brianreitz/awesome-blueteam
awesome-blueteam

A list of resources to build an information security team.

Philosophy and Process

The why, what, and how of threat research - Matt Graeber, RedCanary

An excellent overview of how to approach creating a new detection from the initial idea, research, and development.

Introducing the Funnel of Fidelity - Jared Atkinson, SpecterOps

A model that breaks down the scope of different stages of detection, which helps focus on the tools and technologies needed at each phase.

Microsoft Windows

What Happens When You Type Your Password Into Windows? - Steve Syfuhs, Microsoft

A definitive breakdown of the authentication process on Windows.

How Does Windows Defender Credential Guard Work? - Steve Syfuhs, Microsoft

A review of how Credential Guard protects passwords on Windows from credential theft, in some scenarios.

Reading Your Way Around UAC, Part 1, Part 2, Part 3 - James Forshaw, Google Project Zero

An extensive exploration of how User Account Control works on Windows, and ways to bypass it. It took me several rereadings of this series to fully grok it.

Introduction to Windows tokens for security practitioners - Will Burgess, Elastic

An introduction to the "base unit" of Windows access control, the access token, and how it ties into logon sessions.

Restricting SMB-based lateral movement in a Windows environment - Palantir

SMB-based lateral movement is a technique frequently used by adversary groups, and it underpins PsExec, CrackMapExec, and many other tools. This blog post covers the built-in Windows security controls that can be enabled to restrict SMB movement within an environment.

Detecting Windows Endpoint Compromise with SACLs - Dane Stuckey, Palantir

A case study in using System Access Control Lists (SACLs) as part of Windows advanced auditing to detect common indicators of successful code execution, lateral movement, or other compromises.

Technical Background

The Illustrated TLS Connection - Michael Driscoll

A detailed breakdown of a TLS Connection, at every stage, with annotated examples showing exactly how it looks "on-the-wire". Fantastic for anyone looking to write a parser or fully understand what is sent for every TLS connection, and at what stage.

Portable Executable File Format - Krzysztof Kowalczyk

A useful reference for the PE Format, the most common executable format on Microsoft Windows, and how that information is stored at the file and structural level. Incredibly thorough, with datatypes and structures to build off if you're working with the format.

DigitalOcean Tutorials - DigitalOcean

An excellent collection of short, practical articles about systems administration and the complex stack of technologies you'll run into, usually with detailed hands-on instructions for working with them. Example: How To Use Journalctl to View and Manipulate Systemd Logs.

Tools Analysis Result Sheet - JPCERT/CC

A collection of digital artifacts created when running a particular tool or technique. Immensely useful when considering ideas for detections that rely on interesting behaviors or files created, or to find potential artifacts to prove a technique was used when threat hunting in an environment with sparse logging coverage.

Statistics

Simple Anomaly Detection Using Plain SQL - Haki Benita

An excellent introduction to using SQL to identify patterns and anomalies in data, using a simple setup and queries that can be adapted to the query language or tool of your choice. A great way to learn how statistics can define outliers and how to implement the queries that find them in practice.

Tools

CyberChef - GCHQ

The self-described "Cyber Swiss Army Knife", CyberChef is an excellent web tool to chain together different procedures for tasks to decode, translate, or otherwise manipulate data without whipping up a standalone script. Very useful for analyzing snippets of data.
