All Stories

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

In threat hunting, Aug 13, 2022
Running live malware for threat hunting purposes

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

In threat hunting, Jul 17, 2022
Detecting a Payload delivered with ISO files with MDE

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

In threat hunting, Jun 05, 2022
Detecting Follina with MDE

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

In threat hunting, May 27, 2022
AMSI bypass detection with MDE

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

In threat hunting, May 08, 2022
Bzz.. Bzz.. Bumblebee loader

Running multiple instances of discovery commands in short period of time

When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The comma...

In threat hunting, Apr 30, 2022
Running multiple instances of discovery commands in short period of time

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

In threat hunting, Apr 20, 2022
DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

In threat hunting, Apr 13, 2022
(Trying to) hunt for a hidden scheduled task

How to start with host based threat hunting?

How to start with host based threat hunting?

In threat hunting, Apr 10, 2022
How to start with host based threat hunting?

Featured

  1. Autonomous SOC, part 2, isolating agent
    In SOC,
  2. Autonomous SOC, possible or just pointless AI hype?
    In SOC,
  3. Why Your Threat Hunting Program Is Working (Even When It Finds Nothing)
    In threat hunting,
  4. OpenCTI RSS feed support
    In threat intelligence,
  5. Threat Intelligence Platform - OpenCTI
    In threat intelligence,