In light of the most recent disclosure for the Pulse Secure VPN solution, I wanted to provide a quick guide to creating detections for this attack.

Brief Backstory — FireEye detected 12 malware families and multiple threat actors abusing Pulse Secure vulnerabilities. The most recent vulnerability, CVE-2021-22893, allows for remote code execution (RCE). A detailed explanation can be found HERE.

From a high level, the things we're interested in alerting on are requests for, or activity involving, some very specific URIs and files. Note that the wildcard entries at the end of the list (for example *dana* and *meeting*) also match legitimate Pulse Secure traffic, since the normal login pages live under /dana-na/, so those are better used as hunting leads than as alerts. The indicators are as follows:

  • /home/bin/memread
  • /home/runtime/logs/*
  • /tmp/1
  • meeting_testjs.cgi
  • /home/perl/
  • ive-host/dana-na/auth/
  • /tmp/dsactiveuser.statementcounters
  • /tmp/dsstartssh.statementcounters
  • /tmp/dsserver-check.statementcounters
  • compcheckjava.cgi
  • compcheckresult.cgi
  • memread
  • licenseserverproto.cgi
  • dana-na/auth/recover.cgi
  • downloadlicenses.cgi
  • *dana*
  • *meeting*
  • *fb*
  • *smb*
  • *dana-cached*
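As an added example (not part of the original post), here is a small Python matcher that runs the indicator list above over a few constructed Apache-style access log lines. It treats the exact paths and file names as alert-worthy and the wildcard entries as hunting leads; the log lines, the combined-log layout and the alert/hunt split are my assumptions.

```python
"""Run the Pulse Secure URI/file indicators from the list above over web
access log lines.  Added example; the log lines below are constructed and
the alert/hunt split is an editorial assumption, not from the original post."""
import fnmatch
import re
from typing import Dict, List

# Exact paths and file names from the list above.  Hits are rare in normal
# traffic, so they are worth alerting on directly.
EXACT_INDICATORS = [
    "/home/bin/memread",
    "/tmp/1",
    "meeting_testjs.cgi",
    "/home/perl/",
    "ive-host/dana-na/auth/",
    "/tmp/dsactiveuser.statementcounters",
    "/tmp/dsstartssh.statementcounters",
    "/tmp/dsserver-check.statementcounters",
    "compcheckjava.cgi",
    "compcheckresult.cgi",
    "memread",
    "licenseserverproto.cgi",
    "dana-na/auth/recover.cgi",
    "downloadlicenses.cgi",
]

# Wildcard entries from the list.  "*dana*" and "*meeting*" match legitimate
# Pulse Secure paths (the normal login page lives under /dana-na/), so treat
# these as hunting leads rather than alerts.
GLOB_INDICATORS = [
    "/home/runtime/logs/*",
    "*dana*",
    "*meeting*",
    "*fb*",
    "*smb*",
    "*dana-cached*",
]

# Apache/NGINX "combined" access log layout (assumed for the sample data).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def match_indicators(value: str) -> Dict[str, List[str]]:
    """Return the exact and glob indicators that a URI or file path matches."""
    v = value.lower()
    exact = [i for i in EXACT_INDICATORS if i.lower() in v]
    globs = [g for g in GLOB_INDICATORS if fnmatch.fnmatchcase(v, g.lower())]
    return {"exact": exact, "glob": globs}


def scan_access_log(lines: List[str]) -> List[Dict]:
    """One finding per log line whose request URI hits any indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line; skip rather than crash
        found = match_indicators(m["uri"])
        if not (found["exact"] or found["glob"]):
            continue
        findings.append({
            "src": m["src"],
            "uri": m["uri"],
            "status": int(m["status"]),
            "exact": found["exact"],
            "glob": found["glob"],
            # exact indicator -> alert; wildcard-only -> hunting lead
            "severity": "alert" if found["exact"] else "hunt",
        })
    return findings


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [20/Apr/2021:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123',
    '203.0.113.7 - - [20/Apr/2021:10:00:05 +0000] "POST /dana-na/auth/recover.cgi HTTP/1.1" 200 411',
    '203.0.113.7 - - [20/Apr/2021:10:00:09 +0000] "GET /dana-na/meeting/compcheckresult.cgi HTTP/1.1" 200 78',
    '192.0.2.9 - - [20/Apr/2021:10:01:00 +0000] "GET /home/runtime/logs/access.log HTTP/1.1" 403 0',
    '10.1.2.4 - - [20/Apr/2021:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], f["uri"], f["exact"] or f["glob"])
```

The same match_indicators function can be pointed at file paths from a host integrity check (the /tmp/*.statementcounters and /home/bin/memread entries are files on the appliance, not web paths), which is why it takes a plain string rather than a parsed log line.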

If you missed my previous series, in which I go over the methodology for implementing and using VirusTotal API data combined with Splunk's correlation power to discover malicious activity on your network by detecting traffic to recently registered domains, check it out HERE and HERE. Long story short: if you're developing threat detection content you NEED to provide context for your detections to speed up SOC analysis and decision making. …

Identifying odd Kerberos TGT requests in your environment using Splunk's anomalydetection command.

Splunk introduced a few handy anomaly-focused search commands, available alongside its Machine Learning Toolkit app, aimed at helping analysts and data deep-divers look for anomalies within their datasets. The commands useful for finding anomalies are anomalies, anomalousvalue and anomalydetection. This article focuses on the anomalydetection command.

If you've been following any of my other articles, you've probably picked up on the fact that I'm a fan of anomaly detection as a substitute for IOC-based detections. These types of detections are very useful when trying…

In a previous article, Detecting Cobalt Strike by Fingerprinting Imageload Events, we discussed how we can potentially identify Cobalt Strike being initially executed on a system by focusing on the common DLLs loaded at runtime.

Additional research into Cobalt Strike led me to some pretty interesting research posts, by The Wover, MDSec and MichaelKoczwara, that discuss .NET assembly injection techniques. .NET injection is actually something Microsoft considers a feature, and it happens quite a bit within a normal production environment. It turns out there are a few very distinctive DLLs that will be loaded every time a .NET assembly is loaded…


For anyone who has created or written SIEM alerts/alarms, you're all too familiar with the balancing act involved in developing signatures that a Security Operations Center (SOC) analyst can investigate, or will at least find useful as a starting point for an investigation. …

UPDATE — Check out a related detection technique to find execute-assembly activity

While 2020 has been pretty miserable for many people, one small silver lining is that this year I've been fortunate enough to engage in multiple Purple Team exercises, affording me the opportunity to observe some pretty interesting TTPs courtesy of our Adversary Emulation team. Quick background…


Cobalt Strike, for those of you living under a rock, is a commercial penetration testing platform, developed by Raphael Mudge, used by many of today’s elite Red Teams and, unfortunately, nation state and criminal threat actors. For about $3,500 a bad guy gets…

Using endpoint logs to track down compromised hosts

When attackers gain an initial foothold within an environment, they'll inevitably start looking to perform some sort of lateral movement to achieve their objectives. Attackers will likely start this process with a series of ping sweeps and port scans.

This post assumes you're lucky enough to be collecting endpoint TCP connection logs from tools like Sysmon or popular EDR solutions. These logs can be very noisy, but they are very helpful when tracking down adversary lateral movement. Below is an example of Sysmon Event ID 3 (network connection detected).

The important fields from this…
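As an added example (not part of the original post), here is a Python sketch of the ping-sweep and port-scan logic the post describes, run over constructed Sysmon Event ID 3 records written as one key=value line each (real Sysmon output is EVTX/XML). The thresholds, the 60-second window, the process paths and the field layout of the sample lines are assumptions.

```python
"""Flag ping sweeps and port scans in Sysmon Event ID 3 (network connection)
data.  Added example; the events below are constructed key=value lines (real
Sysmon output is EVTX/XML) and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SWEEP_HOSTS = 5       # distinct destinations on one port within the window (assumed)
SCAN_PORTS = 10       # distinct ports on one destination within the window (assumed)
WINDOW_SECONDS = 60   # detection window (assumed)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value Key=Value' Sysmon EID 3 line."""
    ev = dict(KV_RE.findall(line))
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%dT%H:%M:%S.%f")
    return ev


def detect_scans(lines: List[str], window: int = WINDOW_SECONDS,
                 sweep_hosts: int = SWEEP_HOSTS, scan_ports: int = SCAN_PORTS) -> List[Dict]:
    """Return sweep/port-scan findings keyed on the initiating process."""
    events = [parse_event(ln) for ln in lines]
    # Only outbound connections (Initiated=true) matter for sweep/scan detection.
    events = [e for e in events if e.get("Initiated") == "true"]
    events.sort(key=lambda e: e["UtcTime"])

    # Group by (source host, image): the scanning *process* is the pivot.
    by_actor: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in events:
        by_actor[(e["SourceIp"], e["Image"])].append(e)

    findings = []
    for (src, image), evs in by_actor.items():
        seen = set()  # report each (type, key) once per actor
        for i, first in enumerate(evs):
            t0 = first["UtcTime"]
            win = [e for e in evs[i:] if (e["UtcTime"] - t0).total_seconds() <= window]
            hosts_per_port = defaultdict(set)   # sweep: many hosts, one port
            ports_per_host = defaultdict(set)   # port scan: one host, many ports
            for e in win:
                hosts_per_port[e["DestinationPort"]].add(e["DestinationIp"])
                ports_per_host[e["DestinationIp"]].add(e["DestinationPort"])
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= sweep_hosts and ("sweep", port) not in seen:
                    seen.add(("sweep", port))
                    findings.append({"type": "sweep", "src": src, "image": image,
                                     "port": port, "hosts": len(hosts), "start": t0})
            for dst, ports in ports_per_host.items():
                if len(ports) >= scan_ports and ("portscan", dst) not in seen:
                    seen.add(("portscan", dst))
                    findings.append({"type": "portscan", "src": src, "image": image,
                                     "dst": dst, "ports": len(ports), "start": t0})
    return findings


# Constructed sample data (hypothetical paths and addresses).
SCANNER = r"C:\Users\bob\AppData\Local\Temp\scan.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"


def _ev(sec: int, image: str, dst: str, port: int) -> str:
    return (f"UtcTime=2020-11-02T14:00:{sec:02d}.000 Image={image} User=CORP\\bob "
            f"Protocol=tcp Initiated=true SourceIp=10.0.0.15 SourcePort={49152 + sec} "
            f"DestinationIp={dst} DestinationPort={port}")


SAMPLE_EVENTS = (
    [_ev(i, SCANNER, f"10.0.0.{20 + i}", 445) for i in range(6)]             # SMB sweep
    + [_ev(10 + i, SCANNER, "10.0.0.30", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 8080])]  # port scan
    + [_ev(30, SVCHOST, "10.0.0.5", 443), _ev(45, SVCHOST, "10.0.0.5", 443)]  # benign
)

if __name__ == "__main__":
    for f in detect_scans(SAMPLE_EVENTS):
        print(f)
```

Keying on the image path as well as the source address is what keeps a busy but legitimate process (a browser, a backup agent) from being lumped together with the scanner on the same host; in production the same logic is usually expressed as a stats/dc query in the SIEM rather than in Python.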

If you missed Part 1 of this series, I highly recommend you check it out. In it I go over the methodology for implementing and using VirusTotal API data combined with Splunk's correlation power to discover malicious activity on your network by detecting traffic to recently registered domains.

In Part 2, I am going to demonstrate the value of regularly ingesting threat intelligence data into a SIEM like Splunk by taking a single IOC, such as an IP address or domain name, and finding other, possibly related IOCs that may be useful. Again, I will be…

Part One — Tracking down possible malicious web activity with the help of Splunk and VirusTotal API v3 WHOIS data.


If you're unfamiliar with VirusTotal, it is a free service that allows security researchers to submit and search for malicious files, URLs, domains, IP addresses, etc. and see their associated anti-virus detections. As the service has matured, VirusTotal has added premium features for businesses and security researchers. A full list of their features and offerings can be found HERE, but for the sake of this article I'll only be focusing on their Premium API v3 offering.

Combining VirusTotal’s immense community supported…


Recently, Microsoft O365 auto-forward rules are back in the news, as SANS suffered a data breach on August 11, 2020. The full details of the breach can be found here. If you hadn't heard about the incident: an attacker successfully phished a SANS employee, which resulted in a malicious O365 cloud app and an auto-forwarding rule being installed/enabled on the victim's account. SANS detected the breach within a few weeks of the incident during a routine O365 audit.

There are multiple ways in which these auto-forwarding rules can be detected. SANS was gracious enough to provide a walk-through…
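As an added example (not part of the original post or of the SANS walk-through), here is one of those detection approaches in Python: scanning Office 365 Unified Audit Log records for inbox rules and mailbox settings that forward mail, and flagging destinations outside the tenant. The records below are constructed, and the tenant domain list and the exact shape of the Parameters values are assumptions.

```python
"""Find mailbox forwarding set up through Exchange Online, using the shape of
Office 365 Unified Audit Log records (Operation + Parameters name/value list).
Added example; the records below are constructed and the tenant domain list
and parameter value format are assumptions."""
import json
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}          # assumed: the tenant's own domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
RULE_FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
MAILBOX_OPS = {"Set-Mailbox"}
MAILBOX_FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}


def _params(record: Dict) -> Dict[str, str]:
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _addresses(value: str) -> List[str]:
    """Split a ';'-separated recipient value and strip any 'smtp:' prefix."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if part:
            out.append(part.lower())
    return out


def is_external(addr: str) -> bool:
    """True when the address domain is not one of the tenant's own domains."""
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def find_forwarding(records: List[Dict]) -> List[Dict]:
    """One finding per forwarding destination found in rule or mailbox changes."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op in RULE_OPS:
            watch = RULE_FORWARD_PARAMS
        elif op in MAILBOX_OPS:
            watch = MAILBOX_FORWARD_PARAMS
        else:
            continue  # not a forwarding-capable operation
        params = _params(rec)
        for name in sorted(watch & set(params)):
            for addr in _addresses(params[name]):
                findings.append({
                    "time": rec.get("CreationTime"),
                    "actor": rec.get("UserId"),
                    "operation": op,
                    "parameter": name,
                    "destination": addr,
                    "external": is_external(addr),   # external -> highest priority
                    "rule_name": params.get("Name"),
                })
    return findings


# Constructed audit records (hypothetical users and domains).
SAMPLE_RECORDS = [json.loads(s) for s in [
    '{"CreationTime":"2020-07-24T15:02:11","Operation":"New-InboxRule","UserId":"alice@example.com",'
    '"Parameters":[{"Name":"Name","Value":"Anti Spam Rule"},'
    '{"Name":"ForwardTo","Value":"smtp:collector@external.example"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2020-07-25T09:00:00","Operation":"Set-InboxRule","UserId":"bob@example.com",'
    '"Parameters":[{"Name":"Identity","Value":"Backup"},{"Name":"ForwardTo","Value":"bob.backup@example.com"}]}',
    '{"CreationTime":"2020-07-26T11:30:00","Operation":"Set-Mailbox","UserId":"admin@example.com",'
    '"Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@external.example"}]}',
    '{"CreationTime":"2020-07-26T12:00:00","Operation":"New-InboxRule","UserId":"dave@example.com",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}',
    '{"CreationTime":"2020-07-26T12:05:00","Operation":"MailItemsAccessed","UserId":"alice@example.com"}',
]]

if __name__ == "__main__":
    for f in find_forwarding(SAMPLE_RECORDS):
        print("EXTERNAL" if f["external"] else "internal", f["actor"], f["operation"], f["destination"])
```

Rule-level forwarding (New-InboxRule / Set-InboxRule) and mailbox-level forwarding (Set-Mailbox) are separate code paths in Exchange and show up as different operations in the audit log, which is why the example watches both; a detection that only looks for New-InboxRule misses the mailbox-property variant.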


Cyber Security enthusiast, detection developer and engineer, researcher, consultant.
