Categories

threat hunting

Hunting for Windows Subsystem for Linux based attacks

Hunting for WSL based Badness

In threat hunting, Nov 10, 2024

Impacket - Part 3

Continuing with Impacket

In threat hunting, Jun 01, 2024

Impacket - Part 2

Hello mr. Impacket – I am back!

In threat hunting, Apr 27, 2024

Exploring hunting options for catching Impacket

Hunting for usage of Impacket

In threat hunting, Apr 13, 2024

Hunting for signs of SEO poisoning

How to hunt for SEO poisoning?

In threat hunting, Feb 23, 2024

Rare process launch as a service

Back after a long break

In threat hunting, Feb 05, 2024

Turla

Why Turla?

In threat hunting, May 19, 2023

Malware statistics to ELK

I’ve been somewhat busy lately and hadn’t had much time to write anything to the blog unfortunately. I also have had some issues in thinking of good topics as I don’t want to get stuc...

In threat hunting, Feb 16, 2023

AsyncRAT

In threat hunting, Jan 08, 2023

MDE/MDI/MDO365 advanced hunt queries to ELK

I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data ...

In threat hunting, Nov 28, 2022

Qakbot

Qakbot - anything new on a recent sample?

In threat hunting, Nov 22, 2022

My version of a home lab

This time I am going to introduced my version of a home lab. This is not as “pro” as many others have but have a good combination of lab and a home computer in a same package. The pos...

In threat hunting, Nov 19, 2022

From Shodan to MDE queries

I’ve had an idea for some time for using the Shodan and MDE API:s. The idea is to pull recently identified C2 servers from Shodan and use the IP-addresses to run a query against the M...

In threat hunting, Sep 04, 2022

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

In threat hunting, Aug 13, 2022

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

In threat hunting, Jul 17, 2022

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

In threat hunting, Jun 05, 2022

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

In threat hunting, May 27, 2022

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

In threat hunting, May 08, 2022

Running multiple instances of discovery commands in short period of time

When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The comma...

In threat hunting, Apr 30, 2022

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

In threat hunting, Apr 20, 2022

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

In threat hunting, Apr 13, 2022

How to start with host based threat hunting?

How to start with host based threat hunting?

In threat hunting, Apr 10, 2022

threat intelligence

OpenCTI RSS feed support

RSS feed support in OpenCTI

In threat intelligence, Sep 16, 2023

dfir

The DFIR thing reg parsing #1

This blog post was lost in migration from Wordpress to Github Pages. :(

In dfir, Aug 29, 2024

The DFIR thing

The DFIR.. what?

In dfir, Jul 27, 2024