Christophe 

@christophetd@infosec.exchange
1.2K Followers
148 Following
300 Posts
• Cloud and container security
• Security research and open source at Datadog
🇨🇭🇫🇷
Website: https://christophetd.fr
GitHub: https://github.com/christophetd
Twitter: 🪦

By making minor changes to command-line arguments, it is possible to bypass EDR/AV detections.

My research, comprising ~70 Windows executables, found that all of them were vulnerable to this, to varying degrees.

Here’s what I found and why it matters 👉 https://wietze.github.io/blog/bypassing-detections-with-command-line-obfuscation

Bypassing Detections with Command-Line Obfuscation

Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits executables’ parsing “flaws”, can bypass such detections. It also introduces ArgFuscator, a new tool that documents obfuscation opportunities and generates obfuscated command lines.

New research: We've been monitoring a threat actor publishing dozens of trojanized GitHub repositories targeting threat actors, leaking hundreds of thousands of credentials along the way

https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors/

Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials | Datadog Security Labs

This post describes an in-depth investigation by Datadog security researchers into a threat actor dubbed MUT-1244, which targets other malicious actors as well as security practitioners and academics.

Some interesting research by my colleague @christophetd on default service accounts in GCP. Looks at how default rights can be in place and some of the risks to GKE environments.

https://securitylabs.datadoghq.com/articles/google-cloud-default-service-accounts/

Exploring Google Cloud Default Service Accounts: Deep Dive and Real-World Adoption Trends | Datadog Security Labs

This post offers a deep dive into Google Cloud’s default service accounts, explaining their functionality, risks, and real-world adoption trends.

New blog post: A SaaS provider's guide to securely integrating with customers' AWS accounts

https://securitylabs.datadoghq.com/articles/securely-integrating-with-customers-aws-accounts/

A SaaS provider's guide to securely integrating with customers' AWS accounts | Datadog Security Labs

An opinionated guide to securing third-party AWS integrations

A little late on Mastodon, but I'm excited to release a new open-source tool to help with AWS detection engineering: Grimoire!

https://github.com/datadog/grimoire

https://securitylabs.datadoghq.com/articles/announcing-grimoire/

GitHub - DataDog/grimoire: Generate datasets of cloud audit logs for common attacks

Generate datasets of cloud audit logs for common attacks - DataDog/grimoire

GitHub
Stop worrying about 'allowPrivilegeEscalation' - Christophe Tafani-Dereeper

Kubernetes' 'allowPrivilegeEscalation' is a useful but poorly understood security hardening setting. Let's dive into how it works and debunk some common myths about it.

Christophe Tafani-Dereeper

Super excited that my colleague Ian Ferguson (staff engineer in our Runtime Infrastructure team) is giving this talk at fwd:cloudsec next week.

Includes a brand new open-source project that facilitates multi-cloud IAM 👀

https://pretalx.com/fwd-cloudsec-2024/speaker/ET8VX3/

Ian Ferguson fwd:cloudsec 2024

Schedule, talks and talk submissions for fwd:cloudsec 2024

🛎️ DING! AWS Security Digest 157 is ready!

1️⃣ IMDSv2 enforcement: coming to a region near you! @christophetd
2️⃣ AWS Bulletin regarding CVE-2024-3094 (+ Interesting blogpost)
3️⃣ Amazon GuardDuty EC2 Runtime Monitoring is now generally available

Link below...

IMDSv2 enforcement: coming to a region near you!

https://blog.christophetd.fr/imdsv2-enforcement/

IMDSv2 enforcement: coming to a region near you! - Christophe Tafani-Dereeper

On March 25, AWS released a new feature that helps enforce IMDSv2 at the region level by default for newly-launched instances.

Christophe Tafani-Dereeper

The slides, recording and blog post for my KubeCon Europe talk with @udgover, "Keep hackers out of your cluster with these 5 simple tricks", are now available!

📖 Blog post on tl;dr sec: https://tldrsec.com/p/kubernetes-security-threat-informed-defense

🖥️ Slides: https://docs.google.com/presentation/d/1FDzzxo7U_890_nHZyNK9L3XNisqao5aVyJrqI1ntgmE/edit#slide=id.g2c3c3dab940_0_481

⏺️ Recording: https://www.youtube.com/watch?v=UZz44j8bszU

Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks!

A threat-informed roadmap for securing Kubernetes clusters

tl;dr sec