Practical Hacking | infernux
A concise overview of the Practical Hacking guide and quick links to every chapter.
Back in 2018 I attended a hacking course by a colleague that pretty much put me on the path I am on today with work. I got to help teach and in the end write a book on getting started with hacking - I still recommend it to everyone that wants to get into practical security: infernux.no/practical-ha...
10.01.2026 18:51
Could you build a simple C2-framework using World of Warcraft | infernux
Yes. Sort of, at least. Join me to explore how we can potentially use WoW and its ecosystem as a C2.
Is it possible to make a C2-framework using World of Warcraft? Of course, if you put in some goodwill. If you want you can read about it here:
infernux.no/blog/wowc2/
Fair warning - It's purely for my own sake that I wrote this, you likely won't learn anything exciting by reading.
10.01.2026 17:52
Today's unfortunate discovery: Microsoft Sentinel summary rules are not supported by Azure Lighthouse.
You need Sentinel Contributor (on the workspace/RG) and Log Analytics Contributor directly on the workspace, which is not supported.
A tiny bit annoying.
08.10.2025 07:14
Looking forward to next week - I'm speaking at @wpninjas.no on one of my favorite topics, configuring Microsoft Sentinel (and making a couple of mistakes along the way).
06.06.2025 18:14
- Using Invoke-RestMethod works with an access token for everything
- If you create detection rules in the UI and pull them as code, impacted assets are empty (this is a required field for pushing)
- If you create the rule from the API, impacted assets is returned normally
2/2
02.06.2025 08:15
Defender XDR - Custom Detection Rules Push/Pull via API
A little primer to pushing and pulling new content via the Graph beta API
Finally got out of not writing anything - decided to spend a few hours to play with the custom detection rule API in Defender XDR.
www.infernux.no/DefenderXDR-...
Some funny things I noticed:
- GET works using Invoke-MgGraphRequest
- POST/PATCH throws internal error 500 no matter what
1/2
02.06.2025 08:15
Season 2 of #TalkingSecurity MVP Security Insights is LIVE!
We're kicking off with a bang and who better to launch the new season than the brilliant @truls.infernux.no, Microsoft Security MVP and master of all things cloud security, SIEM, and EDR!
talkingsecurity.nl/podcast/secu...
24.04.2025 15:40
pwshuploadindicatorsapi 1.0.2
This module helps convert MISP events and attributes to the Upload Indicators API format, and then uploads the indicators to the API.
Working on a new #MISP - #Sentinel function app flow using PowerShell and had to update my pwshuploadindicatorsapi function at the same time - now v1.0.2. Added support for the new Stix Object API (new default) and the old upload indicators API.
www.powershellgallery.com/packages/pws...
#MVPBuzz
08.03.2025 10:43
pwshmisp 1.0.3
This module is a collection of functions to help with communication with the MISP API.
Just updated #pwshmisp to version 1.0.3.
Release notes:
- Fixed typo in Invoke-MISPAttributeSearch
- Added support for enforceWarninglist in filters
- Removed notTags and notOrgs (not supported)
www.powershellgallery.com/packages/pws...
03.03.2025 08:38
Expanding on Cyber Threat Intelligence for Security Monitoring
Three levels of detection engineering using Threat Intelligence as our guiding light
New blog post - writing a bit about using CTI not only as a data point but as information and context for information in our processes, such as detection engineering (as an example).
www.infernux.no/Expanding-on...
I think the learning points can be transferred to any discipline in security!
26.01.2025 12:16
pwshuploadindicatorsapi 1.0.1
This module helps convert MISP events and attributes to the Upload Indicators API format, and then uploads the indicators to the API.
Following up my last module pwshmisp with another one, www.powershellgallery.com/packages/pws... - it's a function built to work with pwshmisp to convert data from MISP to the upload indicators API that is used for ingesting TI into MS Sentinel.
#MISP #MicrosoftSentinel #ThreatIntelligence
27.12.2024 10:27
pwshmisp 1.0.2
This module is a collection of functions to help with communication with the MISP API.
Just released a new tool, pwshmisp - a PowerShell module for communicating with a #MISP server.
Grab it on www.powershellgallery.com/packages/pws... and contribute over on GitHub if you find any issues github.com/lnfernux/pws...
I'm also in the process of publishing another module so stay tuned!
25.12.2024 18:15
Security Monitoring - Threat Modeling and Data Sources
One of the most misunderstood aspects of security monitoring is determining what data sources to use for what purpose. In this post, we will go through the process of determining what data sources to ...
A little feedback request. I've written mostly non-technical lately, tried to focus on how to do something rather than giving out scripts and templates.
Example being this article:
www.infernux.no/SecurityMoni...
My question: what do you like to read, when it comes to tech-related blogs?
25.11.2024 11:24
Do you need AI for Security? Maybe. Still need to protect it if the rest of org has Copilot.
Exposure Management is now GA, which is really neat and a great tool for everyone. One presentation called DFC a CISO dashboard which is wild.
I'll rate it π/10, not quite π₯/10 but still alright. 2/2
25.11.2024 11:21
My initial thoughts after attending #MSIgnite this past week; a lot of cool stuff regarding AI. The implications are basically that AI will be more available (create your own agent using natural language), so securing our AI deployments will be more important than ever. 1/2
25.11.2024 11:17