Pentester / RnD / developer of the #WarBerryPi and sometimes just ¯\_(ツ)_/¯. offensiveops.io. Opinions and tweets represent me not my company.

Joined October 2013
So I polished my KQL notes and ended up with a 70 page long pdf. You can find it here github.com/secgroundzero/KQL… Thx and credits also go to @DebugPrivilege @rpargman @olafhartong as I rely a lot on their insights.
First post after a long long time. I had the opportunity to present at @EXNESS behind-the-code event at a unique setting. The interaction and networking at a physical event was refreshing.
-Yiannis- retweeted
It's Launch Day for #CloudBreach! Register for #BreachingAzure Lab and get 25% discount code using the promo code "LAUNCHDAY25". #BreachingAzure challenges students to utilise the latest offensive techniques in a realistic hybrid environment. Are you ready to breach the cloud?
First attempt with standard dev in KQL based on @rpargman beaconing analysis to detect potential bruteforce attacks with EID4625. gist.github.com/secgroundzer…
-Yiannis- retweeted
Last Tuesday I moderated an event organized by the Int'al Chamber of Commerce National Committee of CY, titled Digital Economy & the Importance of ICT for Business in a post-COVID environment. If you didn't have the chance to watch it, check out the recording lnkd.in/dhxHg2n
4 days of intense detection engineering training with @olafhartong done. So much info to ingest from the trainers and the great course participants. Now back to that detection cycle.
Day 1 of @falconforceteam detection engineering course done. Amazing content, tons of new learning and @olafhartong makes it easy. Looking forward to the next days.
Answer is that they don't have to be normalized. EQL understands the schema and it can be queried directly.
Help needed: anyone normalized security logs with eqllib? Sysmon is fine and I see that security logs are supported but the format is not identified @EndgameInc
Switched from Evernote to Notion and finally my notes are starting to make visual sense.
1986 when my dad (center) was the distributor for the new North Star microcomputers (mainframes) in Cyprus.
Is there a way to do similar to EQL (sequence with maxspan) with KQL? Basically want to compare the time generated of 2 different events. #azure #Sentinel
-Yiannis- retweeted
As of today, we will periodically release detection & hunting queries to detect advanced adversary techniques. Currently focused on DATP & Sysmon. Let us know what you think! GitHub: lnkd.in/drph7kn Blog: lnkd.in/dYv9q-s
Daughter #2 coming in 3 weeks. I hope she never Googles her birth year.
-Yiannis- retweeted
Today @elastic opened a public detection rules repo! We believe in the power of open source and community. This will allow us to develop our rules out in the open and accept community rule contributions. Check out our blog for getting started - elastic.co/blog/elastic-secu…
-Yiannis- retweeted
[Watch Now] Talk 3 | Yiannis Ioannides (@sec_groundzero) | Orchestrating Resilient Red Team Infrastructure - Protect yourselves and your clients | youtu.be/Zr5AB0SUef0 | #BSidesAth #InfoSec #CyberSecurity
Just pushed a selection of Zeek logs and their respective logstash configs to the project #threathunting github.com/secgroundzero/oss…
Putting my blue hat on and releasing ossem_modular inspired by @olafhartong SYSMON Modular. This project started as something else and ended up as this. Many thanks to @Cyb3rWard0g & @Cyb3rPandaH for their work on OSSEM and HELK. Happy #threathunting github.com/secgroundzero/oss…