All Stories

Running multiple instances of discovery commands in short period of time

When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The comma...

In threat hunting, Apr 30, 2022
Running multiple instances of discovery commands in short period of time

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

In threat hunting, Apr 20, 2022
DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

In threat hunting, Apr 13, 2022
(Trying to) hunt for a hidden scheduled task

How to start with host based threat hunting?

How to start with host based threat hunting?

In threat hunting, Apr 10, 2022
How to start with host based threat hunting?

Featured

  1. Having a look at a few new fields in MDE
    In threat hunting,
  2. Look into couple of suspicous registry activities
    In threat hunting,
  3. Hunting for Windows Subsystem for Linux based attacks
    In threat hunting,
  4. The DFIR thing
    In dfir,
  5. OpenCTI RSS feed support
    In threat intelligence,
  6. Threat Intelligence Platform - OpenCTI
    In threat intelligence,