NexusFuzzy · @hariomenkel
34 followers · 8 posts · Server infosec.exchange

Maybe this is common sense, but what I learned during past incident response engagements is that knowing your team and colleagues is at least as important as knowing your tools.

I highly recommend training for incidents with platforms like CyberBit (cyberbit.com/platform/cyber-ra), not only to sharpen your technical skills but also to learn how to document your incidents while you're working on them. Documentation goes a long way during an incident. Trust me on that one. Even if you start out with an Excel sheet, it's better than nothing, and during your trainings you learn the pros and cons of your documentation tool and can fix it while not everything around you is on fire.

Bonus points if you randomly mix your teammates during the different exercises to learn how to best approach the different characters in your team and how to best leverage them to achieve your common goal.

#incidentresponse #blueteamanalyst #blueteamtips

Last updated 2 years ago

Bypassing detections by using TrustedSec’s new tooling.

This changes the request for the juicy SPN you're after so that the Kerberos options (0x40810010) and ticket type (RC4 0x17) are no longer used and therefore detected 🔥 :thisisfine:

To counter this, create and alert on “Honey SPNs” and hope that the attackers query one of these instead - these accounts should never be queried.

trustedsec.com/blog/the-art-of

Demo
youtu.be/SwbSq1dTz7Y

#Kerberoasting #orpheus #dfir #blueteamtips #activedirectory

Last updated 2 years ago
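The two detection rules the post contrasts, run over sample Windows Security event 4769 records, as an added example that is not part of the original post or of TrustedSec's tooling: rule 1 is the classic Kerberoasting signature (RC4 0x17 ticket with options 0x40810010), rule 2 alerts on any ticket request for a honey SPN regardless of encryption type or options. The log lines, the key=value rendering of 4769 fields, the honey account names (svc-backup-legacy, svc-sql-reporting) and the options/encryption values used for the "modified" request are all constructed for the example; the post does not state which values the tool actually chooses.

```python
"""
Kerberoasting detection over Windows Security event 4769
(A Kerberos service ticket was requested).

Rule 1 (classic): TicketEncryptionType 0x17 (RC4-HMAC) together with
         TicketOptions 0x40810010. A request that switches to AES and
         different options does not match this rule at all.
Rule 2 (honey SPN): any 4769 whose ServiceName is a bait account.
         Legitimate clients never ask for these, so the rule ignores
         encryption type and options entirely.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Bait service accounts. Hypothetical names chosen for this example.
HONEY_SPN_ACCOUNTS = {"svc-backup-legacy", "svc-sql-reporting"}

# TicketEncryptionType values as logged in event 4769.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1 = 0x11
AES256_CTS_HMAC_SHA1 = 0x12

# TicketOptions value the post names as the detected default.
DEFAULT_ROAST_OPTIONS = 0x40810010


@dataclass
class Event4769:
    target_user: str        # account that requested the service ticket
    service_name: str       # account the SPN belongs to (ServiceName field)
    ticket_options: int
    ticket_enc_type: int
    ip_address: str


def parse_4769(line: str) -> Event4769:
    """Parse one constructed 'Key=Value Key=Value' rendering of a 4769 event."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return Event4769(
        target_user=fields["TargetUserName"],
        service_name=fields["ServiceName"],
        ticket_options=int(fields["TicketOptions"], 16),
        ticket_enc_type=int(fields["TicketEncryptionType"], 16),
        ip_address=fields["IpAddress"],
    )


def classify(ev: Event4769) -> List[str]:
    """Return the names of the rules this event triggers (possibly none)."""
    alerts = []
    # Rule 1: only fires on the RC4 + default-options combination.
    if ev.ticket_enc_type == RC4_HMAC and ev.ticket_options == DEFAULT_ROAST_OPTIONS:
        alerts.append("kerberoast-rc4-default-options")
    # Rule 2: bait account requested; ignore how the ticket was requested.
    # Strip a trailing '$' so a computer-style bait account is matched too.
    if ev.service_name.rstrip("$").lower() in HONEY_SPN_ACCOUNTS:
        alerts.append("honey-spn-queried")
    return alerts


def run_detection(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run both rules over a batch of log lines; return (requester, service, rule) hits."""
    hits = []
    for line in lines:
        ev = parse_4769(line)
        for rule in classify(ev):
            hits.append((ev.target_user, ev.service_name, rule))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Ordinary user ticket for a workstation: AES256, non-roast options. No alert.
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ "
    "TicketOptions=0x40810000 TicketEncryptionType=0x12 IpAddress=10.0.0.15",
    # Classic roast: RC4 requested with the default options. Rule 1 fires.
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc-sql "
    "TicketOptions=0x40810010 TicketEncryptionType=0x17 IpAddress=10.0.0.15",
    # Same SPN, but AES and changed options (assumed values): rule 1 is blind.
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc-sql "
    "TicketOptions=0x40810000 TicketEncryptionType=0x12 IpAddress=10.0.0.15",
    # Same modified request aimed at a honey SPN: rule 2 still fires.
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc-backup-legacy "
    "TicketOptions=0x40810000 TicketEncryptionType=0x12 IpAddress=10.0.0.15",
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

The third sample shows the gap the post describes: once the request no longer carries RC4 and 0x40810010, the signature rule has nothing to match. The fourth shows why the honey-SPN rule is worth the effort: it keys on what was asked for, not how, so it survives changes to the request shape. In production, exclude krbtgt and your own vulnerability scanners from rule 1 to keep the noise down, but never add exclusions to rule 2.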