Always rewarding to contribute back to open source projects, but it's even better when they give you some free swag. Thanks Red Canary!
21.12.2024 01:28 — 👍 2 🔁 0 💬 0 📌 0
You could also detect this via /var/log/shell.log and/or /var/log/auth.log but you'd be detecting the command line execution and not the underlying procedure of interacting with the ESXi API.
There are numerous ways to achieve an objective; focus on coverage!
04.12.2024 23:28 — 👍 0 🔁 0 💬 0 📌 0
Pay-what-you-want training that covers Sigma/pySigma, Detections as Code, and Splunk? Support this!
25.11.2024 22:26 — 👍 1 🔁 0 💬 0 📌 0
Getting a sense of the source for each detection would be good. Did these spawn from past incidents, internal research, fancy CTI reports or other?
Figuring out what native alerting mechanism exists would help to remove potential duplicative alerts and let engineers focus on what matters, gaps.
25.11.2024 05:11 — 👍 1 🔁 0 💬 0 📌 0
I made a Detection Engineering starter pack, will be adding more as more folks jump over to bluesky! go.bsky.app/HenXJUR
18.11.2024 15:37 — 👍 125 🔁 55 💬 8 📌 3
Interesting discovery while researching potential ESXi detections. If you execute a command over ssh (e.g. ssh root@esxi.local "echo 123"), that isn't logged to /var/log/shell.log but rather to /var/log/auth.log as "User 'root' running command echo 123".
Make sure your detections look at both log files!
23.11.2024 23:24 — 👍 1 🔁 1 💬 0 📌 0
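Detection logic that covers both files, as an added example that is not part of the original posts above (this one and the 04.12.2024 reply about shell.log/auth.log). It parses constructed sample lines in both layouts and runs a small command watchlist over the merged events. The auth.log message body ("User 'root' running command echo 123") is the one quoted in the post; the timestamp/process prefixes, the shell.log line layout, the sample commands and the two-rule watchlist are assumptions made for the example, not ESXi documentation.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample lines (not captured from a real host). The auth.log
# "User 'root' running command ..." text is the form the post quotes; the
# "sshd[pid]:" / "shell[pid]: [user]:" prefixes are assumed for illustration.
AUTH_LOG = """\
2024-11-23T23:20:01Z sshd[2050]: Accepted keyboard-interactive/pam for root from 192.0.2.10 port 51234 ssh2
2024-11-23T23:20:02Z sshd[2050]: User 'root' running command echo 123
2024-11-23T23:21:10Z sshd[2077]: User 'root' running command esxcli vm process kill --type=hard --world-id=123456
"""

SHELL_LOG = """\
2024-11-23T23:22:00Z shell[2101]: [root]: esxcli vm process list
2024-11-23T23:22:30Z shell[2101]: [root]: vim-cmd vmsvc/power.off 5
"""

# One regex per log layout; both normalise to the same event shape.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: User '(?P<user>[^']+)' running command (?P<cmd>.+)$"
)
SHELL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)

# Example watchlist (assumed for this demo): commands that stop or kill VMs.
WATCHLIST = {
    "vm-process-kill": re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    "vm-power-off": re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b"),
}


@dataclass
class CommandEvent:
    ts: str
    user: str
    cmd: str
    source: str  # "auth.log" or "shell.log"


def _parse(lines: Iterable[str], pattern: re.Pattern, source: str) -> List[CommandEvent]:
    """Turn every line matching `pattern` into a CommandEvent tagged with its source file."""
    events = []
    for line in lines:
        m = pattern.match(line.rstrip("\n"))
        if m:
            events.append(CommandEvent(m["ts"], m["user"], m["cmd"].strip(), source))
    return events


def parse_command_events(auth_text: str, shell_text: str) -> List[CommandEvent]:
    """Merge command executions from both files, ordered by timestamp."""
    events = _parse(auth_text.splitlines(), AUTH_RE, "auth.log")
    events += _parse(shell_text.splitlines(), SHELL_RE, "shell.log")
    return sorted(events, key=lambda e: e.ts)


def detect(events: Iterable[CommandEvent]) -> List[Tuple[str, CommandEvent]]:
    """Return (rule name, event) pairs for every event whose command hits the watchlist."""
    hits = []
    for event in events:
        for rule, pattern in WATCHLIST.items():
            if pattern.search(event.cmd):
                hits.append((rule, event))
    return hits


if __name__ == "__main__":
    # Full coverage: both the ssh-delivered kill and the interactive power-off fire.
    for rule, ev in detect(parse_command_events(AUTH_LOG, SHELL_LOG)):
        print(f"{rule:16} {ev.source:10} {ev.ts} {ev.user}: {ev.cmd}")
    # shell.log only: the esxcli kill sent over ssh is never seen.
    print("shell.log only:", [r for r, _ in detect(parse_command_events("", SHELL_LOG))])
```

Running it with both files produces two alerts, one from each source; feeding only shell.log drops the `esxcli vm process kill` that arrived over ssh, which is exactly the gap the post describes. Whatever the real prefix format is on your hosts, the point to keep is the two-source merge: the detection keys on the command text, and the source file is metadata, not the trigger.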
Dad • Gamer • Humanist • InfoSec • Cyber • Founder & CTO @socura.co.uk • MDR / SOC • Detection Engineering • DFIR
🌐 jamieb.com
📍 Buckinghamshire, UK
Dad above all other jobs
Detection Engineering and Threat Hunting
Email and Empathy
Know. When it matters.
https://canary.tools
Security tools and infrastructure on-demand. Use LimaCharlie to automate and manage security operations at scale.
Specializing in pen testing, red teaming, and Active SOC. We share our knowledge through blogs, webcasts, open-source tools, and Backdoors & Breaches game.
blackhillsinfosec.com & poweredbybhis.com
Affordable and accessible cybersecurity training that doesn't suck.
Featuring cybersecurity practitioners, former SANS instructors, and industry recognized leaders from all over the world.
https://www.antisyphontraining.com
Penetration Testing, Purple Team, Red Team & Adversary Emulation.
Let our Offense, Prepare your Defense. https://redsiege.com
#weareoffensive
We're the Electronic Frontier Foundation. We're a nonprofit that fights for your privacy and free speech online. Find all of EFF's social media accounts at eff.org/social.
eff.org
MITRE ATT&CK® - A knowledge base for describing the behavior of adversaries. Replying/Following/Reposting ≠ endorsement.
GreyNoise analyzes Internet background noise. Use GreyNoise to remove pointless security alerts, find compromised devices, or identify emerging threats.
A security firm providing Incident Response, Proactive Threat Assessments, Trusted Advisory, and Threat Intelligence // volexity.com
Official account of the Volatility Memory Analysis Project and Windows Malware and Memory Forensics Training. http://volatilityfoundation.org
End-to-end Cybersecurity consulting team leading the industry, supporting organizations, and giving back. #HackThePlanet
https://trustedsec.com/
A semi-regular gathering for irregulars from the security research community to engage with Congressional staffers. Run by I Am The Cavalry, bridging the gap between the hacker and public policy communities since 2017.
NFP with the mission of #crowdsourcing OSINT to help find #missingpersons while training members in the tradecraft of #OSINT | Contact us at info@tracelabs.org | Visit our site for more info and Discord link: tracelabs.org
By defenders. For defenders.
Peel back the layers of your network and make your adversaries cry.
https://www.securityonion.com
🌍 Trusted Threat Detection & Incident Response solutions. Experience the difference with our unmatched capabilities. #SIEM #APISecurity #LogManagement #InfoSec
Real Intrusions by Real Attackers, the Truth Behind the Intrusion.
https://thedfirreport.com