Christopher Glyer Profile picture
Microsoft Threat Intelligence Center - Former Incident Responder @Mandiant & Chief Security Architect @FireEye
Oct 3, 2018 10 tweets 6 min read
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

Oct 3, 2018 5 tweets 3 min read
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit It's not often that you see ACI Shims used for persistence

Jul 18, 2018 8 tweets 3 min read
Remediation strategy in #DFIR is always a fun topic - with many opinions & not always a clear rule book to follow. It's like the English language for every rule there are 5 exceptions. My views have evolved over time - from combo of experience & as monitoring tools have improved If you catch attacker early in attack lifecycle - this one is pretty easy. Take action immediately before they get a strong foothold. Very few exceptions to this rule. Tipoffs you are early in attack lifecycle. Malware owned by primary user of system or malware in startup folder
Jul 18, 2018 18 tweets 5 min read
I've been thinking about the recent conspiracy theory of "where is the physical DNC server".

Here is a thread on the "missing" DNC server and my experience/advice from conducting similar investigations. First, some background for my comments. Over the last decade, I've personally led investigations at over 100 organizations & taught dozens of classes for both federal law enforcement and the private sector on incident response and digital forensics.
Dec 1, 2017 9 tweets 2 min read
Reading… today reminded me how I got my start in #DFIR in 2008 investigating FIN1. Let's take a walk down memory lane. FIN1 (in my experience) has had a few major periods of activity (2007-2009, 2011-2012, and 2014-2015) - each with their own distinct set of TTPs. They've significantly improved their capabilities over the years (even though multiple members have been arrested)