've been presenting with @megan@infosec
    .exchange about #DFIR evidence collection at a few conferences now, but I still get people asking for the presentation, so here's one of the better recordings from the 2023 RSA Conference.
    #CloudForensics

    youtu.be/jJ0GFkh6GjI

  22. #DEFCONTraining Las Vegas Spotlight: Join #KerryHazelton

    Aug 14-15 for a 2-day hands-on training called "Cloud Forensics Workshop & CTF Challenge: Lab Rat Edition"

    training.defcon.org for more info

    From the abstract: "Now in its sixth iteration since its initial launch at BSides DC in October 2017, the Cloud Forensics Workshop and CTF Challenge have been a regular feature at multiple security conferences across the country where security professionals learn the core concepts of digital forensics and incident response in a Cloud computing environment."

    #defcon #defcontraining #defcon31 #cloudforensics #ctf #kerryhazelton

  23. I'm running the #FOR509 #CloudForensics course in 🇦🇺Sydney this May, both in-person and virtual.
    The new class version includes a #GCFR certification and our Day 6 Capstone Challenge with a multi-cloud #DFIR incident to investigate.

    To Register: sans.org/u/1prs
    FOR509 Course Info: for509.com/course

  24. I'm running the #FOR509 #CloudForensics course in 🇦🇺Sydney this May, both in-person and virtual.
    The new class version includes a #GCFR certification and our Day 6 Capstone Challenge with a multi-cloud #DFIR incident to investigate.

    To Register: sans.org/u/1prs
    FOR509 Course Info: for509.com/course

  25. I'm running the #FOR509 #CloudForensics course in 🇦🇺Sydney this May, both in-person and virtual.
    The new class version includes a #GCFR certification and our Day 6 Capstone Challenge with a multi-cloud #DFIR incident to investigate.

    To Register: sans.org/u/1prs
    FOR509 Course Info: for509.com/course

  26. This is one the most comprehensive collection of log sources for #AWS #CloudForensics, along with a summary of each log source, and some simple details on storage and searching data.

    If you regularly do #DFIR in #AWS this is a perfect resource.

    aws.amazon.com/blogs/security/

  27. One of my brilliant coauthors Megan Roddie did a write up from our SANS #FOR509 #CloudForensics class on how to extract #AWS logs for analysis.

    #DFIR #CSIRT #CERT
    sans.org/blog/aws-cloud-log-ex

  28. One of my brilliant coauthors Megan Roddie did a write up from our SANS #FOR509 #CloudForensics class on how to extract #AWS logs for analysis.

    #DFIR #CSIRT #CERT
    sans.org/blog/aws-cloud-log-ex

  29. One of my brilliant coauthors Megan Roddie did a write up from our SANS #FOR509 #CloudForensics class on how to extract #AWS logs for analysis.

    #DFIR #CSIRT #CERT
    sans.org/blog/aws-cloud-log-ex

  30. One of my brilliant coauthors Megan Roddie did a write up from our SANS #FOR509 #CloudForensics class on how to extract #AWS logs for analysis.

    #DFIR #CSIRT #CERT
    sans.org/blog/aws-cloud-log-ex

  31. One of my brilliant coauthors Megan Roddie did a write up from our SANS #FOR509 #CloudForensics class on how to extract #AWS logs for analysis.

    #DFIR #CSIRT #CERT
    sans.org/blog/aws-cloud-log-ex