Tags

How to start with host based threat hunting?

How to start with host based threat hunting?

Impacket - Part 3

Continuing with Impacket

Impacket - Part 2

Hello mr. Impacket – I am back!

Exploring hunting options for catching Impacket

Hunting for usage of Impacket

Threat hunting for signs of credential dumping

Why this topic?

Hunting for signs of SEO poisoning

How to hunt for SEO poisoning?

Rare process launch as a service

Back after a long break

From Shodan to MDE queries

I’ve had an idea for some time for using the Shodan and MDE API:s. The idea is to pull recently identified C2 servers from Shodan and use the IP-addresses to run a query against the M...

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

Running multiple instances of discovery commands in short period of time

When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The comma...

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

How to start with host based threat hunting?

How to start with host based threat hunting?

Hunting for Windows Subsystem for Linux based attacks

Hunting for WSL based Badness

Hunting for malicious scheduled tasks

Why?

Impacket - Part 3

Continuing with Impacket

Impacket - Part 2

Hello mr. Impacket – I am back!

Exploring hunting options for catching Impacket

Hunting for usage of Impacket

Threat hunting for signs of credential dumping

Why this topic?

Hunting for signs of SEO poisoning

How to hunt for SEO poisoning?

Rare process launch as a service

Back after a long break

Hunting for msbuild based execution

Why?

AsyncRAT

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

Running multiple instances of discovery commands in short period of time

When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The comma...

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

How to start with host based threat hunting?

How to start with host based threat hunting?

Hunting for Windows Subsystem for Linux based attacks

Hunting for WSL based Badness

Hunting for malicious scheduled tasks

Why?

MDE/MDI/MDO365 advanced hunt queries to ELK

I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data ...

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

Running multiple instances of discovery commands in short period of time

When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The comma...

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

How to start with host based threat hunting?

How to start with host based threat hunting?

How to start with host based threat hunting?

How to start with host based threat hunting?

Hunting for Windows Subsystem for Linux based attacks

Hunting for WSL based Badness

Hunting for malicious scheduled tasks

Why?

Impacket - Part 3

Continuing with Impacket

Impacket - Part 2

Hello mr. Impacket – I am back!

Exploring hunting options for catching Impacket

Hunting for usage of Impacket

Threat hunting for signs of credential dumping

Why this topic?

Hunting for signs of SEO poisoning

How to hunt for SEO poisoning?

Rare process launch as a service

Back after a long break

OpenCTI RSS feed support

RSS feed support in OpenCTI

Threat Intelligence Platform - OpenCTI

What?

Analysis of the current malware - Icedid

Malware statistics to ELK

I’ve been somewhat busy lately and hadn’t had much time to write anything to the blog unfortunately. I also have had some issues in thinking of good topics as I don’t want to get stuc...

Hunting for msbuild based execution

Why?

AsyncRAT

HTML Smuggling - how does it look like?

MDE/MDI/MDO365 advanced hunt queries to ELK

I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data ...

Qakbot

Qakbot - anything new on a recent sample?

Recent phishing emails + Emotet recent sample analysis

Phishing emails

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

Running multiple instances of discovery commands in short period of time

When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The comma...

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

How to start with host based threat hunting?

How to start with host based threat hunting?

Hunting for malicious scheduled tasks

Why?

(Trying to) hunt for a hidden scheduled task

Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe

DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having a...

Bzz.. Bzz.. Bumblebee loader

Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the d...

AMSI bypass detection with MDE

Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the AP...

Detecting Follina with MDE

About a week ago there was a new zero-day office “zero-click” vulnerability noted. This vulnerability was dubbed as Follina by Kevin Beaumont who discovered it while investigating a d...

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

Detecting a Payload delivered with ISO files with MDE

It’s been a little quiet on my blog for a while now - reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some fre...

Analysis of the current malware - Icedid

Malware statistics to ELK

I’ve been somewhat busy lately and hadn’t had much time to write anything to the blog unfortunately. I also have had some issues in thinking of good topics as I don’t want to get stuc...

Qakbot

Qakbot - anything new on a recent sample?

Running live malware for threat hunting purposes

This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MD...

From Shodan to MDE queries

I’ve had an idea for some time for using the Shodan and MDE API:s. The idea is to pull recently identified C2 servers from Shodan and use the IP-addresses to run a query against the M...

Recent phishing emails + Emotet recent sample analysis

Phishing emails

Recent phishing emails + Emotet recent sample analysis

Phishing emails

HTML Smuggling - how does it look like?

Qakbot

Qakbot - anything new on a recent sample?

Recent phishing emails + Emotet recent sample analysis

Phishing emails

Hunting for msbuild based execution

Why?

AsyncRAT

HTML Smuggling - how does it look like?

Qakbot

Qakbot - anything new on a recent sample?

Recent phishing emails + Emotet recent sample analysis

Phishing emails

My version of a home lab

This time I am going to introduced my version of a home lab. This is not as “pro” as many others have but have a good combination of lab and a home computer in a same package. The pos...

My version of a home lab

This time I am going to introduced my version of a home lab. This is not as “pro” as many others have but have a good combination of lab and a home computer in a same package. The pos...

Qakbot

Qakbot - anything new on a recent sample?

Analysis of the current malware - Icedid

Malware statistics to ELK

I’ve been somewhat busy lately and hadn’t had much time to write anything to the blog unfortunately. I also have had some issues in thinking of good topics as I don’t want to get stuc...

MDE/MDI/MDO365 advanced hunt queries to ELK

I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data ...

MDE/MDI/MDO365 advanced hunt queries to ELK

I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data ...

MDE/MDI/MDO365 advanced hunt queries to ELK

I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data ...

HTML Smuggling - how does it look like?

HTML Smuggling - how does it look like?

AsyncRAT

Hunting for msbuild based execution

Why?

Analysis of the current malware - Icedid

Malware statistics to ELK

I’ve been somewhat busy lately and hadn’t had much time to write anything to the blog unfortunately. I also have had some issues in thinking of good topics as I don’t want to get stuc...

Turla

Why Turla?

OpenCTI RSS feed support

RSS feed support in OpenCTI

Threat Intelligence Platform - OpenCTI

What?

OpenCTI RSS feed support

RSS feed support in OpenCTI

Threat Intelligence Platform - OpenCTI

What?

Hunting for Windows Subsystem for Linux based attacks

Hunting for WSL based Badness

The DFIR thing

The DFIR.. what?

OpenCTI RSS feed support

RSS feed support in OpenCTI

Threat Intelligence Platform - OpenCTI

What?

Rare process launch as a service

Back after a long break

Rare process launch as a service

Back after a long break

Hunting for signs of SEO poisoning

How to hunt for SEO poisoning?

Threat hunting for signs of credential dumping

Why this topic?

Impacket - Part 3

Continuing with Impacket

Impacket - Part 2

Hello mr. Impacket – I am back!

Exploring hunting options for catching Impacket

Hunting for usage of Impacket

The DFIR thing reg parsing #1

This blog post was lost in migration from Wordpress to Github Pages. :(

The DFIR thing

The DFIR.. what?

The DFIR thing reg parsing #1

This blog post was lost in migration from Wordpress to Github Pages. :(

The DFIR thing

The DFIR.. what?

The DFIR thing reg parsing #1

This blog post was lost in migration from Wordpress to Github Pages. :(

The DFIR thing

The DFIR.. what?

The DFIR thing reg parsing #1

This blog post was lost in migration from Wordpress to Github Pages. :(

The DFIR thing

The DFIR.. what?

The DFIR thing reg parsing #1

This blog post was lost in migration from Wordpress to Github Pages. :(

The DFIR thing

The DFIR.. what?

The DFIR thing reg parsing #1

This blog post was lost in migration from Wordpress to Github Pages. :(

The DFIR thing

The DFIR.. what?

Hunting for Windows Subsystem for Linux based attacks

Hunting for WSL based Badness