Why? Executing code & persistence through scheduled tasks is one of the most common techniques used by the threat actors to persist on a device. I also have noted that quite often the threat hunting is based on something like schtasks being used to create those tasks. This is fine as that is likely...
Impacket – Part 2
Hello mr. Impacket – I am back! Today I will write about Impacket. Last time I wrote about the psexec and smbexec modules which I found to be the most logical start to the series (BTW I would like to remind that 2 posts can be series). You know, it is a gift which...
Exploring hunting options for catching Impacket
Hunting for usage of Impacket Impacket is one of those tools which the threat actors are constantly using during the attacks. It is interesting tool as it allows interacting with several protocols with Python. It, for example, allows for a PsExec like behavior which is very often one of the key tools the threats...
Threat hunting for signs of credential dumping
Why this topic? I chose this topic because I’ve seen a lot of different queries to hunt for signs of credential dumping. However, these have been mostly developed around finding certain tools which do dump the credentials. My idea was to try to hunt for the activity done by the application which dumps the...
Hunting for signs of SEO poisoning
How to hunt for SEO poisoning? Well this is a good question to which I don’t have a good answer. This query is going to go through the very basics of how this can be started but it is not really that easy to do. I’ve had several different ideas of how to hunt...
MDE/MDI/MDO365 advanced hunt queries to ELK
I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data that has been ingested to it. It supports whatever that you can imagine of using over the API and thus offers great...
Running live malware for threat hunting purposes
This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MDE agent installed. This could potentially provide great telemetry data to generate ideas for threat hunting purposes....
Detecting a Payload delivered with ISO files with MDE
It’s been a little quiet on my blog for a while now – reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some free time to keep on blogging. While I was on a vacation I read an...
Detecting Follina with MDE
About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a document originating from Belarus. An article by Kevin is available here. This is very interesting approach to exploit the Office applications, which apparently also applies for...
AMSI bypass detection with MDE
Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the API to scan the content before it is being launched. If the content is malicious the execution will be prevented. This function works with Defender...